Takeaways

Wipro, the India-based technology services provider, confirmed that it encountered a data breach on April 16.
The breach, which Wipro indicates is being remediated, may affect data belonging to certain of Wipro’s customers.
Wipro’s customers should act quickly to implement operational strategies to respond to the breach and should review their contracts with Wipro to understand their underlying rights.

Wipro, the Bengaluru, India-based ITO and BPO services provider, confirmed on Tuesday, April 16th, that it fell victim to a data breach—specifically, an advanced and persistent “zero-day” malware attack. The attack may have begun in March as a phishing incident (an unauthorized attempt to access a target’s information systems, usually via fraudulent emails or other communication) involving one Wipro employee, and it has apparently led to a broader infiltration of Wipro’s email systems.

Initial reports have indicated that the attack may have impacted more than a dozen of Wipro’s customers, but the ongoing investigation has yet to uncover whether, and to what extent, those customers’ data are at risk.

While Wipro’s internal investigation of the breach apparently continues, Wipro has publicly stated that it has identified the affected employee accounts, taken remedial measures, and informed a number of its customers who engaged with the affected employees. Wipro has also apparently communicated signifiers of the attack, known as “indicators of compromise” (IOCs), to its affected customers. Such indicators may give customers insight into the methods used to effectuate the Wipro intrusion and could help such customers take appropriate measures to protect their own information systems.

Wipro is not the first—and unfortunately will not be the last—technology or outsourcing service provider to encounter a major security intrusion. In today’s world of sophisticated and seemingly ubiquitous state- and commercially-sponsored cyberattacks, what is an institution to do in the wake of a data security incident affecting a service provider?

Below we include a list of some helpful measures, both operational and contractual, that an institution should consider both to respond to, and to hopefully contain the effects of, a data security incident involving an outsourced service provider. While every data security incident is different, and every service provider relationship requires its own tailored data governance and incident response regime, the following provide some helpful starting points for consideration.

Operational Considerations

Specifically, when an incident does occur:

  • Limit the amount of information potentially exposed to the service provider. Silo access points or data that might relate to the service provider’s environments, systems, or applications such that only the business-critical functions for which the service provider is responsible continue to run on the service provider’s platform and/or may be accessed by its resources during the incident.
  • Monitor the systems access that must remain available to the service provider during the event for potentially anomalous activities, and investigate accordingly. Report any findings to your service provider point of contact in support of the service provider’s larger investigation and response, as well as your own internal investigations and response that may now be required in your environment.
  • Leverage the intelligence the service provider has discovered regarding the attack. A customer can import IOCs, like those issued to Wipro’s clients, into its security solutions to scan current and prior events for signs of related attacks in the customer’s environment.
  • Assume that service provider email accounts have been compromised and that any communications with the service provider over email can be intercepted. Use other forms of communication (e.g., a live call) for sensitive discussions or information sharing.
  • Undertake a retrospective review of the service provider’s activities on your organization’s systems, as well as any general security issues or risk indicators recently recorded at your organization. Request detailed confirmation that any risk indicators or security issues are contained and unrelated to the service provider’s breach.
  • Even before a breach occurs, safeguard access to sensitive systems and applications using (and requiring the service provider to adhere to) multi-factor authentication, and prevent unauthorized use of privileged accounts (e.g. domain or system administrators) using Privileged Access Management (PAM) capability.
  • If PAM capabilities are not in place prior to the service provider breach, consider retaking temporary ownership of highly privileged accounts that, if falling into the wrong hands, could significantly impact your operations and/or brand. Reassign the highly privileged access to the service provider only after you’ve received assurance that the incident has been fully investigated and marked as closed.
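The IOC import and retrospective review described in the list above can be sketched as a small sweep over historical events. This is an added example, not code from Wipro or from this article; the indicator values, the event layout, the dates, and the `svc-provider-` account naming convention are all constructed assumptions.

```python
import re
from datetime import datetime

# Constructed IOC feed in the defanged form such lists often circulate in (placeholders only).
IOC_FEED = """
hxxps://login-portal[.]example[.]net/owa
mail-update[.]example[.]org
203[.]0[.]113[.]45
"""

# Constructed historical events: (timestamp, account, destination host or IP).
EVENTS = [
    ("2019-03-12T09:14:02", "svc-provider-01", "cdn.mail-update.example.org"),
    ("2019-03-20T22:41:10", "jdoe", "203.0.113.45"),
    ("2019-04-02T11:05:33", "svc-provider-02", "intranet.example.com"),
    ("2019-04-15T03:27:48", "asmith", "login-portal.example.net"),
]

PROVIDER_PREFIX = "svc-provider-"  # assumption: how provider accounts are named

def refang(line):
    """Normalize a defanged indicator to a bare lowercase host or IP."""
    s = line.strip().lower().replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^h(xx|tt)ps?://", "", s)
    return s.split("/")[0].split(":")[0]

def load_iocs(feed):
    """Parse a feed into a set of normalized indicators, skipping blank lines."""
    return {refang(line) for line in feed.splitlines() if line.strip()}

def matches(dest, iocs):
    """Return the indicator hit by dest (exact, or dest is a subdomain), else None."""
    dest = dest.lower().rstrip(".")
    return next((i for i in iocs if dest == i or dest.endswith("." + i)), None)

def sweep(events, iocs, since):
    """Return hits at or after `since`, service-provider accounts first."""
    hits = []
    for ts, account, dest in events:
        ioc = matches(dest, iocs)
        if ioc and datetime.fromisoformat(ts) >= since:
            hits.append({"time": ts, "account": account, "ioc": ioc,
                         "provider_account": account.startswith(PROVIDER_PREFIX)})
    return sorted(hits, key=lambda h: (not h["provider_account"], h["time"]))

if __name__ == "__main__":
    for hit in sweep(EVENTS, load_iocs(IOC_FEED), datetime(2019, 3, 1)):
        print(hit)
```

Setting the look-back start before the earliest suspected intrusion date matters here: a sweep limited to current events would miss activity that predates the provider's notification.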

Contractual Considerations

Perhaps just as vital as an organization’s operational response in the face of a service provider’s security breach are the contractual obligations put in place before the breach occurs to mitigate the occurrence of an incident and manage risks in the wake of an incident. Agreements with service providers should include robust security provisions that account for the sensitivity of the customer’s data being handled, and the documentation should clearly outline the rights of the customer and obligations of the service provider in the event of an information security breach.

Following a security incident, an institution will want to quickly review the applicable agreement(s) and related attachments to confirm that the security representations and requirements the service provider agreed to in the contract, as well as the measures the service provider must take in the wake of a data security incident (e.g., providing certain information, cooperation, and data access to the customer; indemnifying the customer for certain employee- and third party-related costs or claims incurred by the customer in responding to the breach), are being followed. A customer may also need to consider its contractual audit rights, particularly in the event that its own information security practices require the customer to perform a review of (or obtain specified information regarding) the service provider’s systems following a data security event.

In more extreme circumstances, a customer may need to consider the contract’s limitation of liability and risk allocation regime, in the event that the data security incident causes harm to the customer that can only be addressed through recoupment of damages or termination.

Conclusion

In the face of a breach, both parties to a services agreement have a shared interest in working together to promptly contain the breach, and to remediate its potentially damaging effects as soon as possible. The attorneys and consultants in Pillsbury’s Global Sourcing & Technology Transactions practice are well versed in both the operational and contractual issues that emerge following a data security incident and are happy to schedule a phone consultation to discuss the Wipro breach and its potential implications for your organization.
