Last week we reported on the Ticketmaster breach, which might have affected Irish customers. This breach was caused by malicious software located on a customer support product hosted by an external third-party supplier, Inbenta Technologies.
Since the breach was announced by Ticketmaster on 23 June, it has emerged that the company may have been warned about the breach as far back as April, according to digital bank Monzo.
The UK-based online bank, which was granted permission to operate in Ireland in February 2018, said it replaced the bank cards of 50 British customers who had reported fraudulent transactions on 6 April. Monzo’s own investigation found that 35 of those 50 customers affected had used their cards with Ticketmaster in the previous five months.
This Ticketmaster breach shows that the weak spot in many organisations’ cyber security strategy may be their supply chain. The EU GDPR (General Data Protection Regulation) makes it clear that organisations are accountable for data breaches caused by their third-party service providers.
Given that third parties pose such a large security risk, organisations need to protect themselves.
What you need to do
When reviewing your relationship with third parties, communications technology company 8×8 says:
- Don’t assume your third-party vendors take security and compliance seriously, let alone are GDPR compliant.
- Clearly define all of the areas and activities in which GDPR is in scope, and have your third-party vendors agree and provide signed contractual assurances they will achieve all the GDPR compliance intricacies by 25 May 2018.
- Agree that your third-party vendors will not outsource any GDPR-relevant scoped services without written approval.
- Do your due diligence and regularly audit your third-party vendors’ processes.
- Make sure your third-party vendors provide thorough background checks for all staff and contractors – including credit, employment and criminal records.
- Know where your third-party vendors’ employees are located, and decide whether you’re happy working with vendors employing staff and contractors in countries where hostile state actors are employed and/or are known for supporting, tolerating or ignoring cyber-criminal activity.
IT Governance Europe is committed to helping organisations in Ireland and throughout Europe with their GDPR compliance projects. Learn more about the importance of vendor management on our certified GDPR training courses.
For a limited time only, we are offering 15% off our certified GDPR training courses. Book your place today >>