Leading brands kept appearing in data breach headlines this past year. T-Mobile was back in the news as the victim of a breach that impacted 37 million customers, the eighth data breach the company has suffered in the last five years.
Although the most recent attack wasn’t from a third party, such attacks frequently occur when cybercriminals identify vulnerabilities within a vendor and use them to reach their intended victims. Here’s a list of the top five third-party data breaches of 2023, along with a detailed definition of what constitutes a third-party data breach.
How is a Third-Party Data Breach Determined?
Many data breaches occurred in 2023. For some, the source of the breach was investigated and disclosed; for others, it remains a mystery. In addition, many data breaches do not originate from a third party. For example, the Chick-fil-A data breach that affected more than 71,000 users was the result of a months-long, automated credential stuffing attack.
Our definition of a third-party data breach must meet the following criteria:
- Data was compromised or stolen from a third party. Rather than going through a third party, many hackers simply access data through a vulnerability or misconfiguration in an organization’s own system or IT infrastructure and sell it on the dark web. While these have the potential to be major data breaches, they cannot be classified as third-party data breaches. For example, Kid Security suffered a data breach when misconfigured Elasticsearch and Logstash instances exposed more than 300 million users. However, it was not a third-party data breach.
- The third party is located outside of the organization’s IT environment. Many services and systems, such as APIs, can be integrated into a company’s IT infrastructure and compromised via cyber attacks. The T-Mobile data breach that affected 37 million customers earlier this year was the result of a compromised API. Since we do not know whether this was an internal or an external API, however, we cannot classify the breach as a third-party data breach.
- Confidential and/or sensitive data was accessed via unauthorized methods. Not all data is confidential or sensitive; a significant amount of data is public and available on the internet and other open sources. For example, malicious actors scraped the public data of over 600 million LinkedIn users in March and sold it on the dark web. Even though this data was publicly available on LinkedIn, it is important to remember that it can easily be leveraged to find additional targets for a cyberattack. However, the LinkedIn incident cannot be classified as a data leak.
5 Top Data Breaches in 2023
Now that we’ve given you a few examples of what isn’t a third-party data breach, we can list a few of the top third-party data breaches from this year.
1. Dollar Tree
The discount retailer suffered one of the major data breaches of the year, affecting almost two million records of current and former employees and their families. The data, which included personal information such as names, dates of birth and Social Security numbers, was breached through a malicious attack on Zeroed-In Technologies, a third-party HR analytics service.
2. Oregon and Louisiana Departments of Motor Vehicles
These DMV data breaches affected nearly ten million users this year. The data was exposed through a zero-day vulnerability in MOVEit, which the agencies were using to store data at the time. Since the vulnerability was exploited in a system managed by the file transfer service, the incident is considered a third-party data breach.
3. Wilton Reassurance
This was another data breach originating from the MOVEit supply chain attack. The life insurance and reassurance company was affected through PBI Research Services, a service that delivers death notifications to the organization. PBI is a third party of MOVEit and a fourth party of Wilton Reassurance, making this technically a fourth-party data breach, one that exposed the confidential information of nearly 1.5 million consumers.
4. Okta
The identity management services provider was hit by a data breach that affected its current and former employees and their relatives through its third party Rightway Healthcare, a vendor that helps Okta’s employees navigate healthcare providers. Although the company announced that the breach had a limited impact, affecting only Okta employees and their relatives, it came after several significant cybersecurity attacks on the company. These included an incident in which a malicious actor used stolen credentials to access Okta’s customer support case management system, a supply chain attack that had the potential to impact its entire customer base of more than 18,000.
The patient payment balances and collections company reported that nearly 500,000 customers were affected by a breach resulting from the exploitation of its third-party GoAnywhere file transfer service. The data included not only names, addresses and birth dates but also medical data and Social Security numbers. Other high-profile companies affected by the GoAnywhere attack include Hitachi, Saks Fifth Avenue and Atos.
Major Takeaways from Third-Party Data Breaches in 2023
Organizations can examine these cyber attacks to determine trends and gain insights. Several lessons from these third-party data breaches include:
- Third parties offer attackers better opportunities than targeting a company directly. Larger organizations may have protections in place against phishing, credential stuffing and other low-risk, low-cost attack methods. In contrast, the third parties of these organizations may be significantly easier to exploit, since they may not have invested the same time and resources in these cybersecurity defenses. They may also lack a culture of cybersecurity awareness among their employees, or may have only recently started to put better security practices in place.
- Attack surfaces are increasing, making digital supply chains more complex. If you don’t have a detailed understanding of your digital supply chain and your relationship with each vendor, it’s impossible to classify your risk. Organizations should consider using advanced third-party security management tools to identify and map not only the third parties in their ecosystem but their fourth, fifth and n-th parties as well.
- Understanding the criticality of your third, fourth and n-th parties is essential. Although it’s best to know about a breach as soon as possible, it’s even more important to understand the relationship the vendor has with your organization. Depending on the criticality of the vendor, your organization will want to put a remediation plan in place.
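The mapping and criticality points above, as an added example that is not Panorays’ code: a small Python model of a digital supply chain that records customer-to-supplier relationships, numbers each supplier as a third, fourth or n-th party of a given organization, and, given a compromised supplier, lists every organization exposed through it and at what depth. The edges are constructed from the incidents described in this post (Wilton Reassurance using PBI Research Services, which in turn uses MOVEit), so they illustrate the idea rather than representing real inventory data; the `exposure_report` function and the party numbering are assumptions of this example.

```python
"""Trace n-th party exposure through a digital supply chain (added example)."""
from collections import defaultdict, deque

# Constructed edges (customer -> supplier) drawn from the incidents described
# above. The DMV and Dollar Tree relationships are one hop; the Wilton Re
# chain is two hops (Wilton -> PBI -> MOVEit). Not real inventory data.
EDGES = [
    ("Wilton Reassurance", "PBI Research Services"),
    ("PBI Research Services", "MOVEit"),
    ("Oregon DMV", "MOVEit"),
    ("Louisiana DMV", "MOVEit"),
    ("Dollar Tree", "Zeroed-In Technologies"),
    ("Okta", "Rightway Healthcare"),
]


def build_graph(edges):
    """Return (suppliers, customers): forward and reverse adjacency maps."""
    suppliers = defaultdict(set)
    customers = defaultdict(set)
    for customer, supplier in edges:
        suppliers[customer].add(supplier)
        customers[supplier].add(customer)
    return suppliers, customers


def party_label(number):
    """A direct supplier is a third party, its supplier a fourth party, and so on."""
    names = {3: "third", 4: "fourth", 5: "fifth"}
    return f"{names.get(number, f'{number}th')} party"


def _bfs_party_numbers(adjacency, start):
    """Breadth-first walk; each node gets the party number of its shortest path.

    One hop from start = 3 (third party), two hops = 4 (fourth party), ...
    """
    numbers = {}
    seen = {start}
    queue = deque([(start, 3)])
    while queue:
        node, next_number = queue.popleft()
        for neighbour in adjacency.get(node, ()):
            if neighbour not in seen:
                seen.add(neighbour)
                numbers[neighbour] = next_number
                queue.append((neighbour, next_number + 1))
    return numbers


def nth_party_map(suppliers, org):
    """Every supplier in org's supply chain, keyed to its party number."""
    return _bfs_party_numbers(suppliers, org)


def exposed_by(customers, compromised):
    """Every organization reachable upstream of a compromised supplier,
    keyed to the party number that supplier holds for it."""
    return _bfs_party_numbers(customers, compromised)


def exposure_report(customers, compromised):
    """Sorted (org, party_number, label) rows, closest relationships first,
    so the direct customers that need a remediation plan are listed first."""
    exposure = exposed_by(customers, compromised)
    rows = [(org, n, party_label(n)) for org, n in exposure.items()]
    return sorted(rows, key=lambda row: (row[1], row[0]))


if __name__ == "__main__":
    suppliers, customers = build_graph(EDGES)
    for org, n, label in exposure_report(customers, "MOVEit"):
        print(f"{org}: MOVEit is a {label}")
```

Run stand-alone, the script lists the three direct MOVEit customers first and Wilton Reassurance last, as a fourth-party exposure; in practice the same walk is what lets an organization learn it is affected by a breach at a supplier it has no contract with.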
How Panorays Helps You Manage Third-Party Risk
Panorays’ AI-powered third-party risk management combines an extended attack surface assessment together with cybersecurity questionnaires to give you an accurate cyber rating of your supplier security posture. The cyber rating is based on the continual discovery of hundreds of millions of assets used to develop AI models that are highly accurate due to continual feedback from suppliers. AI is also used to generate the cybersecurity questionnaires, both on the evaluator’s end to validate responses with vendor documents, and on the supplier’s end with automated completions of responses based on similar questions asked in the past. With these cybersecurity questionnaires, you’ll also be able to determine the level of compliance of your vendors with various standards and regulations such as GDPR, PCI-DSS and HIPAA, using either a customizable questionnaire or predetermined templates used for SIG and CAIQ evaluation.
Its attack surface assessment maps and identifies your third, fourth and n-th party suppliers, agencies, service providers, subsidiaries, contractors and vendors – including Shadow IT – in your digital supply chain, along with their level of criticality. Armed with this information, you’ll then determine which remediation path to pursue.
Want to learn more about how you can manage third-party risk across your extended attack surface? Get a demo today.
A third-party data breach occurs when:
1. The organization was breached through a third party. Not all breaches result from a third party; some result from misconfigurations, vulnerabilities and other types of cyber attacks, such as phishing and credential stuffing.
2. The third party exists in a separate IT environment from the organization. Many services an organization uses, such as data storage, can exist in either internal or external environments. Exploited vulnerabilities within an internal system that lead to exposed data, for example, are not considered a third-party data breach.
3. Confidential or sensitive data is compromised. Data that is public or available through open sources is not considered breached even if it is aggregated and exposed publicly.
The biggest data breach of 2023 was MOVEit, which compromised the data of 60 million individuals and over a thousand high-profile organizations, including the BBC, British Airways and Boots; U.S. universities such as Harvard, Stanford and Johns Hopkins; and even government bodies such as the Securities and Exchange Commission. The Russian ransomware gang Clop claimed responsibility for the attack. File transfer services such as MOVEit are an attractive target for cybercriminals because they store and transfer large volumes of highly sensitive and personal data from leading organizations across different industries.
Data breaches occur through a number of attack vectors, including (but not limited to) phishing attacks, business email compromise, malware, social engineering attacks and malicious insiders. Often, a vulnerability at a third party is exploited, allowing a malicious actor to gain unauthorized access to an organization’s data or systems and expose them. The vast majority of data breaches are the result of human error, such as the use of weak passwords or a misconfiguration.