From January 25 to 28, 2019, multiple organizations, including Discover Financial Services, Verity Medical Foundation, Verity Health Systems and Allen Chern LLP, have made routine filings in accordance with California state law, reporting cybersecurity incidents that may or may not be data breaches, according to the office of the Attorney General (AG).
The AG’s website notes, “In some cases the organization that sent the notice is not the one that experienced the breach,” and each of the companies that have filed in the past five days has asserted the information was compromised as a result of some unauthorized activity of a third-party vendor.
“Discover was not breached in this incident and our information and data systems were not compromised. This incident was the result of a merchant data compromise, and not the result of any action by Discover or an intrusion of our customer information systems,” a Discover spokesperson wrote in an email.
“We re-issued cards out of an abundance of caution for our cardholders. Our notices to all customers state that 'this breach did not involve Discover card systems.'”
According to Colin Bastable, CEO of Lucy Security, third parties are the CISO’s Achilles' heel. “It appears to be a classic case of a third party’s failure to protect Discover Card customer data. Discover is not going to feel it, but the buck has stopped somewhere down their food chain.”
Health records and payment card data are some of the most highly sought-after data for sale on the dark web, and “these kind of breaches create a lot of stress on both the issuers’ side and on consumers – regardless of whether an issuer was actually the target of a breach or a merchant in the network,” said Felix Rosbach, product manager at comforte AG.
“It’s crucial to protect sensitive data over the entire data lifecycle – from the POS device to processing to backup. Implementing data-centric security, which means protecting data at the earliest possible point and de-protecting it only when absolutely necessary, is the only way forward.”
Still, enterprises continue to trust that their data is secure when put in the hands of its partners, often without having done a thorough review of the security practices of their downline vendors.
“Until the market adopts a more sophisticated approach to third-party cyber-risk management that provides visibility at scale and with cost efficiency, these incidents will continue to occur frequently," said Fred Kneip, CEO, CyberGRX.