AT&T Hack Highlights Web Site Vulnerabilities.
But that's not the reason I'm blogging it. The part I'm finding interesting is that the AT&T website in question was actually being operated by an undisclosed third party (how fortunate for them), not AT&T. With organizations of any size it's a common practice to contract with a partner to manage a portion or even a feature of a web presence. Web Banks do it with bill-pay, Online Stores with checkout, News Agencies host images with Akamai, etc. Few if any major web presences can be considered pure anymore.
For many reasons, outsourcing specific pieces makes sound business sense. No need to build the infrastructure, software, staff, and figure out everything else you might now consider ahead of time. Pay a monthly/annual fee and you're good to go with better ROI. However, what's commonly forgotten from a security perspective is that it's YOUR NAME on the front of the website, not your partner's. When that third-party-run website is hacked, you're the one getting the nasty customer calls and negative headlines! You should at least be monitoring the security of the vendor-hosted website as often as your own.