According to the Opus and Ponemon 2018 report, 59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties. In the U.S., that percentage is higher at 61 percent. Also noted that many breaches go undetected: 22 percent of respondents admitted they didn’t know if they’d had a third-party risk management data breach in the past 12 months. A third-party breach costs, on average, twice what a normal breach costs.
The vendor risk management series provides insight into vendor management program that considers IT Security Risk and Privacy Risk in addition to traditional Compliance, Operational, Strategic, Geography, and Financial risks. The series covers the following topics at a high level to provide sufficient knowledge for professionals to design the program that commensurates with the size, nature, and objectives of the organization. It explores the topics below:
- Drivers of Risk Management
- Alignment and Governance
- Categorizing Vendors
- Analyzing Vendor Risks
- Monitoring Vendor Risks: The Vendor Management Organization
- Communicating Vendor Risks
- Optimization and Standards
Major Breaches Leading to Corporate Bankruptcy
Many organizations are not aware but intellectual property (IP) breaches can be a recipe for bankruptcy. Below are a few examples of the businesses which failed and went bankrupt because of an intellectual property breach.
- AMCA’s lost four largest clients include Quest, LabCorp, Conduent and CareCentrix, and numerous class action suits were filed after the breach. The enormous penalties for noncompliance led to bankruptcy.
- Westinghouse Nuclear went bankrupt in large part because they lost their competitive advantage due to IP theft.
- The leading cryptocurrency exchange Mt. Gox was hacked leading to its insolvency.
- Promo Marketing Magazine reported the closure of Colorado Timberline’s management citing a ransomware attack.
- You Bit went bankrupt after that attack that compromised the exchange’s assets.
The target area for the hackers is third parties and the focus is on Personally Identifiable Information (PII). The hacker’s new strategy is in the form of targeting vendors instead of going after a large company. They collect more data by attacking a vendor who works with multiple large companies. Below are the examples of major breaches reported in 2019:
- American Medical Collection Agency (AMCA) is a third-party provider of billing services was hacked over 8 months till April 2019 and lost PII data for 20 million citizens. They provided services to companies like Quest, LabCorp and OPKO Health subsidiary BioReference Laboratories.
As a result of the breach, AMCA’s lost four largest clients include Conduent and CareCentrix, and numerous class action suits were filed, and the company faced enormous penalties for noncompliance with HIPAA lead to bankruptcy.
- The reported in April 2019 Facebook lost 540 million user PII data due to failure by the third party in securely storing data. A digital media company called Cultura Colectiva, based in Mexico lost 540 million PII records of user IDs though the publicly accessible server.
- The TechCrunch reported that a misconfigured unprotected server of a third-party vendor exposed 24 million of bank loan and mortgage documents that belong to Ascension, a data and analytics company for the financial industry. The documents contain sensitive information for many major financial institutions including CitiFinancial, HSBC Life Insurance, Wells Fargo, CapitalOne, etc. The third-party involved, OpticsML, provided OCR (Optical Character Recognition) services to convert paper documents and handwritten notes into computer-readable files.
In addition to the misconfiguration of the server’s security settings, according to The Washington Post, the database allegedly did not have a password, meaning that anyone could have accessed the sensitive information.
- Humana notified its customers in early 2019 about a third-party data breach that compromised name, address, date of birth, partial social security numbers, and some info about policy type of an unknown number of customers. The incident was discovered while conducting an internal review on Feb. 14, 2019. The breach caused by one of Humana’s business partners, BankersLife.
Part II of the series will cover the vendor categorization, alignment, and governance.