When Your Vendor Says ‘Your Data Was Breached—Six Months Ago.’

What’s worse than a vendor that suffers a data breach that exposes your sensitive customer information? The answer: A vendor that waits almost six months to tell you about it.

That’s the issue that both Sears and Delta Air Lines are facing after a malware attack on each of the company’s online chat services vendors. Hundreds of thousands of customers’ payment information was accessed, including payment card account numbers, expiration dates, names, and addresses, reports Gizmodo. Sears and Delta weren’t made aware of the breach, which happened in September 2017 and took two weeks to contain, until mid-March of this year.

That’s not just inconsiderate. It can also create legal issues. Several states, including Massachusetts and California, have strict timelines for notifying consumers when data is accessed by unauthorized parties. This is especially true for sensitive data like account and Social Security numbers. An institution needs to know about a breach as soon as possible so it can follow notification protocol. Just because an institution doesn’t have bricks and mortars in another state doesn’t mean it’s exempt from those rules. It needs to follow the notification laws where a customer resides.


  • As hackers and cybercriminals become more inventive (see the casino that was hacked through its Internet-connected “smart” thermometer), data breaches are becoming increasingly common. Third-party vendors remain a viable entry point for those looking to steal sensitive information. This is why having a plan for dealing with vendor data breaches before they happen is essential. Another essential part of effective strategy is to structure agreements with vendors to ensure that you’re notified in a timely fashion.

    Regulators don’t distinguish between your actions and the action of your vendors. Vendor breaches create a unique set of issues that require attention. Make sure your vendor is required to notify you promptly of any breach so that you can take action.

    Assess your cyber risk with an online FFIEC cybersecurity assessment tool.