Business process outsourcing (BPO) service provider Genpact left customer information at Scottrade Bank vulnerable through a cloud server that did not have the right level of security.
According to Scottrade Bank, information about 20,000 people and businesses in its small business-to-business (B2B) unit was not fully secured.
Genpact has admitted the mistake and secured the information as soon as it was alerted and discovered the origin of the error.
“Genpact works exclusively with the B2B bank unit and has no access to any other information at our firm,” said Scottrade in a statement. “This appears to be a case of isolated human error by the supplier in handling the dataset.
“It is important to note that we hold all of our third-party suppliers to rigorous information security standards. The supplier has acknowledged responsibility for this incident. This is a discrete issue with no link to any other aspect of our business. Our own systems remain secure and were not involved in this matter.”
Genpact is currently trying to find out whether the data was accessed and has hired a forensics firm to help it.
The case is a warning to enterprises to be prepared to deal with problems caused by service providers.
In the UK, the Information Commissioner’s Office can impose a maximum fine of £500,000. In October 2015, TalkTalk was hit with a record £400,000 fine over the cyber attack in 2015 that exposed personal details of more than 150,000 customers. But the reputational damage for businesses can be far greater.
This is a particularly important issue for UK companies, which are highly dependent on BPO and IT service providers, yet may be unprepared for disruption caused by supplier mistakes.
According to research from Deloitte, 80% of UK businesses are very dependent on services from outsourcing providers. The same research found that one-third of businesses in the UK have experienced major disruption or complete failure due to the actions of an outsourced service provider in the past three years, but also revealed that only 11% were prepared for this.
It is essential to ensure cloud contracts protect the customer’s business against data loss. Talking to Computer Weekly in February, outsourcing consultant Bob Fawthrop cited a case he was involved in where a cloud-based financial transaction supplier that was going to move data from one system to another would not take responsibility for data loss, despite the fact that it was moving the data.