2019 was a huge year for cyber breaches, and especially for third-party breaches: according to the Ponemon Institute, breaches originating at a third party account for over half of all data breaches in the US.
A third-party breach also costs roughly twice what a breach of your own systems costs. Once brand damage, lost business, and possible falls in share value are counted, the overall cost of failing to effectively vet and monitor third parties comes to about $13 million per incident. Let's dive in to the worst third-party cyber breaches of 2019.
One of Ascension's third parties exposed millions of bank loan and mortgage documents through a misconfigured server that required no authentication to read. The documents contained sensitive borrower information originating from many major financial institutions, ranging from Wells Fargo to Capital One and CitiFinancial, plus some U.S. federal departments.
In a breach blamed on an unnamed "third-party service provider," 4.9 million DoorDash customers, merchants, and delivery workers had personal information exposed. The data included the last four digits of customers' payment card numbers, bank account details of merchants and workers, and the driver's license information of over 100,000 workers.
The health insurance company was breached through its third party, Bankers Life, compromising the names, addresses, dates of birth, Social Security numbers, and policy information of an as yet unknown number of customers.
An unauthorized user gained access to Quest Diagnostics' sensitive data through a billing collections vendor, American Medical Collection Agency (AMCA). The attacker had access for roughly seven months, from August 2018 to March 2019, and the long dwell time went unnoticed by both the vendor and its client. The sensitive data of 11.9 million patients was accessed, ranging from credit card numbers to bank account information and even Social Security numbers.
Consulting giant Wipro suffered a major breach that began with phishing attacks and was then used to target numerous customer systems, a reminder that an IT services provider's access is effectively your own attack surface. The attackers were initially believed to be state sponsored, but it later became clear that their primary goal was financial gain.
UK Metro Police, Global Village, Power World Gyms, + 6,000 others
Suprema, the firm behind Biostar 2, a biometric access-control platform, left biometric data exposed online in unencrypted form. The breach leaked over 27.8 million records, roughly 23 GB of data. Among the information leaked were over one million fingerprint records, images of users and their linked facial recognition data, logs of entry to secure areas, employee information, user security levels and clearances, staff personal details such as email and home addresses, and mobile device records. Unlike a password, a fingerprint or face cannot be reset once it has leaked, and the unencrypted fingerprint data was stored in a form that could be reused rather than as non-reversible templates. Major Biostar 2 customers affected include UK Metro Police (number of records unknown), Power World Gyms (114,000 user records and fingerprints), and Global Village (15,000 fingerprints), and the roughly 6,000 other organizations that use Suprema's platform were exposed to the leak as well.