Early last year, Imperva published a report analyzing a breach that Yahoo had suffered via a vulnerability on its astrology site. As a reminder, at the time Yahoo's astrology site was operating with data coming from a platform provided by a third-party company. When that third party's server was breached, Yahoo got the bad headlines.
Today, Yahoo disclosed a breach that affected its own mail system and that apparently resulted from the compromise of a third party. While Yahoo responded to the incident quickly, the episode raises questions for any company that relies on outside providers.
Companies should ask themselves:
- How are we securing our users' information, and our own, when we use third-party services (hosting, SaaS, call centers, authentication providers, website plugins and more)?
- How much do we actually know about the security measures implemented by the third-party companies we obtain services from?
- If we provide a service to others, how secure is it, and how would we know?
Too often, companies place their trust in code and services that are not homegrown without first establishing whether they can monitor those services, whether they can secure them, or whether the provider does either.
What is the industry doing about it?
PCI DSS v3.0 is a good example of one standard that addresses this issue: it added a requirement that service providers acknowledge in writing their responsibility for the security of the client data they handle, making them explicitly accountable for it rather than leaving that responsibility implied.
Where can I learn more?