A Texas credit union has found itself dealing with the expensive consequences of a third-party vendor breach, it announced to members last week.
The third-party vendor the credit union was using for data analytics services was a victim of a ransomware attack that resulted in thousands of member files being compromised, including Social Security numbers. As a result, the credit union had to notify thousands of members of this data breach and explain the issue with its vendor management program. In addition, the credit union is providing each member identification repair and monitoring services, which is costing it hundreds of thousands of dollars.
While the credit union is now reviewing its third-party risk management practices, agreements, and monitoring capabilities, the damage is already done. It can only hope to put in place a better vendor management system to avoid future problems.
This was an avoidable problem. Too many credit unions assume that there are no issues with vendor management because they passed their last exam. Unfortunately, the lack of exam findings does not protect credit unions from their third-party vendors.