Earlier this month, electronic bill paying service provider CheckFree, which controls a majority of the market in online bill paying services, suffered a security breach. Though CheckFree was diligent about the problem, rectifying the issue in a matter of hours, the incident again raises the subject of how important an effective vendor management program is, especially for financial institutions.

What Happened:

  • An external hacker somehow stole the credentials of a CheckFree administrator and edited the CheckFree site.
  • Instead of reaching the expected web page, CheckFree end users were redirected to a Ukrainian web page that automatically attempted to install malware on end user computers.
  • If the computers did not have up-to-date antivirus provisions, a Trojan may have been installed to gather usernames and passwords from the infected computers.

Within five hours, CheckFree had fixed the problem and was already well underway with investigating what happened, determining how many users were affected, and reversing the effects of the hijacking. The firm is a third-party service provider for a very large share of the financial industry.

The CheckFree incident is a perfect reminder of how important a vendor management program is. Banks and credit unions are among the most strongly regulated businesses in the world, as it is crucial that they keep customers’ and members’ information safe from malicious outsiders.

In addition to banks and credit unions taking the security of their systems seriously, third-party vendors and service providers must be held to the same tough standards. It does not matter whether information is compromised in the hands of the financial institution or the hands of the service provider—if a customer or member has his information stolen, the financial institution will inevitably take the blame. This hurts the reputation of both the service provider and of the financial institution, and ultimately costs both a tremendous amount of money.

A vendor management program is crucial, as it enables financial institutions to make sure their vendors, like CheckFree, are doing their business with as much attention to security detail as the institutions themselves are. This kind of program is in the best interests of the customer/member, the financial institution’s bottom line, and the financial institution’s regulatory compliance.

GraVoc Associates, located 18 miles from Boston in Peabody, MA, is very much willing to help both existing and new information security customers develop and maintain their vendor management programs. As the new year approaches, many experts predict a 2009 characterized by attacks such as the ones incurred at the beginning of December. It is up to financial institutions to safeguard their information, and GraVoc can help them ensure that third-party vendors and service providers are holding themselves to the same standards.