Trusted third-parties are security holes. Especially with PII. Got reminded of this again today.