Data Breaches by Contractors

In today’s digital era, businesses share more and more corporate information with their partners, so they should pick service providers with great care and bind them with confidentiality agreements. This is a digest of data leaks by contractors, prepared by InfoWatch Analytical Center.

In late summer, Chinese news media reported the arrest of five individuals who stole data using a publicly listed online marketing firm they set up, Ruizhi Huasheng Technology Corp. The criminals signed marketing contracts with telecom operators and obtained remote login permissions for these companies’ servers. They then installed malware that automatically collected user data and exported it to Ruizhi Huasheng’s multiple servers at home and abroad. The criminal group is estimated to have earned more than $4 million a year and stolen data from 96 internet companies, including industry giants Baidu, Alibaba, and China Unicom.

Recently, Reality Winner, a former contractor for the U.S. National Security Agency, was sentenced to more than five years in prison for leaking classified information. Arrested in summer 2017, Winner admitted to printing a classified cybersecurity report and mailing it to an online news outlet.

Another common threat today is data leaks due to human error. For example, in Missouri (USA), the healthcare data of close to 20,000 children was exposed when WellCare Health Plans, which administers the Missouri Medicaid plan, sent letters to the wrong addresses.

TCM Bank, a company that helps small and community U.S. banks issue credit cards to their account holders, said an accidental misconfiguration of a website managed by a third-party vendor exposed the personal data of up to 10,000 consumers.

Even an unintentional data compromise by a partner may lead to severe regulatory penalties. For example, an unnamed U.S. power company was hit with a hefty $2.7 million fine after it was discovered that protected information of some 30,000 customers was posted online and exposed on the internet for 70 days. The company determined that a third-party contractor improperly copied protected company data to its unsecured network.
