Countless organizations continue to suffer breaches for various reasons. One situation that occurs far too often is an organization suffering a data breach because of a third-party vendor. An organization that contracts with a third party for whatever purpose can have its own data compromised if that third party is breached. There are numerous recent examples of this, such as the incident covered in our post yesterday, in which Google employee information was exposed due to a cyber attack on a travel agency. Yet another example is an incident a few months ago in which a massive amount of jobseekers' personal information was exposed due to a third-party breach. In the most recent situation, the Erie County, PA Office of Children and Youth suffered a breach resulting from inadequate security on a third-party database.
The breach was first discovered back in May, when a worker with Pennsylvania child welfare found an online link that led to a client file that should not have been viewable. It was reported that the identities in around 1,800 child welfare cases statewide could have been compromised, with fewer than 30 of these cases located in Erie County. The breach involved a database of the Child Accounting and Profile System, which is maintained by a company called Avanco International. Based in Virginia, Avanco deals in federal, state and local government consulting and contracting, as well as software integration. Lana Rees, the county OCY director, said that the office enters case files into this database, which includes information like names, dates of birth, and Social Security numbers. All of this data is highly sensitive and can be used for identity theft and fraud. The information has since been removed from the internet, but it is unclear how long it was online. The County Commissioners Association of Pennsylvania has been working with other officials across the state to determine the cause of the breach. On June 30, letters were sent out to those affected or their family members to notify them of the incident.
It appears that the county is addressing the breach quite well, as it is taking full responsibility for the situation rather than blaming the third party. Rees said, “We understand our obligation to ensure sensitive information about the people we serve is kept secure, and we take this incident very seriously.” Unfortunately, it is far too common for an organization breached through a third party to simply deflect and point the finger at the vendor.
A data breach can be one of the most difficult times for an organization to go through, and there are many actions that it needs to take. Not only does it need to address the immediate security vulnerability, but there are also the matters of notifying those affected, determining the cause, tracing the source, and eliminating information that has spread online. If an organization is neglectful or lackadaisical on any of the above points, it can severely undermine the mitigation and remediation of the incident. In fact, some organizations have even tanked as a result of an improperly handled data breach. Many organizations may not have the resources to complete all of the above tasks, which is why some will recruit outside help with data breach solutions. It is much better to enlist help when needed than to do an incomplete job. Massive Alliance provides data breach solutions that cover all of the above points and much more.