
Corporate

Nov. 26, 2018

Data breaches in 2018: contractor negligence

While the cause of natural disasters is beyond our control, and stopping foreign governments’ malicious cyberattacks is daunting, many of the serious data breaches in 2018 were due to good old fashioned sloppiness and inattention.

Anita Taff-Rice

Founder, iCommLaw

Technology and telecommunications

1547 Palos Verdes Mall # 298
Walnut Creek, CA 94597-2228

Phone: (415) 699-7885

Email: anita@icommlaw.com

iCommLaw® is a Bay Area firm specializing in technology, telecommunications and cybersecurity matters.


CYBERSLEUTH

As 2018 draws to a close, disasters of all types dominated the news, from devastating wildfires, floods and volcanic eruptions to man-made problems such as cybercrimes and massive data breaches. While the cause of natural disasters is beyond our control, and stopping foreign governments' malicious cyberattacks is daunting, many of the serious data breaches in 2018 were due to good old fashioned sloppiness and inattention.

In its annual survey of information technology professionals on data breaches, released this month, the Ponemon Institute found that 61 percent of U.S. companies had experienced a data breach caused by a third-party contractor in the last 12 months, an increase from 56 percent in 2017 and 49 percent in 2016. The Beazley Insurance Company found similar results in its annual data security survey. Beazley reported that 28 percent of all data breaches were caused by accidental disclosure -- almost as many as the 34 percent of breaches caused by hacking or malware. The Beazley report does not distinguish between data losses due to contractors and losses due to employees.

Despite the obvious problem with leaky contractors, Ponemon reports that 66 percent of U.S. companies lack a comprehensive inventory of all contractors with whom sensitive data is shared and only half of the respondents reported any active management efforts, such as reviewing contractors' security policies and programs to ensure adequacy. Even more alarming, respondents reported to Ponemon that they believe 41 percent of their contractors are sharing sensitive and confidential information with subcontractors with whom they have no direct legal relationship. Not surprisingly, the vast majority, 88 percent, of IT respondents reported no confidence that they would learn if their sensitive data was lost by a subcontractor.

There are plenty of real world examples proving these surveys right. Earlier this month, the Seattle Times reported that Nordstrom suffered a breach that exposed the names, Social Security numbers, dates of birth, checking account and routing numbers, and salaries of current and former employees. The breach was blamed on a contractor that allegedly "improperly handled" Nordstrom employee data. Nordstrom reported that the unidentified contract worker no longer has access to its systems, but did not indicate whether the contractor was still employed. Nordstrom's security team discovered the breach.

In August, the Wall Street Journal reported that PG&E was fined $2.7 million for losing control of sensitive data about its electric facilities. The breach was blamed on mishandling by a PG&E contractor who downloaded the data to its own network but failed to employ any security measure at all, according to an investigation by the North American Electric Reliability Corporation. The contractor's error exposed 30,000 sensitive asset records, including IP addresses and server host names that include user data, on the internet for 70 days. The data could be accessed without use of an ID or password. NERC, which reported the breach to the Federal Energy Regulatory Commission, did not identify PG&E as the utility nor the contractor at fault. PG&E's identity was revealed months later only after the Wall Street Journal and a consumer group each filed requests under the Freedom of Information Act. The contractor still has not been named.

Even the U.S. military isn't immune. In October, the Associated Press reported that a breach of Defense Department travel records had compromised personal information and credit card data of U.S. military and civilian personnel. Up to 30,000 military and civilian workers are estimated to be affected by this breach, which reportedly was caused by a commercial vendor used by the agency. The contractor was not identified, supposedly for security reasons, but a DoD spokesman stated that the contractor was still under contract.

Data breaches such as these raise serious questions about the apparent inattention and/or inability of companies and the government to properly vet and monitor the contractors they hire. The Ponemon survey found that an overwhelming majority of IT professionals -- 76 percent -- acknowledge that the number of cybersecurity incidents involving contractors' vendors is increasing, but only 46 percent report placing a high priority on managing contractor relationships. Obviously, there is a lot of room for improvement. Ponemon recommends that companies raise the profile of contractor security issues by forming an oversight committee or adding oversight by the company's board of directors. Even assuming that such steps would be effective, they are likely beyond the reach of small to mid-sized companies that lack formal committees or engaged boards.

There seems to be a much more straightforward and effective technique that no one has tried. The cavalier attitude of contractors toward data security has been exacerbated (if not encouraged) by the cone of silence surrounding the identity of contractors whose sloppy or non-existent security practices caused the data breach. Why are the contractors being protected if, in fact, their apparent negligence caused the breach? State and federal lawmakers should refine data breach disclosure laws to require companies to publicly report the names of contractors that have been determined to have caused data breaches as part of their data breach reporting obligations. Even without changes in the law, companies should be more forthcoming about the identities of such contractors. Perhaps the threat of public disclosure would encourage contractors to change their behavior -- sort of like the grassroots effort a few years ago to photograph the license plates of cars parked at brothels and post the photos on the internet.
