Peripheral vendors leak data
Attackers targeted Healthdaq, a recruitment platform used by health trusts, claiming hundreds of thousands of files were stolen, and OneDigital disclosed a breach tied to Salesforce and Drift that exposed client records including Social Security numbers. Both cases illustrate that sensitive data often sits in peripheral vendors and integrations rather than core systems, creating gaps for third-party risk management and data-flow mapping. (bbc.co.uk) (wealthmanagement.com)
The two systems at the center of this week’s breach news were not hospital record software or a bank’s core ledger. They were a hiring platform called Healthdaq and a sales setup linking Salesforce to a chat tool called Drift. (bbc.co.uk) (oag.ca.gov)

Healthdaq is used in Northern Ireland by health trusts to handle recruitment, and the company said it identified a cyberattack on March 30. The attackers claimed they stole hundreds of thousands of files from the platform. (bbc.co.uk) The files reportedly included names, contact details, curriculum vitae, qualifications, identification documents, and some health information. That means a breach of a “jobs” system can expose the same kind of identity material people usually associate with a hospital or a government office. (bbc.co.uk)

OneDigital’s case followed the same pattern from a different industry. OneDigital Investment Advisors said its own internal network was not compromised, but data stored in Salesforce may have been accessed and copied after a security event involving Drift, an online chat agent tool managed by Salesloft. (oag.ca.gov) (wealthmanagement.com) According to OneDigital’s notice, Salesforce alerted the firm on August 22, 2025, and the suspected access window ran from August 12 to August 18, 2025. The exposed data varied by client, but the company said it included names and Social Security numbers. (oag.ca.gov) State filings reported by WealthManagement.com said the OneDigital breach affected 28,414 people in the United States. The California notice says OneDigital is offering 12 months of credit monitoring and identity protection services through Experian. (wealthmanagement.com) (oag.ca.gov)

This is what third-party risk looks like in real life. A hospital trust or wealth firm can harden its main systems, then lose sensitive records through a recruiter, a customer relationship management platform, or the software glue connecting two vendors. (bbc.co.uk) (oag.ca.gov) The hard part is that these side systems collect rich data because they are built for convenience. A recruitment platform needs passports, licenses, and work history to place staff, and a sales platform often holds full client records so advisers can see everything in one screen. (bbc.co.uk) (onedigital.com)

Companies usually inventory their crown jewels first, like payroll, patient records, or trading systems. These cases show the map also has to include every vendor that copies, syncs, stores, or enriches that data after it leaves the main system. (oag.ca.gov) (bbc.co.uk) That means asking plain questions with exact answers: which vendor has the file, which other tool receives a copy, how long it stays there, and whether Social Security numbers, identity documents, or health records can be removed entirely. The breach is often not where the organization thinks its most important data lives; it is where the data quietly spread. (oag.ca.gov) (bbc.co.uk)
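One way to turn those four questions into a repeatable check, as an added example that is not code from the article or from any vendor named in it: a small Python data-flow inventory over constructed systems, integrations, retention periods and a purpose-based policy (all assumed values; `archive_tool` is a hypothetical second hop). It computes where each data category ends up after leaving the core system and flags sensitive categories sitting at a vendor that does not need them.

```python
"""Where does sensitive data end up after it leaves the core system?  Added
example with constructed inventory data; not code from the article."""
from collections import defaultdict, deque

# Constructed inventory modelled loosely on the two cases: core HR feeding a
# recruitment platform, and a CRM syncing client records into a chat vendor.
SEEDED = {  # categories each core system was originally given
    "hr_core": {"name", "contact", "cv", "id_document", "health_info"},
    "salesforce": {"name", "contact", "ssn", "account"},
}
# Integrations: (source, destination, categories the integration forwards).
FLOWS = [
    ("hr_core", "healthdaq", {"name", "contact", "cv", "id_document", "health_info"}),
    ("salesforce", "drift", {"name", "contact", "ssn"}),
    ("drift", "archive_tool", {"name", "contact", "ssn"}),  # hypothetical 2nd hop
]
SENSITIVE = {"ssn", "id_document", "health_info"}
# Constructed purpose policy: what each vendor needs, and assumed retention.
REQUIRED = {"healthdaq": {"name", "contact", "cv", "id_document"},
            "drift": {"name", "contact"}, "archive_tool": {"name", "contact"}}
RETENTION_DAYS = {"healthdaq": 730, "drift": 90, "archive_tool": 365}

def map_holdings(seeded=SEEDED, flows=FLOWS):
    """Transitive closure over flows: {system: {category: path}}, where path is
    the chain of systems the category passed through to get there."""
    holdings = defaultdict(dict)
    queue = deque((s, c) for s, cats in seeded.items() for c in cats)
    for s, c in queue:
        holdings[s][c] = [s]
    while queue:
        src, cat = queue.popleft()
        for s, dst, cats in flows:
            if s == src and cat in cats and cat not in holdings[dst]:
                holdings[dst][cat] = holdings[src][cat] + [dst]
                queue.append((dst, cat))
    return dict(holdings)

def findings(holdings, required=REQUIRED, retention=RETENTION_DAYS):
    """Sensitive categories held by a vendor that does not need them: the
    removal candidates, each with its copy path and how long it sits there."""
    out = []
    for system, cats in holdings.items():
        for cat, path in cats.items():
            if cat in SENSITIVE and system in required and cat not in required[system]:
                out.append((system, cat, " -> ".join(path), retention[system]))
    return sorted(out)

if __name__ == "__main__":
    for system, cat, path, days in findings(map_holdings()):
        print(f"{system}: {cat} via {path}, retained {days} days")
```

The transitive hop is the point: the SSN reaches `archive_tool` only because of the Salesforce-to-Drift sync, which is exactly the kind of copy a crown-jewels-first inventory misses.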