Vendor data breaches: What credit unions need to know about three recent breaches

It feels like we’re constantly hearing about yet another data breach involving a financial institution’s third-party provider. There’s the statement-printing vendor responsible for leaking the personal information of 100,000 credit union members. Or the bank that discovered its mortgage insurance monitoring vendor exposed an unknown number of borrowers’ Social Security and account numbers. The list of data security breaches keeps growing.

These third-party provider data breaches are a significant concern for both credit unions and members. While each breach shares the common theme of compromised security, each incident comes with its own unique challenges and lessons to be learned.

Here are three.

  1. Delays in breach notification

In February 2023, hackers found a weakness in a California bank’s third-party file transfer service (an event very similar to the Accellion breach in 2021). Around 140,000 customer names and Social Security numbers were exposed. Security blog TechCrunch reported that the vendor found out on January 29, but only gave the bank a heads up on February 3 after a security blogger pointed out the flaw.

This breach is a reminder of two important lessons:

  1. Keep an eye on negative news about your vendors.
  2. Make sure your third-party provider agreement covers incident notification.

Regulatory agencies have been setting stricter rules for breach notifications. In February 2023, the National Credit Union Administration (NCUA) passed a final rule saying credit unions have to tell the NCUA about a data breach within 72 hours.

The tricky part about third-party provider breaches is that credit unions rely on their vendors to tell them about it. If vendors drag their feet, it puts credit unions in a tight spot.

That’s where negative news monitoring comes in. By including it in your vendor management program, credit unions can hear about a problem before the vendor even notifies you, allowing you to contact the vendor to find out what is going on. In this case, negative news alerts might have tipped off the bank about the blog post discussing the security issue. Sure, it’d be great if vendors always told you about breaches before you found out from another source, but that’s not always how it goes. Negative news alerts make a difference.

Another useful tool is the third-party vendor agreement. Don’t just assume vendors will let you know about issues. Make it a requirement in the contract. Be specific, defining what an incident or breach is and set a response timeline. That way, the vendor is legally bound to report cyber incidents to you.

  1. Multiple breaches from the same vendor

Okta, a service for customer authentication, announced two data breaches in 2022 caused by third parties.

  • The first time, hackers gained access to the Okta network through a customer support vendor.
  • The second time, a communication vendor exposed customer phone numbers to hackers.

This is a strong example of third-party risk, or the risk that a vendor’s vendor will expose you to a data breach. Okta’s financial services customers must be left wondering if two breaches in just months is an indication of a problem in Okta’s vendor management or just bad luck.

The smart move here is to reassess vendor risk with an eye on fourth-party risk. Does the vendor’s third-party vendor management program have the necessary controls in place? Is it strong enough to fall within your credit union’s risk tolerance?

It’s a question examiners might ask too.

  1. A growing third-party data breach

Back in June 2022, Diligent Corporation, which provides governance software to financial services, reported a data breach that took place a month earlier. Initially, it said it affected just over 1,000 people. However, in February, reported that the company revised its numbers by a whopping 5,000% to nearly 50,000 consumers.

Turns out, the breach originated from one of Diligent’s subsidiaries. In an update, Diligent mentioned it discovered the extent of the unauthorized access when the third party posted the acquired files on an external site. It seems they got hold of personal data that wasn’t initially believed to be accessed.

So, what can we take away from this breach? It’s crucial to not underestimate vendor follow-up and breach investigation. It’s not enough for a vendor to simply promise to look into a breach. They need the resources to thoroughly understand the root cause and the full scope of the breach, so affected institutions can inform regulators and consumers.

People trust credit unions to safeguard their data. Dealing with a data breach is bad enough, but having to admit you made a mistake and underestimated the breach’s size makes it even worse.

When checking out vendors, be sure to ask if they have a solid plan for investigating data breaches, including identifying the cause and determining the scale.


Credit unions and their third-party providers are popular targets for hackers, and the cost of third-party vendor data breaches is increasing.

Protect your credit union and its members from data security risk with proactive, effective vendor management. Engage in regular due diligence, assessing the vendor’s data security practices. Invest in cyber-monitoring to identify potential problems as early as possible.

A strong vendor management program is your best defense.

Michael Berman

Michael Berman

Michael Berman is Founder & CEO of Ncontracts. Web: Details