A recent survey conducted by the Ponemon Institute reveals that 59% of companies have experienced a third-party breach in 2018, which is an increase of 3% compared to the previous year. Data breaches caused by third parties cost millions of dollars to large companies and devastating to small businesses.
Third-parties are those companies that support your organization and often have access to, share, or maintain data critical to your operations. Third-parties include a broad range of companies such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, subcontractors, basically any company whose employees or systems have access to your systems or your data. However, third-party cyber risk is not limited to these companies alone. Any external software or hardware that you use for your business also poses a cyber risk. There are several tools to assess third-party cyber risk and ways to prevent software supply-chain attacks. Knowing your potential risks allows your business to make adjustments and protect itself from becoming the next cyber breach headline.
Major Third-Party Data Breaches Revealed in September 2019
We regularly update the list of major third-party (aka supply-chain) attacks and breaches that are revealed in the news and September was an active time for third-party data breaches. Here are the September picks.
1. GitHub And Bitbucket
The software integration company CircleCI has informed of a data breach that exposing login information for their GitHub and Bitbucket accounts.
According to CircleCI, no authorization data, build artifacts, build logs, source code, any other production data, financial info was affected by this incident. Some user data which was exposed included the following:
- Usernames and email addresses
- IP addresses and user agent strings
- organisation name, repository URLs and names, branch names, and repository owners associated with GitHub and Bitbucket
Also, CircleCI said and it does not collect social security numbers or credit card information and the incident affected customers who accessed our platform between June 30, 2019, and August 31, 2019.
2. Yves Rocher
vpnMentors’ researchers were able to access an unprotected Aliznet database including data on 2.5 million Canadian Yves Rocher customers, containing first and last names, phone numbers, email addresses, date of birth and zip codes.
A French retail consultancy Aliznet, which specializes in digital transformation, provides consulting services to tech giants and big brands including Yves Rocher.
vpnMentor found internal Yves Rocher data including in addition to customer information:
- Stats on store traffic
- Turnover and order volumes
- Product descriptions and ingredients for over 40,000 products
- Product prices and offer codes
Aliznet made the following explanation:
“Competing cosmetic and beauty companies could use this information to create highly effective advertising campaigns targeted at Yves Rocher customers. This could lead to Yves Rocher losing customers to competitors.”
3. Malinda Air
Malindo Air confirmed exposing millions of passengers’ data included passport details, home addresses, and phone numbers. The airline company said this breach occurred due to malicious actions by two former employees of the GoQuo. E-commerce service provider GoQuo, also works with the following customers:
- The travel booking company
- Etihad Airways
- Bangkok Airways
- 18 other airlines
According to Malindo Air no payment details have been compromised in this breach.
GoQuo spokesperson said:
“Recent news about a breach of passenger data on one of our products is being investigated by the police and relevant cybersecurity agencies in Malaysia and India. We cannot comment further about the identities of the alleged perpetrators until the relevant authorities have concluded their investigations. In the meantime, GoQuo has lent its fullest support to all investigations and continues to provide uninterrupted service to all current and future clients. We wish to reiterate that the investigations are ongoing and are unable to comment further. What we can confirm is that none of our current employees are involved and the integrity of our systems is intact.”
The Malindo Air data breach highlights the risk that can come with working with third parties and reminded us of the British Airlines data breach.
DoorDash, a meal delivery service, announced that hackers accessed the company’s data system and breached the personal data of4.9 million customers’ restaurants and delivery workers. The information included driver’s license numbers, partial bank, and credit card information, as well as names and addresses of customers. Doordash said, the hackers didn’t access full credit card information and retrieved the last four digits of bank account numbers, but that 100,000 delivery workers had their driver’s license numbers leaked.
DoorDash spokesperson Mattie Magdovitz blamed the breach on “a third-party service provider,” but the third-party was not named.
Click2Gov, self-service bill-payment portal, has been attacked. The software was developed by CentralSquare Technologies which is used by utilities and community development organizations in the United States. Eight cities confirmed a breach in their Click2Gov utility payment portals.
The cities affected the breach:
- Deerfield Beach, Florida
- Palm Bay, Florida
- Milton, Florida
- Bakersfield, California
- Coral Springs, Florida
- Pocatello, Idaho
- Broken Arrow, Oklahoma
- Ames, Iowa
Representatives with CentralSquare Technologies, the company that markets Click2Gov, made the following statement:
“We have recently received reports that some consumer credit card data may have been accessed by unauthorized or malicious actors on our customers’ servers. It is important to note that these security issues have taken place only in certain towns and cities. We have immediately conducted an extensive forensic analysis and contacted each and every customer that uses this specific software, and are working diligently with them to keep their systems updated and protected. At this time, only a small number of customers have reported unauthorized access.”
(*) Links to relevant news and our updated list can be found at: https://www.blackkite.com/data-breaches-caused-by-third-parties/