A recent survey conducted by the Ponemon Institute reveals that 53% of organizations have experienced one or more data breaches caused by a third party, costing an average of $7.5 million to remediate. Data breaches caused by third parties cost large companies millions of dollars and can be devastating to small businesses.
Third parties are the companies that support your organization and often have access to, share, or maintain data critical to your operations. They include a broad range of companies such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, service providers and subcontractors: basically any company whose employees or systems have access to your systems or your data. However, third-party cyber risk is not limited to these companies alone. Any external software, hardware or firmware that you use for your business also poses a cyber risk. There are several tools to assess third-party cyber risk and ways to prevent software supply-chain attacks. Knowing your potential risks allows your business to make adjustments and protect itself from becoming the next cyber breach headline.
We regularly update the list of major third-party (aka supply-chain) attacks and breaches revealed in the news, and January was an active month for third-party data breaches. Here are the January picks.
1. State Governments of US (Birth Certificate Applications)
Around 750,000 birth certificate applications of U.S. citizens were leaked through an unnamed third-party service provider. The applications were discovered to be publicly accessible on an AWS cloud platform, with no protection at all.
The applications included highly sensitive personal data, including:
- dates of birth,
- current home addresses,
- email and phone numbers.
The accessible information also included the names of family members, historical information such as past addresses, and the reason for the application. The leak affected residents of California, New York, and Texas.
The unnamed third party responsible for the leak obtains copies of birth certificates and death certificates from state governments and offers this service to citizens over the internet. The exposed records date back to 2017.
The leak was reported by Fidus Information Security, a UK-based penetration testing company.
Considering the volume and type of the exposed personal information, one can think of it as an open invitation to hackers and scammers. The wealth of information could be harvested by attackers for phishing campaigns and identity fraud. Publicly exposed AWS buckets are not an unusual configuration mistake leading to data exposures, especially when the buckets are managed by third parties. Similar incidents took place last year, exposing thousands of personal and company-sensitive records to hackers and potential scammers.
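Since publicly accessible buckets recur on this list (items 1 and 8), here is an added example, not from the original article, of a defender's check for the two ways an S3 bucket is typically opened to the world: an ACL grant to the AllUsers or AuthenticatedUsers group, and a bucket-policy Allow statement whose Principal is `*` with no Condition. The ACL and policy documents are constructed samples in the shape returned by the AWS GetBucketAcl and GetBucketPolicy APIs; the bucket name, owner ID and vendor role ARN are placeholders.

```python
import json

# Grantee URIs AWS uses for "everyone" and "any AWS account holder"; S3 treats
# grants to either group as public access.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    """Return (grantee URI, permission) for each ACL grant made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"], grant["Permission"]))
    return findings

def public_policy_statements(policy):
    """Return the Sid of each Allow statement open to any principal with no Condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings

# Constructed sample ACL: the owner has full control, but the AllUsers group can READ,
# i.e. anyone on the internet can list the bucket's contents.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Constructed sample bucket policy: "PublicRead" lets anonymous callers fetch every
# object, while "VendorOnly" is scoped to one IAM role and is correctly left alone.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
  {"Sid": "VendorOnly", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::111122223333:role/vendor-role"},
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}""")
if __name__ == "__main__":
    print(public_acl_grants(SAMPLE_ACL), public_policy_statements(SAMPLE_POLICY))
```

A statement with a Principal of `*` but a Condition block (for example restricting the source IP or VPC) is deliberately not flagged, so review those separately rather than treating them as safe by default.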
2. Regus (IWG)
Records of more than 900 employees of Regus, owned by IWG, were published online on a Trello board after the company hired a mystery-shopping business for an on-site audit.
The third party, Applause, conducted detailed reviews of the company's sales staff using camera-equipped "pens" that filmed in and around the office. Some personal information and, most importantly, job performance details about more than 900 employees were recorded in a Trello spreadsheet that was accidentally published online.
Overall, the exposed data included:
- other contact details, and
- job performance details.
“Team members are aware they are recorded for training purposes and each recording is shared with the individual team member and their coach to help them become even more successful in their roles,” one of IWG company officials announced.
“We are extremely concerned to learn that an external third-party provider, who implemented the exercise, inadvertently published online the outcomes of an internal training and development exercise”. The UK’s Information Commissioner’s Office (ICO) did not comment on whether the breach had been reported, leaving the question open. It remains to be seen whether the parties will be fined by the ICO under the GDPR.
3. Mercy Health Lorain (Ohio) Hospital
The Ohio-based healthcare group Mercy Health-Lorain Hospital notified its patients about a potential data exposure this January. The exposure took place through one of its vendors, RCM Enterprise Services.
The third-party vendor, which provides revenue cycle management services, discovered that medical invoices mailed to patients included names, street addresses and Social Security numbers instead of only name and address information.
The exposure is believed to have occurred between Aug. 14 and Oct. 16. So far, there is no evidence that the patients' Social Security numbers have been misused.
Mercy Health issued the following statement after the exposure:
“Mercy Health takes the privacy and security of our patients’ information as our number one priority and requires our vendors to do the same. As healthcare continues to evolve, the reinforcement of the highest standards and expectations regarding both privacy and security for our patients, their families as well as our associates must remain at the core of who we are and organizations that we contract with. We are pleased that RCM has taken the necessary measures and will continue to work with our patients to ensure their privacy remains safe and secure.”
4. Mitsubishi Electric
Mitsubishi Electric recently announced that it had suffered a data breach six months ago. Company officials started a forensic investigation after they discovered suspicious activity on the company network in late June.
“We have confirmed that our network may have been subject to unauthorized access by third parties and that personal information and corporate confidential information may have been leaked to the outside,” Mitsubishi announced.
According to the investigation, the attackers, alleged to be a Chinese hacker group, first gained access to a subsidiary's network in China and then used that company to get into systems located in key Mitsubishi Electric offices in Japan.
As a Tokyo-based manufacturer of electronics and electrical equipment, the company was feared to have leaked defense-related information. However, the company stated that there was no evidence that any sensitive data connected to its business partners or government defense contracts had been stolen or misused.
According to the Japanese newspaper Asahi Shimbun, the hackers possibly accessed and exfiltrated:
- company data on joint projects, negotiations, orders from partners, research documents, etc.,
- data of more than 10 government organizations, such as the Defense Ministry, the Nuclear Regulation Authority, and the Agency for Natural Resources and Energy,
- data on private-sector companies in the power, telecommunications, railway and auto industries.
Mitsubishi Electric recently announced that some personal information might have been leaked due to the breach, including:
- previous employment history,
- telephone numbers,
of more than 8,122 applicants, employees and retirees.
5. Multiple School Districts
A platform operated by Active Network, which provides accounting and management software for schools and districts across the United States, has been breached, according to a recent report filed with the Office of the California Attorney General.
Between Oct. 1, 2019 and Nov. 13, 2019, unauthorized activity was detected on the platform, named Blue Bear.
Parents who accessed Blue Bear within this time frame, whether to pay school fees or to buy books and school supplies, could have had their personal information stolen. The personal information at risk includes:
- payment card number, expiration date and security code
- Blue Bear account usernames
- Blue Bear passwords
6. Australian P&N Bank
P&N Bank recently sent its customers a notification letter about a data breach which put the personal and sensitive account information of customers at risk.
The bank, a division of Police & Nurses Limited operating in Western Australia, revealed that the breach occurred through its customer relationship management (CRM) platform, which was operated by a third-party hosting firm. The information exposed included:
- contact details, e.g. email, phone number,
- customer number,
- account number and account balance.
On top of these, interactions between the bank and its customers were also possibly exposed.
Although details of the attack are not yet known, the unauthorized access to the third-party CRM system took place on December 12, while the system was undergoing an upgrade. As soon as the breach was discovered, the system in question was shut down.
7. Social Captain (Instagram)
The first Instagram breach of 2020 took place through a social media boosting service called Social Captain. Thousands of usernames and passwords were discovered to be stored in plaintext.
The platform, used by Instagram influencers, claims to boost likes and increase a user’s Instagram followers. Users link their Instagram accounts to the service by entering their Instagram usernames and passwords.
According to a TechCrunch report, “Any user who viewed the web page source code on their Social Captain profile page could see their Instagram username and password in plain sight, so long as they had connected their account to the platform.”
A website bug on Social Captain also allowed anyone to access any Social Captain profile without logging in, making things even worse. The exposed personal data included the usernames and passwords of 4,700 users; some other records contained only the user’s name and email address.
Anthony Rogers, CEO at Social Captain, said: “As soon as we finalize the internal investigation we will be alerting users that could have been affected in the event of a breach and prompt them to update the associated username and password combinations.”
Instagram announced that storing login credentials in plaintext is a serious breach of its terms of service. “We are investigating and will take appropriate action. We strongly encourage people to never give their passwords to someone they don’t know or trust,” said an Instagram spokesperson.
8. Amedicanna Dispensary, Bloom Medicinals and Colorado Grow Company
Another leaky Amazon S3 bucket exposed the records of at least 30,000 marijuana users. The cloud database, which held more than 85,000 files, was first discovered to be publicly accessible on December 24 by vpnMentor. After the team's notification, it was finally closed on January 14.
The exposure was found to have occurred through a point-of-sale software vendor named THSuite.
Ohio-based medical marijuana dispensary Bloom Medicinals, which also runs five shops, is preparing to notify its patients as required by HIPAA. The leaky bucket is also associated with two other dispensaries: AmediCanna Dispensary, a medical marijuana dispensary located in Maryland, and recreational dispensary Colorado Grow Company.
The exposed personal data include:
- full name,
- date of birth,
- phone number,
- email, street address,
- medical ID number,
- cannabis variety and quantity purchased,
- total transaction cost,
- date received, and more.
Photographs of scanned government and employee IDs were also discovered in the breach. Under Ohio law, this kind of breach could lead to the revocation of state-awarded operating licenses. Another possible repercussion is a HIPAA fine for violations of the regulation.