Stick around for bonus tips on how to protect yourself from third-party cyber risk in 2019.
“As a result of neglecting basic security measures, anyone with an internet connection could have access to the server, making it extremely easy for hackers to compromise the data,” said CyberGRX CEO, Fred Kneip.
The Ascension data breach is an example of the exposure companies can face from the security gaps of their vendors and of the other third parties they interact with, directly or indirectly. In this case, even though Citi and Wells Fargo do not appear to have had direct contact with Ascension for years, their customer data was still exposed.
“The Ascension data breach shows why it’s important for organizations to prioritize vendors based on business exposure and potential impact, and then apply the right level of due diligence to those vendors,” says CyberGRX CEO, Fred Kneip.
had significant amounts of PII exposed by the healthcare provider’s third-party billing vendor, AccuDoc Solutions. The healthcare sector remains acutely vulnerable to attacks exploiting third-party contractors even as its first-party security posture hardens.
“The Atrium breach demonstrates how any third party in a company’s digital ecosystem can be the weak link that gives attackers a clear path to exposed data. The fact that this incident is being labeled ‘the Atrium breach’ in the media also shows where the reputational risk lies… third-party exposures remain a sticky problem for healthcare companies, as the Atrium breach shows.” – Jonathan Simkins, CyberGRX CFO
trade secrets of a range of over 100 leading automakers, including Tesla, Ford, Toyota, Chrysler, Volkswagen, Fiat, General Motors, and more.
The data sets ranged from customer data to employee data (badge access, driver’s license and passport scans, etc.) – and even included level one data, including contracts, invoices, price negotiations, customer agreements, and more. All because of misconfigured data storage.
MyHeritage reported that it uses third-party payment processors for financial operations, meaning payment data was never stored on its systems, while DNA test results were saved on separate servers from the one that managed user accounts.
“Unless something changes, I think this trend of third-party attacks will continue to get worse,” said Scott Schneider, CRO of CyberGRX. “From Target to the SWIFT Network, there have been high-profile third-party attacks for a long time, and still not a week goes by without a new one popping up. The interconnected nature of our digital ecosystems is a great thing for facilitating the flow of business, but unfortunately there’s a flip side. It also makes it easier for attackers to find soft spots to access our data. It’s become the path of least resistance – and I can’t imagine why they would stop now when they’re having so much success.”
as they were forced to notify over 47,000 patients that their payment information had been exposed,”
said Fred Kneip, CEO, CyberGRX.
“We are at a pivotal point in the evolution of cyber-attacks, where organizations are called to move beyond previous, static approaches to third-party cyber-risk management that are unable to scale with our growing ecosystems. As a result, the industry must foster collaboration across the board, where organizations work with their third parties to mitigate risk before they become a target for attackers.”
This gives them the ability to disrupt power flows and potentially far worse.
“If they beat you just once by finding a single exploitable weakness within a single vendor, supplier or contractor, the results can be catastrophic,” said Kneip, calling on utilities to “take a more proactive approach to managing third-party risk, including identifying third parties with weak security controls before they’re exploited, and working with them to mitigate the risk of attacks and breaches before they become a target for attackers.”