5 Lessons Learned from the Largest Third-Party Breaches in 2020
Written by: Black Kite
COVID-19 shook up the world as we once knew it. “Business-as-usual” was replaced with a struggle to innovate and overcome 2020’s many challenges, especially for the cybersecurity landscape. As supply chains weakened due to the pandemic’s impact, cybercriminals took advantage of the perfect storm—causing it to become the year of major third-party attacks and breaches. While the year (finally) coming to an end calls for celebration, we can’t neglect to reflect on those cyber attacks.
Which factors do cyber attackers consider before making a move on bigger prey? How can organizations avoid becoming the next target? Our research team examined the largest breaches that cluttered 2020’s headlines to find out.
An overwhelming amount of factors combined to create the perfect storm for cybercriminals in 2020, causing 80% of firms to witness and increase in cyberattacks.[1] To avoid falling victim to such a scenario this time around the sun, our research team analyzed the top-5 largest data breaches caused by third parties and their root causes. In turn, we’ve uncovered five resolutions to make your cybersecurity strategy healthier than ever in 2021.
Before we dive in, it’s critical to understand exactly where a potential cybercrime begins.
Which Third-Party Vendors Are Targeted Most?
It’s no secret that hackers are extremely intelligent, which is why no two attacks are ever the same. While we determined payment software as a frontrunner on our 2019 list, we observed attacks towards a diverse set of third-party software systems in 2020. From banking and payment software to employee communications and channel managers, payment software to channel managers, hackers gained a trove of personal information and company confidential data in the attacks cast on software vendors. Not surprisingly, IT Service Vendors ranked second among the vendors targeted in supply-chain attacks. Keep in mind that although less common, IT service-related attacks are far more dangerous given the fact that most are granted internal by their customers.
What About the Root-Causes?
There are also a few lessons to learn from the major root causes of these third-party attacks. Presumably not a shock to most, unsecured and/or misconfigured servers, ransomware attacks and APTs secured the top-3 factors on our list.
- Unsecured databases including S3 buckets: Misconfigured servers have been high on our radar for quite some time. While there are great advantages to using cloud servers to store company data, misconfigured buckets expose sensitive information. Consider it an open invitation to hackers to dump and use a company’s data for their malicious activities, as we saw many times in 2020.
- Ransomware: The rise of remote workforces and virtual offices have created an enticing vector for cybercriminals to execute ransomware. From 2019 to 2020, the average global cost to remediate a ransomware attack was over $760,000.[2] With two in every five SMBs claiming to have been a victim of a ransomware attack, it’s no surprise that it’s still No.1 on insurance claims. The BlackBaud breach which started with a ransomware attack created a ripple event for the healthcare and charity community. We observed a growing ransomware attack on the financial sector as well, mostly targeting software systems as in the case of ABS attack.
- APT: An APT establishes an illicit, long-term presence on a network in order to mine highly sensitive data. APT groups and their attacks on supply chains heightened again in 2020. In fact, placing a malicious backdoor on a vendor enables expansion through software updates and toolkit downloads, reaching handfuls of organizations through one vector.
1. As told by SolarWinds: It’s just as critical to be diligent with your third parties as you are with your own organization. Start by identifying gray rhinos in your supply chain ecosystem.
Potentially impacting over 250 companies, SolarWinds was the protagonist of the largest supply-chain hack in the last decade. Beginning with FireEye, victims also included governmental organizations such as the U.S. Departments of Defense, State, Treasury, Homeland Security, and Commerce. Major tech companies also took a big hit as hackers targeted Intel, Cox Communications, Deloitte, Cisco, SAP, Nvidia, Fujitsu, Lukoil, Rakuten, Check Point, and Digital Sense.
The more we learn from the attack, the worse it gets. One thing we know for sure, however, is that you’re only as strong as your weakest link. Hackers will continue to gain access to major companies through their suppliers whenever possible.
2. As told by BlackBaud: Disclose breaches in real-time to prevent any further damage.
Transforming into a ripple effect, the ransomware attack on BlackBaud affected more than 200 organizations– mostly impacting the CRM’s healthcare and education customers.
While the strike happened in May, the aftermath beneficiaries weren’t notified until July, two months after the initial discovery. Although nearly half a million students at different campuses were affected, the toll on the healthcare industry was much worse. More than 6 million patients’ personal information was disclosed, including bank account information, social security numbers, and usernames and/ or passwords.
GDPR requires that notifications are made within a 72-hour window upon discovery of a qualifying breach. As a result, Blackbaud has been recently accused of failing to timely notify breach victims of the incident and its impact, as well as “failing to properly monitor the computer network and systems that housed the private Information; failing to implement appropriate policies; and failing to properly train employees regarding cyberattacks.” At least 10 class-actions lawsuits have been filed against them since.
Companies incur different costs due to breaches. Financial penalties and legal costs make up a big portion of these cost items. Disclosing breaches as quickly as possible can not only help other vendors in your ecosystem contain the breach but also save you from further penalties.
3. As told by American Bank Systems (ABS): Patch, patch, patch!
A severe blow to the finance sector, ABS experienced a ransomware attack that impacted over 350 banks and financial systems in 35 states including First Federal Community Bank, Rio Bank, and more. Avaddon, the ransomware group behind the attack, gained access and leaked 53 GB of data after ABS presumably did not pay a requested fee. The compromised data in the published dump included loan documents, business contracts, private emails, invoices, credentials for network shares, company confidential files, and other personal information. Recently, the software vendor was faced with a class action for not taking security measures to protect customer data.[4]
More than half of the most common exploits are more than a year old– not zero days. IT teams become overwhelmed and miss critical updates under the sea of bugs, CVE codes, severities, patches, and workarounds. A security automation tool with risk prioritization will always help these teams not to miss critical updates and help reduce the risk.
4. As told by Cognizant: Take business continuity and crisis management seriously, as it’s key to providing services in times of crisis.
As one of the largest IT-managed service companies in the world with close to 300,000 employees and over $15 billion in revenue, Cognizant was targeted by the Maze ransomware attack in April.
The attack disabled some of its internal systems and forced it to take other systems offline. Although Cognizant has not disclosed how the attackers were able to access its systems, security researchers identified five devices with Citrix vulnerability in Cognizant’s Trizetto healthcare solutions.
Given that Cognizant manages its clients through end-point clients, or agents, that are installed on customer’s workstations for remote support. Although customers quickly cut off access, the company was left scrambling and expects to pay further legal and consulting fees, as well as incur costs for restoring services and remediating the security breach.
“…Some clients opted to suspend our access to their networks. Billing was therefore impacted for a period of time. Yet, the cost of stopping these projects remained on our books,” explained the company’s CFO Karen McLoughlin.
5. As told by ViewMedia: Know where your data resides throughout your entire ecosystem.
Major news groups were affected by a leak through an online marketing vendor, ViewMedia, an online marketing company that services American publishing brands including Tribune Media and Times Media Group with targeted marketing services.
An unsecured AWS bucket that belonged to the company contained nearly 39 million U.S. that included full names, email and street addresses, phone numbers, and ZIP codes. In addition to these records, the bucket contained tens of thousands of various marketing files like banner advertisements, newsletters, and promotional flyers. Although the information discovered was not financially sensitive, it can still be leveraged through phishing emails to the victims and identity fraud.
Despite their great advantage, misconfigured servers may expose sensitive data. Consider it an open invitation to hackers to dump and use a company’s data for their malicious activities.
Organizations should be able to pinpoint misconfigured servers, which commonly feature:
- Factory default system credentials (username/passwords)
- Enabled directory and file listings that are easily available through search engines
- Excess information such as pages returned to users with error messages
- Unnecessary pages such as sample apps, old privileges, and user accounts
- Outdated software, use of legacy systems, expired patches
Although organizations are experiencing unprecedented data challenges, they must remain cognizant of where data resides throughout the entire ecosystem. It’s the most valuable input to the entire risk management program.
Discover the latest third-party data breaches here.
Download Our 2021 Third-Party Breaches ReportReferences
[1] https://www.idagent.com/10-essential-facts-about-cybercrime-in-2020