A recent survey conducted by Ponemon Institute reveals that 59% of companies experienced a third-party breach in 2018, an increase of 3% compared to the previous year. Data breaches caused by third parties cost large companies millions of dollars.

Third parties include a broad range of companies that a company works with directly, such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, and subcontractors: basically any company whose employees or systems have access to your systems or your data. However, third-party cyber risk is not limited to these companies. Any external software or hardware that you use for your business also poses a cyber risk. There are several tools to assess third-party cyber risk and ways to prevent software supply-chain attacks.

We regularly update the list of major third-party (aka supply-chain) attacks and breaches that are revealed in the news, and June was an active time for third-party data breaches. Here are our June picks.

  1. Quest Diagnostics, Laboratory Corporation of America, and Opko Health

A breach occurred at the American Medical Collection Agency (AMCA), a provider of billing services for the US healthcare industry. Companies that use AMCA’s portal were affected by the data breach, which exposed the information of over 20 million Americans.

Diagnostics companies affected by the data breach include Quest Diagnostics (11.9 million patients), LabCorp (7.7 million patients), BioReference Laboratories (Opko Health subsidiary, 422,600 patients), Carecentrix (500,000 patients), and Sunrise Laboratories (undisclosed number of patients).

The breached data may include patient names, dates of birth, addresses, phone numbers, dates of service, providers, and balance information as well as credit card and bank information.

  1. Komodo

A serious vulnerability has been discovered in the cryptocurrency wallet app (Agama) developed by Komodo because of a third-party JavaScript library called electron-native-notify.

After discovering the vulnerability, Komodo used the same exploit against its own customers to gain control of their wallets and, without their authorisation, transferred nearly 8 million KMD ($10 million) and 96 Bitcoins ($1 million) from those wallets to a new address owned by the company in order to protect its customers’ funds.

This is not the first time a cryptocurrency exchange has been targeted by hackers using third-party JavaScript. In January, gate.io experienced BTC theft through malicious code embedded in external JavaScript. Third-party JavaScript is part of the software supply chain, and it increases a company's cyber risk as much as any other software used in the supply chain. While third-party cyber attacks are on the rise, third-party JavaScript seems to be one of the hackers' top methods for carrying them out. Third-party JavaScript should therefore also be taken into consideration when mitigating the cyber risk that comes from the software supply chain.

  1. Westpac Bank

Customers of an Australian bank, Westpac Bank, were impacted by a cyber attack caused by a third-party vendor, PayID, which serves as a payment portal that allows the instant transfer of money between banks. Almost 100,000 Australians’ personal information has been breached. Westpac confirmed the attack: “Westpac can confirm we had detected misuse of the PayID functionality and we took additional preventative actions which did not include a system shutdown.” This attack also affects customers of other banks in Australia.

Third-party risk management is important for banks because the weakest link of the system is no longer the employees but third parties, which have recently and increasingly become the main cause of cyber attacks and data leaks. Third-party cyber risk management has therefore become a growing need, and banks are required to periodically assess the risks of third parties.

(*) Links to relevant news and our updated list can be found at https://www.blackkite.com/data-breaches-caused-by-third-parties/