Blogpost

Goodwill’s Third Party Due Diligence… “And it Makes Me Wonder”

Like everyone else glued to the media outlets this past week regarding the Home Depot breach I was softly sobbing to myself “here we go again” particularly after I just made a visit and a purchase with my credit card. However, this discussion isn’t about the Home Depot breach, but rather a less-than recent breach (with new information) that hasn’t drawn nearly as much attention as it should have.

You may or may not recall much press on the Goodwill Industries breach back in July, as it was reported that numerous banks informed them of a possible breach of customer credit and debit card data. The security website Krebs On Security further noted that “Goodwill later confirmed that the breach impacted a portion of its stores, but blamed the incident on an unnamed third party vendor. This week, the third party vendor in question turned out to be C&K Systems, a huge player in the management and deployment of Cloud based retail point-of-sale environments for small to medium specialty retailers, based in Chesapeake, VA.

Further research into the breach indicates Goodwill is turning a blind eye to the situation. As C&K Systems perform their suite of services in the Cloud, Goodwill’s vice president of marketing and development for Southwestern Pennsylvania reportedly remarked, “we don’t hold any of [our customer’s] credit card information in our computers…we’re feeling like this is a situation that’s not going to involve us, and we hope it stays that way.”

Note the comment “…it’s not going to involve us, and we hope it stays that way”. Uh oh…

Allow me to quote the great 20th century English scribe Robert Plant “…And it makes me wonder…” with regards to whether industry best practices were indeed followed in the third party/vendor selection process. Let’s remember that any company making such a claim needs to be aware that this truly has an impact on “us” (that is, the company) with regards to reputational risk. In this example, no one is going to remember this as the “C&K Systems” breach, rather they’ll remember the “Goodwill” breach.

When it comes to third party risk (TPR) I’ve preached often that you simply cannot turn a blind eye to your third party service providers, pointing over to them and explaining to someone “it’s their fault”. Be aware that such inaction can do more harm to your organization then you could ever realize. And if you’re regulated to provide oversight on your third party providers; let’s not even discuss the puzzled look that will be seen on a regulator’s face upon hearing such a comment.

Be sure to use TPR best practices in performing your due diligence. Don’t simply review a third party service provider (TPSP) SOC2 report or a PCI-DSS Report of Controls (ROC) and say “this looks ok – I trust them with our data,” for that is never enough. Regardless if you are a regulated entity or not, you should still perform a thorough analysis of their performance and handling of security, change control, network management and any other components as identified in the Shared Assessments SIG questionnaire. And perform this analysis periodically, to ensure you’re comfortable with the effectiveness of their policies and procedures. Establish clear guidelines regarding their handling and notification should a breach occur to your data. This should help you to accept any risks associated with using this vendor.

Remember, when dealing with any TPSP, to always assess controls with the same level of care and due diligence you would if it were an internal department handling critical and confidential data. TPSP’s should be treated as if an extension of your organization and watchful eyes should always be kept.

By adhering to these principles you will get a detailed understanding of your TPSP’s handling of your data. It’s one less thing to worry about as you continue to (again, to quote Robert Plant) “ramble on” and do what you do best: service the needs of your customers.

Shared Assessments Senior Director, Tom Garrubba, is an experienced professional in IT risk and information controls, most recently in developing, maintaining, and consulting on third party risk (TPR) programs for Fortune 100 companies. A nationally recognized subject matter expert and top-rated speaker on third party risk. Connect with Tom on LinkedIn

Sources:

    1) http://krebsonsecurity.com/2014/09/breach-at-goodwill-vendor-lasted-18-months/#more-27835

    2) http://www.post-gazette.com/business/2014/07/23/Amid-Goodwill-s-probe-of-possible-data-theft-local-branch-said-no-evidence-of-breach/stories/201407230030