4th Party Vendor Breach Strikes Again

by Brad Keller

Security can’t be looked at only inside the firewall; it must be accounted for throughout an organization’s entire business network

The recent Ticketmaster breach is a classic example of the challenges companies face in effectively managing vendor risk. Very few companies manage their online ticket sales. That job is left to companies like Ticketmaster who specialize in this service. In fact, I recently renewed my season tickets to North Carolina’s Blumenthal Performing Arts Center using Ticketmaster. Now I read that 5% of Ticketmaster’s entire database has been compromised.

I say that this is a classic example of how third party risk can spread because it wasn’t Ticketmaster that was compromised, it was one of the many companies that they outsource to – Inbenta. Inbenta provides live chat widgets to Ticketmaster, who deploys them on their sites worldwide. So, companies who outsource to Ticketmaster find themselves in the position of trying to determine the extent to which their customers’ information has been compromised by a breach at one of Ticketmaster’s vendors (i.e. their 4th party).

How organizations should approach third party risk

Companies taking a mature approach to third party risk would have included in their assessment of Ticketmaster questions concerning Ticketmaster’s use of third party service providers, and the efforts Ticketmaster uses to protect access to their systems and customer data. Best practices also suggest that Ticketmaster should have been required to identify any third parties they rely on to deliver their services to customers and to demonstrate that they have processes in place to make sure those vendors maintain proper IT and data security controls.

Did Ticketmaster properly manage their outsourced risk? Did companies (like Blumenthal Performing Arts) assess Ticketmaster to ensure it was managing its outsourced services? The answer to these questions will certainly be revealed over time. In the interim, this serves as a perfect example of why everyone’s third party risk program must include processes to identify and manage the risk of vendor outsourcing – and the 4th Party, 5th Party ... nth Party risk this presents.

Now if you’ll excuse me, I’ve got to check and see if the credit card I used to renew my season tickets has been compromised…again.

Written by Brad Keller, JD, CTRPP, Prevalent Inc.