On July 25, ZDNet reported that a number of local Brazilian banks had had an estimated 25 gigabytes of their customers’ personal data exposed to public access via an unprotected server of a third-party financial services provider. The types of personal data exposed include scanned identification and social security cards, “as well as documents provided as proof of address and service request forms filled out by customers based in the capital city of Fortaleza, in the Brazilian state of Ceará.”
Although the data exposure pertains to multiple banks, a substantial amount of the exposed data relates to one local Brazilian bank, Banco Pan. Banco Pan issued a statement in which it reported “that the server is not owned by Pan and that no intrusion into the bank’s infrastructure has been found.” It also promised to “take appropriate measures if any misuse of this data is identified,” and stressed that security is a key priority for the firm and that it complies with data protection best practices as well as local regulations.
Note: This latest incident is a reminder to financial institutions’ compliance and information-security teams that they need to remain vigilant in maintaining due diligence on critical third-party providers. Servers that run misconfigured security software or, as in this case, are left wholly unprotected are an open invitation to malicious actors.
Third-party providers remain a critical vulnerability for many businesses. A November 2018 Ponemon Institute survey of U.S. and United Kingdom Chief Information Security Officers and other security and risk professionals found that 59 percent of all respondents, and 61 percent of U.S. respondents (a five percent increase since 2017), stated that they had “experienced a data breach caused by one of their vendors or third parties.” More troublesome were the findings that 22 percent of respondents did not know whether they had had a third-party data breach in the preceding 12 months, and that more than three-quarters of respondents “think that third-party cybersecurity breaches are increasing.”