Reviewing yet another data breach in the news, I was struck by the phraseology of the news report. Specifically, the article on MassMutual brought a point to mind that I keep using with companies and organizations I work with: You can transfer risk, but you are still responsible for your data in the public eye.
Reading the article, I was struck by the fact that nowhere in the article was the name of the third-party vendor mentioned. MassMutual is taking it on the chin (and quite defensively, I might add) because, ultimately it is their data. They picked out the third-party vendor – I wonder how good their contract with the vendor is.
And the parties affected by this breach? Their employees, and their families.
The company announcement: “The vendor engaged a highly respected forensics team to investigate, and at this time we believe that no misuse of the information or fraudulent activity involving the data has occurred,” is disingenuous at best. We looked, but found nothing right now – so everything is OK!
Here’s the reality, however:
According to a recent report published by Javelin Research, (for which you must pay $1250.00, so you won’t be seeing me offer THAT as a download) individuals whose personal information has been compromised in a corporate breach are four times more likely to suffer identity theft or fraud.
This result runs contrary to MassMutual’s defensive statement, and is very commonly used from breached companies, who often state that they have no indication that the compromised data has been used by criminals.
No vendor name, no information on how or when it happened, but trust us, your data is fine!