A recent survey conducted by Ponemon Institute reveals that 56% of companies have experienced a 3rd-party breach in 2017, which is an increase of 7% compared to previous year. Data breaches caused by third parties cost millions of dollars to large companies.
Third-parties include broad range of companies a company directly worked with such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, sub-contractors, basically any company whose employees or systems have access to your systems or your data. However, third-party cyber risk is not limited to these companies. Any external software or hardware that you use for your business also poses a cyber risk. There are several tools to assess third-party cyber risk and ways to prevent software supply-chain attacks.
We regularly update the list of major third-party (aka supply-chain) attacks and breaches that are revealed in the news. Here are October picks(*).
1. Many major companies including Amazon, Apple, etc.
In the early days of October, Bloomberg’s Supermicro Hack story hit the news. Announced as China’s supply chain attack, story about malicious microchips allegedly embedded in Supermicro motherboards initiated a large debate. Since many large companies including Amazon and Apple may have been affected, it seems that the hacking story will keep being a hot topic in the rest of the year. Many argue that no concrete evidence about the breach has been provided so far, but it still deserves to be in our list.
2. A few e-commerce sites that use Shopper Approved
Shopper Approved, a customer rating plugin, has become the last victim of Magecart campaign, a series of card-skimmer attacks which caused major breaches such as TicketMaster, British Airways, and Newegg this year. Shopper Approved is used by e-commerce sites and attack targets a few of those sites’ customer info. Though still in investigation, RiskIQ researchers claim that credit card information of unknown number of individuals may have been breached.
3. The Indio Water Authority
Indio Water Authority (IWA) in California was breached because of an online payment system called Click2Gov. IWA, serving a city of 90,000 warned its customers about the breach including customers’ name and credit card information. Unfortunately, this was not the first breach of Click2Gov, the system was hacked in the past causing breaches of many other local governments. Many use the system for utility payments.
4. Department of Defense (Pentagon)
Pentagon, a department familiar with cyber attacks, again experienced a cyber attack because of third-party system that was used to keep travel records. Travel records that may have been exposed includes personal and payment card information of 30,000 employees and service members.
5. Vesta CP
In the last days of October, Vesta Control Panel (VestaCP), an open-source hosting panel software provider, announced that the company became victim of a supply-chain attack. VestaCP did not provide any further information about how they got hacked through its supply chain, attackers contaminate the source code of VestaCP software with DDoS malware. Then, the attack initiated another third-party attack for VestaCP users as well.
(*) Links to relevant news and our updated list can be found at https://www.blackkite.com/data-breaches-caused-by-third-parties/