Monday, 5 February 2024

Controversy surrounds the recent case of a German freelance IT service provider fined $3,265 for unauthorised access to data.

He was hired to resolve logging issues and happened to find a plain text password on the client’s system that enabled him to access the details of 700,000 customers unrelated to the original issue.¹

It’s a similar case to that of Nissan North America, in which a third-party software developer contractor moved the personal details of 18,000 clients to the cloud, where they were publicly accessible.²

In both cases, the contractor was there to help with an IT issue but ended up unwittingly causing a cyber breach. Contrast this with LandMark White, a NSW property valuation company, whose 170,000 customer records were deliberately exposed to the dark web by a contractor.³

The controversy is the question of intent. Did the contractor mean to access confidential data? From the point of view of the organisation that hired the IT contractor, that’s not the issue. Their issue is that, intended or otherwise, they now have the impacts of a breach to deal with. These can range from reporting to the regulators and stakeholders as required by privacy laws, to the potentially serious legal consequences of data theft. That is not something they contemplated when they hired a contractor to undertake a task they thought was unrelated to cybersecurity.

The point is that the organisation remains the responsible entity when it comes to the security of the data it holds. When you hire a contractor to work on your system, it’s like giving them the keys to parts of your house, and then they find a separate window open. The German contractor took it upon himself to have a good look around where he shouldn’t have, even if he didn’t take anything. The American contractor left all the valuables on the street while he made repairs inside, because he didn’t know any better. And whether he was looking for it or not, the Australian contractor found something he could make money from, so he took it away.

So, when your system needs attention from an IT specialist, do some research to make sure you avoid an unintended cyber breach. Make sure you know two things. Firstly, do they have the requisite skills not only to do what is needed, but also to avoid causing harm along the way? Some contractors claim skills that their experience only touches on, and this is a risk. Secondly, are they reputable? Can you trust them with the keys to your system and your data?

How do you tell these things? Check whether the IT company you are looking to use as a third-party supplier has a trusted reputation and appropriately qualified operators with relevant experience. A couple of extra things to look for are whether they offer a Chief Information Security Officer (‘CISO’) service, or whether they hold ISO 27001 certification, the internationally recognised standard for information security management systems. If the evidence is not clearly displayed on their website, you can ask about it in person.

Otherwise, you may as well just leave your door open.

We know we’ve said it before: third-party suppliers bring lots of risks. This is one that many people don’t consider, because the supplier comes in for a potentially unrelated purpose. Some more risks posed by third parties are discussed in our article: Transport – is your risk in the third party?

¹ Bill Toulas, “Court charges dev with hacking after cybersecurity issue disclosure”, Bleeping Computer, January 20, 2024
² Vilius Petkauskas, “Nissan data breach exposes clients’ full names and dates of birth”, Cybernews, November 15, 2023
³ Michael Bleby, “LandMark White data breach trial to put firm under spotlight”, Financial Review, March 7, 2021