A recent survey conducted by the Ponemon Institute reveals that 59% of companies have experienced a third-party breach in 2018, which is an increase of 3% compared to the previous year. Data breaches caused by third parties cost millions of dollars to large companies and devastating to small businesses.

Third-parties are those companies that support your organization and often have access to, share, or maintain data critical to your operations. Third-parties include a broad range of companies such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, service providers, subcontractors, basically any company whose employees or systems have access to your systems or your data. However, third-party cyber risk is not limited to these companies alone. Any external software, hardware or firmware that you use for your business also poses a cyber risk. There are several tools to assess third-party cyber risk and ways to prevent software supply-chain attacks. Knowing your potential risks allows your business to make adjustments and protect itself from becoming the next cyber breach headline.

We regularly update the list of major third-party (aka supply-chain) attacks and breaches that are revealed in the news and November was an active time for third-party data breaches. Here are the November picks.

1. FloridaBlue, Tenncare

A data breach at Magellan Health, a managed care provider, caused thousands of Florida Blue Members’ data exposed. The breach was due to an employee’s hacked account who possibly had access to Florida Blue’s customers. The officials announced, employee’s account was hacked through a phishing scam.

Among the exposed data, there are personal identifiers and protected health information (PHI) that might have been accessed including:

  • Numerous personal identifiers,  
  • Dates of birth
  • Patient prescriptions

Florida Blue issued the following statement:

“We take data breaches very seriously, and while we do not believe our members’ personal information was compromised, we are working closely with Magellan to make sure our potentially impacted members have access to credit monitoring and identity theft protection tools to help them ensure their information is protected.”

Another organization that might have been affected by the breach is TennCare, to whom Magellan provides pharmacy management systems. According to officials, nearly 44,000 TennCare members’ data are at risk.  

Although revealed in November 2019, the affected parties have known about the risk for about two months. Only recently the affected people were notified of the breach. 

2. Pompano Beach City, City of San Angelo

Hackers have gained access to Pompano Beach City’s water bill payment website through a third-party software vendor named Click2Gov. The unauthorized access is believed to have undertaken between August 27th and October 14th. The hack has possibly exposed 

  • Credit card data and
  • Debit card data.

Pompano Beach City sent notifications to all potentially affected water customers.

The City of San Angelo had a  similar incident on its online bill payment system due to the same vendor. “That online payment system was hacked and credit cards were breached. We are trying to narrow down that exact time window with our forensics,” said Water Utilities Director. The customers have been warned for any possible unauthorized charges on their credit or debit cards. The city has shut down its online payment system until the new system is up and running.

This is not the first time hackers are gaining access to systems through Click2Gov. During an attack wave spanning 2017 and  2018, nearly 300,000 payment card data were revealed generating nearly $2 million of revenue. This second aim at Click2Gov may dump thousands of records onto the dark web, researchers say.

A post from FireEye comments on which exploits the attackers utilized, referring to the earlier version of the attack.

“It is not known how the attacker compromised the Click2Gov web servers, but they likely employed an exploit targeting Oracle Web Logic such as CVE-2017-3248, CVE-2017-3506, or CVE-2017-10271, which would provide the capability to upload arbitrary files or achieve remote access”

3. Macy’s

According to Macy’s announcement this month, a Magecart card-skimming code was found to be implanted to checkout and wallet page on the payment portal. The malicious code is believed to  capture financial and other personal data submitted by customers, including

  • First and last names, 
  • Physical addresses, 
  • ZIP codes, 
  • E-mail addresses, 
  • Payment card numbers, card security codes, and expiration dates. 

Although it is not known at this stage how many customers were affected by the breach, Macy’s promises to offer consumer protection services for free. The code was removed the same day it was discovered. 

“We quickly contacted federal law enforcement and brought in a leading class forensics firm to assist in our investigation,” the company says. “We have reported the relevant payment card numbers to the card brands. In addition, we have taken steps that we believe are designed to prevent this type of unauthorized code from being added to macys.com.” Macy’s spokesperson announced.

Ticketmaster, British Airways, Newegg, and thousands of other websites had similar attacks due to the same card-skimming malware.

4. The City of Charlottesville

The officials from City of Charlottesville recently detected a security flaw on the city’s Treasurer’s Office page.

The reported flaw is found to be part of the online payment software for city tax collection, which is provided by a third-party vendor. The software and the payment portal is also used by other localities in Virginia. As soon as the flaw was detected, the system was switched off and the vendor was notified of the flaw. 

The breach, for the time being, is under scrutiny by forensic experts and the city will notify its customers once the investigation is finished.

This is not the first time the city is going through such an attack this year. This September a major breach due to an employee account hack have occurred and affected about 10,700 of utility billing customers. The exposed data included customers’  names, addresses, Social Security Numbers, and in some cases driver’s license numbers.

5. Facebook, Twitter

The personal data of hundreds of Twitter and Facebook users have been exposed, according to a recent announcement made by the spokespeople of the social media giants. Twitter revealed that the compromise was originally from a software development kit (SDK) called  “One Audience”, which gave access to user data by developers of the third-party. For example, if a user were to log in to these apps through his/her Twitter account, his/her most recent tweets were accessible to the developers of the SDK.

The exposed data includes 

  • email addresses, 
  • usernames and 
  • recent tweets of anyone accessing Giant Square and Photofy from their Twitter accounts.

Twitter made the following clarification regarding the breach:

“This issue is not due to a vulnerability in Twitter’s software, but rather the lack of isolation between SDKs within an application. Our security team has determined that the malicious SDK, which could be embedded within a mobile application, could potentially exploit a vulnerability in the mobile ecosystem to allow personal information (email, username, last Tweet) to be accessed and taken using the malicious SDK.” 

A similar malicious SDK from a company named Mobiburm, is also under scrutiny, Facebook revealed. The SDK used in certain Android apps have illegally collected  the user data and passed it to its central server, which is a major privacy violation for the social media platform.

Both SDKs are intended to utilize the user data  for targeted marketing and thus pay developers to integrate their SDKs into the apps.

6. Palo Alto Networks

A former data breach that took place in February came to light this November, when a former Palo Alto employee revealed it to Business Insider. The Cyber Security firm’s third-party vendor has listed personal data of the firm’s seven employees online by accident. The exposed data included

  • names, 
  • dates of birth, and 
  • Social Security numbers

When contacted, Palo Alto Networks confirmed the breach and mentioned that they immediately removed the employee data from the web. Besides, they also ended their relationship with the vendor. Although not much detail regarding the breach was revealed to the press, the exposure is thought to be originated from a security error on the third-party vendor side. It is not clear at this stage whether the exposed data were dumped onto dark web. 

Links to relevant news and our updated list can be found at :  https://www.blackkite.com/data-breaches-caused-by-third-parties/