A recent survey conducted by the Ponemon Institute reveals that 59% of companies have experienced a third-party breach in 2018, which is an increase of 3% compared to the previous year. Data breaches caused by third parties cost millions of dollars to large companies and devastating to small businesses.

Third-parties are those companies that support your organization and often have access to, share, or maintain data critical to your operations. Third-parties include a broad range of companies such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, subcontractors, basically any company whose employees or systems have access to your systems or your data. However, third-party cyber risk is not limited to these companies alone. Any external software or hardware that you use for your business also poses a cyber risk. There are several tools to assess third-party cyber risk and ways to prevent software supply-chain attacks. Knowing your potential risks allows your business to make adjustments and protect itself from becoming the next cyber breach headline.
We regularly update the list of major third-party (aka supply-chain) attacks and breaches that are revealed in the news and October was an active time for third-party data breaches. Here are the October picks.

1. Uber, Shopify, Airbnb, Slack, and FCC

Customer support ticketing platform Zendesk announced this month a security breach dating back to November 2016. Zendesk Breach affects 10,000 Corporate Accounts which may be including big organizations like Uber, Shopify, Airbnb, Slack, and FCC. This breach, exposing  information from all categories of Zendesk users, customers, agents, and end users which includes;

  • Email addresses, names, and phone numbers of agents and end-users 
  • Agent and end-user passwords that were hashed and salted
  • Transport Layer Security (TLS) encryption keys 

Zendesk stated that they “have found no evidence of impact” to customer accounts, but “are notifying all customers with an account prior to November 1, 2016”.

2. GW community members

Chegg, a popular educational technology company experienced a data breach that includes thousands of GW community members’ information. 5,000 members of the GW community and 40 million users were globally affected by this breach. The incident did not involve a breach of any University systems according to Chegg. The exposed data possibly including;

  • Usernames
  • Passwords
  • Addresses

Chegg said “Chegg takes the security of its users’ information seriously and will be initiating a password reset process for all user accounts” and they reset 40 million user passwords after a data breach.

3. CenturyLink

A security incident accidentally exposed 2.8 million customer information of CenturyLink due to a misconfigured MongoDB database affiliated with a third-party vendor. The name of the third-party vendor is not disclosed but it is a notification platform used by CenturyLink. The exposed data may include;

  • Names
  • Addresses
  • Phone numbers
  • E-mail addresses
  • CenturyLink account numbers 

but the incident did not involve financial information.

CenturyLink stated CompariTech saying: “Since becoming aware of this situation, we have worked to confirm that the security issue has been addressed and we are conducting a thorough investigation of the incident. The data involved appears to primarily contact information and we do not have reason to believe that any financial or other sensitive information was compromised. CenturyLink is in the process of communicating with the affected customers. 

4. The Clark County School District

In August, a data breach occurred on the web platform AIMSweb 1.0, a performance assessment tool used by educators around the globe and operated by Pearson Clinical Assessment. The breach’s effects are still in progress. The Clark County School District was added to the list of affected school districts. 

According to Pearson, no sensitive data was affected by this incident. The specific data accessed could potentially include the following:

  • Students’ first and last names
  • Students’ dates of birth
  • Teachers’ first and last names
  • Teachers’ email addresses

The Clark County School District says “560,000 students who were enrolled between 2008 and 2019 along with a “smaller number” of staff members who were employed in the time period are also affected”

5. Geisinger Health Plan

Magellan National Imaging Partners,  a third-party vendor hired to manage radiology benefits of the Geisinger Health Plan, was exposed to a phishing attack.  Through the attack, hackers were able to send out commercial emails through the infected email account and gained access to the employee’s login credentials. In this attack, patient data of Geisinger Health Plan that may have been exposed included 

  • Names
  • Patient identification numbers
  • Types of services
  • Authorized identification numbers and diagnoses

Geisinger made the following explanation:

“We worked closely with Magellan to make sure all affected members were identified and properly notified. Although all evidence points to the fact that the intruders only intended to issue spam emails, in an abundance of caution we are offering all of our affected members complimentary credit monitoring and encourage them to sign up by following the instructions in the letters they received.”

6. NordVPN

NordVPN announced one of its third-party servers, located in Finland, was hacked in March 2018. An unauthorized user accessed server in a data center that NordVPN was renting from an unnamed provider. In this attack, exposed some of the browsing habits of customers who were using the VPN service to keep their data private. 

NordVPN, made the following statement:

“The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either.” They also mention that the “service as a whole was not hacked, the code was not hacked, the VPN tunnel was not breached and the NordVPN apps stayed unaffected. The company ended its contract with the provider.” 

7. UniCredit

UniCredit has been a victim of two suspicious events that took place between September-October 2016 and June-July 2017, affecting 400,000 Italian customers. The bank said the attack was conducted through an external commercial partner.

(*) Links to relevant news and our updated list can be found at: https://www.blackkite.com/data-breaches-caused-by-third-parties/