The recent Ticketmaster, PageUp and PEXA data breaches have taught us one important lesson. Cyber criminals aren’t just petty thieves chasing the cash in the till; their targets are being carefully chosen for maximum impact and maximum return.
Just a few years ago, hackers were targeting the point-of-sale systems of businesses with a high transaction volume. It was a simple and successful approach. However, as these criminals become increasingly sophisticated, they are moving to more lucrative prey in the form of third-party technology solutions.
You might not have heard of a company called Inbenta Technologies before. It is a third-party supplier to Ticketmaster, responsible for hosting the live-chat window on the Ticketmaster website. Inbenta hit the headlines this week when Ticketmaster discovered malware had infected the software hosted by Inbenta, causing a potential customer data breach.
The breach serves as a cautionary tale to businesses when it comes to managing third-party cyber risk. It is not enough to simply trust that a well-known or credentialed technology supplier has the appropriate systems and processes in place to protect its customers’ data (not that I am suggesting Ticketmaster did).
Companies have a responsibility to vet suppliers and request assurance that they have the necessary frameworks and policies in place, not just to pray and hope that they do. It is something the banks have been doing for years; however, other businesses across a range of sectors are only just starting to realise the need.
Media reports suggest ties have been severed between the two businesses as Ticketmaster begins the all-too-familiar process of communicating to customers that their data may have been compromised.
While the usual debate will ensue about where the blame ought to lie, the customer-facing business will still shoulder some responsibility in this scenario, at least in the public eye. It also faces the very real risk to brand reputation and trust, the cost of which can be even more significant than the dollar value of any theft if not managed appropriately. All the more reason for businesses to take proactive action to obtain adequate visibility of cyber risk in their own supply chain.