It’s only mid-2019, but we’ve already experienced a significant amount of third-party breaches, and the number is only increasing.
In third-party data breaches, the personal information held by large companies is compromised through a vendor, business partner or supplier. The consequences of such incidents are considerable: Companies lose consumer confidence and loyalty, and can face costly penalties for violating data privacy regulations.
In our opinion, some data breaches were particularly noteworthy because they revealed hacking trends, originated from unexpected sources or resulted in particularly disastrous outcomes. Which data breaches really stood out? Here are our top five choices:
1. Topps.com
What happened?
Topps, a leading trading card retailer, became aware of an unauthorized third party that had hacked their site. The company stated that customer information such as names, addresses, email addresses and payment information may have been obtained by the attackers.
Upon further investigation, it was discovered that these intruders employed Magecart attacks, adding a malicious script that was active from November 19, 2018 to January 9, 2019. Magecart attacks were also used for data breaches at Ticketmaster, British Airways, NewEgg and more.
In most of their attacks, the group hacked into a company that provided web application services through Javascript integration to other companies. After hacking the provider of the Javascript code, they augmented the original integration code with their own malicious code. As a result, every application that used the services of the compromised company became compromised.
Why is it notable?
Online retailers like Topps are prime targets for Magecart, because data is easily stolen during checkout as customers enter their credit cards. Because these stealthy attacks blend in with original code and are hard to detect, Magecart isn’t going away anytime soon. The Topps breach illustrated that.
2. American Medical Collection Agency (AMCA)
What happened?
AMCA was the third-party provider of billing services for large healthcare companies such as Quest Diagnostics, LabCorp and BioReference Laboratories. Health providers like AMCA hold some of patients’ most sensitive data, which can be used by attackers for identity theft insurance fraud, financial gain or even blackmail.
The data breach took place from August 1, 2018, until March 30, 2019, and resulted in compromising the private information of 20 million Americans, including name, date of birth, provider and balance information.
Why is it notable?
This incident illustrates the disastrous consequences of a data breach. As a result of the breach, AMCA’s four largest clients ceased operations with the company, numerous class action suits were filed and the company faced enormous penalties for noncompliance with HIPAA. Consequently, AMCA filed for bankruptcy.
3. Wipro
What happened?
In early 2019, Indian outsourcing consulting giant Wipro suffered a major breach that sources said was caused by phishing attacks targeting numerous customer systems. Initially, the attackers were believed to be state sponsored, but later it became clear that the primary goal was to obtain cash.
Researchers found that dozens of Wipro employees had been attacked and the hackers gained access to over 100 Wipro computer systems.
Why is it notable?
Supply chain attacks are typically considered to be attacks on hardware components, like malware on laptops and network devices. This attack, however, was an attack on a service provider.
According to reports, at least one major US company responded to the breach by severing ties with Wipro.
4. Evite
What happened?
In May 2019, Evite, an online text invitation service, said that an outside party had gained access to its servers and was able to access members’ personal data. At the time, it was thought that approximately 10 million users had their information exposed; however, later reports said that the number could be as high as 100 million.
Why is it notable?
We tend to think of Evite as a B2C; however, it is fully integrated with companies. As a result, the data breach exposed business information, as well as personal.
According to Panorays’ research, more than half of evaluators do not recognize the need to continuously monitor low-risk business partners such as their marketing tools. However, as the Evite incident shows, the next breach can come from these so-called “low-risk” business partners.
5. US Customs and Border Protection
What happened?
In June, it was discovered that a contractor of the Customs and Border Protection had suffered a cyberattack. Consequently, photos of travelers into and out of the country and copies of license plate images were taken. The CPB alerted members of Congress, removed the subcontractor’s equipment from service and said it was monitoring its work.
Why is it notable?
This breach was significant because it illustrated how third-party breaches can occur even on the government level.
The Federal Information Systems Act (FISMA) of 2002, amended in 2014 as the Federal Information Security Modernization Act, mandates best practices for safeguarding data and information systems. Contractors to the Federal Government are required to comply with FISMA, which they can do by implementing the NIST information security control standards. Yet this breach occurred despite having these controls in place.
How Can You Prevent a Breach from Your Third Parties?
To help minimize the risk of third-party breaches, companies should:
- Conduct a third-party security risk assessment to evaluate the supplier’s security posture
- Remediate any security gaps
- Be vigilant about how data is shared with the supplier
- Continuously monitor supplier cyber posture
- Minimize risk based on relationship
Want to learn about how you can manage your third-party security better? Contact Panorays today.
