A recent survey conducted by the Ponemon Institute reveals that 53% of organizations have experienced one or more data breaches caused by a third party, costing an average of $7.5 million to remediate. Data breaches caused by third parties cost millions of dollars to large companies and devastating to small businesses.

Third-parties are those companies that support your organization and often have access to, share, or maintain data critical to your operations. Third-parties include a broad range of companies such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, service providers, subcontractors, basically any company whose employees or systems have access to your systems or your data. However, third-party cyber risk is not limited to these companies alone. Any external software, hardware or firmware that you use for your business also poses a cyber risk. There are several tools to assess third-party cyber risk and ways to prevent software supply-chain attacks. Knowing your potential risks allows your business to make adjustments and protect itself from becoming the next cyber breach headline.
We regularly update the list of major third-party (aka supply-chain) attacks and breaches that are revealed in the news and February was an active time for third-party data breaches. Here are the February picks.

  1. NedBank

The South African based NedBank notified its customers about a breach in mid-February. The breach is believed to have affected the personal details of 1.7 million users, who are current and past customers. The notification of the customers took place via an SMS, saying the affected information includes

  • names, 
  • ID numbers, 
  • home addresses, 
  • phone numbers, and 
  • email addresses.

The breach occurred at the bank’s marketing partner Computer Facilities (Pty) Ltd, that was utilized for sending out marketing and promotional campaigns to customers.

The breach was discovered during NedBank’s routine monitoring process of its partner’s system. Since the third-party vendor was not granted direct access to the bank’s systems, the scope of the breach stayed isolated to the vendor’s network.
The officials of the bank announced no financial data was exposed during the breach. Australian P&N Bank also had a breach this January through its customer relationship management (CRM) platform operated by a third-party hosting firm.

2. RUTTERS Store

Rutters, US-based convenience store chain, disclosed a security breach that affected its customers shopping through POS devices in company’s stores in Pennsylvania and West Virginia. The malware that hit Rutters’, targeted  the POS devices; collected customers’ payment card details inside convenience stores and several of the company’s fuel pumps. 

The affected customer information includes

  • names, 
  • card numbers, 
  • expiration dates, and
  • internal verification codes.

Although different stores were affected by the malware at different periods of time, the effective breach window is believed to be between October 01, 2018 and May 29, 2019. 
The malware collected data from payment cards swiped through point-of-sale (POS).

3. Health Share of Oregon: Adventist Health, CareOregon, Central City Concern, Clackamas County, Kaiser Permanente, Legacy Health, Multnomah County, Oregon Health & Science University, Providence Health & Services, Tuality Health Alliance and Washington County

An announcement made by Health Share of Oregon in early February revealed that a breach at one of its vendors led to an exposure of  Medicaid member data. A stolen laptop from GridWorks, the transportation provider for Metro Area for Medicaid patients, affected about 650,000 patients.

Health Share of Oregon, giving service to more than 300, 000 people through Oregon Health Plan, revealed that Gridworks was aware of the breach in November 2019, but did not notify Health Share until early January . 

“The member information located on the laptop includes members’ names, addresses, phone numbers, dates of birth, social security numbers, and Medicaid ID numbers,” Health Share said in a statement. “Members’ personal health histories were not exposed,”

The breach that put 650,000 patients PII (personally identifiable information) at risk, occurred when a GridWorks’ office was broken into and a laptop stolen. For the time being Health Share of Oregon could not confirm whether the stolen information have been utilised in any criminal activity or whatsoever.

The affected patients are currently being notified of the incidents through letters and offered a year of free credit monitoring.

4. Idaho Central Credit Union

Idaho Central Credit Union notified its customers of a data breach possibly exposing possibly finance-sensitive data of its customers early this February.  The beach was discovered through an unusual activity on its third-party mortgage portal in November 2019. Upon the investigation, the breach was confirmed but this time unveiled a totally unrelated second incident associated with a staffer’s email account. The details regarding the second breach are not disclosed, as the investigation is still ongoing. 

The first breach possibly exposed

  • exposed name, 
  • date of birth, 
  • Social Security number, 
  • financial account information, 
  • tax identification number, and 
  • information on borrowers, liability, assets, employment, and income.

Other details on the breach such as the number of affected customers has not been announced. 

“ICCU notified all individuals who may have been impacted by either of these situations. We regret the concern and inconvenience created by these situations and are fully committed to continual efforts to help prevent similar situations from occurring again” announced ICCU Director of Public Relations.

5. Carson City

Another Click2Gov breach that hit the news this February came from Carson City.  According to the announcement made by City Manager Nancy Paulson, financial information of the residents who paid their bills online, was compromised. 

An unauthorised code implanted onto the third-party vendor’s online payment system has led to the breach, according to the findings of the investigation launched by the city. The malicious code captured payment card data and other information between the dates of Aug. 1, 2019 and Sept. 12, 2019. The third-party vendor, CentralSquare cooperated with Carson City and a forensics firm to remove the malicious code in due time.

The affected personal  information (PII) includes

  • names, 
  • addresses, 
  • email addresses, 
  • payment card numbers, expiration dates, card security code (CVV) information,
  • bank account numbers and routing numbers

of the Carson city residents.

6. Community Care Physicians

A malware infection on a New-York based accounting firm in December revealed that some PHI (Protected Health Information) might also have been leaked. The network of the third-party vendor, BST was holding data from some of its clients including Community Care Professionals (CCP). Although CCP’s systems were not impacted by the malware, PHI of  some of the CCP’s patients are currently at risk.

The third-party accounting and tax provider, BST sent-out this announcement to news channels:

“BST provided notification to individuals out of an abundance of caution, including furnishing those who may have been impacted with identity monitoring at no cost. We deeply regret any inconvenience to those who may have been affected. Unfortunately, data security incidents have become increasingly common and are impacting organizations both large and small, public and private. We are committed to ensuring the security of all data under our care, and encourage all to remain vigilant about the growing occurrence of cyber threats.”

The personal data that might possibly be exposed during the malware infection includes:

  • personal health information for some clients, 
  • financial data, billing codes
  • names, dates of birth, billing codes, 
  • insurance description, and 
  • medical record numbers. 

The affected patients are being offered a year of free identity monitoring.

7. Brunswick County Schools

A phishing attack on a third-party service provider to the Brunswick County schools resulted in  a potential exposure of PII (Personally Identifiable Information) of 658 employees. Interactive Medical Systems Corporation, which provides administering  services for Flexible Spending Account plans to Brunswick County Schools’ employees, started a forensic investigation right after the breach was discovered.

The breach window is believed to be July 19 and December 31, according to the investigation. 

A recent announcement made by the third-party service provider reveals that potentially exposed data varies from one person to another but might include:

  • First and Last Name, 
  • Last Four Digits of Social Security Number, 
  • Transaction Date and Amount, 
  • Plan Sponsor/Employer Name, 
  • Address, 
  • Social Security Number, 
  • Email Address, 
  • Mailing Address, 
  • Date of Birth, 
  • Plan Coverage Dates, and 
  • FSA Election.

8. TQL Carriers

Another third-party related breach news came from Total Quality Logistics, one of US’ largest freight brokerages. The company announced a data breach in which their online portals for carriers have been hacked.

Being the second largest “freight brokerage” service provider to carriers across US,  TQL was hit through a phishing attack according to the latest investigations. The attack compromised its carrier portal, potentially exposing the “carriers’ accounts”, including

  • tax ID numbers and
  • bank account numbers.

There have been around 20 carriers identified where payment theft may have involved.

 [The carriers] are being contacted and their account will be updated to reflect any unpaid invoices,” TQL says. “We are asking all carriers to assume their bank account and tax ID information was at risk at some point and take additional steps as a precaution.”The company  recommends carriers to notify their banks and to place a fraud alert on credit file s by calling one of the three major credit bureaus: Equifax, Experian or Transunion