PageUp and the 3rd Party Liability Problem
3rd Party Liabilities
The tech world was thrown into frenzy over the recent hack of international HR service provider PageUp.
In late June, chief executives reported “unusual activity” in its IT infrastructure. An investigation was launched and emergency notifications were distributed to PageUp’s broad client base.
The industry quickly understood: the implications of this hack were potentially devastating.
PageUp specializes in storing personal details of workforce personnel. The company boasts two million active users across 190 countries. All of this data was now suspected of being compromised.
The most recent news on the PageUp damage report was the leaked data of the UK food and hospitality giant Whitbread. The hotel and coffee shop operator acknowledged that some current and prospective employees’ data may have been compromised during the PageUp hack. Whitbread sent a message to individuals potentially affected stating that personal detail collected during recruitment processes “may have been accessed and could potentially be used for identity theft.”
Whitbread has reportedly suspended its use of PageUp’s services.
The Third Party Liability
The PageUp breach and its subsequent fallout highlight the ever present–and increasingly risky–threat to data posed by third party outsourcing.
Third party contractors are extremely attractive targets for cyber criminals. As one industry leader put it: “information like dates of birth and even maiden names […] gives cyber-criminals all that they need to successfully monetize the hack, from phishing attacks to identity theft.”
The risk of third party vendors is especially true in the era of heightened compliance demands set by current data regulations. Laws like the EU GDPR put all the responsibility on companies when it comes to who they trust to handle their data. In the medical industry, HIPAA requirements also extend to any outside service provider dealing with personal data of patients.
Handle on the Data
Enterprises need to take control of their sensitive data, whether it is on their own networks, or being managed via outsourcing.
This means companies need to vet their digital-service supply chains more seriously. Managers must get clear answers from service providers on very important questions:
- What are the security standards for personnel data?
- How up to date are the company’s data loss protection tools?
- How does the contractor deal with regulation compliance?
Ensuring the tight standards of contractors is the only way for companies to safely employ third parties to handle their most sensitive data.