2022 was an eventful year in the world of third-party cybersecurity. In almost every sector, organizations suffered data breaches via vendors in their supply chains, compromising valuable sensitive information.
A third-party breach occurs when hackers gain access to an organization by exploiting a weakness in one of its vendors, business partners, or suppliers, which integrates with the organization’s data sources or has access to certain networks. These security breaches can lead to disastrous consequences for organizations, such as regulatory fines, customer lawsuits, and reputational damage that can be difficult — sometimes, impossible — to repair.
As of 2022, a data breach costs companies an average of $4.35 million (USD). In the United States, that figure is even higher, at $9.44 million.
The rising prevalence of third-party breaches, as well as increasing costs, underscore the critical importance of third-party risk management. By looking back on four notable breaches this year, we can all learn more about how to enhance third-party vendor management and improve overall cybersecurity posture.
1. Okta
What happened?
Okta, the No. 1 identity and access management company for enterprises, was breached in January of this year. When the company disclosed the attack in March, it revealed 366 corporate customers (about 2.5% of its customer base) were impacted by the breach, in which the Lapsus$ hacking group gained access to the company’s internal network.
In a March 23 statement, Okta CSO David Bradbury attributed the attack to Sykes, a subprocessor that provides customer support services to Okta. As of 2021, Sykes is owned by contact center giant, Sitel.
Customer support companies are considered attractive targets for hackers, because they often have broad access to the organizations they provide customer service support to. In Okta’s case, the Lapsus$ hackers infiltrated Sykes’ network for five days before being detected and kicked out. Okta experienced significant criticism from the security industry in the wake of the attack, particularly for waiting two months to notify customers, who only discovered the breach when it was leaked on social media.
Takeaways
The Okta breach illuminates two important lessons regarding third-party vendor management. First, it serves as a reminder that companies need a robust third-party risk management strategy and solution in place, so that they can accurately monitor their third-party security risk and mitigate breaches as quickly as possible. With a stronger approach to third-party vendor management, Okta could have had greater clarity into Sykes’ cybersecurity posture, including the credentials and sensitive customer data that were at risk of exposure.
The second lesson is about prioritization. While all third parties in your supply chain potentially pose some risk, certain types of service providers introduce far greater risk than others. Support services vendors have long been attractive targets for hackers, precisely because of their wide access to company networks, and because they deal directly with customers. It’s important to prioritize monitoring and attention to those suppliers for which a breach would lead to the most severe consequences.
2. KeyBank
What happened?
In July, hackers stole personal data from KeyBank home mortgage holders in the breach of its insurance services provider, Overby-Seawell Company. Personal data, including the first eight digits of Social Security Numbers, names, mortgage account numbers and information, phone numbers, property information, home insurance policy numbers, and home insurance information of homeowners, was compromised in the attack.
Hackers obtained the information by breaking into computers at Overby-Seawell Company, which provides a real-time insurance monitoring tracking system to banks, credit unions, mortgage servicers, finance companies, and property investors. Although KeyBank didn’t verify the exact number of residential mortgage customers affected by the breach, a federal lawsuit claimed it exceeded 100 people, with damages amounting to more than $5 million. According to the lawsuit, the personal information that was stolen could be used to commit fraud and cause even more damage to customers’ finances, property, credit and reputation.
Takeaways
This attack reminds us that when an outsourced service involves the transfer and/or use of highly sensitive personal information, it’s critical for companies to understand how vendors keep this data secure. First, organizations must audit their vendors’ security policies and tools. They must also assess how strictly data protection policies are enforced.
The KeyBank breach also shows us that a single slip, whether due to poor security policy enforcement or human error, is all it takes to enable a highly damaging breach.
3. US School Districts
What happened?
In July, a cyberattack on Illuminate Education — a leading provider of student-tracking software — exposed the personal information of more than one million current and former students in dozens of districts around the US, including New York City and Los Angeles.
According to district officials, the compromised data included the names, dates of birth, races, ethnicities, and test scores of students. At least one district said the breach exposed more delicate details about students, such as behavioral incidents, tardiness and absenteeism, disabilities and migrant status. Hackers stole data dating back more than a decade, raising concern about the nature and scope of the attack.
Takeaways
One of the main takeaways of the Illuminate Education cyberattack is that it indeed illuminates a major challenge: the sophistication of data-mining tools in schools is accelerating more rapidly than protections for students’ personal information. Since Congress has yet to enact meaningful data protection laws for students, ed tech companies are usually not held accountable for security incidents that expose students’ private information.
Therefore, it’s up to school districts and ed tech companies themselves to step up and increase the security of students’ sensitive data — even in the absence of meaningful regulation. In particular, educational institutions must develop a third-party risk management strategy, including a third-party vendor management platform that can automatically and continuously monitor suppliers’ cyber risk.
4. Highmark Health
What happened?
In March, Highmark Health, a large healthcare delivery and financing system based in Pittsburgh, Pennsylvania, reported a fourth-party vendor breach that compromised Highmark data.
The breach targeted Quantum Group, a printing and mailing services provider used by WebbMason, a company that Highmark Health had hired to perform marketing services. As a result of the attack, the sensitive information of about 67,147 individuals was exposed, including names, birth dates, Highmark member IDs, and prescription information.
Takeaways
This breach serves as an unfortunate reminder that even your vendors’ vendors — your fourth parties — pose cybersecurity risks that can cause significant financial, legal, and reputational damage. Incidents like these clarify the need for a holistic, comprehensive, and continuous approach to vendor security risk management. Without one, it’s impossible to identify risk within your vendor supply chain, or mitigate vulnerabilities in time to avoid damaging cyberattacks.
How Can You Prevent Third-Party Breaches?
Unfortunately, you can’t completely prevent a data breach via your third parties. Cyber criminals and hostile nation states are constantly refining and developing new techniques to successfully breach internal networks, systems, and apps. As the rate of supply chain attacks increases, it’s become clear that hackers are eager to exploit third-party vulnerabilities.
However, you can gain far better visibility into your true cybersecurity posture with a clearly defined incident response plan and vendor security risk management platform, like Panorays.
Do you have an expert-designed incident response plan in place? If not — or if yours is in need of a reboot — check out this eBook, The Third-Party Incident Response Playbook, a practical guide to protecting against and preparing for a possible vendor cyber breach. The eBook will help you:
- Understand why third-party security is critically important
- Prepare for a possible supply chain cyberattack
- Recognize signs that may indicate a possible third-party cyberattack
- Respond and recover from such an incident