Major Third-Party Data Breaches Revealed in January 2021
Written by: Black Kite
Data breaches in 2020 proved to be just as costly as they were high profile. According to IBM’s Cost of a Data Breach Report 2020, an average breach cost organizations $3.86 million. As if that isn’t devastating enough, many factors contributed to an even higher price tag. A company’s location and industry can play just as big a role as root cause and response time in determining the overall financial impact of a breach.
One of the most common—yet less talked about—data breach amplifiers is third-party involvement, which increased the total cost of a breach by over $200,000 in 2020. Hackers know that third parties often have access to, share, and/or maintain data critical to your everyday operations. They’re considered “weaker links” and are often leveraged as a means to infiltrate major organizations.
With a new year comes new breaches. As we continue to update our list of third-party breaches in real time, we’ve also rounded up the largest third-party breaches from January. (Note: Several of the breaches are still being substantiated as more data is collected.)
1. The New Zealand Reserve Bank and Australian Securities and Investments Commission (ASIC) Data Breaches Were Caused by File-Sharing Services
The most striking third-party breach news this January came from New Zealand when both its central bank, responsible for creating monetary policy, and the ASIC disclosed breaches one after another.
A statement issued by the bank read, “A third-party file sharing service used by the Bank to share and store some sensitive information, has been illegally accessed… We are working closely with domestic and international cybersecurity experts and other relevant authorities as part of our investigation and response to this malicious attack. The nature and extent of information that has been potentially accessed are still being determined, but it may include some commercially and personally sensitive information.”
According to the New Zealand Reserve Bank, its file transfer application service, provided by California-based Accellion, was illegally accessed.
2. Social Media Management Company Leaked Sensitive Facebook, Instagram, LinkedIn User Data
A massive leak was also detected from Chinese social media management company Socialarks. Four hundred gigabytes of data was discovered exposed, without password protection, on an Elasticsearch server.
A vast organization with more than ten regional branches spread across southern China including famous locations like Beijing, Shanghai, Shenzhen, Guangzhou, Ningbo, and Suzhou, the company leaked sensitive information including:
- Biographies
- Phone numbers
- Email addresses
- Follower count
- Comments, most-used hashtags, and other activity: whatever these users were doing on their social platforms, some of that information was present in this database
This scraping of user activity is absolutely against the social media platforms’ terms and conditions.
3. A Vendor of Major Auto Retailers Audi, BMW, Mercedes, Porsche, Saab, Volkswagen, and Volvo Was Hit by a Ransomware Attack
The latest ransomware attack wreaked havoc on the automotive industry. NameSouth, a U.S. auto parts shop servicing major retailers like Audi, BMW, Mercedes and more, was targeted by NetWalker last month.
Days after the company presumably did not pay the ransom, the group published its data, which included financial and accounting information, credit card statements, personally identifiable employee information, and various legal documents.
4. Seven Million Bonobos Customers’ Data Exposed from a Cloud Backup Hosted by a Third-Party Provider
U.S. men’s clothing retailer Bonobos suffered a data breach that included up to 7 million customer names and telephone numbers, 3.5 million credit card records, and account information for 1.8 million customers which included passwords.
The breach originated at an undisclosed third-party vendor that was hosting Bonobos’ cloud backup data. Threat actors were able to penetrate the third-party vendor’s systems and steal 70 GB worth of customer data. A vendor that stores valuable data of a company and has a poor cybersecurity posture is the one big gray rhino in the company’s digital ecosystem.
5. A Healthcare Provider Caused Data Breaches of UPS and Norfolk Southern Railroad Employees
Taylor Made Diagnostics, an occupational healthcare provider in Virginia, also experienced a data breach last month. Some sources reported that “among the more than 3,000 TMD files leaked on January 8 were multiple health records for employees at both UPS and Norfolk Southern dated as recently as December 2020.”
Healthcare providers are major targets for threat actors due to the valuable personal health information (PHI) they possess, as well as their mediocre cybersecurity postures. Even with regulations like HIPAA in force, many healthcare providers suffer from cyber incidents.
6. Military Defense Institutions in India Experienced a Data Breach Caused by a Tech Service Provider
ELCOM Innovations, a technology solutions provider to India’s defense forces, was also allegedly hacked. According to the Indian police, the threat actors stole confidential and classified information that might be related to the company’s contracts with defense forces, paramilitary forces, and the country’s intelligence agencies.
Mission-critical departments such as public defense institutions should perform due diligence while onboarding any vendor to their digital ecosystem. After onboarding, continuous monitoring of such vendors is a must to maintain the safety of the data shared with third-party vendors.
To avoid becoming the next victim of a supply chain attack, it’s critical to assess not only your organization’s cybersecurity measures but also the cyber hygiene of your third parties. Understanding your weaknesses, or “gray rhinos,” enables your business to prioritize vulnerabilities and adjust accordingly.