The Okta, Intellighartz and Bank of America breaches are all examples of the third-party data breaches that appear increasingly in the headlines today. Other cyberattacks can also lead to data breaches, such as the recent MOVEit supply chain attack, which caused third-party data breaches at numerous organizations across industries, with new victims continuing to be revealed throughout the year. These included the Oregon and Louisiana Departments of Motor Vehicles, Tigo, a video chat forum, and Nuance Communications, Microsoft’s healthcare technology company.
What is a Third-Party Data Breach?
Third-party data breaches are a subset of data breaches that meet a specific set of criteria. First, the data is compromised or stolen from a third party. Second, the third party must have its own infrastructure, located in an IT environment separate from the business’s. Finally, the stolen data must be sensitive or confidential, so that the business has reason to be concerned about the breached data.
Not all data breaches come from third parties, however. Many occur simply because a malicious attacker discovers a vulnerability in an organization’s own system or network and exfiltrates sensitive data from it. That is what happened in the case of the third data breach last year at T-Mobile, which was the result of a glitch in a technology update, and in the Chick-fil-A data breach, which was the result of a months-long credential stuffing attack.
After obtaining sensitive data or information, malicious attackers may then sell it on the dark web or use it to instigate a ransomware attack on an organization. In many cases, however, the exact origins of the breach remain forever a mystery.
How to Evaluate Your Risk of a Data Breach
Almost 300 million accounts were leaked in 2023, with one-third of those accounts being from the U.S. These breaches can lead to hefty fines and penalties, legal court cases, additional security incidents, and a loss of customer trust and damage to the brand.
While it’s impossible to predict a data breach, there are steps your organization can take to reduce the likelihood of suffering a data breach. Although risk assessment, remediation, and supply chain visibility are all aspects that contribute to third-party risk management, this post focuses on threat intelligence and vulnerability management to defend against this threat.
Here are 4 key strategies:
1. Continuously Monitor Security Posture
It’s important to assess and continuously monitor your vendors’ security posture in order to unveil assets and any possible cyber gaps. Comprehensive third-party risk management includes a thorough attack surface analysis that should examine at least three layers:
- Network and IT: Parameters involving web, email and DNS servers, TLS protocols, asset reputation, cloud solutions and other exposed services.
- Applications: Parameters involving web applications, CMS, domain attacks, etc.
- Human: Parameters involving social posture, employees’ attack surface, presence of a dedicated security team, etc.
In particular, you should be sure to pay attention to critical and high-severity findings. With a comprehensive assessment and continuous monitoring of your vendors, you can pinpoint security gaps early on and remediate them before they can be exploited by malicious actors.
2. Review Cyber News
If a breach does take place that might involve your vendor, you want to be aware of it as early as possible so that you can take steps to mitigate it. For this reason, it’s important to regularly review cyber news to keep abreast of any cyber incidents and how they might affect you and your third parties. Staying informed allows you to take important steps such as limiting third-party access to your systems and being alert to suspicious activity.
3. Check Dark Web Chatter
It’s a good idea to track changes in how often your third parties are mentioned on hacker forums and other nefarious marketplaces. By doing so, you can monitor potentially malicious hacker chatter about opportunities to target your third party, sell databases of personal information or take advantage of system weaknesses for financial benefit. By regularly checking the dark web, you can learn about in-the-wild threats to your supply chain in advance and act proactively. In addition, you can collaborate with your third party on how to prevent them.
4. Watch for Warning Signs
Certain observable security issues can indicate that something is wrong at your vendor. They include, for example, outdated technologies, untrusted certificates, mail server misconfigurations, a lack of security controls and botnet traffic emanating from compromised machines. All of these are signs that something might be amiss with your vendor and that you should investigate the matter more thoroughly.
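Several of the warning signs just listed, and the network-layer parameters from the attack surface analysis above (TLS protocols, email and DNS servers, certificates), can be turned into automated checks. The following Python script is an added example, not Panorays’ code or any part of its product. It evaluates a constructed snapshot of scan results for a vendor domain (the domain names, DNS records and certificate dates are all made up) and flags outdated TLS versions, untrusted or expiring certificates, and SPF/DMARC misconfigurations, ranking them by severity so that critical and high findings surface first. It assumes the scan data has already been collected, so it makes no network calls.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Severity ranking so critical/high findings sort to the top of a report.
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
# SPF terms that each cost a DNS lookup; RFC 7208 caps the total at 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
# Protocol versions that count as outdated technology on an exposed service.
OUTDATED_TLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Fixed "today" so the constructed snapshots below evaluate deterministically.
CONSTRUCTED_TODAY = date(2024, 6, 1)


@dataclass(frozen=True)
class Finding:
    severity: str   # critical / high / medium / low
    layer: str      # one of the post's three layers: network, application, human
    message: str


@dataclass
class VendorSnapshot:
    """Constructed input shape: what an external scan of one vendor domain returned."""
    domain: str
    spf: Optional[str]        # TXT record text, or None if the domain has none
    dmarc: Optional[str]      # _dmarc TXT record text, or None if absent
    tls_versions: list        # protocol versions the exposed endpoint accepts
    cert_trusted: bool        # does the leaf certificate chain to a trusted root?
    cert_not_after: date      # certificate expiry date


def parse_tag_record(record: str) -> dict:
    """Parse a 'k=v; k=v' style TXT record (DMARC) into lowercase-keyed tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(spf: Optional[str]) -> list:
    if spf is None:
        return [Finding("high", "network", "no SPF record; the domain's mail can be spoofed")]
    findings = []
    terms = spf.split()[1:]  # drop the leading "v=spf1"
    if any(t in ("all", "+all") for t in terms):  # pass qualifier on 'all' = anyone may send
        findings.append(Finding("high", "network", "SPF ends in '+all' and authorises every sender"))
    elif "?all" in terms:
        findings.append(Finding("medium", "network", "SPF ends in '?all' (neutral) and enforces nothing"))
    # Strip the qualifier and any argument to get the bare mechanism/modifier name.
    lookups = sum(
        1 for t in terms
        if t.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0] in SPF_LOOKUP_TERMS
    )
    if lookups > 10:
        findings.append(Finding("medium", "network",
                                f"SPF needs {lookups} DNS lookups; receivers permerror above 10"))
    return findings


def check_dmarc(dmarc: Optional[str]) -> list:
    if dmarc is None:
        return [Finding("high", "network", "no DMARC record; spoofed mail is never rejected")]
    tags = parse_tag_record(dmarc)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return [Finding("high", "network", "malformed DMARC record (needs v=DMARC1 and p=)")]
    findings = []
    if tags["p"] == "none":
        findings.append(Finding("medium", "network", "DMARC p=none only monitors; nothing is blocked"))
    if "rua" not in tags:
        findings.append(Finding("low", "network", "DMARC has no rua=, so the vendor gets no reports"))
    return findings


def check_tls(versions: list) -> list:
    old = sorted(OUTDATED_TLS.intersection(versions))
    if not old:
        return []
    return [Finding("high", "network", f"outdated protocol versions still accepted: {', '.join(old)}")]


def check_cert(trusted: bool, not_after: date, today: date) -> list:
    findings = []
    if not trusted:
        findings.append(Finding("high", "network", "certificate does not chain to a trusted root"))
    if not_after < today:
        findings.append(Finding("critical", "network", f"certificate expired on {not_after.isoformat()}"))
    elif not_after - today <= timedelta(days=30):
        findings.append(Finding("medium", "network", f"certificate expires soon ({not_after.isoformat()})"))
    return findings


def assess_vendor(snap: VendorSnapshot, today: date = CONSTRUCTED_TODAY) -> list:
    """Run every check and return the findings with critical/high first."""
    findings = (check_spf(snap.spf) + check_dmarc(snap.dmarc) + check_tls(snap.tls_versions)
                + check_cert(snap.cert_trusted, snap.cert_not_after, today))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


def needs_attention(findings: list) -> bool:
    """The post's advice: critical and high findings are the ones to chase first."""
    return any(f.severity in ("critical", "high") for f in findings)


def example_snapshots() -> dict:
    """Constructed scan results for three hypothetical vendors (no real domains)."""
    t = CONSTRUCTED_TODAY
    return {
        "weak": VendorSnapshot("vendor-a.example", "v=spf1 include:_spf.mail.example +all",
                               "v=DMARC1; p=none", ["TLSv1.0", "TLSv1.2", "TLSv1.3"],
                               False, t + timedelta(days=10)),
        "clean": VendorSnapshot("vendor-b.example", "v=spf1 include:_spf.mail.example -all",
                                "v=DMARC1; p=reject; rua=mailto:dmarc@vendor-b.example",
                                ["TLSv1.2", "TLSv1.3"], True, t + timedelta(days=365)),
        "expired": VendorSnapshot("vendor-c.example", None, None, ["TLSv1.2"], True,
                                  t - timedelta(days=1)),
    }


if __name__ == "__main__":
    for name, snap in example_snapshots().items():
        found = assess_vendor(snap)
        print(f"{snap.domain} ({name}): {len(found)} findings, attention={needs_attention(found)}")
        for f in found:
            print(f"  [{f.severity}] {f.layer}: {f.message}")
```

Feeding real scan output into `VendorSnapshot` is the part left to the reader; the checks themselves encode the post’s warning signs as rules, so a vendor that trips `needs_attention` is one whose critical and high findings deserve the follow-up the post recommends.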
How Panorays Helps Manage Third-Party Risk
Almost three-quarters (73%) of organizations have experienced a security incident in the last three years that originated from a third party. As a result, organizations are re-examining and adjusting their third-party risk management as needed. Because technology, risk, compliance and the vendor lifecycle are all dynamic, context is needed to properly evaluate threats to organizations.
Panorays delivers a third-party contextual risk management (TCPRM) solution that evaluates third-party risk throughout the vendor lifecycle. It does this with minimal dependence on communication with third parties, combining AI-powered cybersecurity questionnaires and external attack surface assessments.
Cybersecurity questionnaires deliver internal assessments of third parties; their frequency, questions and templates can be customized based on each vendor’s risk profile and your individual risk tolerance. The questionnaires are answered using an AI-based response drawing on a combination of vendor documentation and external public data.
The attack surface assessments deliver accurate external assessments that map and analyze third parties for various risks. These include vulnerabilities and control failures, breach history, human risk, dependence on AI technologies and Known Exploited Vulnerabilities (KEVs), according to their level of criticality. The assessment can also evaluate details of assets (e.g., location, domain, discovery origin, etc.) and test different categories (e.g., company credentials, endpoint, cloud and application findings) to properly evaluate the third party’s security posture.
Together these internal and external assessments produce the most accurate risk assessment for each vendor relationship, taking into consideration the evolving risk based on the changing relationship of the vendor with your organization. When a data breach does occur in your supply chain, you’ll be able to respond immediately by sending a cybersecurity questionnaire to the relevant parties. You’ll then use the results to develop a remediation plan with a list of critical tasks your suppliers need to complete to close the gaps that pose the most risk to your organization.
Want to learn more about how Panorays can help your organization manage third-party risks? Get a demo today.
FAQs
- A third-party data breach is a data breach with specific criteria. First, the data must be stolen or compromised from a third party. Second, the third party must have its IT infrastructure in its own environment, separate from the organization suffering the data leak. Third, the data or information must be sensitive or confidential.
- The most common causes of third-party data breaches include:
  - Weak passwords. Weak passwords can be easily compromised and allow attackers easy access to an organization’s network, system or databases.
  - Insider threats. Disgruntled or former employees may have access to networks and systems that can be used to steal or exfiltrate data for malicious intent.
  - Malware. Malicious software can be used to exploit vulnerabilities within an organization’s system or network and gain unauthorized access to data and files.
  - Social engineering. Employees can be manipulated into revealing their user credentials and passwords or other confidential information that attackers can leverage for malicious intent.
- In the event of a third-party data breach, your business may be liable. This is true of any data breach that is the fault of the cloud provider under the shared responsibility model. Businesses must check their vendor contract to understand the legal repercussions of a third-party data breach, which can include fines and penalties, court cases and, for larger data breaches, class action cases. Regulations such as GDPR, HIPAA and CCPA allow authorities to fine companies for not properly securing their data or for failing to disclose a data breach within a certain timeframe.
- If passwords are exposed in a third-party data breach, your organization and customers are at greater risk of an additional cybersecurity attack. Cybercriminals often use data leaks as the first step of a more sophisticated attack, such as account takeover or ransomware. Exposed passwords also result in a loss of customer trust and damage to your brand.