Delta, Sears and Best Buy reported at the beginning of April that a data breach may have leaked the credit and debit card information of hundreds of thousands of their customers. The breach occurred at an online support service company, 7, which these businesses use for their online chat platforms.
7 experienced a malware attack from September 26th to October 12th of 2017. They reportedly knew about this breach, but they didn’t notify Sears, Best Buy, Delta, or any of their other clients using their platform, about the breach until mid-March of this year; six months after the breach occurred. Researchers indicate that, based only on the relatively scant information provided so far, customers who made online purchases from Sears, Best Buy, Delta and the other 7 clients during that time period could have also had their credit card information obtained through that security flaw.
What do these Delta, Best Buy and Sears breaches have in common?
It is important to consider a few significant points:
- The breaches all occurred within their third-party services provider, 7.
- They did not hear from 7 about the breaches until many months after the breaches had actually happened.
- Credit and debit card data was exposed for anyone on the internet to obtain.
- Other data included in those online chats may have also been accessible.
This is a significant third-party vendor breach and based on information that continues to be reported about it, a large number of mistakes were made by 7.
What do clients of 7 need to do?
Delta, Best Buy, Sears, and other clients of 7 need to follow a documented response procedure to this incident. If they do not have such a procedure, they are going to have much more difficulty responding appropriately.
All impacted organizations need to answer the inevitable questions from their customers. The likely customer questions include:
- Was my credit and/or debit card part of the Delta/Sears/Best Buy/other breach?
- Please provide me with a report of all activity for my credit/debit card. How will I be able to tell if my card has been used inappropriately by looking at that report?
- Do you have any triggers in place to keep my debit or credit card that was obtained during these breaches from being used inappropriately?
- I want to have my credit and/or debit card replaced. Can you do that for me, please? And, I don’t need to pay for a replacement, since this is a breach you caused, do I? NOTE: In the customers’ views, YOU are indeed the one that caused the breach, because they view you as the one that allowed it to happen to the data your customers entrusted to you.
Does your organization have procedures in place to deal with these types of questions? Have you provided training to those who communicate with your customers so they know how to accurately, and effectively, answer these questions, and then get any necessary replies supported by actions, such a credit and debit card replacements? If you don’t, you are long overdue to get these established as soon as possible. Breaches are increasing in frequency, and you will be hit with one; perhaps you have already and just don’t know it.
What do organizations have in common with Delta, Best Buy & Sears in relation to their breaches?
Virtually all organizations use at least some contracted services providers that involve the collection, transmission, storage or other type of handling of their customers’ financial and other types of personal data. Increasingly more are using such contracted entities to support those chat services, which were breached.
Breaches within contracted entities generally must be reported as soon as possible to their business clients to meet a wide range of legal requirements. Here are just a few:
- The EU GDPR breach response requirements (Articles 33 and 34)
- The Australia breach notice law
- The Philippines Data Privacy Act (Sections 29 and 30)
- The 54 U.S. State and Territory breach laws
- The U.S. Health Insurance Portability and Accountability Act (HIPAA) HITECH Act
- All associated legal requirements for the organizations, such as those established by their web site privacy notices, their contracts, etc.
There are many more. You need to know the laws that exist for every location where your organization collects, stores, processes, or accesses in any other way personal data for your customers, patients, employees, contractors, and any other individual.
Third-parties must be bound by contractual requirements
Every organization should have well established breach response requirements within their contracts they have with their contracted entities. If they do not, they are opening themselves to significant risks; from legal non-compliance, regulatory fines and penalties, civil suits, significant brand damage and customer loss, and more.
Organizations cannot allow their contractors to wait many months before letting them know of a breach of the personal data that the organization entrusted to them. Your third parties should be legally bound to contact you as soon as possible if they experience a breach involving, or potentially involving, your data entrusted to them.
Remember, your organization is ultimately accountable and responsible for that personal data. So you need to ensure your contractors have performed all due diligence activities possible to be able to demonstrate you’ve tried to address the security and privacy risks of your contractors.
More information on key vendor management
I’ve written about this topic often over the past two decades. For example, here are just a couple of my articles, “Will Your Contractors Take Down Your Business?” and “Don’t Let Third Parties Bring You Down.” I’ve also designed the architecture for my SIMBUS Tracker service to simplify and automate, as much as possible, such vendor security and privacy oversight management activities.
If you have any questions on this topic, just let me know. I will be covering this at my Data Privacy Asia sessions this September in Manila, Philippines.
Please get in touch!
I look forward to covering the wide range of privacy issues that must be addressed by every business, and every individual, in the coming months within this blog feature!
If you have a topic to suggest, just let me know. I always appreciate knowing the topics that are at top of mind for our readers.