So first it was the deal with Sweden, and now this with Wells Fargo. Let today be a lesson in how not to outsource certain business functions. In this case with Wells Fargo, it seems 1.4 GB of data involving about 50,000 individuals was accidentally sent in response to a request from an attorney for some banking documents on an individual. Wells Fargo is blaming a third party for not properly screening the data on the disk.
While I get that, it’s important to understand that when you outsource any of your processes, that does not mean you’re totally off the hook. In this case, obviously, Wells Fargo is the one ending up in the headlines as opposed to the contracted company. On the other hand, I personally don’t think that is undeserved. To send 1.4 gigabytes’ worth of data in response to a rather limited request for a single individual seems a bit excessive to me. Why couldn’t they have limited that considerably prior to sending it to the third party? We may never know.
Just remember this when you’re hiring outside parties to handle sensitive information. “Regulators, meanwhile, have started a probe into the data breach…” is not something you want to hear or read about in the paper.
Erich Kron is the Security Awareness Advocate at KnowBe4, and has over 20 years’ experience in the medical, aerospace manufacturing and defense fields. He is the former security manager for the US Army 2nd Regional Cyber Center-Western Hemisphere.