Can you trust your partners not to leak your data?

Clare Hopping

Tuesday 27 September 2016

Many companies target their employees when searching for the source of a data leak, but are they missing the real problem? Looking at recent data breaches, it seems partners working on behalf of your company could be to blame.

Although your company might have all the policies and safeguards in place to prevent hackers breaking in and stealing data, it’s hard to guarantee your business partners have the same stringent attitude towards their security, which can cause real problems if they have access to your customer data.

Research reveals insider threats are responsible for 43 per cent of data leaks, and recently there have been several cases where partners or contractors, working on behalf of your company but not directly employed by it, were responsible for major data leaks. As a result, both the company and their partner have come under the microscope.

Some of these incidents have been deliberate leaks, while others were accidents. What is similar across the board however is that these hacks had a lasting impact on the company and its customers.

Thomson Reuters

In early July, Thompson Reuters announced its database of 2.2 million records relating to terrorists and organised crime individuals was leaked following an accidental database error. The World-Check database provides groups including banks, law firms and intelligence agencies with information about these people to prevent them getting credit or committing further crimes such as fraud.

The company revealed that its partner, London-based financial services firm SmartKYC, was to blame, leaking the information by accident. The two companies were able to work together to take the outdated content offline.

Thomson Reuters issued a statement saying the “third party” has been “spoken to” and there “will be no repetition of this unacceptable incident”.

Vodafone Germany

Although not directly a partner, a hack by a contractor working for Vodafone Germany saw the theft of customer names, addresses, bank account numbers and birth dates, all because the individual was given the same access rights as the company’s direct employees.

Because passwords, PINs and credit card details weren’t stolen, it’s unlikely much could be done with the information, Vodafone said, but the company reacted by changing the passwords and certificates of all administrators and completely reset the affected server to ensure more data could not be stolen.

“This attack could only be carried out with high criminal intent and insider knowledge and was launched deep inside the IT infrastructure of the company,” Vodafone Germany said in a statement. “Vodafone deeply regrets the incident and apologises to all those affected.”

How to boost partner security

It’s a fact of life that partners and contractors don’t have the same incentive to be as security-conscious as your employees. It’s not necessarily their fault – they don’t know your company’s policies and haven’t undergone the same security training as your staff.

It’s therefore important you teach them your company policies as best you can. This could be achieved through training, only giving them access to certain non-confidential information, or enabling an extra layer of security before they can download sensitive data.

They should also formally agree to the terms and conditions of your company’s security policies, so if anything does go wrong and they leak your data, you have evidence they were aware of the processes and you can take legal action.


Building the next-gen data centre

Where traditional and web-scale apps co-exist