A recent survey conducted by Ponemon Institute reveals that 56% of companies have experienced a 3rd-party breach in 2017, which is an increase of 7% compared to previous year. Data breaches caused by third parties cost millions of dollars to large companies.

Third-parties include broad range of companies a company directly worked with such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, sub-contractors, basically any company whose employees or systems have access to your systems or your data. However, third-party cyber risk is not limited to these companies. Any external software or hardware that you use for your business also poses a cyber risk. There are several tools to assess third-party cyber risk and ways to prevent software supply-chain attacks.

We regularly update the list of major third-party (aka supply-chain) attacks and breaches that are revealed in the news and November has taken a big share on third-party breaches. Here are November picks(*).

1. Cryptocurrency exchange market gate.io

Many hackers try to hack cryptocurrency exchange markets to steal some cryptocoins. Some major cyber attacks in the past caused cryptocoin thefts worth to millions of dollars.  In the early days of November, hackers targeted one of the well-known cryptocurrency exchange market, gate.io. But, in this particular attack, hackers inserted malicious code to a Javascript, a Web Analytics tool developed StatCounter. Even though that particular javascript used by many sites, attackers only goal seemed to be steal some BTC from gate.io.


2. Ontario Cannabis Store

Canadian Ontario Cannabis Store, a store that sells recreational cannabis, experienced a third-party data breach because of an online tracking tool developed CanadaPost. As a result, around 4,500 customer’s name and addresses were potentially compromised.

Ontario Cannabis Store

3.      Huntsville Hospital in Alabama and El Centro Regional Medical Center

When a healthcare company is hacked,  patient informations are usually on stake. But the attack that affected Huntsville Hospital in Alabama did not compromise the patient data, but it caused a breach of  Social Security numbers of thousands of individuals who applied for a job at the hospital. The breach originated from a third-party online employment application services run by JobScience, Inc.

Huntsville Hospital

The attack against JobScience did not only affect job seekers at Huntsville Hospital, but also the ones at EL Centro Regional Medical Center.

4. City of Bakersfield

City of Bakersfield has become the latest victim of attacks against Click2Gov, an online payment tool widely used by many US cities. Unfortunately, 2,400 user accounts with payment information were compromised.

city of Bakersfield

5. Nordstrom

Nordstrom, a Seattle-based retail store, got its share from the long line of attacks executed against retail stores in 2018. Personal information of employees including names, SSNs and dates of birth, checking account and routing numbers, salaries, etc. were potentially breached. The details indicate that the breach comes from a third-party to manage direct deposits of wage.


6. City of York Council

City of York in England has started a program called One Planet York with the goal of increasing awareness around recycling. To ease the use of program, City ordered a mobile application called One Planet York App developed by Appware. Unfortunately, a vulnerability on the mobile app exploited by the hackers and potentially almost 6,000 individual’s personal information including name, address, postcode, email, phone, and encrypted password were compromised.

City of York Council

7. Atrium Health at Charlotte

Recently, one of the largest data breach in healthcare industry was revealed. 2,65 million patient including names, addresses, dates of birth, invoice numbers, account balances, dates of service, insurance policy information and Social Security numbers were potentially breached. The origin of the attack was a third-party used for billing services managed by AccuDoc Solutions, Inc.

Atrium Health at Charlotte

8. BitPay (CoPay)

The attacks to gate.io was not the only attack to steal cryptocoin this month. With a similar methodology, injection of malicious code to a Javascript, used to steal some bitcoins from users of CoPay mobile, a cryptocoin wallet created by BitPay. This time, attackers exploited a popular Node.js utility package called event-stream maintained by Right9ctrl. Fortunately, the attempt was not successful and nothing has stolen.


9. The Australian Defence Department

A highly classified review by a former federal police chief showed that, in the last 18 months, The Australian Government Defence Department was badly exposed due to poor security postures among many of its small and mid-tier suppliers.

Australian Defence Department

10. Marriott International

Probably the biggest data breach in the entire year of 2018 was experienced by Marriott Hotels. In this massive data breach, personal information of as many as 500 million guests are compromised. The breach hit Marriott’s Starwood branded hotels and it may seem odd why this particular breach is in our third-party data breach list, considering that Starwood is now part of Marriott brand, not a third party. However, if we rewind the events 4 years back, when Starwood was not part of Marriott, it was the time of the leak started. Marriott acquired Starwood in 2016, two years after the beginning of the breach. Lack of due diligence during the M&A process transferred the cyber risk to the Marriott’s system. That’s why it can be classified as a third-party breach and deserves a place in our list.

Marriott International

(*) Links to relevant news and our updated list can be found at https://www.blackkite.com/data-breaches-caused-by-third-parties/