DIM-07-01 Service Provider Risks and Prevention

Service Provider Data Breaches

We subscribe to many services online. For each of these services we have an identity, and authenticator(s) to prove our identity when accessing the services. Each of these service providers stores our information to enable them to check we are who we claim to be when authenticating.

How secure are the service provider records? What if someone gained access to the service provider records for hundreds, thousands, or even millions of subscribers?

Service provider systems can be accessed over the internet and may be vulnerable to attacks aimed at gathering information or disrupting services. This would be considered a data breach. Service providers must ensure our records are safe and eliminate the risk of data breaches. Even if the information leaked or accessed during a breach does not include your password, other information about you could be used to build a view of your personal profile and put you at risk.

Even if information is encrypted during transfer from your device to the service provider, and your information is encrypted in their storage, you may still be at risk as a result of your service providers’ policies.

Service provider policy risks

What are the policies of your service providers with respect to sharing your information with other parties?

Each service provider has terms and conditions of privacy. When you subscribe to a service, and accept the terms and conditions, you may be giving the service provider permission to use your information.

Most service providers’ terms and conditions allow them to use and share your information within their organisation, group of companies, and even with other outside parties as they deem necessary to optimise their services to you.

The service providers may also change the terms and conditions without consulting subscribers.

Service provider data risks prevention

To minimise the risk of service provider data breaches, you should be aware of the level of data security your service providers offer:

  • Ensure all services you use support encrypted transfer of passwords (https://…)
  • Ensure all service providers encrypt your stored information on their systems and do not keep your information ‘in the clear’.

Service provider policy risks prevention

To minimise service provider policy risks, specifically the disclosing or sharing of your information with others:

  • Read and understand your service providers’ terms and conditions
  • Familiarise yourself with the control the service provider gives you over which of your information can be shared
  • Apply privacy controls that are available to you to restrict what you share, and what the service provider can do with your information
  • Assess the risks and decide if using the service is worth the risk