4th Party Vendor Breach Strikes Again
Security can’t be looked at only inside the firewall; it must be accounted for throughout an organization’s entire business network
Last week’s Ticketmaster breach is a classic example of the challenges companies face in effectively managing vendor risk. Very few companies manage their own online ticket sales. That job is left to companies like Ticketmaster that specialize in this service. In fact, I recently renewed my season tickets to North Carolina’s Blumenthal Performing Arts Center using Ticketmaster. Now I read that 5% of Ticketmaster’s entire database has been compromised.
I say that this is a classic example of how third party risk can spread because it wasn’t Ticketmaster that was compromised; it was one of the many companies that they outsource to – Inbenta. Inbenta provides live chat widgets to Ticketmaster, which deploys them on its sites worldwide. So, companies that outsource to Ticketmaster find themselves in the position of trying to determine the extent to which their customers’ information has been compromised by a breach at one of Ticketmaster’s vendors (i.e., their 4th party).
How organizations should approach third party risk
Companies taking a mature approach to third party risk would have included in their assessment of Ticketmaster questions concerning Ticketmaster’s use of third party service providers, and the measures Ticketmaster uses to protect access to its systems and customer data. Best practices also suggest that Ticketmaster should have been required to identify any third parties it relies on to deliver its services to customers and to demonstrate that it has processes in place to make sure those vendors maintain proper IT and data security controls.
Did Ticketmaster properly manage their outsourced risk? Did companies (like Blumenthal Performing Arts) assess Ticketmaster to ensure it was managing its outsourced services? The answers to these questions will certainly be revealed over time. In the interim, this serves as a perfect example of why everyone’s third party risk program must include processes to identify and manage the risk of vendor outsourcing – and the 4th Party, 5th Party ... nth Party risk this presents.
Now if you’ll excuse me, I’ve got to check and see if the credit card I used to renew my season tickets has been compromised…again.
About the author: Brad Keller, JD, CTPRP, Prevalent Inc.
Brad Keller has been developing and leading risk management programs for more than 25 years. Currently, Brad is the Sr. Director of 3rd Party Strategy at Prevalent, Inc. where he focuses on the delivery of Prevalent’s Third Party risk management and assessment solutions.
Article shared with kind permission by Prevalent Inc.