UPDATED: So many vendors ... but who's to blame for the breach?

Melissa Stevens | December 12, 2013 | tag: Third Party Data Breach

The local news is abuzz with a story of Boston convention attendees who have been victims of a credit card data breach. The impact is small - only about 300 people have been affected so far - but there is a lot of finger pointing and shuffling around while the conference organizers and the convention center try to work out which vendor is to blame.

Did the breach occur at the Boston Convention & Exposition Center? The Center says no, and reports that some of its own employees have been affected too (as if that were proof it isn't to blame).

Was the weak link the Westin Boston Waterfront Hotel, attached to the Convention Center, where conference attendees stayed? The hotel also denies responsibility, saying it sees no evidence of a breach in its systems.

Could it be the restaurants located in the hotel? Many attendees reported ordering drinks at two restaurants owned by the same management company, the Briar Group -- which, incidentally, paid fines in 2011 for failing to protect customer information in an earlier malware breach. The Briar Group, too, says it sees no problems in its systems.

It has yet to be determined who will ultimately be held responsible, but one thing is certain - future conference attendees may think twice before attending events at the Boston Convention & Exposition Center until this mess is cleared up, making the Convention Center another victim of this breach.

This scenario is sadly familiar to many organizations that outsource sensitive data to vendors and partners. While the Convention Center does not actually have vendor relationships with any of these companies, the outcome is the same one other organizations face when their vendors are breached: a data breach in an external network has damaged their reputation (and possibly their bottom line) regardless of who is actually at fault. This highlights the importance of knowing the security risks in your third-party networks, so that you can reduce your own risk of suffering similar consequences.


12/16/13: Updated

The Boston Globe reports that the data breach described above is larger than first thought, affecting more than just convention attendees.

Based on initial interviews with credit card companies, Blair said the tally of victims could be “hundreds” more than those who have already reported unauthorized or fraudulent charges on their credit cards after visiting Boston.


The investigation is still underway, with no clear "source" for the breach. Police and investigators believe it is not a skimming incident (a physical device capturing card data at a reader) but more likely the compromise of the computer systems of one or more businesses in Boston.

The city, meanwhile, is taking precautions to assure tourists that their information is safe during a busy travel season, hoping to avoid reputational damage as a consequence of the breach.
