A recent survey conducted by the Ponemon Institute reveals that 59% of companies have experienced a third-party breach in 2018 and 2019, which is an increase of 3% compared to the previous year. Data breaches caused by third parties cost millions of dollars to large companies and devastating to small businesses.

Third-parties are those companies that support your organization and often have access to, share, or maintain data critical to your operations. Third-parties include a broad range of companies such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, service providers, subcontractors, basically any company whose employees or systems have access to your systems or your data. However, third-party cyber risk is not limited to these companies alone. Any external software, hardware or firmware that you use for your business also poses a cyber risk. There are several tools to assess third-party cyber risk and ways to prevent software supply-chain attacks. Knowing your potential risks allows your business to make adjustments and protect itself from becoming the next cyber breach headline.

We regularly update the list of major third-party (aka supply-chain) attacks and breaches that are revealed in the news and December was an active time for third-party data breaches. Here are the December picks.

1. Ministry of Defence and the Singapore Armed Forces

ST Logistics, a contracted third-party of  Singapore Armed Forces (SAF) and Ministry of Defence (Mindef) have been breached by malicious software, this December. The breach is a result of a series of  e-mail phishing attacks sent to employees’ e-mail accounts, ST Logistics announced. A total of 2,400 Mindef and SAF records may have been leaked due to the breach.

Potentially exposed data include:

  • the full names and NRIC numbers, 
  • contact numbers, 
  • e-mail addresses or residential addresses. 

The time window for the breach remains unknown for the time being. ST Logistics is providing eMart retail and equipping services to SAF and Mindef. 

In an unrelated incident that has also affected SAF; 120,000 records have been potentially exposed, the officials revealed. The server of HMI (Institute of Health Sciences), a third-party providing healthcare training services to SAF, has been infected with ransomware.  The encrypted file on the server contained personal data of 98,000 SAF servicemen including

  •  full names and NRIC numbers of MINDEF and SAF personnel have taken cardiopulmonary resuscitation and automated external defibrillation (AED) courses.

The Personal Data Protection Commission (PDPC)  has been notified of both of the incidents and is currently conducting investigations. Mindef and SAF are also analyzing the root-cause of the incidents.

“Mindef and the SAF take a serious view on the secure handling of personal data by our vendors. The security of their IT systems is an important factor that will be taken into account in the award of contracts,” the ministry said. 

2. City of Sioux & City of Marietta

The breaches associated with Click2Gov, one of the most widely-used online utility payment software in the USA, have been continuingly  affecting the cities. Latest news came from the City of Sioux and City of Marietta. 

The breach, associated with the third-party, has a potential to affect 3,500 City of Sioux City customers who used the city’s Parking Ticket System and Utility Billing System. 

Click2Gov mentioned that the malicious code inserted into Click2Gov’s site, made it possible for hackers to capture  payment card information of Sioux City customers.

The breach window is believed to be between Aug. 26, 2019 and September 18, 2019, according to the investigations being conducted by the city. 

The forensics claim the following information could have been captured during payment transactions:

  • names, 
  • addresses,
  • payment card number, expiration date, and CVV.

For the case of City of Marietta, the breach window is believed to be between Aug. 26 and Oct. 26, 2019. 

“Only customers who entered their credit card number manually during those dates would be at risk” announced IT Director Ronnie Barrett. Customers  registered to the auto-pay system or those who paid in person were not affected by the breach.

Marietta IT Director also revealed that customer data was dumped onto the dark web. “The transaction on the dark web had six fields of information on it, it was the credit card number, the first name, the last name, the address, the city, the state and the ZIP code,” he said. “And there is a strong linkage between that data with other customer data. … The FBI is assuming that all of that data was related to the Click2Gov. So there was no direct linkage, but they believe that’s where the linkage is. They have not verified that yet.”

3. NYPD Fingerprint Database

A recent ransomware attack affected the fingerprint database of the New York Police Department. The attack was due to a third-party vendor installing video equipment at one of the NYPD training centers, officials say. 

The ransomware was detected almost instantly and the database was taken immediately offline. Nevertheless within a couple of hours it propagated  to more than 20 other machines connected to the fingerprint tracking system.

Regarding doubts whether the attack was targeted or not,  NYPD concluded that it was due to an infected device (NUC mini-PC ) plugged into the network and unintentional.

Mounir Hahad, Head of Juniper Threat Labs at Juniper Networks, commented on the attack vector: “The fact that the malware has worming capability, meaning it can spread from one computer to the next, is reminiscent of the WannaCry attack. We do not know if this attack is WannaCry, but we should all remain cautious about the leftover infections. Threat researchers continue to see a healthy background noise of previously infected computers that continue to infect other devices using the EternalBlue exploit over the SMB protocol. Fortunately, they rarely trigger the encryption routines because of the presence of the kill switch domain.”

According to officials, the ransomware had never executed, thanks to proper implementation of technical controls. 

Ransomware attempts against public institutions are not new. A ransomware incident hit the city of Atlanta in 2018 where hackers demanded a ransom of $51,000.

4. Nasdaq, Xerox, CenturyLink, General Electric, Forever21, Dunkin Donuts

IPR, a PR company that provides CM software and marketing services to top-name brands,  exposed customers’ sensitive data through a publicly-accessible Amazon S3 bucket database. Among the sensitive information leaked through the bucket, there were details of 477,000 clients’ media contacts, business account information, 35,000 hashed user passwords, various documents, and admin credentials for Google, Twitter, and MongoDB. The data belonged to some high-profile customers of IPR Software including Xerox, CenturyLink, Nasdaq, General Electric, Forever21, and Dunkin Donuts. 

The researchers found the bucket to be publicly accessible in mid-October. Only after a full month following the notification of the researchers, the owner fully secured the database.

The bucket contained a large collection of files reaching terabytes, suggesting it was likely serving as the backend for IPR’s content management system. Among the files accessible,  there is internal documentation regarding the administration of IPR’s platform as well as IPR users’ accounts and client data, such as management of their digital marketing. 

Personal Data:

  • Clients’ Media Contact information 

IPR’s data:

  • IPR’s Twitter account 
  • A password for a MongoDB 
  • Google API access key

Company-specific data:

  • Customers’ marketing strategy.