South Africa-based Nedbank has disclosed that the personal information of 1.7 million customers was breached by an IT services provider. This comes at the same time as a new report has uncovered a sharp increase in incidents involving companies handling sensitive data for business partners and other clients. The total number of such third-party breaches hit 368 in 2019, up from 328 in 2018 and 273 in 2017 — a 35% increase in two years.
The recent breach at Nedbank is an excellent example of what can happen when an organization does business with what many might consider to be a “low risk” supplier. This case involved a direct marketing company that issued SMS and email marketing information on behalf of the bank. While the company did not have any links to bank accounts, it nevertheless had access to customer information such as names, ID numbers, phone numbers and email addresses. In the wrong hands, this breached data could be used for identity theft or fraud.
The takeaway from this cyber incident is that every third party can present a possible risk to the organization that it is connected to. For this reason, it’s imperative that organizations assess all their third parties, determine their level of cyber risk and effectively manage their security accordingly.
Studies have indicated that the number of third parties that organizations are doing business with is increasing, along with the percentage of third parties that share organizations’ sensitive and confidential data. At the same time, we see that organizations are increasingly storing data in the cloud, often through third parties, and are therefore susceptible to cloud configuration mishaps that can leave data exposed. For all of these reasons, it’s not surprising that third-party data breaches are on the rise.
The consequences of third-party breaches—including loss of customer trust and costly regulatory penalties—can be devastating to businesses. Clearly, the call to action is for organizations to put effective processes in place in order to manage, thoroughly assess and continuously monitor the security of their third parties. This is important not only during screening and onboarding, but throughout their entire business relationship.