Why Auditing Third-Party Vendors Matters: A Real-World Story

  • Writer: Thomas McCourt
  • Jul 31

We wanted to share a recent experience involving a client we've been working with to raise awareness about the importance of regularly auditing third-party benefits and HR vendors. While there are many valid reasons to use these services and we don’t discourage their use, this story is a reminder that due diligence is critical when working with any third-party provider.


Story Time:

Early one Saturday morning, an ex-employee of a company that we will call Acme Corporation (if you are unfamiliar with the name, it's from the Road Runner cartoons) received an email like the one below:


Dear John Smith,
Your new hire/newly eligible event has been completed and your chosen benefit elections are confirmed. You may access our website at [website] to review your benefit elections at any time. Please allow 2-3 weeks for new ID cards to arrive in the mail. If you have any questions, you may contact Acme Corporation Benefits Service Center at [phone number] from 8:00 AM to 5:00 PM PT, Monday through Friday. 
 Sincerely, 
Acme Corporation Benefits Service Center

At first, John Smith thought this was just a weird phishing email, since he hadn't worked at Acme Corporation in over three years. But later that day, curiosity led him to investigate further, and what he discovered was troubling. Using the “forgot username” and “forgot password” links on the benefits portal, John regained access to his old account. To his surprise, not only was the account active, but he could add dependents and submit benefit selections, and the system accepted the changes for processing. Realizing the seriousness of the situation, John immediately contacted both Acme Corporation and the third-party benefits provider to report the issue.


What this story shows us is that failing to properly audit your third-party vendors, especially ones that deal with sensitive user data, can lead to mistakes. Those mistakes could cost both companies a lot of money.

Problems from the story

  • John Smith received an email as a new hire for benefits

  • John Smith had an 'active' account that could actually be used to enroll in benefits


What was the third-party company doing that could have caused an email to go out as if this were a new hire? Were they recovering from backups?

How many emails went out to ex-employees whose accounts you now have to audit for changes? What if any of those ex-employees were disgruntled? What else could they have done?


Incidents like this aren't just one-off glitches; they're red flags that often point to larger issues in vendor oversight and system hygiene. If you'd like help assessing your vendors or tightening your access controls, don't hesitate to reach out.


At Blue Team Tom Consulting, we emphasize the importance of:

  • Regular audits of all third-party vendors.

  • Routine check-in calls to maintain clear communication and accountability.

  • Frequent user access reviews to ensure only the right people have access to the right systems.
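
As an added illustration (not part of the original story and not any vendor's real tooling), here is one way a user access review for a benefits portal could be automated: reconcile the vendor's account export against the HR roster, then flag active accounts for terminated employees along with any notifications or election changes dated after termination. The CSV column names and all sample records are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data; the column names are assumptions, not a real vendor format.
HR_ROSTER = """employee_id,name,status,termination_date
1001,Jane Doe,active,
1002,John Smith,terminated,2022-05-13
1003,Sam Example,terminated,2025-06-30
"""

VENDOR_ACCOUNTS = """employee_id,account_status,last_notification,last_election_change
1001,active,2025-01-10,2025-01-12
1002,active,2025-07-26,2025-07-26
1003,disabled,2025-06-01,
1004,active,2025-07-26,
"""

def _day(value):
    """Parse an ISO date string, treating an empty field as 'no date'."""
    return date.fromisoformat(value) if value else None

def review_access(hr_csv, vendor_csv):
    """Return (employee_id, finding, detail) tuples for accounts HR data cannot justify."""
    roster = {r["employee_id"]: r for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(vendor_csv)):
        if acct["account_status"] != "active":
            continue  # disabled accounts are the expected end state
        emp_id = acct["employee_id"]
        emp = roster.get(emp_id)
        if emp is None:
            findings.append((emp_id, "ORPHANED", "active account with no HR record"))
            continue
        termed = _day(emp["termination_date"])
        if emp["status"] != "terminated" or termed is None:
            continue  # current employee, access is justified
        findings.append((emp_id, "ACTIVE_AFTER_TERMINATION", f"terminated {termed}"))
        # Anything the portal sent or accepted after termination needs a manual audit.
        for field in ("last_notification", "last_election_change"):
            when = _day(acct[field])
            if when and when > termed:
                findings.append((emp_id, "POST_TERMINATION_EVENT", f"{field} on {when}"))
    return findings

if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, VENDOR_ACCOUNTS):
        print(*finding, sep=" | ")
```

Running a check like this on a schedule, and after any vendor-side restore or migration, turns the questions above into a list of specific accounts to disable and changes to reverse.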


 
 
 


© 2025 by Blue Team Tom Consulting, All Rights Reserved.
