The year is not even half over, and third-party data breaches continue to proliferate.
In third-party data breaches, sensitive information belonging to an organization is compromised through a vendor, business partner or supplier. Such cyber events can be disastrous for organizations, which can lose customer confidence and loyalty and face hefty regulatory penalties. In fact, according to a recent Gartner report, a data breach is an average of $700,000 more expensive when a third party is involved.
Which third-party data breaches really stood out in 2020, and what can we learn from them? Here are five notable ones:
GE
GE suffered a particularly damaging data breach when an unauthorized party accessed an email account at its vendor, Canon Business Process Services. The account held substantial personal data belonging to GE employees, former employees and beneficiaries, including bank account numbers, passport numbers and more. It was unclear whether the data was stored in the email account itself or whether the account contained login information that let the attackers reach Canon's systems.
This extensive breach occurred because of a single compromised third-party email account, a fact that underscores how vigilant organizations must be about cybersecurity. The breach might also have been prevented by understanding early on how Canon would use and store GE's personal data (for instance, whether such records were ever allowed to sit in a mailbox) and how that risk would be mitigated. Bottom line? This breach illustrates why it is so important to map vendors according to their business relationship, assess their security accordingly and implement compensating controls to minimize risk.
P&N Bank
P&N Bank, located in Australia, was attacked while it was performing a server upgrade, and data was stolen through a third-party hosting provider. Customer information such as names, addresses, email addresses, account numbers and balances was compromised. The bank emailed 96,000 members to inform them of the breach.
The incident at P&N Bank shows how organizations can be exposed to data breaches through third-party hosting providers. Worse, a breach at a hosting provider has a much wider blast radius, since the same provider is relied upon by many businesses. For this reason, it is important to thoroughly assess the cyber posture of cloud and hosting providers and, in particular, to make sure that servers are configured correctly and that the configuration is re-checked after changes such as the upgrade during which this breach occurred.
Health Share of Oregon
Health Share of Oregon, the state's largest Medicaid coordinated care organization (CCO), suffered a significant data breach after a laptop was stolen from its medical transportation vendor, GridWorks. The laptop, taken during a break-in, was not encrypted and contained the personally identifiable information (PII) of over 650,000 members, including names, addresses, phone numbers, dates of birth and Social Security numbers.
This incident illustrates why companies need to hold their third parties to their own security standards, particularly when PII or HIPAA-protected health information is involved. Even one device falling into the wrong hands can be disastrous. For this reason, it is important to ensure that your vendors have a stringent security policy in place, including device security and full-disk encryption of any endpoint that can hold member data.
Social Captain
Social Captain, a third-party service that helps individuals and businesses boost their Instagram follower and like counts, leaked thousands of Instagram account passwords. A website bug allowed access to any Social Captain user profile without logging in: anyone who entered a user's unique ID could read that user's Instagram login credentials. Instagram noted that the service had breached its terms of service by improperly storing login credentials.
This incident illustrates the danger of individuals and businesses sharing credentials with any third party: once shared, there is a risk that the third party is not taking the necessary steps to protect them. It also demonstrates why passwords should never be reused. A unique password for each site will not prevent a leak, but it limits the damage when one is exposed.
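The bug described above is a broken access control of the classic "insecure direct object reference" kind: the profile ID in the URL is the only thing the server checks. The following is an added illustration, not Social Captain's code; the store, the profile names and the handler names are constructed. The vulnerable handler is shown beside a hardened one that requires a session, checks ownership, and never sends the stored third-party credential back to the browser.

```python
"""Added example (not Social Captain's code): an ID-in-the-URL profile
endpoint with no access control, beside a hardened version.
All names and data below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Profile:
    owner_id: int
    username: str       # the customer's Instagram handle
    ig_password: str    # third-party credential the service holds for them


# Constructed sample store, keyed by the sequential profile ID exposed in the URL
PROFILES: Dict[int, Profile] = {
    1: Profile(1, "alice_ig", "hunter2"),
    2: Profile(2, "bob_ig", "correct horse battery"),
}


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def get_profile_vulnerable(profile_id: int) -> dict:
    """Vulnerable handler: whoever supplies an ID gets the record, including
    the stored Instagram password, with no login required."""
    p = PROFILES[profile_id]
    return {"username": p.username, "password": p.ig_password}


def dump_all_vulnerable(max_id: int) -> List[dict]:
    """What an anonymous attacker collects by walking sequential IDs."""
    return [get_profile_vulnerable(pid) for pid in range(1, max_id + 1)
            if pid in PROFILES]


def get_profile_hardened(profile_id: int, session_user_id: Optional[int]) -> dict:
    """Hardened handler: authenticated caller, ownership check, and the
    secret never leaves the server."""
    if session_user_id is None:
        raise Unauthenticated("login required")
    p = PROFILES.get(profile_id)
    # Missing and foreign records get the same answer, so the endpoint
    # cannot be used to enumerate which IDs exist.
    if p is None or p.owner_id != session_user_id:
        raise Forbidden("not your profile")
    return {"username": p.username}


def describe_access(profile_id: int, session_user_id: Optional[int]) -> str:
    """Outcome of the hardened handler as a short string, for checking."""
    try:
        get_profile_hardened(profile_id, session_user_id)
        return "ok"
    except Unauthenticated:
        return "unauthenticated"
    except Forbidden:
        return "forbidden"


if __name__ == "__main__":
    print("anonymous walk of IDs 1..10:", dump_all_vulnerable(10))
    print("hardened, own profile:", describe_access(1, 1))
    print("hardened, someone else's:", describe_access(2, 1))
    print("hardened, no session:", describe_access(1, None))
```

The hardened handler fixes the access problem the article describes; the storage problem Instagram pointed to is separate. A password the service must replay to another site cannot be hashed, so if it has to be held at all it should be encrypted at rest with a key kept outside the application database, and reads of it should be logged and limited to the server-side code that needs it.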
Marriott
Marriott experienced its second major data breach in two years when third-party software was compromised, exposing the personal information of 5.2 million guests. The attackers obtained this information after acquiring the login credentials of two employees. The stolen data included names, addresses, phone numbers, airline loyalty program numbers and more, and the unauthorized access likely continued for about six weeks.
The first issue with this breach was that an unauthorized individual was able to log in with the two employees' credentials at all. The second was that the same credentials could be used to keep pulling guest data for roughly six weeks without anyone noticing. Implementing multi-factor authentication and regularly monitoring user activity could have prevented this breach or at least limited its impact. Clearly, there was a lack of oversight and monitoring, both of which are necessary to ensure third-party security.
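"Regularly monitoring user activity" is concrete enough to show. The example below is added here and is not Marriott's tooling; the log format, field names, account names and thresholds are all assumptions. It scores a constructed access log for the two signals that would have mattered in the incident above: an account suddenly used from a source address never seen for it before, and a day on which that account touches far more guest records than its own earlier days.

```python
"""Added example (not Marriott's code): two simple detections over a
constructed access log, one for a new source address per account and one
for a per-account volume spike measured against that account's own history.
Log format, names and thresholds are assumptions."""
import re
from collections import defaultdict
from statistics import mean
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T\S+ user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) record=(?P<record>\S+)$"
)

# Constructed sample log: two front-desk accounts. fdesk01 looks normal for
# two days; on 2020-01-08 a new address uses it to pull many more records.
SAMPLE_LOG = """\
2020-01-06T09:02:11Z user=fdesk01 src=10.20.1.15 action=view_guest record=G-1001
2020-01-06T09:40:55Z user=fdesk01 src=10.20.1.15 action=view_guest record=G-1002
2020-01-06T11:13:20Z user=fdesk02 src=10.20.1.16 action=view_guest record=G-1005
2020-01-07T10:05:09Z user=fdesk01 src=10.20.1.15 action=view_guest record=G-1003
2020-01-07T10:31:40Z user=fdesk01 src=10.20.1.15 action=view_guest record=G-1004
2020-01-07T14:02:00Z user=fdesk02 src=10.20.1.16 action=view_guest record=G-1006
2020-01-08T03:12:02Z user=fdesk01 src=198.51.100.7 action=view_guest record=G-2001
2020-01-08T03:12:09Z user=fdesk01 src=198.51.100.7 action=view_guest record=G-2002
2020-01-08T03:12:15Z user=fdesk01 src=198.51.100.7 action=view_guest record=G-2003
2020-01-08T03:12:22Z user=fdesk01 src=198.51.100.7 action=view_guest record=G-2004
2020-01-08T03:12:30Z user=fdesk01 src=198.51.100.7 action=view_guest record=G-2005
2020-01-08T03:12:37Z user=fdesk01 src=198.51.100.7 action=view_guest record=G-2006
2020-01-08T03:12:44Z user=fdesk01 src=198.51.100.7 action=view_guest record=G-2007
2020-01-08T03:12:51Z user=fdesk01 src=198.51.100.7 action=view_guest record=G-2008
2020-01-08T03:12:58Z user=fdesk01 src=198.51.100.7 action=view_guest record=G-2009
2020-01-08T03:13:05Z user=fdesk01 src=198.51.100.7 action=view_guest record=G-2010
2020-01-08T03:13:12Z user=fdesk01 src=198.51.100.7 action=view_guest record=G-2011
2020-01-08T03:13:19Z user=fdesk01 src=198.51.100.7 action=view_guest record=G-2012
2020-01-08T09:20:13Z user=fdesk02 src=10.20.1.16 action=view_guest record=G-1007
"""

Alert = Tuple[str, str, str, str]  # (date, user, kind, detail)


def parse(log: str) -> List[Dict[str, str]]:
    """Parse lines of the assumed format; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect(events: List[Dict[str, str]], min_history: int = 2,
           multiplier: int = 4, floor: int = 10) -> List[Alert]:
    """Walk the log day by day. Each account's baseline is its own earlier
    days, so a quiet account that suddenly reads many records stands out even
    if busier accounts read that many every day."""
    by_day = defaultdict(lambda: {"records": set(), "srcs": set()})
    for e in events:
        day = by_day[(e["user"], e["date"])]
        day["records"].add(e["record"])
        day["srcs"].add(e["src"])

    history: Dict[str, List[int]] = defaultdict(list)  # user -> daily distinct-record counts
    known_src: Dict[str, set] = defaultdict(set)       # user -> addresses seen on earlier days
    alerts: List[Alert] = []
    for user, date in sorted(by_day, key=lambda k: (k[1], k[0])):
        day = by_day[(user, date)]
        count = len(day["records"])
        new_srcs = day["srcs"] - known_src[user]
        # First day for an account only teaches the baseline; after that,
        # any address not seen before is reported.
        if known_src[user] and new_srcs:
            alerts.append((date, user, "new_source", ",".join(sorted(new_srcs))))
        if len(history[user]) >= min_history:
            threshold = max(floor, multiplier * mean(history[user]))
            if count > threshold:
                alerts.append((date, user, "volume",
                               f"{count} records, threshold {threshold:.0f}"))
        history[user].append(count)
        known_src[user] |= day["srcs"]
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

Two design points carry over to real tooling: the baseline is per account rather than global, and the first day of history is never alerted on, so onboarding a new account does not page anyone. In production the history would be a rolling window persisted between runs and the thresholds tuned per role, but the shape of the check is the same.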
How Can You Prevent Third-Party Data Breaches?
To minimize the risk of being breached through a third party, organizations should:
- Thoroughly assess each third party's cyber posture
- Determine the business relationship with each vendor and address the associated risk accordingly
- Remediate any cyber gaps found
- Continuously monitor vendors' cyber posture rather than relying on a one-time assessment