3rd Party Vendor Breach Leaves Thousands of People at Risk

A security incident at The Pennsylvania Department of Corrections compromises the personal information of a seemingly “vulnerable population”
Shawn Stefanick
Threat Analyst
July 30, 2018
Behind Bars

Recently, Accreditation, Audit, and Risk Management Security LLC, an online systems vendor for the Pennsylvania Department of Corrections, suffered a data breach that exposed the Personally Identifiable Information (PII)—including names, Social Security Numbers, medical information, and driver's license numbers—of up to 13,000 inmates and 700 corrections employees. According to the Pennsylvania Department of Corrections, there have not been any reports of the exposed PII being misused. However, the actual repercussions of this breach may extend beyond identity theft and fraud.

When you think about a “vulnerable population,” the first thing that pops into your head might be the elderly. Everyone has heard stories of phone calls that target the elderly with scare tactics to solicit cash, or of emails supposedly from a long-lost relative needing money. Rarely do you think about inmates or corrections officers inside of prisons, but WJAC’s reporting on this breach sheds light on this class of people.

The affected inmates are a vulnerable population; they have limited access to communication mediums including the Internet, telephone, mail, and in-person visits. They also lack the monetary means necessary to mitigate their exposure to identity theft and fraud. Moreover, if impacted, inmates may not have access to credit upon release, leaving them with fewer resources to manage their life post-prison.

Likewise, corrections officers who have had their PII compromised are potentially vulnerable to blackmail, jeopardizing the integrity of the justice system.

In both of these cases, the implications of third-party data breaches can extend far beyond identity theft.

Organizations need to take a hard look at their business relationships, especially the risk profile of their third-party vendors. Simply stated, the overall security of a company’s data and systems depends on the risk controls provided by its vendors.

Prevalent helps enterprises manage risk in third-party business relationships. It is the industry’s only purpose-built, unified platform that integrates a powerful combination of automated assessments, continuous monitoring, and evidence sharing for collaboration between enterprises and vendors. No other product on the market combines all three components, providing the best solution for a highly functioning, effective third-party risk program.

To learn more, schedule a demo today.

Shawn Stefanick is a Cyber Threat Analyst at Prevalent, Inc. and an M.A. candidate in Georgetown University’s Security Studies Program. He conducts research on third-party business and cyber risk.
