A recent survey conducted by Ponemon Institute reveals that 59% of companies have experienced a third-party breach in 2018, which is an increase of 3% compared to the previous year. Data breaches caused by third parties cost millions of dollars to large companies.

Third-parties include broad range of companies a company directly worked with such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, subcontractors, basically any company whose employees or systems have access to your systems or your data. However, third-party cyber risk is not limited to these companies. Any external software or hardware that you use for your business also poses a cyber risk. There are several tools to assess third-party cyber risk and ways to prevent software supply-chain attacks.

We regularly update the list of major third-party (aka supply-chain) attacks and breaches that are revealed in the news and May was an active time for third-party data breaches. Here are May picks.

1.   Forbes Magazine

Forbes Magazine

Magecart attackers inserted card-skimming scripts into the subscription website for the Forbes print magazine. The affected site was brought down not long after the issue was found; and stays down while Forbes works with outsiders to tidy up the site. Magecart group is infamous for using third-party Javascripts. In 2018, they inserted their malicious code to a Javascript of a web-development company Inbenta to steal credit card information of TicketMaster. We see the same pattern in credit card breaches of British Airways and Newegg.


2.   Websites using Alpaca Forms

web site forums

Hackers have breached analytics service Picreel and open-source project Alpaca Forms developed by Cloud CMS, which provides free CDN hosting. Servers of at least seven companies that used this project compromised to deliver malicious code to thousands of sites. Cloud CMS is presently examining the episode and explained “there has been no security break or security issue with Cloud CMS, its clients or its items.” Reporters states that, currently, there is no proof to recommend this claim, except if Cloud CMS clients utilized the Alpaca Forms content for their locales all alone.

3.   Companies Using Asus’s Webstorage

Hackers attacked Asus’s webstorage system by using man-in-the-middle attack method. It is believed that BlackTech hacker group is behind the attack. Security firms also found that the malware was being distributed through a code-signing certificate stolen from D-Link. Attackers trigger the update by replacing using their own data.

4.   Bank AXIS, ICICI, IndusInd, RBL

credit card

Cyber criminals leaked credit-card data from a third-party data-management firm. City Bank, Axis, ICICI, IndusInd, RBL, and others’ confidential customer data were exposed. The data was stolen into scammers and they employed female telecallers to call as a bank official and request OTP of clients guaranteeing that bank is redesigning the security of their card. The money was sent on online wallets like PayTM and Mobikwik, which were opened using fake details and SIM.

5.   Instagram

instagram logo

A database of a huge number of Instagram influencers, big names, and brand records containing their own data including contact subtleties was found openly available on the web.

It is stated that the database of users on Facebook’s photo-sharing platform, hosted by Amazon Web Services, was found online which left exposed and without a password. It had over 49 million records of Instagram users and was traced back to Chtrbox.

6.   U.S. Customs and Border Protection

us Customs and Border Protection

U.S. Customs and Border Protection (CBP) has announced a digital assault on a subcontractor that gathers duplicates of plate pictures and pictures of travelers influencing under 100,000 individuals.

Based on the given information, CBS database, passports or other travel document photographs were not affected. Congress and law enforcement agencies were informed by CBS about the cyber incident.

(*) Links to relevant news and our updated list can be found at https://www.blackkite.com/data-breaches-caused-by-third-parties/