Data Breach Exposes Risks of Third-Party Vendor Access to Your Company’s Data

If you shop with Discover, don’t be surprised if a replacement credit card arrives in the mail. The company is replacement cards after data breach compromised an undisclosed number of customer accounts, according to a recent filing with the State of California.

While the breach was initially detected in August 2018, news of the intrusion didn’t reach the general public until Bleeping Computer reported the filing of an incident notification with the state’s attorney general’s office January 28.  California law requires the reporting of any data breach affecting more than 500 residents.

Discover Financial Services said the breach did not occur within its own systems. It is believed that the card information was either stolen by hackers from third-party merchants or that the data was discovered for sale on the black market after being stolen via skimmers or data-hijacking malware.

Along with issuing new cards to affected customers, Discover advised cardholders to watch for fraudulent activity on their accounts and assured them that they would not be held responsible for unauthorized charges.

The incident underscores recent regulatory changes on the international, federal and state levels designed to protect customer data.

“New legislation, such as the EU’s GDPR, the pending California Data Privacy Act coming into force in  2020, and the new national bill proposed by Marco Rubio, the American Data Dissemination Act, create a regulatory barrier only met by the end-to-end use of encryption within these financial systems,” CipherCloud chief strategy officer Anthony James recently  told SC Media. “You must ensure that your data is encrypted in the database, in transit (e.g. middleware, API) and in use. Similarly, your business partners must be held to the new standards you require internally.” 

Experts responding to news of the breach stressed that companies handling sensitive payment information must broaden their approach to data security to protect customers.

“It’s crucial to protect sensitive data over the entire data lifecycle – from the POS device to processing to backup,” Felix Rosbach, product manager with comforte AG, told SC Media. “Implementing data-centric security, which means at the earliest possible point and de-protecting it only when absolutely necessary, is the only way forward.”

Third-party breaches across multiple industries have come to light through recent filings with the California Attorney General’s office. In addition to the Discovery Financial Services, Verity Medical Foundation, Verity Health Systems and Allen Chern LLP made routine security incident filings in accordance with state law.

At Valeo Networks, we embrace the Center for Internet Security’s Top 20 Controls as a “Defense in Depth” philosophy for all customers. This approach can help your organization reduce and mitigate 80% to 90% of cyber risk exposure.  Should your organization need a Cybersecurity Risk Assessment, contact us today.