Data breaches caused by third parties cost large companies millions of dollars and are often devastating to small businesses. A recent survey conducted by the Ponemon Institute reveals that 59% of organizations have experienced one or more data breaches caused by a third party, costing an average of $7.5 million to remediate. IBM’s Cost of a Data Breach Report 2020 states that third-party involvement was one of the cost amplifiers in a breach, increasing the data breach cost by $207,000.
Third parties are companies that support your organization and often have access to, share, or maintain data critical to your operations. Third parties include a broad range of companies such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, service providers, and subcontractors. Essentially, any company whose employees or systems have access to your systems or your data is considered a third party. However, third-party cyber risk is not limited to these entities. Any external software, hardware, or firmware that you use for your business can also pose a cyber risk. There are several tools to assess third-party cyber risks and ways to prevent software supply-chain attacks. Knowing your potential risks allows your business to make adjustments and protect itself from becoming the next cyber breach headline.
We regularly update the list of major third-party (aka supply-chain) attacks and breaches revealed in the news. In this blog, you will find the most recent breaches for November. It should be noted that several of these breaches are still being substantiated as more data is collected.
1. Booking.com, Expedia.com, Hotels.com and Many Hotels
A recent data breach involving Prestige Software, a channel manager that links hotel reservations to sites like Hotels.com, Booking.com, and Expedia, revealed millions of hotel guest records. The company’s Cloud Hospitality software was storing guest data on an unsecured Amazon Web Services cloud database for seven years. The compromised files include:
- credit card details
- email addresses
- ID numbers
- reservation details
The data dates back to 2013 and contains more than 180,00 records alone. It’s not clear how long the data was left unsecured, or whether anyone had already captured it. Website Planet claims it “can’t guarantee that somebody hasn’t already accessed the S3 bucket.” Prestige Software confirmed its ownership of the data.
Amazon S3 buckets left open are not a new source of breaches. Many companies use cloud storage to hold their data. Despite their great advantages, misconfigured buckets often expose sensitive data and serve as an open invitation for hackers to dump and use a company’s data for their malicious activities, as this incident shows. The leak also highlights the risks of strong dependence on third-party platform providers. Security is only as strong as the weakest link in the chain.
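A defender’s check for the misconfiguration described above, written as an added example (not code from this post or from any company named in it): it evaluates the three structures an S3 audit would fetch with boto3 (get_bucket_acl, get_bucket_policy, get_public_access_block) and reports every public exposure path it finds. The bucket name and the response contents are constructed samples; fetching the real responses from AWS is left to the caller.

```python
import json
# Group URIs that make an ACL grant readable by the world or by any AWS account.
PUBLIC_GRANTEE_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                       "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def public_acl_grants(acl):
    """Permissions a GetBucketAcl response hands to a public group, e.g. ['READ']."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEE_URIS]

def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, including "*" inside a list."""
    if principal == "*":
        return True
    aws = principal.get("AWS") if isinstance(principal, dict) else None
    return aws == "*" or (isinstance(aws, list) and "*" in aws)

def public_policy_statements(policy_json):
    """Sids of unconditional Allow statements open to any principal (GetBucketPolicy)."""
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be an object, not a list
        statements = [statements]
    return [s.get("Sid", "<no Sid>") for s in statements if s.get("Effect") == "Allow"
            and _wildcard_principal(s.get("Principal")) and "Condition" not in s]

def block_public_access_complete(pab):
    """True only if all four Block Public Access settings (GetPublicAccessBlock) are on."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(k) is True for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                             "BlockPublicPolicy", "RestrictPublicBuckets"))

def assess_bucket(name, acl, policy_json, pab):
    """Findings for one bucket; an empty list means no public exposure path was found."""
    findings = [f"{name}: ACL grants {p} to a public group" for p in public_acl_grants(acl)]
    findings += [f"{name}: policy statement {s} allows any principal"
                 for s in public_policy_statements(policy_json)]
    if not block_public_access_complete(pab):
        findings.append(f"{name}: Block Public Access is not fully enabled")
    return findings
# Constructed sample shaped like the boto3 responses for a misconfigured bucket.
SAMPLE_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                                           "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_PAB = {"PublicAccessBlockConfiguration": dict.fromkeys(
    ["BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"], False)}

if __name__ == "__main__":
    for line in assess_bucket("example-bucket", SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_PAB):
        print(line)
```

A statement that grants "*" but carries a Condition (for example a source-IP or VPC restriction) is deliberately not flagged, so review those by hand.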
2. Animal Jam
The company behind the popular gaming app Animal Jam recently confirmed a breach that compromised 46 million records. Although the incident took place in early October, WildWorks was not aware of it until now.
According to Animal Jam, someone hacked into one of its third-party servers used for employee communication. The hacker obtained a secret key that authorized access to the company’s user database, and some of the stolen data is known to be circulating on at least one cybercrime website. WildWorks now suggests that the stolen information could be exploited by malicious hackers. WildWorks did not name the third-party vendor involved in the breach.
Although much of the stolen data wasn’t highly sensitive, according to the announcement by WildWorks, the company warned that some of the stolen records might include:
- the player’s username
- player’s gender
- the player’s birth year
- player’s full date of birth
The hacker also stole 7 million parent email addresses used to control children’s accounts. It was also claimed that 12,653 parent accounts had the complete name and billing address of a parent, and 16,131 parent accounts had the name but no billing address of a parent. The company claims no other billing data, such as financial details, was compromised.
3. (Colorado-based) Insurance Carriers
Early-November breach news out of Colorado involves 27.7 million Texas drivers.
The insurance tech company Vertafore blames the incident on human error, stating in a written announcement that three company files containing information from driver’s licenses issued before February 2019 were “inadvertently stored in an unsecured external storage service,” adding that they appeared “to have been accessed without authorization.”
Files that have been accessed during the incident include:
- driver’s license numbers
- dates of birth
- vehicle registration histories
data the company was using for its insurance rating software solution. However, the accessed files did not contain social security numbers or financial account information, according to the company.
The breach window is believed to be between March 11th and August 1st. Vertafore said it notified relevant authorities about the security breach, including the Texas Attorney General, the Texas Department of Public Safety, the Texas Department of Motor Vehicles, and federal law enforcement.
4. First Federal Community Bank, Rio Bank, Citizens Bank of Swainsboro, First Bank & Trust
Ransomware attacks were among the most common breaches in 2020. The most recent ransomware attack targeted American Bank Systems (ABS), a service provider to US banks and financial institutions, and resulted in a leak of 53 GB of data. Avaddon, the ransomware group behind the attack, had previously published a 4 GB portion of the database, threatening to publish more if ABS did not pay the ransom demanded.
Avaddon recently published a 52.57 GB dump after ABS refused to cooperate with the ransom demands. The organizations affected by this attack appear to include multiple banks and mortgage companies, such as First Federal Community Bank, Rio Bank, Citizens Bank of Swainsboro, First Bank & Trust, etc. ABS provides banking software and systems to facilitate bank processes and compliance requirements.
The compromised data in the published dump includes:
- loan documents
- business contracts
- private emails
- credentials for network shares
- company confidential files
- other personal information
For a detailed study on ABS and third-party ransomware attacks, read our blog!
5. LensCrafters, Target Optical, EyeMed, and Other Eye Care Practices
A data breach at Luxottica exposed information of 829,454 patients at LensCrafters, Target Optical, EyeMed, and other eye care practices.
The company also faced a ransomware attack in August, and since then the Nefilim ransomware threat actors have released data allegedly stolen from the retailer on the dark web. The ransomware attack caused website disruptions for popular Luxottica brands, such as EyeMed and Ray-Ban.
As the world’s largest eyewear company with a portfolio of well-known eyeglass brands, including Ray-Ban, Oakley, Michael Kors, Bulgari, Armani, Prada, Chanel, and Coach, Luxottica also operates the EyeMed Vision benefits company and partners with eye care professionals as part of its LensCrafters, Target Optical, EyeMed, and Pearle Vision retail outlets. These partners use Luxottica’s web-based appointment scheduling application, which allows patients to schedule appointments online or over the phone.
The breach that triggered the HIPAA breach disclosure was the result of a hack of the web-based appointment scheduling application managed by Luxottica.
Breached patient information includes:
- contact details
- health insurance policy numbers
- appointment notes related to treatment, such as health conditions, procedures, and prescriptions
- patient credit card information and Social Security information
A Luxottica spokesperson announced: “We have no evidence that indicates misuse of our patients’ information as a result of the scheduling app incident. We have followed all laws and notification requirements in this incident and continue to manage the situation with full transparency.”
As the hacking group behind the August ransomware attack continues to publish the data, banking information and other sensitive data that was also compromised is still being revealed.
Again, according to the company spokesperson, the company “has no evidence that the data leak highlighted had any impact in the U.S.”
At this stage, it’s unknown whether the two incidents (the ransomware attack and the hacking of the scheduling application) were related. However, it is not surprising to see one cybersecurity event lead to another, as hackers often leverage a vast amount of stolen data as a vector in a new attack.
Note: The ransomware attack Luxottica experienced in August was due to a vulnerable Citrix ADC controller device. The hackers leveraged the critical CVE-2019-19781 flaw to infiltrate corporate IT networks and steal credentials. It was an unfortunate example of a failure to patch against a vulnerability that had been made public 9 months earlier.
Please read our blog for critical vulnerabilities that are frequently exploited by hackers.
6. Clients of Belden
More third-party vendor breach news came from Belden, the networking equipment supplier. The company became aware of the incident after its IT staff detected unusual activity on several file servers. A further investigation disclosed that employee information and company information regarding business partners were leaked as part of the hacking incident.
“Safety is always paramount at Belden and we take threats to the privacy of personal and company information very seriously,” said Roel Vestjens, President and Chief Executive Officer. “We regret any complications or inconvenience this incident may have caused and are offering assistance to those individuals who may have been impacted.”
Belden is now notifying clients and employees whose information it suspects was compromised in the incident. Belden has not commented on whether the hackers escalated the intrusion into a ransomware attack. However, according to data provided by threat intelligence firm KELA, credentials for Belden accounts have been available on the cybercrime underground since April 2020.