Expert Comments

Experts warn of vetting third-part partners in light of Promo.com Breach

Expert(s): Security Experts
Expert(s): Security Experts Published: Last Updated on

Promo.com, an Israeli-based video marketing creation site, disclosed a data breach at the hands of an undisclosed third-party supplier that compromised the records of 22M users. The breach came to light after Promo.com found its data being given away for free on a hacker forum. Cybersecurity experts commented below on the importance of vetting third-party partners.

Experts Comments

Dot Your Expert Comments
Terence Jackson
July 30, 2020
Chief Information Security & Privacy Officer
Thycotic

Promo has laid blame on a third party vendor.
It appears as if Promo was collecting a large amount of data from its customers, inclusive of geolocation data. It is important for users to read their End User License Agreements to get an understanding of what data a company is collecting , where will it be stored and for how long. Promo has laid blame on a third party vendor. As this investigation unfolds, it will be interesting to see what role the vendor played in the supply chain and what if any GDPR fines may be leveraged.
Javvad Malik
July 29, 2020
Security Awareness Advocate
KnowBe4

Change passwords if they're reused anywhere, keep an eye on credit score, and send a strongly-worded email to the provider expressing their disdain.
Having 3rd parties and outsourcing elements of work is a reality in today's business world, but outsourcing any activity does not absolve an organisation of its security responsibilities. This is another incident where an organisation is stating the breach has occurred from a third party, which may be true, but it's still a breach for which they are responsible. Whenever handing over data to third parties, or allowing them access, organisations need to ensure they have adequate security.....Read More
Having 3rd parties and outsourcing elements of work is a reality in today's business world, but outsourcing any activity does not absolve an organisation of its security responsibilities. This is another incident where an organisation is stating the breach has occurred from a third party, which may be true, but it's still a breach for which they are responsible. Whenever handing over data to third parties, or allowing them access, organisations need to ensure they have adequate security controls in place and they have means to test the effectiveness of those said controls. For the impacted users, it's a case of groundhog day - another company breached and the same advice applies, change passwords if they're reused anywhere, keep an eye on credit score, and send a strongly-worded email to the provider expressing their disdain.  Read Less
Justin Heard
July 29, 2020
Director of the Security Intelligence and Analytics
Nuspire

The Promo breach serves as a reminder of the importance of vetting your third-party partners.
Your attack surface is a lot bigger than you think. The Promo breach serves as a reminder of the importance of vetting your third-party partners. If your third-party partners don’t have equal or greater security standards, they are a security risk. As your organization grows and scales, so does your list of third-party vendors, so it is in every organization’s best interest to always vet the security of their vendors. The overarching issue with third-party security is accountability......Read More
Your attack surface is a lot bigger than you think. The Promo breach serves as a reminder of the importance of vetting your third-party partners. If your third-party partners don’t have equal or greater security standards, they are a security risk. As your organization grows and scales, so does your list of third-party vendors, so it is in every organization’s best interest to always vet the security of their vendors. The overarching issue with third-party security is accountability. If your organization collects customer data or has privileged access, it is your responsibility to keep that data protected and fines should be issued if an organization fails to do so. If your organization has access to customer data, I recommend employing a layered approach to security, which requires advanced antivirus detection over legacy tools and educating your staff on what they can do to prevent security incidents.  Read Less

Dot Your Expert Comments


Only for registered and approved experts. Please register before providing comments. Register here
* By using this form you agree with the storage and handling of your data by this web site.
Submit
0
FacebookTwitterLinkedinWhatsappEmail

You may also like

ObliqueRAT Trojan Lurks On Compromised Websites – Experts Comments

Microsoft Multiple 0-Day Attack – Tenable Comment

Experts Reaction On Malaysia Airlines 9 Years Old Data Breach

IoT Security In The Spotlight, As Research Highlights Alexa Security...

Oxfam Australia Confirms ‘Supporter’ Data Accessed In Cyber Attack

Expert Reaction On Solarwinds Blames Intern For Weak Passwords

Expert Reaction On Go Is Becoming The Language Of Choice...

Experts On Google Voice Outage

Expert Reaction On GCHQ To Use AI In Cyberwarfare

Comment: Hackers Break Into ‘Biochemical Systems’ At Oxford Uni Lab...