Data breaches caused by third parties cost millions of dollars to large companies and are often devastating to small businesses. A recent survey conducted by the Ponemon Institute reveals that 59% of organizations have experienced one or more data breaches caused by a third party, costing an average of $7.5 million to remediate. 

Third parties are companies that support your organization and often have access to, share, or maintain data critical to your operations. They include a broad range of companies such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, service providers, and subcontractors. Essentially, any company whose employees or systems have access to your systems or your data is considered a third party. However, third-party cyber risk is not limited to these entities. Any external software, hardware or firmware that you use for your business can also pose a cyber risk. There are several tools to assess third-party cyber risk and ways to prevent software supply-chain attacks. Knowing your potential risks allows your business to make adjustments and protect itself from becoming the next cyber breach headline.

We regularly update the list of major third-party (aka supply-chain) attacks and breaches revealed in the news. In this blog, you will find the most recent breaches for the month of July. It should be noted that several of these breaches are still being substantiated as more data is collected.

1. Promo.com


In the last week of July, Israeli marketing video firm Promo.com revealed a massive user data breach that appears to have impacted more than 23 million records, according to Have I Been Pwned.

The breach, which occurred through an undisclosed third-party vendor of the marketing site, also affected the affiliated company, Slidely. In third-party induced breaches, it is not surprising to see the ripple effects of a breach across a cyber ecosystem.

Although social media log-ins and financial details were not compromised, the attackers seem to have obtained loads of sensitive personal information.

The announcement on Promo.com reads, “Although your account password was hashed and salted (a method used to secure passwords with a key), it’s possible that it was decoded. Your log in via your social media account was not affected.”

The breach was discovered when user data was found freely available on a darknet forum.

The exposed data includes:

  • first/last name 
  • email address 
  • IP address
  • approximated user location based on the IP address 
  • gender 
  • hashed and salted passwords

The post on the Promo.com website reads on to say, “On July 21, 2020, our team became aware that a data security vulnerability on a 3rd party service had caused a breach affecting certain non-finance related Slidely and Promo user data. We immediately stopped all suspicious activity and launched an internal investigation to further learn about what happened.”

2. CITRIX


According to the recent announcement from the networking tech giant Citrix Systems, malicious hackers were inside its networks for five months between 2018 and 2019, exposing the personal and financial data of workers, contractors, interns, job applicants and their dependents. Citrix admitted the intruders broke in by exploiting weak passwords on employee accounts. The announcement came nearly a year after the breach.

Approximately six to ten terabytes of sensitive internal information was obtained. This breach is especially notable as the company offers cloud services to the U.S. military and is one of the authorized providers of the Department of Defense. According to the FBI’s investigation, attackers most likely leveraged a technique called “password spraying”, which attempts to access a large number of employee accounts using just a few common passwords.
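A defender-side illustration of the password-spraying pattern described above, added here as an example and not taken from Citrix, the FBI or the original post: it flags a source that fails against many accounts with only a few tries each. The log format, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events: timestamp, source IP, account, result.
SAMPLE_LOG = """\
2019-01-07T09:00:01 203.0.113.10 alice FAIL
2019-01-07T09:00:40 203.0.113.10 bob FAIL
2019-01-07T09:01:15 203.0.113.10 carol FAIL
2019-01-07T09:01:50 203.0.113.10 dave FAIL
2019-01-07T09:02:30 203.0.113.10 erin FAIL
2019-01-07T09:03:05 203.0.113.10 frank FAIL
2019-01-07T09:40:00 203.0.113.10 carol OK
2019-01-07T09:05:00 198.51.100.7 admin FAIL
2019-01-07T09:05:02 198.51.100.7 admin FAIL
2019-01-07T09:05:04 198.51.100.7 admin FAIL
2019-01-07T09:05:06 198.51.100.7 admin FAIL
2019-01-07T09:10:00 192.0.2.5 alice FAIL
2019-01-07T09:10:20 192.0.2.5 alice OK
"""

def parse(log):
    """Yield (datetime, ip, account, result) from whitespace-separated lines."""
    for line in log.splitlines():
        ts, ip, account, result = line.split()
        yield datetime.fromisoformat(ts), ip, account, result

def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Return {ip: {"targets", "later_success"}} for sources that fail against
    many accounts, with few tries per account, inside one time window."""
    fails, oks = defaultdict(list), defaultdict(list)
    for ts, ip, account, result in sorted(events):
        (fails if result == "FAIL" else oks)[ip].append((ts, account))
    findings = {}
    for ip, rows in fails.items():
        for i, (start, _) in enumerate(rows):
            per_account = Counter(a for t, a in rows[i:] if t - start <= window)
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                # A success from the same source after the spray began is triaged first.
                hits = sorted({a for t, a in oks[ip] if t >= start and a in per_account})
                findings[ip] = {"targets": sorted(per_account), "later_success": hits}
                break
    return findings

FINDINGS = detect_spray(parse(SAMPLE_LOG))
```

The repeated failures against the single `admin` account are not flagged: that pattern is classic brute force, which per-account lockout already catches, while spraying stays under per-account thresholds and only shows up when failures are grouped by source.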

According to a letter Citrix sent to the affected individuals, the information captured by the hackers may have included:

  • Social Security Numbers or other tax identification numbers 
  • driver’s license numbers 
  • passport numbers 
  • financial account numbers 
  • payment card numbers 
  • health insurance participant identification number and/or 
  • claims information relating to the date of service and provider name

More recent information reveals that those affected include not only individuals who worked for the company at some point, but also others who applied for employment or internships, or who received health benefits through a family member.

In the letter, Citrix also discloses that the attackers “had intermittent access” to Citrix’s internal network between Oct. 13, 2018, and Mar. 8, 2019, but there is no evidence that the cybercriminals remain in the company’s systems. There is also “no indication” any of Citrix’s goods or services were compromised by hackers. 

Cybercriminals specialize in targeting foreign countries and stealing classified information from government departments and major economic players. Recently, Iranian hackers have been accused of hacking VPN servers worldwide in an attempt to plant backdoors in massive corporate networks.

3. DUNZO

India’s food and delivery service Dunzo suffered a third-party related data breach that exposed email addresses and other contact details.

Information leaked through the data breach has now been uploaded on haveibeenpwned.com. Although the total number of breached accounts wasn’t disclosed by Dunzo, 3,465,259 Dunzo accounts were identified through this upload to haveibeenpwned.com.

The latest update on Dunzo’s blog reveals that personally identifiable information (PII) beyond email addresses and phone numbers was included in the breach. The leaked information includes:

  • device information 
  • email addresses
  • geographic locations (last known location) 
  • IP addresses
  • names
  • phone numbers

According to internal investigations, the breach occurred through unauthorized access to Dunzo’s database due to a breach in the servers of one of its customers.

The India-based start-up said it took measures to plug the holes in its network and introduced additional security protocol layers.

Through a partnership with Google, users of Google in India were able to buy Dunzo’s groceries, enabling the tech giant to enter the Indian distribution market effectively. The Dunzo service is used via Google Pay without having to download another program.

4. DAVE APP.

Another third-party related breach came from the finance app, Dave, in late July.

According to the recent revelations of the start-up, the breach occurred through a third-party service provider named Waydev, exposing the personal information of its 7.5 million users. The data was obtained when hackers compromised the analytics network of Waydev, a former partner of Dave’s.

The incident was discovered after the names, emails, birth dates, addresses, and phone numbers were posted on a public forum. The hackers were also able to access user passwords which were stored in hashed form. However, the company claims bank account numbers, credit card numbers, financial transaction records and unencrypted social security numbers have not been compromised. 

The statement from Dave reads, “Dave has no evidence that any unauthorized actions were taken with any accounts or that any user has experienced any financial loss as a result of this incident.”

5. Angelo Gordon & Co., Graham Capital Management, Fortress Investment Group LLC, Centerbridge Partners, and Pacific Investment Management Co.


A ransomware attack discovered in May against a vendor of SEI Investments Co. compromised the personal details of investors at about 100 clients of the fund administrator. The investors of Angelo Gordon & Co., Graham Capital Management, Fortress Investment Group LLC, Centerbridge Partners, and Pacific Investment Management Co. were impacted by the ransomware attack.

The Atlanta-based third party M.J. Brunner, which is at the center of the attack, develops and supports SEI’s investment dashboard and online enrollment portal. M.J. Brunner was infiltrated by attackers who captured files containing sensitive information such as:

  • user names
  • emails
  • physical addresses 
  • phone numbers

The announcement by a spokesperson of SEI Investments Co. reads, “We take our clients’ security very seriously, and we are working with Brunner, the FBI and our impacted clients to understand the extent to which SEI’s or our clients’ data has been exposed,” she said, adding that the company’s network wasn’t compromised.

This incident is the latest in a series of ransomware incidents through the supply chain that have impacted the financial services industry. It is not uncommon in this industry for hackers to prey on third-party vendors or business partners instead of the financial institution itself. Housing large amounts of sensitive information, the finance sector often lures attackers to its wider ecosystem, if not to the institutions themselves.

Check out Black Kite’s 2020 Financial Risk Report to learn more about the risks that third parties are bearing in a financial ecosystem. 

6. Multiple universities in US, UK, and Canada


Ransomware at a third-party cloud-based service provider affected various universities in three different countries, the U.S., Canada, and the U.K., including California State University, University of Manitoba, University of New York, University of Strathclyde, St. Aloysius College, Aberdeen University, Robert Gordon University, University College Oxford, the University of London, Canada’s Ambrose University, and the Rhode Island School of Design.

The U.S.-based cloud-service provider Blackbaud offers solutions to non-profit organizations including universities, churches, and foundations. The breach affected nearly half a million students at different campuses.

In a July 16 blog post, the company explained that “the cybercriminal removed a copy of a subset of data from our self-hosted environment.” Although the company found no financial or social security details in those files, it decided to pay the cyber attacker to erase the stolen data.

“Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly,” Blackbaud’s statement reads. “This incident did not involve solutions in our public cloud environment (Microsoft Azure, Amazon Web Services), nor did it involve the majority of our self-hosted environment.”

The data exposed included personal data such as:

  • names 
  • student ID 
  • contact information
  • major dealings with the university (i.e., alumni programs)

The University of York’s announcement reads: “On 16 July we were contacted by a third-party service provider, Blackbaud, one of the world’s largest providers of customer relationship management systems for not-for-profit organizations and the Higher Education sector. They informed us that they had been the victim of a ransomware attack in May 2020. The cybercriminal was able to remove a copy of a subset of data from a number of their clients. This included a subset of University of York data.”

As is clear from the announcement, Blackbaud failed to comply with the GDPR requirement of breach notification within 72 hours.

