Your private information is no longer safe simply because you trust the organization you do business with. Thanks to the interconnectedness of the digital economy, your personal information travels through many organizations: suppliers, service providers, and third-party cloud vendors all access and use it to complete their own part of a transaction.
Businesses gain efficiency from sharing personally identifiable information with so many entities, but cybersecurity professionals consistently rank third-party risk management among the top challenges organizations face today.
The illumifin data breach exemplifies this risk. A breach inside an organization exposes that organization's own customers. A breach at a third-party service provider that acts on behalf of many organizations is different: it exposes the customers of every client the provider serves, even though those customers never dealt with the provider directly.
Third-party administrators handle massive volumes of sensitive information, including financial data and protected health information, to deliver services across many industries, insurance among them. They act as data processors and typically contract with dozens or hundreds of clients. As a result, a single breach at the administrator is, in effect, a simultaneous breach of every client whose data it holds.
A major issue with third-party breaches is visibility. Customers often do not know that their information is stored or processed by another company, so when that company is breached, the notification may arrive from a name they have never heard of, leaving them unsure what action is required or when to take it.
Many third parties run complex environments: they connect to multiple client systems and exchange data across multiple networks, each with its own security protocols. That complexity increases the attack surface, especially when the third party does not enforce security controls as strict as those of its partners.
The data compromised in these incidents is also highly sensitive, particularly when financial, medical, and personal information are combined. Such records are valuable to cybercriminals, who can use them for identity theft, insurance fraud, and targeted scams.
Businesses therefore need to examine the security of their partners and hold them to strict vendor risk management requirements. Securing the internal network alone is not sufficient; organizations should require that partners implement effective cybersecurity measures, enforced through contractual obligations, regular audits, and ongoing monitoring.
Individuals need to recognize that their data footprint extends into many organizations they never interact with directly. After an unexpected breach notification, the most important step is to stay vigilant: check which organization and which data the notice concerns, and watch for misuse of the affected accounts.
As the online world grows, third-party risk is becoming an area of increasing concern for cybersafety. Cases such as illumifin also show that the risk often lies where we least expect it.
