A recent survey by the Ponemon Institute found that 56% of companies experienced a third-party breach in 2017, an increase of 7 percentage points over the previous year. Data breaches caused by third parties cost large companies millions of dollars.
Third parties include the broad range of companies an organization works with directly: data management firms, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, sub-contractors, and in general any company whose employees or systems have access to your systems or your data. Third-party cyber risk is not limited to these companies, however. Any external software or hardware you use for your business also carries cyber risk. There are several tools for assessing third-party cyber risk and ways to prevent software supply-chain attacks.
We regularly update our list of major third-party (aka supply-chain) attacks and breaches reported in the news, and November accounted for a large share of this year's third-party breaches. Here are the November picks(*).
1. Cryptocurrency exchange market gate.io
2. Ontario Cannabis Store
The Ontario Cannabis Store, a Canadian retailer of recreational cannabis, suffered a third-party data breach through an online tracking tool developed by Canada Post. As a result, the names and addresses of around 4,500 customers were potentially compromised.
3. Huntsville Hospital in Alabama and El Centro Regional Medical Center
When a healthcare company is hacked, patient information is usually what is at stake. The attack that affected Huntsville Hospital in Alabama did not compromise patient data; instead it exposed the Social Security numbers of thousands of individuals who had applied for jobs at the hospital. The breach originated in a third-party online employment application service run by JobScience, Inc.
The attack against JobScience affected not only job seekers at Huntsville Hospital but also those at El Centro Regional Medical Center.
4. City of Bakersfield
The City of Bakersfield has become the latest victim of the attacks against Click2Gov, an online payment tool widely used by US cities. Unfortunately, 2,400 user accounts with payment information were compromised.
5. Nordstrom
Nordstrom, a Seattle-based retailer, got its share of the long line of attacks on retailers in 2018. Personal information of employees, including names, SSNs, dates of birth, checking account and routing numbers, and salaries, was potentially exposed. The available details indicate that the breach originated with a third party that manages direct deposit of wages.
6. City of York Council
The City of York in England runs a program called One Planet York, aimed at raising awareness of recycling. To make the program easier to use, the City commissioned a mobile application, the One Planet York App, developed by Appware. Hackers exploited a vulnerability in the mobile app, and the personal information of almost 6,000 individuals, including name, address, postcode, e-mail, phone number, and encrypted password, was potentially compromised.
7. Atrium Health at Charlotte
One of the largest data breaches in the healthcare industry was recently revealed. Records of 2.65 million patients, including names, addresses, dates of birth, invoice numbers, account balances, dates of service, insurance policy information and Social Security numbers, were potentially exposed. The attack originated at a third-party billing services provider, AccuDoc Solutions, Inc.
8. BitPay (CoPay)
9. The Australian Defence Department
A highly classified review by a former federal police chief found that, over the last 18 months, the Australian Government Defence Department had been badly exposed by poor security postures among many of its small and mid-tier suppliers.
10. Marriott International
Probably the biggest data breach of 2018 was suffered by Marriott. In this massive breach, the personal information of as many as 500 million guests was compromised. The breach hit Marriott's Starwood-branded hotels, and it may seem odd that it appears in our third-party breach list, since Starwood is now part of the Marriott brand rather than a third party. Rewind the events four years, however, to when Starwood was not part of Marriott: that is when the intrusion began. Marriott acquired Starwood in 2016, two years after the start of the breach. A lack of security due diligence during the M&A process transferred the cyber risk into Marriott's systems. That is why it can be classified as a third-party breach and earns a place on our list.
(*) Links to relevant news and our updated list can be found at https://www.blackkite.com/data-breaches-caused-by-third-parties/