A recent survey conducted by the Ponemon Institute reveals that 56% of companies experienced a third-party breach in 2017, an increase of 7% compared to the previous year. Data breaches caused by third parties cost large companies millions of dollars.
Third parties include a broad range of companies that a company works with directly, such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, and sub-contractors: basically any company whose employees or systems have access to your systems or your data. However, third-party cyber risk is not limited to these companies. Any external software or hardware that you use for your business also poses a cyber risk. There are several tools to assess third-party cyber risk and ways to prevent software supply-chain attacks.
We regularly update the list of major third-party (aka supply-chain) attacks and breaches that are revealed in the news. Here are the September picks(*).
Major Third-Party Breaches Revealed
1. All platforms that use Facebook login
The Facebook breach that hit the news in the last days of September is a candidate for the most significant cyber security event of the year, with 50 million accounts compromised. What makes it a third-party breach is the fact that all the platforms and third-party services that use the Facebook login feature are now vulnerable to a data breach, because an attacker can log in to their systems as a legitimate user.
2. The Conservative Party (UK)
In September, we saw how a conference app can cause trouble for a political party. The Conservative Party of the UK had been using a conference app developed by an Australian company (CrowdComms) before party members’ personal information became public due to a security flaw in the app. It seems that anyone with a valid e-mail address could log in to the conference system and see sensitive information about MPs, journalists and conference attendees, including personal mobile numbers. Very unfortunate days for Tories.
3. Perth Mint
Perth Mint, Australia’s official bullion mint, was hit by a data breach because of a third-party provider (name not disclosed) used for online depository. The compromised data includes names, addresses, and passport and bank account information of 3200 customers.
4. British Airways
Foosackly, a Mobile-based chicken-finger chain, warned its customers of a data breach in its payment system in the early days of September. The company estimated that approximately 165,000 customers who dined at the affected locations while the attack was being executed might have been affected, with their payment card information at stake.
6. University of Louisville
The University of Louisville is another institution that reported a third-party breach in September. A cyber attack on a third-party vendor used for fitness activities (Minneapolis-based Health Fitness Corp.) exposed the names, employee IDs, and physicians’ names of hundreds of employees and retirees enrolled in a program called “Get Healthy Now” between 2007 and 2014.
7. E-commerce sites that use Feedify
8. The Washoe County School District
WCSD experienced a breach that exposed teachers’ emails, usernames and passwords. The breach originated from Edmodo, an instructional tool that teachers use for student communications about assignments and as a resource for lesson plans, example quizzes, and instructional guides.
9. Blue Cross Blue Shield of Rhode Island
Blue Cross Blue Shield of Rhode Island (BCBSRI) notified more than 1,500 of its members of a breach that exposed member names, their BCBSRI ID numbers, service providers, types of service provided and costs of claims. The breach originated from a vendor (name not disclosed) responsible for “sending members’ benefits explanations.”
A hack through a Chilean seafood supplier (Invermar) may have cost Wegmans over $900,000. The grocery chain accused Invermar of a poor cyber security posture that allowed hackers to infiltrate its e-mail system. The hackers redirected payments made by Wegmans to their own bank accounts.
(*) Links to relevant news and our updated list can be found at https://www.blackkite.com/data-breaches-caused-by-third-parties/