
The Hidden Danger: third-party data breaches and how to mitigate the risks

All organisations rely on third-party vendors, suppliers, and service providers to handle essential business functions—from IT services and data storage, to payroll and marketing. While outsourcing can improve efficiency and reduce costs, it also introduces significant data privacy and security risks.

Third-party data breaches occur when external organisations entrusted with personal information experience a privacy or security incident, exposing the primary organisation. Reputational damage, regulatory penalties, and loss of stakeholder trust can, and regularly do, follow for the primary organisation.

Australia has seen several major third-party breaches that underscore these risks, going back as far as the Australian Red Cross privacy breach in 2016. The Red Cross (now known as Lifeblood Australia) had a third party working on its website, and a database containing sensitive information was published to the internet in error by that supplier.

In 2023, personal information belonging to millions of Latitude Financial customers was stolen following a cyberattack on one of its service providers. The breach exposed information including driver licence and passport numbers, and demonstrated how a vulnerability in a third party can compromise an entire organisation’s data ecosystem.

The Qantas third-party breach, which occurred on 30 June this year, involved unauthorised access to a third-party customer servicing platform used by a Qantas call centre in the Philippines. The incident has since resulted in legal action.

To mitigate the risk of third-party data breaches, organisations can:

1. Conduct thorough due diligence before engaging any vendor.

This includes assessing their cybersecurity practices, data handling protocols, and compliance with relevant standards such as the Australian Privacy Principles (APPs). Organisations should ask critical questions: Do vendors conduct regular penetration testing? Do they encrypt sensitive data at rest and in transit? What incident response plans do they have in place, and how quickly would they notify you of a breach?

2. Establish strong contractual controls.

Data protection clauses in contracts should clearly outline the third party’s obligations regarding data security, including breach notification time frames, audit rights, and requirements to comply with Australian privacy laws. For example, the Office of the Australian Information Commissioner (OAIC) expects entities to take “reasonable steps” to ensure third-party service providers protect personal information in accordance with the Privacy Act 1988 (Cth).

3. Conduct continuous monitoring and regular reassessment of third-party risk.

Cybersecurity threats evolve rapidly, and a one-off assessment at onboarding is insufficient. Regularly updated third-party risk policies and procedures, together with ongoing security scorecards, can help organisations detect emerging vulnerabilities in their vendors before they are exploited.

In addition, organisations should limit the personal or sensitive information shared with vendors to the minimum necessary for service delivery, thereby reducing the potential impact of a breach: data a vendor never holds cannot be exposed through that vendor.

In a climate of increasing data breaches, Australian organisations must recognise that their third-party risk posture is only as strong as their management of the supply chain.

As more regulatory scrutiny falls on how entities manage third-party risks, especially in the health, finance, and government sectors, embedding third-party risk management into broader privacy and information security governance is no longer optional. It is a critical safeguard for reputation, trust, and compliance.

We can assist you to conduct a third-party risk audit, and to develop your third-party risk policy and procedures. Please contact us for support.

Call 1300 264 946 or use our contact form to provide your details and we’ll contact you.