TCM Bank, a subsidiary of ICBA Bancard, serves as a trusted advisor to community banks and as a direct issuer of credit cards for more than 750 small and community U.S. banks that prefer not to issue cards themselves.
TCM Bank announced that a Web site misconfiguration exposed applicant data for 16 months, including names, addresses, dates of birth and Social Security numbers.
“In a letter being mailed to affected customers today, TCM said the information exposed was data that card applicants uploaded to a Web site managed by a third party vendor,” wrote the popular investigator Brian Krebs.
“TCM said it learned of the issue on July 16, 2018, and had the problem fixed by the following day.”
Thousands of people who applied for cards between early March 2017 and mid-July 2018 were affected by the incident.
The company notified the affected customers of the incident via email. The exposed data is information that card applicants uploaded to a Web site managed by a third-party vendor.
Bruce Radke, an attorney who is helping TCM, confirmed that the number of affected customers is less than 10,000.
“It was less than 25 percent of the applications we processed during the relevant time period that were potentially affected, and less than one percent of our cardholder base was affected here,” Radke said.
“We’ve since confirmed the issue has been corrected, and we’re requiring the vendor to look at their technologies and procedures to detect and prevent similar issues going forward.”
Businesses have to carefully review the level of security implemented by their partners to avoid third-party incidents that could have a significant impact on their operations.
“Many companies that experience a data breach or data leak are quick to place blame for the incident on a third-party that mishandled sensitive information. Sometimes this blame is entirely warranted, but more often such claims ring hollow in the ears of those affected — particularly when they come from banks and security providers,” concludes Krebs.
“Managing third-party risk can be challenging, especially for organizations with hundreds or thousands of partners”