Palo Alto Networks Employee Data Breach Highlights Risks Posed by Third Party Vendors

Graham Cluley

November 29, 2019

As Business Insider reports, Palo Alto Networks has suffered a data breach.

The personal details of some past and present employees - their names, dates of birth and social security numbers - have been exposed online.

According to the report, Palo Alto Networks confirmed to Business Insider that the personal details of seven current and former employees had been "inadvertently" published online by a "third-party vendor" in February.

Details have only now become public due to a tip off to the press by a former employee who wished to remain anonymous.

Now, let's take a moment to keep things in perspective. In a week when security news outlets are writing about the private details of 1.2 billion people being found on servers left wide open to anyone on the internet, a breach involving the details of seven workers cannot be considered comparable.

However, that's not much consolation for the seven individuals concerned, and the resulting headlines are still damaging to the reputation of an enterprise security company such as Palo Alto Networks.

But is it really the company's fault?

After all, it wasn't the company itself that leaked the data and placed it on the internet. Instead it was an external company, contracted to provide a service to Palo Alto Networks, which was careless with the sensitive information.

Palo Alto Networks has declined to name the vendor concerned, or to provide details of where on the internet the data appeared, but it has said that it has terminated its contract with the careless vendor.

We would all like to think that the companies we work for would place robust demands on the external firms that provide them with products and services, requiring them to be careful with our data - whether it be information about products and services, intellectual property, customers, or employees.

But however much you may demand in a contract that your providers have proper security measures and practices in place to reduce the chances of a breach or hack, you can never have 100% certainty that accidents and goofs won't happen.

All you can do is limit the amount of sensitive data that your external providers have access to, ensuring that they can only access the information that they absolutely need to do their job and no more.

That way, if a breach occurs, at least the nature of the data exposed online or stolen by hackers might be limited.

And then, of course, you need to decide what you're going to do with that service provider.

Do you continue to work with them, accepting their assurances that they have mended their ways and a similar breach won't happen again in future?

Or do you have a scorched-earth policy whereby, if a breach ever occurs, that's the end of your business relationship?

Palo Alto Networks clearly took the latter approach - and that's understandable as it wants to send a clear message to its own staff and future external contractors that it simply will not accept a sloppy attitude to security.

But there is one other step that Palo Alto Networks could take, which it has chosen not to take. It could choose to name the vendor who leaked the details of its employees.

That may feel to some like a harsh response, especially as the breach has already happened - and there's not much to gain by naming the guilty service provider.

But let's not forget that if a third-party is providing services to Palo Alto Networks there's a good chance that they are also providing similar services to other firms.

And don't those companies deserve to know which external providers have been careless with sensitive data, and to be given an opportunity to choose a different provider rather than unwittingly run the gauntlet of being the next to suffer?
