Protecting Company data from third-party data risks
Just last week, millions of Australians were impacted by yet another cyber incident and data breach which infiltrated two major ticketing sites – Ticketek Australia and Ticketmaster. Do you know who has access to your company data?
At this stage, Australian data has not been identified in the Ticketmaster incident; in the case of Ticketek, however, the data breach originated from a third-party provider holding Australian data and customer information in a cloud-based platform.
Third-party providers a weak spot for customer data
As cyber threats continue to increase in Australia and globally, third-party vendors are proving to be a point of vulnerability in data breaches.
In an email to customers, Ticketek advised that it had been made aware that Australian account holder information, including full names, dates of birth and email addresses, may have been compromised in the cyber incident. The information was stored in a cloud-based platform hosted by a reputable third-party supplier.
Ticketek reassured customers that their Ticketek accounts had not been compromised and that they have secure encryption in place to handle credit card information. Additionally, Ticketek advised that transactions are processed via a separate payment platform which had also not been impacted. Yet, through a cyber-attack on a third-party provider with access to select customer information, the data privacy of countless Australians has been compromised.
It would seem that Ticketek appropriately followed protocol, assembling resources to complete an investigation and communicating with stakeholders as quickly as possible. It also notified the Australian Signals Directorate's Australian Cyber Security Centre (ACSC) and began liaising with the Office of the Australian Information Commissioner (OAIC) and the National Cyber Security Coordinator on the investigation, remediations and response to the cyber incident.
This example raises the question: while an organisation may have reasonable data governance controls in place for the storage, handling and protection of data, can you be confident that third-party providers are meeting those obligations and Privacy Act compliance requirements?
"We're absolutely seeing a rise in third party suppliers being the source of data breaches."
Carly Kind, Australia's new Privacy Commissioner
Company data questions for business leaders
Boards, directors and senior business leaders must be able to answer these questions about the storage, handling and protection of the company's data:
- Where is your data stored?
- Who has access to your data?
- Who is responsible for your data?
- What data do third parties have access to?
- Which third-party providers can access your IT platform directly?
- How long do third parties hold data for? What data do they hold?
- What data storage, handling, protection, data privacy and data governance controls and measures do you have in place?
- What policies and procedures do third-party providers have in place to govern and protect data security?
- How are third-party providers vetted to understand the data and privacy protections that are in place?
- How are third-party providers assessed for compliance with data governance and privacy controls?
Data governance implications for Australian Boards & Business Leaders
Australia’s privacy landscape is preparing for an overhaul with reforms to the Privacy Act expected to be introduced from August 2024, and for Australian boards and business leaders there are several crucial areas of focus.
Compliance and risk management are top priorities. Board directors must ensure the company has robust privacy policies and procedures in place to comply with privacy regulations. This might include stating the primary purpose of collection in privacy notices, providing privacy policies covering the 'Right to Erasure', data encryption, anonymisation and ethical use, categorisation of Personally Identifiable Information (PII), Data Protection Impact Assessments (DPIA) and having Incident Response Plans (IRP) ready to go.
Critically, boards and management should consider the appointment of a Data Protection Officer (DPO) or similar to oversee all data protection activities and ensure the company stays compliant. Regular audits and assessments of third-party compliance are essential to maintain data security controls, and agreements should set out the obligations and responsibilities of all parties.
Ultimately, the board is responsible for undertaking due diligence to protect the company’s data and privacy of individuals and that responsibility extends to overseeing third-party obligations.
Get in touch
If you need assistance navigating the privacy landscape or the current privacy and data governance posture for your organisation, please get in touch. We’d love to help.