EI3PA

Last year, 56% of organizations were hit by a breach caused by one of their third party vendors. Let that sink in for a moment.

56%.

What has been the cause for the uptick in third party breaches lately? Supply chain attacks.  These coordinated, front-line network assaults can be difficult for businesses to tackle internally.  When you’re also working with third-party vendors that are utilizing your network, maintaining a high security posture during operating hours (which for some may end up being 24/7) can be near impossible.  Unless these third-party vendors operate entirely under the same roof or network as your business, you won’t have the same level of control over credit-based compliance efforts as you would with your own internal operations.  This lack of consistent control over credit-based compliance can leave your company in a tailspin after being hit by a devastating supply chain attack.

Third-party vendors are becoming more involved in business operations as time progresses. One survey notes that 75% of businesses saw third-party access grow over the past two years. With this increase in reliance on third party vendors to streamline business processes comes an increase in risks that might lead to a data breach if the consumer information is mismanaged and exploited by opportunistic hackers. When the organization is handling consumer credit information, there is a need to take extra precautions to ensure that the data does not fall into the wrong hands. This can be a difficult task to accomplish for a single organization, but when accounting for a third-party vendor, it can be nearly impossible to do unless security protocols are initiated to reinforce the consumer credit data.

In March of 2008, 134 million credit cards and the underlying data were stolen by spyware installed on the Heartland data systems via an SQL injection. Prior to the security breach, Heartland was processing over 100,000,000 card transactions a month for nearly 200,000 small to mid-sized retailers. This breach remained undiscovered until over six months later in January of 2009 when MasterCard and Visa alerted Heartland of suspicious activity and transactions. It was soon discovered that Heartland was out of compliance with the Payment Card Industry Data Security Standard (PCI DDS). As a result, they were not allowed to process card payments until they were found in compliance, which took six months, were required to pay over $145,000,000 in compensation for fraudulent payments, and lost thousands of customers due to their negligence. Now, Heartland is a company capable of weathering such a storm, but if you are a smaller online business, such a breach could wreck your company, and being found out of compliance can carry hefty fines.

For a variety of financial service companies, dealing with the credit history of customers is part and parcel of doing business. Whether its issuing a credit card or financing a small business, banks, lenders, and other service providers and institutions routinely utilize credit data from companies like Experian to make the most appropriate business decisions. But theres just one catch – financial institutions need to be careful (and compliant) in the way they handle private credit history information thats shared with them from Experian data.