These days, data is king. It is a commodity unto itself and with the rise of advanced data algorithms, machine learning, and increased processing power, its value is only increasing.
So, whenever we enter our details into those online forms with the little red asterisks for mandatory fields (rarely, if ever, reading the terms and conditions) we’re placing our trust in that vendor to keep our details secure.
It is in their best interest to keep our data secure and most consumers only sign up to brands they implicitly trust. But what happens when that service provider takes that data and sells it or transfers it to another party? While the original vendor might have robust security procedures in place, we can’t be guaranteed that the companies they provide that data to have the same policies.
Enter third-party data sharing.
Whether for profit or convenience, data sharing can pose incredible risks – both to the consumer and the primary service provider.
Consider Alteryx Inc., a U.S. data analytics company which “provides analysts with the unique ability to easily prep, blend and analyze all of their data”. Customers use its platform to perform analysis beyond their in-house computational abilities. The customer uploads data to the Alteryx platform, and this data is compiled in a special file type which allows Alteryx's software to perform analytical techniques.
In December last year, had their data leaked when Alteryx inadvertently made their clients’ (Experian and the U.S. Census Bureau) data publicly accessible via Amazon Web Services.
The leaked data was rather personal, too. Categories in the database included addresses, phone numbers, and even whether the households preferred cats or dogs. Also included was information that could very easily be leveraged by scammers such as whether the household donated to political parties or charities and, if so, which causes they were likely to support.
In this case, consumers trusted Experian or the U.S. Census Bureau to keep their data safe – but ultimately an analytics company the vast majority of those households had never heard of published their personal data for the world to see.
When a customer agrees to share data with a company, an implicit trust bond is created between the customer and the business. The customer is aware that the company they do business with has collected data during their transaction, and hopefully is reasonably certain that data will be protected. The company itself may boast top-notch cybersecurity on its networks, double down on protecting sensitive data, and guarantee the protection of its customers’ data.
However, as soon as the company outsources or sells this data to a third party, all bets are off. The third party might even transfer the data to a fourth, fifth, or even tenth party. There’s no guarantee any of these companies have great network security, and as the number of businesses your data travels to increases, so too does the risk.
Personal details can be extraordinarily helpful to hackers attempting to answer security questions or guess passwords. And, as previously mentioned, scammers can carry out personalized, targeted attacks based on user preferences, using the same data as highly effective personalized advertisements. All the while, the customer thinks their data is secured with the primary company.
Experian and the U.S. Census Bureau aren’t the only companies who have lost data to third-party breaches. Target, Goodwill, Verizon and Home Depot have all suffered significant leaks due to third-party data sharing.
So, what can your business do to protect your customer data? First, make sure you know all the third parties you share data with. Make a list of them, starting with the companies who receive your most sensitive data. Check their website or get in touch to see what sorts of cybersecurity provisions they have in place. If you’re thinking about outsourcing to a new company, make sure you know what they’re doing to protect your data. If you can, run your own annual audits on them as well as penetration tests on third-party networks; if you find a vulnerability, let them know, and don’t outsource data until the security issue is fixed.
Above all, remember your customer’s data is only as secure as your weakest link’s weakest link.