Data breaches caused by third parties cost millions of dollars to large companies and are often devastating to small businesses. A recent survey conducted by the Ponemon Institute reveals that 53% of organizations have experienced one or more data breaches caused by a third party, costing an average of $7.5 million to remediate. 

Third-parties are companies that support your organization and often have access to, share, or maintain data critical to your operations. Third-parties include a broad range of companies such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, service providers, subcontractors. Essentially any company whose employees or systems have access to your systems or your data is considered a third party. However, third-party cyber risk is not limited to these entities. Any external software, hardware or firmware that you use for your business can also pose a cyber risk. There are several tools to assess third-party cyber risk and ways to prevent software supply-chain attacks. Knowing your potential risks allows your business to make adjustments and protect itself from becoming the next cyber breach headline.
We regularly update the list of major third-party (aka supply-chain) attacks and breaches that are revealed in the news. March was particularly an active time for third-party data breaches.

1. General Electric

Announced in late March, a data-breach hit Fortune 500 company GE. According to the announcement made by General Electric, one of its third-party service providers, Canon, experienced a data-leak through unauthorized access to an employee email account. Canon Business Process Services revealed that the breach window took place from approximately February 3 – 14, 2020, and the data exposed include:

  • passports
  • birth certificates
  • marriage certificates
  • death certificates
  • direct deposit forms
  • driver’s licenses
  • medical child support orders
  • tax withholding forms
  • beneficiary designation forms
  • applications for retirement, severance
  •  death benefits with related forms and documents relating to GE employees as well as other beneficiaries

GE systems were not directly impacted by the breach. However, the information harvested might be used by criminals and fraudsters in scams and phishing campaigns. Canon promised to provide financial assistance to those affected by the breach if they notify the company by June 30, 2020. It’s unclear how many people were affected by the data breach.

2. T-Mobile

A T-Mobile data breach in early March affected more than 1 million T-Mobile customers as well as its employees. 

The affected customer information includes:

  • names 
  • addresses 
  • phone numbers
  • account numbers 
  • rate plans 
  • Features
  • billing information 

Under telecom regulations, the last item is considered to be “customer proprietary network information” requiring customers to be notified. The financial information and Social Security numbers were not exposed. 

The attack was targeted towards the third party email vendor of the company.  According to the latest revelation, none of the information has been used to commit fraud or misused in any way.

T-Mobile made the following announcement following the breach:

“Our Cybersecurity team recently identified and shut down a malicious attack against our email vendor that led to unauthorized access to certain T-Mobile employee email accounts, some of which contained account information for T-Mobile customers and employees. An investigation was immediately commenced, with assistance from leading cybersecurity forensics experts, to determine what happened and what information was affected. We immediately reported this matter to federal law enforcement and are actively cooperating in their investigation.”

Although not damaging on its own, the exposed data could be leveraged for identity-fraud or to acquire other accounts. Thus, T-Mobile customers are advised to change their passwords and continue to monitor their account details.

3. Entercom

As the second-largest radio company in the United States, Entercom suffered a data breach with regards to its Radio.com domain. An attacker accessed the radio giant’s backup cloud database and possibly exposed sensitive data within. The hosted data in the cloud included Social Security Numbers (SSNs)  and driver’s license numbers. 

The intrusion was discovered in August 2019, immediately beginning a forensic investigation.  The investigation revealed the attacker accessed a third-party cloud hosting service that hosted the exposed information.

The Office of the Attorney General of the State of California was immediately notified of the breach.

Entercom made this announcement following the disclosure: “We have taken and continue to take steps to prevent this type of incident from happening in the future, including by implementing password rotations, enabling multi-factor authentication and stronger password policies for all cloud services, enhancing and broadening auditing based on best practices advised by third party experts, configuring alerts for certain behaviors using the relevant platforms, and providing additional training to staff on data security,” 
Misconfigured cloud services is a common denominator in third-party related attacks. Black Kite lists some of the best practices securing cloud-based assets here.

4. Chubb

Chubb, a global provider of insurance products providing aid to companies affected by data breaches, was also a target of an attack. The officials suspect the incident was the result of a ransomware attack launched by the Maze ransomware group. Recently, the group announced names and email addresses of three senior executives on their website, including CEO Evan Greenberg.

Not only does Maze clone itself across networks, but the group also infiltrates and transfers every critical data worthwhile to its servers.

Due to the fact Chubb is one of the largest cybersecurity companies in the country and provides training to other companies, the attack has garnered attention nationwide.

A company spokesperson recently admitted: “We are currently investigating a computer security incident that may involve unauthorized access to data held by a third-party service provider,” although the third-party service provider’s name is not disclosed at the moment.

Since the announcement, it’s also unclear what data was accessed, as the Maze group has not revealed the contents of the files. It is unknown whether the attack affected Chubb customers or created additional ripple effects.

5. Amazon, eBay, Shopify, Stripe, PayPal

Over  8 million sales records of Amazon UK, eBay and Shopify customers were recently exposed due to a security vulnerability in a third-party app. 

The third-party app was used by small retailers in the EU for calculating value-added taxes for different EU countries.

The exposed data included

  •  sales records
  • customer names
  • email addresses 
  • customer shipping addresses
  • the types and values of purchases
  • the final four digits of credit card numbers

The majority of the personal records exposed were related to the customers in the UK.

Comparitech’s security research team exploited the exposed Amazon Web Services server containing the MongoDB database in early February.  An Amazon spokesperson replied to the warnings claiming stakeholders were informed of the incident.

“We were made aware of an issue with a third party developer (who works with a number of Amazon sellers), who appears to have held a database containing information from several different companies, including Amazon. The database was available on the internet for a very short period of time. As soon as we were made aware, we ensured the third party developer took immediate action to remove the database and secure the data. The security of Amazon’s systems was not compromised in any way.”

The data was exposed for an average duration of 5 days. Experts are now warning the data could be used by bad actors to phish or scam customers with targeted messages.

6. SpaceX, Tesla, Boeing, Lockheed Martin

Visser, a third-party vendor providing precision parts to space and defense contractors, announced a “cybersecurity incident,” in early March.  Although the third party revealed it is “continuing its comprehensive investigation of the attack, and business is operating normally,” initial findings indicate the attack was likely caused by  DoppelPaymer ransomware.

DoppelPaymer, the latest data-stealing ransomware, is a file-encrypting malware that first exfiltrates the company’s data and threatens to publish the stolen files if the ransom is not paid.

The ransomware’s website lists the stolen files from its beneficiaries  including Tesla, SpaceX, aircraft maker Boeing, and defense contractor Lockheed Martin.

Overall, the listed exposed data includes but not limited to: 

  • non-disclosure agreements between Visser and both Tesla and SpaceX
  • a partial schematic for a missile antenna marked as containing “Lockheed Martin proprietary information

A Lockheed Martin spokesperson said the company is, “aware of the situation with Visser Precision and are following our standard response process for potential cyber incidents related to our supply chain.”

Links to relevant news and our updated list can be found at:  https://www.blackkitenew.wpengine.com/data-breaches-caused-by-third-parties/