Framing Third Party Risk: The PNI Photo Hack
The attack on an obscure photo printing vendor underscores the risk that third parties pose in the age of outsourcing.
For ambitious companies that are looking to quickly build out new services for their customers, it truly is the best of times… and the worst of times.
First: the best of times. The advent of massively scalable and astoundingly cheap storage and computer power from the likes of Amazon and Rackspace has made it easier than ever for new companies to spring up offering all manner of online services, from social networks to dirt-cheap storage for individuals and businesses like Box, Dropbox and so on.
That’s engendered a slew of cool startups – Instagram and Pinterest among them. But the impact on the B2B market is even bigger (if harder to notice). Platforms like Salesforce, Hubspot, Marketo and Mailchimp have empowered tens of thousands of small firms with their platforms and subscription services, which are both more powerful and far cheaper than anything that could been had a decade ago.
Now for the “worst of times” bit: all these third party providers are sources of cyber risk for their customers, who trade away oversight and control for the benefit of powerful, plug-and-play offerings.
The latest example: this week’s news about a breach at a little known Canadian photo services firm that has ensnared some of the biggest names in retail in the U.S.
I’m talking, of course, about the plight of PNI Media, the Vancouver-based company that was acquired by office supply giant Staples last year, and that counted many of the nation’s top retail outlets (including many Staples competitors) among its loyal customers.
PNI provided a host of services that you have probably used: web sites for uploading and printing photos, making photo albums and ordering mugs and t-shirts festooned with photo images. Among the companies that white labeled PNI’s services: CVS, which used PNI to power its CVSPhoto.com web site. The company also was the back end for Costco’s costcophotocenter.com web site, as well as similar sites operated by Rite-Aid, Sam’s Club and TESCO.
That was all well and good, until PNI found itself on the wrong side of as-yet unidentified hackers, who compromised PNI’s web-based platform and used it to harvest information from unwitting shoppers at those web sites and others.
The breach first came to light in mid July, when CVS, Costco and others abruptly shuttered their online photo services citing an incident at a third party provider. In the last week, more details have emerged not via PNI, but through PNI’s clients. Specifically: both CVS and Costco informed their customers that some of their data was exposed in the incident. CVS said that personal and account information used to log into CVSPhoto.com was exposed to hackers. Costco acknowledged that credit card numbers as well as personal information typed into the costcophotocenter.com site during the period of the breach – which lasted more than three weeks – may have been stolen by hackers. In neither case were customer photos exposed.
But the full extent of the breach at PNI is still unknown and what we do know – mostly by reading between the lines of the official communications from affected firms – isn’t encouraging. What started out as a loosely defined “security incident” now looks like a sophisticated hack that lasted almost a month and that involved the use of some kind of key logging technology on PNI’s web based platform.
And those official statements vary greatly. While companies like CVS, and Costco have admitted that customer data was stolen, others, like Sam’s Club maintain that no customer data was exposed. Firms like TESCO are mum on the issue. Another affected firm: Rite-Aid, has not updated its web site since the breach was first discovered in mid July.
The picture that emerges is muddled, to be sure. But one thing that is clear is that sophisticated, public facing companies need to do a better job vetting the security of third party firms with whom they contract. We’ve already had ample evidence for the risk that naive adoption of such platforms and services poses.
In July, for example, the Indiana Attorney General revealed that four million patients of more than 230 hospitals, doctors offices and clinics had patient data exposed in a May hack of Fort Wayne, Indiana firm Medical Informatics Engineering (MIE) and its NoMoreClipBoard electronic health records system. That breach affected healthcare organizations across the country, ranging from prominent hospitals to individual physicians’ offices and clinics. Among the victims were 1.5 million residents of Indiana – fully a quarter of the state’s population.
Updated regulations, including the PCI DSS Version 3.0, already enshrine third party security assessments as a best practice, but companies struggling to get their own IT house in order may find that such assessments are easier said than done.
What’s the solution? Thorough vetting of would-be providers that includes third party security assessments and pen tests of web-based applications and services are a good place to start. While imperfect, such routine screening can help spot the most egregious errors and, perhaps, expose companies that are paying lip service to security.