A recent survey conducted by the Ponemon Institute reveals that 59% of companies have experienced a third-party breach in 2018, which is an increase of 3% compared to the previous year. Data breaches caused by third parties cost millions of dollars to large companies and devastating to small businesses.
Third-parties are those companies that support your organization and often have access to, share, or maintain data critical to your operations. Third-parties include a broad range of companies such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, subcontractors, basically any company whose employees or systems have access to your systems or your data. However, third-party cyber risk is not limited to these companies alone. Any external software or hardware that you use for your business also poses a cyber risk. There are several tools to assess third-party cyber risk and ways to prevent software supply-chain attacks. Knowing your potential risks allows your business to make adjustments and protect itself from becoming the next cyber breach headline.
We regularly update the list of major third-party (aka supply-chain) attacks and breaches that are revealed in the news and June was an active time for third-party data breaches. Here are the August picks.
1. Pearson Clinical Assessment
A data breach occurred on the web platform AIMSweb 1.0 which is a performance assessment tool used by educators around the globe operated by Pearson Clinical Assessment.
According to Pearson, no sensitive data was affected by this incident. The specific data accessed could potentially include the following:
- Students’ first and last names
- Students’ dates of birth
- Teachers’ first and last names
- Teachers’ email addresses
Thousands of schools and students were affected by this data breach but the total number of victims remains unclear.
More details about the victims are as follows:
- 3,700 student names & birth dates and 800 staff member’s names & school email addresses in Naperville Unit District 203
- 49,000 student names & birth dates and 2,300 staff members information in Indian Prairie Unit District 204
- 3,206 student names & birth dates and 338 staff members information in Charles Unit District 303
- 8,000 student names & birth dates and 400 staff members information in Geneva Unit District 304
- Student names & birth dates of DeKalb School District 428
- Student information of Wilmette Public Schools District 39
- Student and teachers’ information in The School District of Clayton, Brighton, Brockport, East Irondequoit, Fairport, East Rochester, Greece, Pittsford, Rochester, Spencerport, Victor, Webster and West Irondequoit school districts
2. Cable One
Cable One, an American Internet and cable service provider, announced an information security incident because of its third-party vendor. During the data breach incident, email accounts of 14 employees were compromised. The information stored in the accessed email accounts varied by individual, including employees’ family members’ information, addresses, Social Security numbers, government-issued identification numbers, financial account numbers, digital signatures or medical and health insurance information.
Even though there is no indications of stolen data being misused, Cable One offered identity protection services to people who were affected by this incident. (*) Links to relevant news and our updated list can be found at: https://www.blackkite.wpengine.com/ data-breaches-caused-by-third-parties/