A recent survey conducted by Ponemon Institute reveals that 59% of companies have experienced a third-party breach in 2018, which is an increase of 3% compared to previous year. Data breaches caused by third parties cost millions of dollars to large companies.
Third-parties include broad range of entities a company directly worked with, such as data management companies, law firms, email providers, web hosting companies, subsidiaries, vendors, sub-contractors; basically any company whose employees or systems have access to your systems or your data. However, third-party cyber risk is not limited to these companies. Any external software or hardware that you use for your business also poses a cyber risk. There are several tools to assess third-party cyber risk and ways to prevent software supply-chain attacks.
Major Third-party Breaches Revealed
We regularly update the list of major third-party (aka supply-chain) attacks and breaches that are revealed in the news and January was an active time for third-party data breaches. Here are January picks.
A misconfigured server of a third-party vendor exposed millions of bank loan and mortgage documents that belong to Ascension, a Texas-based a data and analytics company for the financial industry. The documents contain sensitive information for many major financial institution including CitiFinancial, HSBC Life Insurance, Wells Fargo, CapitalOne and some U.S. federal departments. The third party involved, OpticsML, provides OCR (Optical Character Recognition) services to convert paper documents and handwritten notes into computer-readable files.
2. 141 Airline Companies
A critical flaw in online booking system managed by Amadeus allows attackers to reach flight information of individuals if reservation (PNR) number is known. The system provides service for 141 airline companies. The security researcher, Noam Rotem, who discovered the bug, shows that the system does not have a brute-force protection, a lack of security that allows unlimited number of trials with randomly generated PNR numbers.
3. European e-commerce Sites
4. City of Saint John, NB and Hanover County
The cities of Saint John in New Brunswick, Canada and Hanover County of Virginia have become the latest victims of attacks against Click2Gov, an online payment tool widely used by many U.S. and some Canadian cities. Unfortunately, payment information of 6,000 citizens in Saint John and thousands in Hanover County were compromised.
Humana, a health insurance company, notified its customers about a third-party data breach that compromised name, address, date of birth, partial social security numbers, and some info about policy type of an unknown number of customers. The breach caused by one of the Humana’s business partners, BankersLife.
6. Companies that use PHP Pear
A company may suffer third-party data breach
if anyone in the company has downloaded PHP PEAR package manager from its
official website in the past six months The maintainers at the PHP Extension
and Application Repository (PEAR) found that original PHP PEAR package manager
(go-pear.phar) has been replaced with a modified version that has a malicious
Open-source libraries like PHP PEAR are common in developers community and used for adding functionalities into their websites such as encryption or authentication. It is important to note that many hosting providers allow their users to install and run PEAR. Thus, the extent of the incident may be larger than expected.
7. Highmark BCBS, Aetna, Emblem Health, Humana, and United Health
Five Delaware companies, Highmark BCBS, Aetna, Humana, and United Health, experienced data breach caused by a third-party administrator for health insurance companies, BenefitMall. Benefit Mall provides online payroll, benefits, tax compliance & HR services and, as a result of data breach, 650 consumers’ data has been exposed.
LocalBitcoins, a peer-to-peer cryptocurrency exchange portal, announced a theft of almost 8 bitcoins ($28,200) from five victims. The portal claims that the theft caused by a third-party service used in its forum sites.
Sources: Links to relevant news and our updated list can be found at https://www.blackkite.com/data-breaches-caused-by-third-parties/