Last week’s Ticketmaster breach is a classic example of the challenges companies face to effectively manage vendor risk. Very few companies manage their online ticket sales. That job is left to companies like Ticketmaster who specialize in this service. In fact, I recently renewed my season tickets to the North Carolina’s Blumenthal Performing Arts Center using Ticketmaster. Now I read where 5% of Ticketmaster’s entire database has been compromised.
I say that this is a classic example of how third party risk can spread because it wasn’t Ticketmaster that was compromised, it was one of the many companies that they outsource to – Inbenta. Inbenta provides live chat widgets to Ticketmaster, who deploys them on their sites worldwide. So, companies who outsource to Ticketmaster find themselves in the position of trying to determine the extent that their customers’ information has been compromised by a breach at one of Ticketmaster’s vendors.
How organizations should approach third party risk
Companies taking a mature approach to third party risk would have included in their assessment of Ticketmaster questions concerning Ticketmaster’s use of third party service providers, and the efforts Ticketmaster uses to protect access to their systems and customer data. Best practices also suggest that Ticketmaster should have been required to identify any third parties they rely on to deliver their services to customers and to demonstrate that they have processes in place to make sure those vendors maintain proper IT and data security controls.
Did Ticketmaster properly manage their outsourced risk? Did companies (like Blumenthal Performing Arts) assess Ticketmaster to ensure it was managing its outsourced services? The answer to these questions will certainly be revealed over time. In the interim, this serves as a perfect example of why everyone’s third party risk program must include processes to identify and manage the risk of vendor outsourcing.
Now if you’ll excuse me, I’ve got to check and see if the credit card I used to renew my season tickets has been compromised…again.
Brad Keller has been developing and leading risk management programs for more than 25 years. Currently, Brad is the Sr. Director of 3rd Party Strategy at Prevalent, Inc. where he focuses on the delivery of Prevalent’s third party risk management and assessment solutions.
GE has disclosed a data breach originating at one of its third-party service providers.
When Marriott acquired Starwood in 2016, the company inherited a compromised reservation system platform that resulted...