Brand monitoring service Mention has blamed a third-party supplier for a data breach. The breach occurred in July and Mention has informed both customers and CNIL, the French ICO. This is a quick response and one that is in line with its obligations under the General Data Protection Regulation (GDPR).
The data lost is believed to include the data held in a customer’s account profile. This includes names, email addresses, plan details and other brand monitoring data. Mention is reported to have told customers that payment data, passwords and logins were not part of the data breach.
The big unknown at the moment is how many users are affected by the breach.
Focus on third-party suppliers once again
Mention has not yet named the third-party supplier. Instead, it has said that it is not the only company affected by this breach. That has caused eyebrows to be raised among security vendors who are scrambling to see who else is involved.
What is especially important here is that this is a post-GDPR breach. Everyone will be watching to see if there is evidence that the attack initially occurred before May 25th. If it did, then the impact on all parties will be limited. If not, then there are some difficult times ahead for the third party and all of its customers.
For example, how much data from European citizens is involved? Where was the data stored? What checks did Mention and other customers make on the security of the third-party supplier?
Under GDPR, the data processor and data owner are jointly liable for data loss. This could lead to a significant problem for the data supplier. It will also put the CNIL on the spot. Will it come down hard on all concerned? How will it assess liability? If the third party is a non-EU entity, how will CNIL enforce fines and other claims against it?
According to Fred Kneip, CEO, CyberGRX: “Companies need to understand that the growing reliance upon and interconnectivity with third parties, while critical to compete in a global marketplace, also poses significant cyber risk.
“No matter how well you are able to safeguard data within your own four walls, it can be all for naught if hackers target a third-party vendor, contractor or partner with access to your network, which is what happened with the Mention breach. The information security posture of third parties must be measured, monitored and viewed as part of their extended ecosystem of responsibility.”
What does this mean
Companies have been waiting for the first GDPR fines to be levied. This case will be watched carefully. Mention claims to have over 650,000 companies using its services every day. That means that the size of this breach is significant. If data from other companies has been lost, as Mention claims, then there will be a lot of concerns as to how wide the attack goes.
For now, all customers of Mention need to be aware that they are at a much higher risk of cyber-attack. With account details, usernames and email addresses in the hands of attackers, they can expect phishing attacks in the next few weeks, if they have not started already.
Last month Enterprise Times talked with Tom Turner, CEO, BitSight about the issue of third-party breaches. Turner talked about the need for Security Risk Ratings that would allow companies to understand the threat from their partner and supplier ecosystem. Maybe it is time for Mention to take a closer look at its suppliers.
[Note: Enterprise Times contacted the PR support team at Mention to no avail. It has also contacted Matthieu Vaxelaire for comment.]
Mention has asked us to update our article to correct a mistake. In our original article we stated that we had contacted the PR team. This was done by emailing the Support Team using the email account on the website. As such, we were unclear in what we said. Our email to Vaxelaire is still showing in LinkedIn as unread and apart from asking for that to be corrected, Mention has still not provided any comment on this story.