Major Third-Party Data Breaches Revealed in October 2020 – Part 1
Written by: Black Kite
Data breaches caused by third parties cost large companies millions of dollars and are often devastating to small businesses. A recent survey conducted by the Ponemon Institute reveals that 59% of organizations have experienced one or more data breaches caused by a third party, costing an average of $7.5 million to remediate. IBM’s Cost of a Data Breach Report 2020 lists third-party involvement as one of the cost amplifiers of a breach, increasing the average data breach cost by $207,000.
Third parties are companies that support your organization and often have access to, share, or maintain data critical to your operations. Third parties include a broad range of companies such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, service providers, and subcontractors. Essentially, any company whose employees or systems have access to your systems or your data is considered a third party. However, third-party cyber risk is not limited to these entities: any external software, hardware, or firmware that you use for your business can also pose a cyber risk. There are several tools to assess third-party cyber risk and ways to prevent software supply-chain attacks. Knowing your potential risks allows your business to make adjustments and protect itself from becoming the next cyber breach headline.
We regularly update the list of major third-party (aka supply-chain) attacks and breaches revealed in the news. In this blog, you will find the most recent breaches for the month of October. It should be noted that several of these breaches are still being substantiated as more data is collected.
1. Lazada
Recently, Southeast Asian e-commerce firm Lazada announced a data breach that compromised the personal details of many users in Singapore. On Oct. 29, Lazada’s cybersecurity team found unauthorized access to a customer database for RedMart, the city-state’s online grocery delivery service. Lazada is currently owned by Alibaba.
The security team stated that the exposed database had been out of date for more than 18 months, with the last update in March 2019. In a statement to customers, RedMart’s parent company Lazada said the breach led to unauthorized access to a “RedMart-only database” hosted on a third-party service provider. The data contained personal information such as names, phone numbers, encrypted passwords, and partial credit card numbers.
Lazada revealed plans for the incorporation of the RedMart app into its e-commerce platform in January 2019, more than two years after RedMart was acquired in November 2016. It also plans to expand the online food service to other Southeast Asian markets.
2. JM Bullion
Recent Magecart breach news came from JM Bullion, an online retailer of gold, silver, copper, platinum, and palladium products, including coins and bullion. JM Bullion is the latest victim of a Magecart attack: its site was compromised to include malicious scripts that stole customers’ credit card information.
JM Bullion’s website was compromised in the middle of February 2020, when a malicious script was introduced to the site, according to a ‘Notice of Data Protection Incident’ sent to clients. The breach window is thought to run from February 18, 2020, to July 17, 2020, and any payment information submitted within this time frame was sent to a remote server under the control of the attacker.
“On July 6, 2020, JM Bullion was alerted to suspicious activity on its website. JM Bullion immediately began an investigation, with the assistance of a third-party forensic specialist, to assess the nature and scope of the incident. Through an investigation, it was determined that malicious code was present on the website from February 18, 2020 to July 17, 2020, which had the ability to capture customer information entered into the website in limited scenarios while making a purchase,” JM Bullion’s data security incident notice stated.
The information leaked included:
- names
- addresses
- payment card information (the account number, expiration date, and security codes)
This form of attack is known as a ‘Magecart attack’ and consists of attackers inserting malicious JavaScript into different parts of a website after compromising that site (or one of the third-party scripts it loads). These scripts wait for the user to submit payment information, which is then intercepted and sent to a remote server under the control of the attacker.
The Magecart groups became notorious through the British Airways (BA) and Ticketmaster cases; BA was eventually issued a £20m fine by the ICO (Information Commissioner’s Office) in connection with the data breach affecting more than 400,000 customers.
3. Rady Children’s Hospital, Sonoma Valley Hospital
Blackbaud-related breach news continued in October, with Rady Children’s Hospital becoming another victim of the ransomware attack. The hospital recently announced that Blackbaud, which provides its fundraising and donor management software, alerted it to a compromise between Feb. 7 and June 4, 2020. In that time frame, according to the information given in a news release, an “unauthorized group” had access to backup files for Blackbaud’s fundraising software. The data compromised included:
- names
- addresses
- physicians
- department of service
- procedure names and dates of birth
and also a financial account number for one particular individual.
“Blackbaud has informed us that it has no indication that any of the information actually was viewed, and that it has no reason to believe that any of this information has been or will be misused, or will otherwise be made available publicly,” the hospital said.
Hospital officials have already taken steps to protect personal information, which include monitoring financial account records, placing a fraud alert on credit reports, and freezing credit files.
Another victim of the Blackbaud breach, Sonoma Valley Hospital in California, is currently operating under EHR downtime procedures after the incident. The hospital declared in a notice [1] that it took all electronic systems offline immediately after the incident. The hospital added that no financial information was leaked due to the breach.
4. Google
A data breach at immigration law firm Fragomen, Del Rey, Bernsen & Loewy revealed that an unauthorized third party accessed personal information related to a “limited number” of employees at Google, one of its clients. The firm filed a notice of the data breach with the office of the California Attorney General, stating that it was discovered last month while the firm was investigating suspicious activity inside its network.
“While we have no evidence of any further misuse, we have taken steps to remediate the incident and have verified it was an isolated incident that did not involve our general client data systems,” the firm added.
It is not currently clear how many employees were affected by the breach. If a data breach affects more than 500 California-based workers, their employer is required to file a notice of the incident with the attorney general’s office.
The Form I-9 records held by the law firm verify that employees are legally authorized to work in the country and can contain sensitive documents such as:
- passports
- driver’s licenses
- ID cards
5. Business Customers of NITRO: Apple, Google, Amazon, Citibank
Recent data breach news came from NITRO Software, a PDF service used extensively by business customers such as Google, Apple, Microsoft, Chase, and Citibank. Nitro is an application used to create, edit, and digitally sign PDFs. As part of its cloud services, NITRO users can share a document with their coworkers or with partners at other organizations. NITRO’s initial statement described the event as a low-impact incident in which no customer data was leaked.
However, according to [2], a threat actor is allegedly selling the ‘user_credential’ database table for a starting price of $80,000. The database supposedly holds 70 million user records, including:
- email addresses
- full names
- bcrypt hashed passwords
- titles, company names
- IP addresses, and other system-related data
13,772 accounts and 195,547 documents belonging to Amazon, Apple, Citi, Chase, Google, and Microsoft are believed to be in the compromised database [2].
6. Government Departments and the Australian Stock Exchange
Media-monitoring giant Isentia reported that several of its online platforms are ‘currently facing a threatening security incident’. The Sydney-based company, which operates in eight markets, disclosed the news yesterday in a release to the Australian Securities Exchange (ASX).
“Isentia is taking urgent steps to contain the incident and conduct a full investigation into what happened and how to avoid a repeat occurrence in the future,” said CEO, Ed Harrison in a statement to the ASX. “Our priority is to restore full service as soon as possible but until that occurs, we have put processes in place to support our customers.”
Many of Isentia’s customers are government departments. Although the word ransomware was not used, the incident is known to have disrupted its SaaS Mediaportal platform. Mediaportal is Isentia’s all-in-one application, used by communications professionals in both the public and private sectors to track media coverage and identify relevant journalists.
Isentia has not declared the volume and type of data leaked as part of the incident.
References
[1] https://www.sonomavalleyhospital.org/systems_disruption/