Only half the year is over, but we’ve already experienced some of the most damaging third-party data breaches in history. Such cyber incidents compromise sensitive information belonging to an organization by gaining access through a vendor, business partner or supplier. These security breaches can be disastrous for organizations, leading to hefty regulatory fines, lawsuits and loss of customer loyalty. They can also be quite lucrative for cybercriminals, which is why it’s no wonder that third-party cyberattacks are on the rise.
What Are Third-Party Breaches?
Third-party breaches refer to incidents where confidential data is stolen from a vendor, partner, or subsidiary, or when their systems are exploited to access and steal sensitive information stored on your systems.
5 Third-Party Data Breaches From 2021
Which third-party breaches stood out in 2021, and what can we learn about third-party risks from them? Here are five notable ones:
1. Accellion
Late last year, cybercriminals exploited vulnerabilities in Accellion’s File Transfer Appliance, which is used to move large and sensitive files within a network, to expose private data such as Social Security numbers and banking information. The motive of the attack was criminal profit, and throughout 2021, we’ve heard about the many victims. They include the Reserve Bank of New Zealand, the state of Washington, grocery chain Kroger, the University of Colorado, cybersecurity firm Qualys, and many more.
The Accellion breach is an unfortunate example of how bad things can get when hackers find an easy way to reach third-party targets. In fact, there are likely more Accellion victims still to be named. Accellion now faces multiple lawsuits in Northern California and Washington state courts, but there will no doubt be more.
2. Audi and Volkswagen
In March, Volkswagen Group of America, Inc. was notified that its vendor had left unsecured data on the Internet between August 2019 and May 2021 that had been accessed by an unauthorized party. The breach affected 3.3 million customers, with over 97% relating to Audi customers and interested buyers. The exposed data varied from contact information to Social Security numbers and loan numbers.
This cyber incident is an excellent example of what can happen when sensitive data is mistakenly left exposed on the Internet, a common yet highly preventable situation. In fact, Panorays recently found that a surprisingly high number of vendors are not configuring their cloud storage buckets properly. To help protect their customers’ data, organizations should be sure to check that their vendors are storing it securely on the cloud.
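The check described above, that a vendor is not exposing customer data through a misconfigured bucket, can be made concrete. The following Go program is an added example for this post, not Panorays tooling or any vendor's code: it parses an S3 bucket policy document and flags every Allow statement that grants object reads to anonymous principals (`"Principal": "*"` or `{"AWS": "*"}`), noting whether a Condition block narrows the grant. The two policies embedded in it are constructed for the example (the account id is the AWS documentation placeholder); in practice the policy JSON would come from `get-bucket-policy` output, and the same review should cover ACLs and the account's Block Public Access settings, which this snippet does not inspect.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Finding describes one policy statement that lets anonymous principals read.
type Finding struct {
	Index       int      // position of the statement in the policy
	Actions     []string // actions the statement grants
	Conditional bool     // true if a Condition block narrows the grant
}

type policyDoc struct {
	Statement []struct {
		Effect    string          `json:"Effect"`
		Principal json.RawMessage `json:"Principal"`
		Action    json.RawMessage `json:"Action"`
		Condition json.RawMessage `json:"Condition"`
	} `json:"Statement"`
}

// stringList accepts either a JSON string or a JSON array of strings,
// both of which IAM allows for Action and Principal.AWS.
func stringList(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	if json.Unmarshal(raw, &many) == nil {
		return many
	}
	return nil
}

// principalIsAnonymous reports whether Principal is "*" or {"AWS": "*"},
// either of which extends the statement to unauthenticated callers.
func principalIsAnonymous(raw json.RawMessage) bool {
	for _, p := range stringList(raw) {
		if p == "*" {
			return true
		}
	}
	var obj struct {
		AWS json.RawMessage `json:"AWS"`
	}
	if json.Unmarshal(raw, &obj) != nil {
		return false
	}
	for _, p := range stringList(obj.AWS) {
		if p == "*" {
			return true
		}
	}
	return false
}

// grantsObjectRead reports whether any action lets a caller read objects
// or list the bucket, including wildcards that cover those actions.
func grantsObjectRead(actions []string) bool {
	for _, a := range actions {
		switch strings.ToLower(a) {
		case "*", "s3:*", "s3:get*", "s3:getobject", "s3:listbucket":
			return true
		}
	}
	return false
}

// PublicReadStatements parses a bucket policy and returns every Allow
// statement that grants object reads to anonymous principals.
func PublicReadStatements(policyJSON string) ([]Finding, error) {
	var doc policyDoc
	if err := json.Unmarshal([]byte(policyJSON), &doc); err != nil {
		return nil, fmt.Errorf("parse policy: %w", err)
	}
	var findings []Finding
	for i, st := range doc.Statement {
		if !strings.EqualFold(st.Effect, "Allow") || !principalIsAnonymous(st.Principal) {
			continue
		}
		actions := stringList(st.Action)
		if !grantsObjectRead(actions) {
			continue
		}
		findings = append(findings, Finding{
			Index:       i,
			Actions:     actions,
			Conditional: len(st.Condition) > 0 && string(st.Condition) != "null",
		})
	}
	return findings, nil
}

// Constructed sample policies for a hypothetical vendor export bucket.
const PublicPolicy = `{"Version": "2012-10-17", "Statement": [
  {"Sid": "VendorApp", "Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::123456789012:role/VendorApp"},
   "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-exports/*"},
  {"Sid": "LeftOpen", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exports/*"}]}`

const PrivatePolicy = `{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::123456789012:role/VendorApp"]},
   "Action": "s3:*", "Resource": "arn:aws:s3:::example-exports/*"},
  {"Effect": "Deny", "Principal": "*", "Action": "s3:*",
   "Resource": "arn:aws:s3:::example-exports/*",
   "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}`

func main() {
	for name, p := range map[string]string{"public": PublicPolicy, "private": PrivatePolicy} {
		findings, err := PublicReadStatements(p)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%s: %d anonymous-read statement(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Printf("  statement %d grants %v (conditional=%v)\n", f.Index, f.Actions, f.Conditional)
		}
	}
}
```

Running it reports one unconditional anonymous-read statement for the first policy and none for the second; the Deny statement with `"Principal": "*"` is correctly ignored, since only Allow statements widen access.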
3. Click Studios
In April, Click Studios notified customers that its enterprise password manager Passwordstate had been breached when attackers exploited the app’s update mechanism to deliver malware to customers. Passwordstate is used by over 370,000 security and IT professionals at 29,000 companies worldwide, and it was not clear how many had been affected by the breach. Click Studios advised customers who upgraded their client during the breach to reset all passwords in their Passwordstate database.
The reality is that not everyone would even consider a password manager to be a third party. But in fact, a password manager should be treated as a high-risk supplier whose security should be thoroughly assessed and continuously monitored. This unfortunate cyber incident involving Passwordstate underscored why it’s so crucial for organizations to fully understand the cyber risks posed by all of their third parties—and to continuously assess, monitor and remediate their cybersecurity posture.
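The Passwordstate incident turned on an update channel that clients trusted without an independent check. The Go program below is an added illustration for this post of the control that closes that gap; it is not Click Studios code and the manifest format is hypothetical. The publisher signs a small manifest (build number and SHA-256 of the package) with an Ed25519 key held offline, and the client verifies that signature against a public key pinned in the binary before comparing the downloaded payload's hash and rejecting builds older than the one installed. `Scenario` exercises the genuine path plus two failure modes with constructed data: a payload swapped on the download server, and a manifest signed with a key other than the pinned one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is the metadata published alongside an update package.
// Hypothetical format for this example, not any real product's update file.
type Manifest struct {
	Build  int    `json:"build"`  // monotonically increasing build number
	SHA256 string `json:"sha256"` // hex digest of the update payload
}

// SignedManifest bundles the manifest bytes with the publisher's detached signature.
type SignedManifest struct {
	Manifest  []byte `json:"manifest"`  // exact bytes that were signed
	Signature []byte `json:"signature"` // ed25519 signature over Manifest
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against pinned publisher key")
	ErrHashMismatch = errors.New("update payload hash does not match signed manifest")
	ErrDowngrade    = errors.New("manifest build is not newer than installed build")
)

// SignManifest is the publisher's release step, run with the offline signing key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (SignedManifest, error) {
	raw, err := json.Marshal(m)
	if err != nil {
		return SignedManifest{}, err
	}
	return SignedManifest{Manifest: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// VerifyUpdate is the client-side gate. The publisher key is pinned in the
// client, so a compromised update server cannot produce an acceptable
// manifest, and the payload must hash to the value that was signed.
func VerifyUpdate(pinnedPub ed25519.PublicKey, sm SignedManifest, payload []byte, installedBuild int) (Manifest, error) {
	if !ed25519.Verify(pinnedPub, sm.Manifest, sm.Signature) {
		return Manifest{}, ErrBadSignature
	}
	var m Manifest
	if err := json.Unmarshal(sm.Manifest, &m); err != nil {
		return Manifest{}, err
	}
	sum := sha256.Sum256(payload)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return Manifest{}, ErrHashMismatch
	}
	if m.Build <= installedBuild {
		return Manifest{}, ErrDowngrade
	}
	return m, nil
}

// Scenario runs the genuine path and two tampering cases on constructed data
// and returns the outcome of each so callers can inspect the results.
func Scenario() (genuineErr, swappedPayloadErr, wrongKeyErr error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // pub is what the client pins
	payload := []byte("constructed update package bytes, build 42")
	sum := sha256.Sum256(payload)
	sm, _ := SignManifest(priv, Manifest{Build: 42, SHA256: hex.EncodeToString(sum[:])})

	// Genuine release: signature, hash and build number all check out.
	_, genuineErr = VerifyUpdate(pub, sm, payload, 41)

	// Payload replaced on the download server; the signed manifest still names the real hash.
	_, swappedPayloadErr = VerifyUpdate(pub, sm, []byte("constructed replaced payload"), 41)

	// Manifest re-signed with a key that is not the pinned publisher key.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	evil := []byte("constructed replaced payload")
	evilSum := sha256.Sum256(evil)
	forged, _ := SignManifest(otherPriv, Manifest{Build: 43, SHA256: hex.EncodeToString(evilSum[:])})
	_, wrongKeyErr = VerifyUpdate(pub, forged, evil, 41)
	return
}

func main() {
	g, s, w := Scenario()
	fmt.Println("genuine update:      ", g)
	fmt.Println("swapped payload:     ", s)
	fmt.Println("manifest, wrong key: ", w)
}
```

The design point is that the trust anchor lives in the client, not in the server that serves updates; a compromised update host can therefore serve whatever it likes, but nothing it serves will install. Pinning a key also means planning for rotation, which this example omits.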
4. Cancer Centers of Southwest Oklahoma
Elekta, the third-party cloud-based storage provider of Cancer Centers of Southwest Oklahoma, discovered unusual activity on its network earlier this year. As a result, there was unauthorized access to the protected health information of 8,000 oncology patients. Information exposed included names, Social Security numbers, addresses, birthdays, and details about medical diagnoses and treatments.
In the past, we have seen cybercriminals target schools, hospitals and charities, so it should really come as no surprise that they could stoop so low as to target oncology patients as well. The bottom line? Everyone is vulnerable.
5. Kaseya
On July 2nd, it was discovered that the REvil ransomware group had exploited a vulnerability in Kaseya VSA, a remote monitoring and management software platform. Kaseya shut down both the on-prem and cloud SaaS servers as a precautionary measure, and later it was revealed that as many as 1,500 companies worldwide were affected. This included a Swedish grocery retailer co-op chain, which was forced to close more than 800 stores. Following the attack, REvil demanded a $70 million payment in bitcoin to decrypt all the systems.
In what was called the largest ransomware attack in history, this incident caused a complete shutdown of businesses. Kaseya later released a patch to address the vulnerability. On the positive side, it was reported that the vast majority of companies did not pay the ransom because backups had not been deleted and data was not stolen.
How Can You Prevent Third-Party Breaches?
Since third parties are often easier to infiltrate than larger organizations, the majority of data breaches begin with them. For this reason, it’s important to implement a robust third-party risk management program, which helps you understand every third-party vendor you are doing business with, what their security posture is and whether it’s acceptable to your company. An unknown, incomplete or inaccurate view of supplier risk leaves your organization vulnerable. In other words, you must have visibility into and control of third-party security.
Panorays does this by quickly and easily automating third-party security risk evaluation and management, handling the entire process from inherent to residual risk, remediation and ongoing monitoring.
Want to learn more about how Panorays can help you avoid third-party breaches? Schedule a demo today.