🪙 Federal Bank Regulatory Agencies in the US release a guide to assist Banks in the development of Third-Party Risk Management practices
On May 3, 2024, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency announced in a press release that they had issued a guide to help community banks manage the risks presented by their third parties. The guide does not replace the Interagency Guidance on Third-Party Relationships: Risk Management (TPRM Guidance) issued in June 2023.
Banks remain responsible for the risks of the third-party relationships they enter into: they must identify, assess, monitor and control those risks, and they retain the responsibility to comply with applicable laws and regulations. This is why the guide can be very useful for banks that want to conduct their third-party relationships in a safe manner.
The guide includes factors, examples, resources and suggestions for community banks. It is divided into four sections: risk management, third-party relationship life cycle, governance, and appendix. The section on third-party relationship life cycle includes considerations on: planning, due diligence and third-party selection, contract negotiation, ongoing monitoring, and termination.
It is a comprehensive and highly useful guide for community banks, and for other types of financial institutions as well.
To read the full guide see: https://www.federalreserve.gov/publications/files/third-party-risk-management-guide-20240503.pdf
🍽️ Hospitality venues in New South Wales involved in third-party data breach
Several venues around New South Wales, Australia, use the same IT provider, Outabox, which offers a range of services including sign-in systems. The hospitality venues that use Outabox include restaurants, clubs, hotels and casinos, among others. Licensed venues in New South Wales are legally required to ask for customers' IDs or licenses upon entry.
Outabox was the victim of a cyberattack that resulted in a data breach which could affect up to 1 million customers. It is unclear when the attack took place.
In a press release on May 2, Outabox stated: “Outabox has become aware of a potential breach of data by an unauthorized third party from a sign-in system used by our clients. We are working as a priority to determine the facts around this incident, have notified the relevant authorities and are investigating in cooperation with law enforcement.”
A website was created anonymously that includes a search bar where people can check whether their information was affected by the breach. The affected data allegedly includes personal information, facial recognition data, IDs, licenses and signatures. The website also includes accusations against Outabox of mismanaging private information.
The New South Wales government and the ClubsNSW organization also issued statements with useful information for those who might have been affected by the incident.
🪖 UK military victim of third-party data breach
Shared Services Connected Limited, a company that provides payroll services to the UK military, Government and Police, was the victim of a cyberattack that led to a data breach affecting the information of an undisclosed number of UK military personnel and veterans.
The leaked data reportedly includes bank details and personal information.
There is no indication that any Ministry of Defence operations have been compromised.
The Defence Secretary, Grant Shapps, stated that there is “evidence of potential failings” by the third-party which “may have made it easier for the malign actor to gain entry”.
Reportedly, the system will remain offline until more is known about the incident.
The identity of the perpetrator remains unknown.
🩺 US healthcare provider Kaiser Permanente involved in data breach
Kaiser Permanente, a large US healthcare provider that operates around 40 hospitals and more than 600 medical facilities, was involved in a data breach that may have affected around 13.4 million members. The conglomerate reported the breach to the U.S. Department of Health and Human Services Office for Civil Rights, as all companies covered by HIPAA (the Health Insurance Portability and Accountability Act) are legally required to do when patient information is involved. The report was submitted on April 12, 2024, and was made public by the Office at the end of April. Kaiser's breach is listed there as the largest reported in 2024 so far.
The leak occurred through third-party tracking and analytics technologies installed on Kaiser's website and mobile apps, which shared patient information with advertisers including Google, X (formerly Twitter) and Microsoft, among others. According to Kaiser Permanente, these tools have now been removed. It is unclear, however, what has happened to the data that was already shared.
In a statement shared with TechCrunch, the company said “the data shared with advertisers includes member names and IP addresses, as well as information that could indicate if members were signed into a Kaiser Permanente account or service and how members interacted with and navigated through the website and mobile applications, and search terms used in the health encyclopedia.”
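The mechanism described above is easy to miss during a routine review because the tracking tag itself looks like an ordinary analytics script; what gives it away is the traffic it generates. As an added illustration (not code from the article, from Kaiser Permanente or from any vendor named here), the following Node.js script shows the kind of check that would surface such a leak in captured traffic: it walks a list of outbound requests recorded from a page, treats anything not on a first-party hostname allowlist as third party, and flags third-party requests whose query parameters or Referer header carry sensitive parameter names, or embed a first-party URL together with its query string (which is how a search term typed into a health encyclopedia ends up at an advertiser). The hostnames, parameter names and sample requests are constructed assumptions for the example.

```javascript
// Added example: audit captured outbound requests for third-party destinations
// that carry first-party data (search terms, sign-in state, identifiers).
// All hostnames, parameter names and sample requests below are constructed.

// Assumption: these are our own hosts; any other destination is third party.
const FIRST_PARTY_HOSTS = new Set([
  "healthportal.example",
  "www.healthportal.example",
]);

// Query-parameter names that commonly carry identifying or health-related data.
const SENSITIVE_PARAMS = new Set([
  "q", "query", "search", "term", "name",
  "member", "member_id", "uid", "signed_in", "logged_in",
]);

function isFirstParty(hostname) {
  return FIRST_PARTY_HOSTS.has(hostname.toLowerCase());
}

// True when `value`, after URL-decoding, is a first-party URL that still has
// a query string attached (e.g. "...encyclopedia?q=hiv+test").
function embedsFirstPartyQuery(value) {
  let decoded;
  try { decoded = decodeURIComponent(value); } catch { decoded = value; }
  let parsed;
  try { parsed = new URL(decoded); } catch { return false; }
  return isFirstParty(parsed.hostname) && parsed.search.length > 1;
}

// Audit one captured request of the form { url, headers: { referer? } }.
// Returns null for first-party or clean requests, otherwise a finding.
function auditRequest(req) {
  const url = new URL(req.url);
  if (isFirstParty(url.hostname)) return null;
  const reasons = [];
  for (const [name, value] of url.searchParams) {
    if (SENSITIVE_PARAMS.has(name.toLowerCase())) {
      reasons.push(`sensitive parameter "${name}" sent to third party`);
    }
    if (embedsFirstPartyQuery(value)) {
      reasons.push(`parameter "${name}" embeds a first-party URL with its query string`);
    }
  }
  const headers = req.headers || {};
  const referer = headers.referer || headers.Referer || "";
  if (embedsFirstPartyQuery(referer)) {
    reasons.push("Referer header leaks a first-party URL with its query string");
  }
  return reasons.length ? { host: url.hostname, reasons } : null;
}

function auditCapture(requests) {
  return requests.map(auditRequest).filter(Boolean);
}

// Constructed sample capture: a first-party page load, an analytics beacon that
// copies the page URL and sign-in state, and a harmless static asset.
const SAMPLE_CAPTURE = [
  { url: "https://www.healthportal.example/encyclopedia?q=hiv+test", headers: {} },
  {
    url: "https://collect.analytics.example/g?dl=https%3A%2F%2Fwww.healthportal.example%2Fencyclopedia%3Fq%3Dhiv%2Btest&signed_in=1&uid=8841",
    headers: { referer: "https://www.healthportal.example/encyclopedia?q=hiv+test" },
  },
  { url: "https://cdn.fonts.example/inter.woff2", headers: { referer: "https://www.healthportal.example/" } },
];

for (const finding of auditCapture(SAMPLE_CAPTURE)) {
  console.log(`${finding.host}: ${finding.reasons.join("; ")}`);
}
```

On the sample capture only the analytics beacon is reported, with four reasons: the `signed_in` and `uid` parameters, the `dl` parameter wrapping the first-party search URL, and the Referer header repeating it. In practice the request list would come from a HAR export or proxy log of a signed-in session. Removing the tags, as Kaiser says it has done, is the direct fix; a `Referrer-Policy` of `strict-origin-when-cross-origin` stops the Referer path and query from reaching cross-origin hosts, and a Content Security Policy whose `connect-src` and `img-src` directives list only approved hosts keeps a newly added tag from opening a similar channel.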
This breach comes as a substantial blow after another major healthcare provider, Change Healthcare, suffered a significant third-party data breach in February 2024.