Security Risk Management

UPDATED: So many vendors ... but who's to blame for the breach?

Melissa Stevens | December 12, 2013

The local news is abuzz with a story of Boston convention attendees falling victim to a credit card data breach. The impact is small - only about 300 people have been affected - but there seems to be a lot of finger pointing and shuffling around while the conference organizers and convention center try to figure out which vendor is to blame.

Did the breach occur at the Boston Convention & Exposition Center? They say no, and report that some of their employees have been affected, too (somehow proof they aren't to blame?).

Was the weak link the Westin Boston Waterfront Hotel, attached to the Convention Center, where conference attendees stayed? The hotel also denies responsibility, saying they see no evidence of breach in their systems.

Could it be the restaurant chain located in the hotel? Many attendees reported ordering drinks at two of the restaurants owned by the same management company, the Briar Group -- who incidentally paid fines in 2011 for failing to protect customer information in another malware breach.  However, the Briar Group also says they see no problems in their systems.

It has yet to be determined who will ultimately be held responsible, but one thing is certain - future conference attendees may think twice before attending events at the Boston Convention & Exposition Center until this mess is cleared up - making the Convention Center another victim in this breach.

This is a scenario that is sadly familiar to many organizations that outsource sensitive data to vendors and partners. While the Convention Center does not actually have vendor relationships with any of these companies, the outcome is similar to what other organizations face when their vendors are breached: a data breach in an external network has impacted their reputation (and possibly their bottom line) regardless of "who" is at fault. This highlights the importance of knowing the security risks in your third-party networks to reduce your risk of suffering similar consequences!

 

12/16/13: Updated

The Boston Globe reports that the data breach described above is larger than first imagined, affecting more than just convention attendees.  

Based on initial interviews with credit card companies, Blair said the tally of victims could be “hundreds” more than those who have already reported unauthorized or fraudulent charges on their credit cards after visiting Boston.

 

The investigation is still underway, with no clear "source" for the breach. Police and investigators believe it is not a skimming incident, but likely the hack of a business or businesses in Boston whose computer systems were compromised.

The city, meanwhile, is taking precautions to assure tourists that their information is safe during a busy travel season, hoping to avoid reputational damage as a consequence of the breach.
