The legal fees and paperwork keep piling up for BPOs, which seem to be having a rough time shielding their systems from cybercriminals.
Over the past couple years, several BPO vendors have found themselves embroiled in PR firestorms and lawsuits over hacks that exposed the personal data of tens of thousands of customers and employees.
Some of these lawsuits are on their way to being settled out of court. Nevertheless, the rising wave of cybercrime effectively guarantees more successful hits, putting in jeopardy the personal data of potentially hundreds of thousands of people, as well as the financials and reputation of big-time BPOs.
Breach, File a Suit and Repeat
At this point, data breaches have become a relatively common occurrence among BPOs. Over the past two years, some of the top names in the business were successfully hit by cyberattacks which compromised the integrity of their systems and put the data of thousands of customers and employees in jeopardy.
Teleperformance reported a breach in early December 2022. The total number of persons affected by the breach has yet to be determined, but the Texas Attorney General estimated then that the number reached 2,631.
Atento reported a hack to its systems in October 2021. The breach ended up costing the company $US42 million in revenue due operational disruptions and “protection, detection and remediation measures”.
While some BPO providers have had to deal only with bad press, others have been taken to court over the breaches. Startek, TTEC and TaskUs are some of the names in the industry facing class action lawsuits resulting from data breaches.
TTEC was battling class action lawsuits launched by former employees in three different jurisdictions, though all three are on their way to being settled out of court. Startek is also close to a settlement, which will be reviewed by the courts in April of this year.
“Companies that are subject to federal data security laws are required to impose the same legal obligations on their outsource vendors […] Outsource vendors are also directly liable under some federal rules”—John Walter, COO at ZMAXINC
The circumstances vary. Nevertheless, the lawsuits launched against all three BPOs mentioned make similar allegations. In general terms, the companies were accused of gathering personal data as part of their terms of service and employment without taking the proper measures to secure such data. In other words, they were allegedly negligent and noncompliant with basic data security measures.
“TaskUs had access to Ledger customers’ PII [personal identifiable information] and failed to secure the received PII or implement any security measures or even screening procedures to ensure that its agents, support representatives, and other individuals to whom Ledger and Shopify entrusted the Private PII data would ensure secure handling of the data”, reads the complaint against TaskUs, in which Ledger and Shopify are listed as defendants also.
Remember the @Ledger data breach through Shopify and TaskUs?
When people suddenly received extortion mails just because they bought a hardware wallet once?
— CR1337 (@cryptonator1337) April 5, 2022
To boot, the complaint alleges that the breach which affected TaskUs was perpetrated by “rogue employees” of the company.
In a web page advertising its security services, TaskUs claims that it “leverages the absolute best in people, processes and technology to give our clients’ users a world-class, full 360-degree experience in the areas of security, accessibility and CX.”
T-Mobile is another relevant case. While not in the BPO industry per se, the telecom giant depends on third-party providers of business services, which often handle sensitive customer data.
Over the past three years, T-Mobile has suffered at least six data breaches: one in 2018, another one in 2019, two in 2020, one in 2021 and one more in 2023. Between the 2021 and 2023 hacks, the data of over 100 million persons was compromised.
T-Mobile had to pay US$500 million for the 2021 data breach and has promised to ramp up investment in cyberdefenses. Nevertheless, there have been questions regarding the effects of that investment. It was also reported that the company paid US$200,000 to the hackers in an attempt to keep its data away from the digital marketplace.
Although T-Mobile has been the focus of the lawsuits and bad press resulting from the data breaches, and while there have been no reports on any of its vendors being affected, that doesn’t mean that third-party providers are entirely safe.
“Companies that are subject to federal data security laws are required to impose the same legal obligations on their outsource vendors. This must be accomplished through written contracts. Outsource vendors are also directly liable under some federal rules”, explained John Walter, COO at ZMAXINC and an attorney that provides advice to BPOs. “Even if a nearshore or offshore vendor is outside of U.S. jurisdiction, they still must contractually agree to comply with federal requirements in order for them to qualify to receive the outsource work”.
“Imagine a circumstance where a data breach occurs with a company’s customer support outsource vendor”, he added. “The customers who had their data stolen have potential claims against both the company and the outsource vendor. The company will also have a claim against the outsource vendor, but the strength of that claim will depend on the terms of the contract between the company and the vendor”.
Given the risk of data breaches among third-party providers, Walter recommended the following for any company doing business with BPO vendors who will handle sensitive information: 1) establish very specific privacy and data security obligations; 2) include an indemnification clause which would require the vendor to pay for all company expenses (attorney fees included) which may result from a breach in the vendor’s security systems; 3) require the vendor to maintain an insurance policy to help recover data lost to a breach.
The impact of third party data breaches doubled in 2022 when compared to 2021, according to a report by cyber risk intelligence firm Black Kite. On average, per every vendor hit by a cyber attack, 4.73 companies were affected. In 2021, the number of businesses affected was 2.46.
NEW RESEARCH REPORT: 2023 Third Party Breach Report – Dive deep into the cybersecurity industry’s changes from 2021 to 2022. These findings are thanks to the collective effort of Black Kite Researchers. https://t.co/56tjzHrDCA #cybersecurity #thirdpartyrisk
— Black Kite (@BlackKiteTech) February 1, 2023
“Today’s cyber landscape is riskier, costlier and more complicated than ever before. Bad actors are capitalizing on global disruption with destructive third-party breaches, allowing them to compromise multiple victims in one fell swoop”, warned Bob Maley, CSO at Black Kite, in the report.
On average, 108 days passed between the attack and the disclosure by the companies affected, a 50% increase compared to the year prior, according to the report. The documenta adds that such a delay “[gave] threat actors more time to cause significant damage with stolen data”.
More Danger on the Horizon
This is the worst of times for BPOs to rest on their laurels. Cyber criminals seem to be growing bolder, and the changes in delivery models have opened vulnerabilities in which hackers will most likely find a new playground.
“The Pandemic has presented additional operational and cybersecurity risks to our IT systems due to work-from-home arrangements at the Company and our third-party service and equipment providers”, warned T-Mobile in its 2021 annual financial report.
“We expect to continue to experience cyberattacks and other incidents involving our supply chain and in relation to third-party products and services (including cloud services) that are used in our IT environment and business,” it added.
Cybersecurity intelligence firm CrowdStrike recently warned of a phishing deployment campaign by hacker group Scattered Spider, which took place in January of this year. According to the firm, TaskUs is in the list of targets, alongside several tech and video game companies.
The digital landscape, while ripe with opportunities, is also turning more threatening for BPO vendors. Not only are cybercriminals apparently emboldened, but the general public is growing suspicious of companies’ handling of their personal data. Also, cybersecurity compliance is gaining relevance in contract negotiations and in regulators’ agendas.
If the negligence allegations against several BPOs hold water, then they need to step up their game. Not doing so will bring multiple and terrible consequences for the industry, which has no shortage of bad press to deal with.