Third-Party Vendor Security Mistakes Result in Holiday Data Breach Revelations

Holidays should be quiet times, but I’ve been writing about cybersecurity long enough to know that time off work is prime time for activity by hackers. Or, at least, that’s when cyber incidents are discovered and revealed to the public (maybe companies are hoping that no one will be paying attention if a new-found attack is found on the Sunday of a three-day weekend?). Clearly, something was up when I found my inbox flooded with commentary about not just one, but two, major data breaches revealed over Labor Day weekend.

One, as Gizmodo reported, is the result of a third-party security breakdown. A vendor used by a private security company called TigerSwan exposed the personal information of nearly 10,000 job applicants with high-level security clearances on an unsecure Amazon server. It’s believed that this information has been unsecure for most of this year. It is yet another incident where a third-party vendor caused problems for a company, but as Jeff Hill, director of Product Management with Prevalent, told me in an email comment, organizations need to step up when it comes to third parties and security:

TigerSwan’s response is unfortunately typical, reflecting a philosophy among many organizations that deflects third-party data protection responsibility to the vendor. TigerSwan emphatically declares the security of their servers and their perfect data breach security record, a self-congratulatory statement irrelevant to their current circumstance. Organizations are responsible for the security of sensitive data in their custody, whether it’s behind their firewall or that of a vendor. The information security community is increasingly appreciative of this reality, even if companies like TigerSwan have yet to fully digest it.

The other major cybersecurity story to come out of the holiday weekend also focused on the third-party risk. As Engadget reported, more than four million Time Warner Cable customer records were stored on an Amazon server without password protection. Although no credit card data was at risk, some personal information, like email addresses and billing addresses, were exposed. This cybersecurity incident has Michael Patterson, CEO of Plixer, echoing the concerns of Jeff Hill – corporations need to step up the responsibility of third-party security, adding:

Having said that, at this point, we should all expect any of our online data to be breached. Data leaks can occur as targeted attacks from bad actors, or as in this case, from the reckless behavior of a third-party vendor. Consumers and businesses alike can no longer trust that any online data will be kept safe by the organizations that are collecting and saving it.

It appears that the security message of Labor Day weekend is that organizations need to step up on holding their contractors to better security practices and to take responsibility for those data breaches.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba