Data sent to a third-party vendor that was not authorized to receive it led to a data breach involving 16,500 people associated with student loans. The affected company is Access Group Education Lending, and the company became aware of the situation on March 23.
What Kind of Information Was Leaked?
The public doesn’t know the third-party vendor’s name, but the vendor is reportedly a student loan lender. It received data containing student names, Social Security numbers and driver’s license numbers.
The Data Was Reportedly Destroyed
Nelnet, a company that processes data for Access Group, is the entity at fault for distributing that sensitive information to the unnamed outside vendor that shouldn’t have seen it.
Representatives from Nelnet say they don’t believe inappropriate data use occurred following the leak. They clarified that the data traveled to the third-party vendor through an encrypted channel. The vendor also recognized that the data transfer happened in error, then got rid of the information.
According to details released in SC Magazine, a relevant manager for the third-party vendor agreed to sign a sworn document confirming the destruction of the information with nothing retained.
A Year of Credit Monitoring Offered
When making a statement about the issue to the press, Access Group said the exposure of personal details was “limited.”
Even so, the company will provide a year of complimentary credit monitoring to affected parties who want to ensure the data leak won’t have negative repercussions. It notified those individuals in writing and provided the same disclosure to the respective attorneys general at the state level.
A survey of more than 10,000 people around the world indicates a growing concern among consumers regarding data breaches. The results found 69 percent of respondents don’t think enterprises take data protection very seriously, and two-thirds feared becoming victims of future data breaches.
Preventing Similar Future Events
Access Group monitors its vendors and will continue to do so as a preventive measure against other data breaches. Furthermore, it will mandate written data transfer protocols for third-party companies and double-check the recipients before starting to send files.
Data leaks can happen externally, as well as from inside organizations. Efforts to reduce internal threats require carefully screening individuals who have access to a company’s data, issuing role-based permissions for sensitive information and establishing clear, documented employee expectations.
This breach did not originate within Access Group, but since the company works with third-party vendors, it must continue to treat those representatives as if they were employees working onsite.
Plus, tightening up internal security measures would be a smart move, since Access Group already attracted negative publicity with this breach and wouldn’t want to be associated with other problems.
The Three-Week Delay Before Notifying Customers
Access Group didn’t get word of the incident until five days after the mistaken data transfer. It has also emerged that the company did not begin letting customers know about what happened until three weeks after learning the details.
That delay fits a trend that has led concerned individuals to assert that affected companies aren’t being sufficiently prompt and transparent.
For example, Facebook waited two years before notifying customers about data obtained by Cambridge Analytica, also a third-party company. Then, there’s Equifax, the credit monitoring company that didn’t alert consumers until weeks after one of the most massive breaches in recent history happened.
It’s important to realize, though, that U.S. laws require companies to tell consumers about breaches, but don’t get specific about timeframes. Abnormally long delays put companies at risk of scrutiny by federal authorities and queries about why disclosures didn’t happen more efficiently.
The Potential Risk of Data Breaches as Companies Depend on Partnerships
The Access Group incident illustrates how it can become more challenging to maintain control of data when using external providers to take care of some aspects of a business.
Although none of the involved companies engaged in malicious actions, that won’t always be the case for future data-related mishaps.