Third-Party Risk Mgt.- Major Breaches and Bankruptcy Part I

Charu Pel


According to the Opus and Ponemon 2018 report, 59 percent of companies said they had experienced a data breach caused by one of their vendors or third parties. In the U.S., that percentage is higher, at 61 percent. The report also noted that many breaches go undetected: 22 percent of respondents admitted they did not know whether they had suffered a third-party data breach in the past 12 months. A third-party breach costs, on average, twice what a normal breach costs.

The vendor risk management series provides insight into a vendor management program that considers IT security risk and privacy risk in addition to the traditional compliance, operational, strategic, geographic, and financial risks. The series covers the following topics at a high level, giving professionals sufficient knowledge to design a program that is commensurate with the size, nature, and objectives of their organization.

What topics are covered in the vendor risk management series?

  • Drivers of Risk Management
  • Alignment and Governance
  • Categorizing Vendors
  • Analyzing Vendor Risks
  • Monitoring Vendor Risks: The Vendor Management Organization
  • Communicating Vendor Risks
  • Optimization and Standards

Which major breaches led to corporate bankruptcy?

Many organizations are not aware that intellectual property (IP) breaches can be a recipe for bankruptcy. Below are a few examples of businesses that failed and went bankrupt because of an intellectual property breach or a cyber attack.

  • AMCA lost its four largest clients, including Quest, LabCorp, Conduent and CareCentrix, and numerous class action suits were filed after the breach. The enormous penalties for noncompliance led to bankruptcy.
  • Westinghouse Nuclear went bankrupt in large part because it lost its competitive advantage due to IP theft.
  • The leading cryptocurrency exchange Mt. Gox was hacked, leading to its insolvency.
  • Promo Marketing Magazine reported the closure of Colorado Timberline, with management citing a ransomware attack.
  • Youbit went bankrupt after an attack that compromised the exchange's assets.

What major third-party breaches were reported in 2019?

Attackers increasingly target third parties, with a focus on Personally Identifiable Information (PII). Rather than going after a large company directly, the newer strategy is to compromise a vendor that works with multiple large companies, collecting more data from a single intrusion. Below are examples of major breaches reported in 2019:

  • American Medical Collection Agency (AMCA), a third-party provider of billing services, was hacked over eight months until April 2019 and lost PII for 20 million citizens. It provided services to companies such as Quest, LabCorp and OPKO Health subsidiary BioReference Laboratories.

As a result of the breach, AMCA lost its four largest clients, including Conduent and CareCentrix, numerous class action suits were filed, and the enormous penalties the company faced for noncompliance with HIPAA led to bankruptcy.

  • In April 2019 it was reported that Facebook lost PII for 540 million users because a third party failed to store the data securely. A digital media company called Cultura Colectiva, based in Mexico, exposed 540 million records of user IDs and related PII through a publicly accessible server.
  • TechCrunch reported that a misconfigured, unprotected server belonging to a third-party vendor exposed 24 million bank loan and mortgage documents belonging to Ascension, a data and analytics company for the financial industry. The documents contained sensitive information from many major financial institutions, including CitiFinancial, HSBC Life Insurance, Wells Fargo and CapitalOne. The third party involved, OpticsML, provided OCR (Optical Character Recognition) services to convert paper documents and handwritten notes into computer-readable files.

In addition to the misconfiguration of the server's security settings, according to The Washington Post, the database allegedly did not have a password, meaning that anyone could have accessed the sensitive information.

  • Humana notified its customers in early 2019 about a third-party data breach that compromised the name, address, date of birth, partial Social Security number, and some policy-type information of an unknown number of customers. The incident was discovered during an internal review on Feb. 14, 2019. The breach was caused by one of Humana's business partners, BankersLife.

Major 2019 third-party breach examples at a glance

Entity                      | Source details
AMCA                        | Hacked over eight months until April 2019; lost PII for 20 million citizens; served Quest, LabCorp, and OPKO Health subsidiary BioReference Laboratories; later lost major clients and faced HIPAA noncompliance penalties leading to bankruptcy.
Facebook / Cultura Colectiva | Reported in April 2019: 540 million user PII records exposed through a publicly accessible server operated by Cultura Colectiva.
Ascension / OpticsML        | TechCrunch reported a misconfigured, unprotected third-party server exposing 24 million bank loan and mortgage documents; the third party, OpticsML, provided OCR services.
Humana / BankersLife        | Early 2019 notification of a third-party breach compromising customer personal data fields; incident tied to business partner BankersLife.

Part II of the series will cover the vendor categorization, alignment, and governance.
