These days, businesses don’t just have to worry about the security of their own networks. Data breaches occurring on third-party servers are also dangerous.
That’s especially the case as more companies turn to cloud computing services to handle critical parts of their IT infrastructure. One danger is that those third-party providers could become an attractive target for hackers looking for a big payoff, including access to sensitive data from a lot of different organizations.
A string of recent — and possibly related — data breaches shows the dangers companies might face when their information is being held on third parties’ networks.
Security firm Hold Security recently discovered a data breach involving PR Newswire, a popular marketing and public relations service provider, in which a file containing information including access credentials and contact information about a number of clients was stolen.
While there’s no evidence the hackers have done anything malicious with that information, PR Newswire says it’s notifying customers and implementing mandatory password changes.
Hold Security believes that attack was carried out by the same group of hackers that recently stole customer information from several other major service providers, including LexisNexis, Dun & Bradstreet and Kroll Background America.
The group reportedly sells Social Security numbers and other sensitive information to identity thieves so they can commit fraud. The PR Newswire database was discovered on the same web server as the information stolen from those other companies.
Preventing third-party data breaches
Despite the dangers, it’s inevitable that organizations will at times hand their data over to other companies.
There are some steps IT can take to minimize the risk of being hit with data breaches involving third parties:
- Conduct a risk assessment and annual reviews. Depending on the industry and the type of data being stored by the third party, security audits and testing may be required by law. But even if they’re not, they should be done anyway. And don’t just rely on general statements from auditors and the vendor’s employees — make sure you get the technical details from actual penetration tests.
- Train users to be careful when dealing with third parties and their representatives. Staff members should know not to share passwords with those employees and not to give them any more access than they’re authorized to have.
- Make sure vendor contracts have adequate protection. The agreement should describe the minimum security controls that must be in place, as well as set out penalties for incidents that are the fault of the vendor.