When sensitive data is exchanged between a major company and its third-party vendors, the source company can take on information-security risks it wouldn't otherwise face. After all, its security measures become only as strong as those of the weakest partner. Such scenarios can have serious consequences: just ask PG&E, which was hit with a major fine when one of its third-party vendors neglected to follow some basic security policies.
In May 2016, a cyber risk researcher named Chris Vickery happened upon a major trove of sensitive data belonging to an unnamed energy utility company.
Numbering 30,000 records in all, the data could have been discovered by just about anyone and, given the light password encryption, easily used for any number of malicious ends. Moreover, the data had been sitting exposed for nearly 70 days by the time Vickery discovered it—an eternity in the world of cybersecurity.
This year, after two years of speculation, the source of the breach finally came to light. A regulatory filing confirmed what industry observers had long suspected: the company that owned the data was PG&E, also known as Pacific Gas & Electric. As punishment, the publicly traded, San Francisco-based energy utility was slapped with a $2.7 million fine.
“The publicly exposed database appeared to be PG&E’s asset management system,” Vickery explained. “Among other things, it contained details for over 47,000 PG&E computers, virtual machines, servers, and other devices. All of it completely unprotected. We’re talking about IP addresses, operating systems, hostnames, locations, MAC addresses, and more.”
The breach arose, he continued, when a “third-party contractor exceeded its authorized access by improperly copying certain data from [the company’s] network environment to the contractor's network environment, where it was no longer subject to visibility or controls.”
In plain language: a third-party vendor copied all that data onto an unsecured network and left it published on the internet—with easily decoded passwords. Big problem.
“This would be a treasure trove for any hostile nation-state hacking group,” Vickery added.
The incident reveals the risks companies take on when their sensitive data is used by third parties. Without strong oversight and controls frameworks, companies face legal consequences, millions of dollars in fines, and, most dangerous, the risk that sensitive data could fall into the wrong hands.
How a Robust ERM Solution Could Save You Millions
In its own defense, PG&E stated that the third-party vendor broke with policy and downloaded the sensitive information onto a personal computer—despite ample training and rules designed to prevent such activity. However, the responsibility for security always lies with the company that owns the data.
For companies of any size that handle sensitive information, it’s critical to use comprehensive risk-mitigation technology that can be employed across the enterprise. A robust Enterprise Risk Management program helps companies verify third-party access and ensure that every stakeholder follows proper procedures. Timely and accurate certifications and attestations are small but effective steps to ensure appropriate parties follow the right protocols every time.
LogicGate’s Third-Party Risk Management software is an agile solution that adapts and grows with your organization and its needs. Putting a robust, automated system in place to manage your company’s compliance standards can help significantly reduce the risk of fines and reputational damage. Just ask PG&E. Check out our relevant blog on why companies are Moving Beyond the Spreadsheet for Vendor Risk Management.
For more on Vendor Risk Management, check out LogicGate's eBook below on Third-Party Risk: Driving Cross-Functional Alignment Across the Vendor Lifecycle.