Many large organizations and enterprises have been heavily investing in cybersecurity since the beginning of the digital era. Adversaries have also improved their attack methodologies to infiltrate the systems of their target organization.

In the last decade, we have seen that companies experienced a cyber incident or a data breach due to a vulnerability or misconfiguration on their third parties, e.g., vendors, suppliers, partners, etc. Research reveals that the ratio of companies that experienced a data breach caused by a third party increased to 58%. Some of the major types of third parties that caused a data breach are cloud/data providers, online payment systems, and external JavaScripts. 

There are many major data breaches caused by a third party in the last decade. We picked the top 10 for the countdown based on the number of records exposed, their impact on certain industries, their coverage on media, etc. 

10- Financial institution, 24M bank documents, January 2019

A misconfigured server of a third-party vendor exposed 24 million bank loan and mortgage documents that belong to Ascension, a Texas-based a data and analytics company for the financial industry. The documents contain sensitive information for many major financial institutions including CitiFinancial, HSBC Life Insurance, Wells Fargo, CapitalOne and some U.S. federal departments. The third-party involved, OpticsML, which provides OCR (Optical Character Recognition) services to convert paper documents and handwritten notes into computer-readable files.

9-Health  Institutions in the US, 25M customers, June 2019

The data breach experienced by American Medical Collection Agency (AMCA), a third-party bill-collection vendor for the health institutions, affected 17 health institutions including the United States’ biggest lab testing companies. Hackers exploited a vulnerability in AMCA’s web payment portal, the company’s database filled with customer’s personal and payment information. The companies that use AMCA’s portal affected by the data breach and have exposed information of over 25 million customers were affected. The breached data may include patient names, dates of birth, addresses, phone numbers, dates of service, providers, and balance information as well as credit card and bank information.

8-Instagram, 49M users, May 2019

A database of a huge number of Instagram influencers, big names, and brand records containing their data including contact subtleties were found openly available on the web. It had over 49 million records of Instagram users and was traced back to social media marketing firm Chtrbox.

7-Uber, 57M users, October 2017

In 2016, hackers discovered that the Uber’s developers had published code that included their usernames and passwords on a private account of the software repository Github. Hackers stole 57 million people’s private information including the names and driver’s license information of 600,000 drivers, and worse, the names, email addresses, and phone numbers. Uber quits GitHub for in-house code after a data breach.

6-JPMorgan Chase & Co, 83M customers, October 2014

The JP Morgan Chase Bank data breach caused damage to over 76 million households and 7 million small businesses. That information compromised in the attack includes customers’ contact information, including names, addresses, phone numbers, and e-mail addresses. Hackers Breached JPMorgan Chase Bank via Corporate Sponsor Website.

5- Target, 110M users, November 2013

Attackers hacked into Target’s network after hacking a third-party providing heating and air conditioning services. The breach took place during two weeks in November 2013. The breach affected more than 60M customers across 41 states in the US. and exposure of  40M credit/debit card information.

Upon investigation, it was concluded that hackers gained access to  Target’s gateway server through stealing third-party vendor’s credentials. The next step involved installation of malware on the system and gaining access to customer service database. This allowed hackers to capture customer names, phone numbers, email addresses, payment card numbers, credit card verification codes, and other sensitive data. 

Target agreed to compensate up to $10,000 to each customer who proved to have suffered  from breach as a result of the $10 million class-action lawsuit in 2015. Before then, it had provided free credit monitoring services for consumers affected by the breach.

4- Equifax, 143 million customers, July 2017

Equifax, one of the “big-three” U.S. credit bureaus, had a major data breach in 2017. The breach impacted full names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers of the Equifax cutomers. It was initially thought to have  affected around 143M consumers; however further investigation found out that an additional 2.5 million US consumers were impacted by the breach. The vulnerability that attackers exploited to access Equifax’s system was in the Apache Struts web-application software, a widely used enterprise platform.

The cost of the breach was tremendous to Equifax. Equifax agreed to pay at least $575 million and up to $700 million to compensate the losses of those who suffered the breach, upon settlement with The Federal Trade Commission (FTC). The breach had also a momentous effect on Equifax’ credit ratings and thus reputation.

Moody’s downgraded its rating outlook on Equifax just because of this data breach. This is the first time a cyber event affecting the credit ratings of a company.

The company had also a third-party caused breach in late 2018, exposing sensitive personal information including Social Security numbers, full names, dates of birth and home addresses. The third-party was Image-I-Nation Technologies, which is a North Carolina-based company providing software and hosting services; in particular  employee and background screening software, to major companies. 

3- Republican National Committee, 200M voters, June 2017

Deep Root data-analytics firm hired by the Republican National Committee (RNC) to gather political information about US voters leaked the sensitive personal details 200million citizens. Leaked data contains names, dates of birth, home addresses, phone numbers, and voter registration details.

In an FBI report of 2017, it was also revealed that RNC was targeted by Russion hackers during the presidential election campaign. The hackers penetrated into a server belonged to Republicans through spear-phishing tactic, in which the users were tricked into giving their credentials. US intelligence agencies concluded that no sensitive information was exfiltrated from the Republicans’ server.

2- Marriott, 500M guests, November 2018

The biggest data breach in the entire year of 2018 was experienced by Marriott Hotels. In this massive data breach, personal information of as many as 383 million guests records and 18.5 million encrypted passport numbers are compromised. The breach hit Marriott’s Starwood branded hotels and it may seem odd why this particular breach is in our third-party data breach list, considering that Starwood is now part of Marriott brand, not a third party. However, if we rewind the events 4 years back, when Starwood was not part of Marriott, it was the time of the leak started. Marriott acquired Starwood in 2016, two years after the beginning of the breach. Lack of due diligence during the M&A process transferred the cyber risk to the Marriott’s system. That’s why it can be classified as a third-party breach and deserves a place in our list.

1- Facebook, 540 million users, April 2019

Cultura Colectiva, one of two third-party Facebook app developers, left 540 million records which including comments, likes, reactions, account names, and more in stored on the Amazon S3 storage server without a password. Although the data breach did not make the headline like the Cambridge Analytica scandal on Facebook, it affected a lot of users and ranked first in our list.