9 Recent Third-Party Breaches You Need to Know About
+ resources to keep you out of the headlines
You probably read our last post on third-party-related cybersecurity breaches in 2018, but this is the official year-end round-up of all the headlines we saw during the year, plus some January headlines to be aware of.

Stick around for bonus tips on how to protect yourself from third-party cyber risk in 2019.

Oklahoma Dept. of Securities – FBI Records Breach
Exposed records: 3 terabytes of information representing millions of files | Reported January 2019
A storage server belonging to the Oklahoma Department of Securities was left completely open and accessible, exposing terabytes of confidential government data – including sensitive FBI investigation documentation – to the public.

“As a result of neglecting basic security measures, anyone with an internet connection could have access to the server, making it extremely easy for hackers to compromise the data,” said CyberGRX CEO, Fred Kneip.

Read the rest via the Washington Times.

Ascension
Exposed records: 24,000,000 mortgage and loan records | Reported January 2019

Data on tens of thousands of loans and mortgages issued by Wells Fargo, CapitalOne, and several other financial institutions — some now defunct — was leaked online in “what appears to be a particularly egregious example of human error.”

The Ascension data breach is an example of the exposure that companies can face from the security gaps of their vendors and other third parties that they interact with – directly or indirectly. In this case, even though Citi and Wells Fargo did not appear to have direct contact with Ascension for years, their customer data still got exposed.

“The Ascension data breach shows why it’s important for organizations to prioritize vendors based on business exposure and potential impact, and then apply the right level of due diligence to those vendors,” says CyberGRX CEO, Fred Kneip.

Atrium Health
Exposed records: 2,500,000 | Reported November 2018
More than 2.65 million patients had significant amounts of PII exposed by the healthcare provider’s third-party billing vendor, AccuDoc Solutions. The healthcare sector remains acutely vulnerable to attacks exploiting third-party contractors even as its first-party security posture hardens.

“The Atrium breach demonstrates how any third party in a company’s digital ecosystem can be the weak link that gives attackers a clear path to exposed data. The fact that this incident is being labeled ‘the Atrium breach’ in the media also shows where the reputational risk lies… third-party exposures remain a sticky problem for healthcare companies, as the Atrium breach shows.” – Jonathan Simkins, CyberGRX CFO

Level One Robotics and Controls Inc.
Exposed records: Unknown | Reported July 2018

A data breach at a leading Canadian robotics company exposed trade secrets of more than 100 automakers, including Tesla, Ford, Toyota, Chrysler, Volkswagen, Fiat, General Motors, and more.

The data sets ranged from customer data to employee data (badge access, driver’s license and passport scans, etc.) – and even included Level One’s own data, including contracts, invoices, price negotiations, customer agreements, and more. All because of misconfigured data storage.

“If you don’t understand which third parties with access to your network present the greatest risk to your data, your digital ecosystem becomes a ticking time bomb just waiting to be exploited,” said Fred Kneip, CEO of CyberGRX. “That’s exactly what happened to Toyota, Tesla and Volkswagen. It’s just one vulnerability in one of thousands of suppliers, but the impact could be enormous.”

MyHeritage Genealogy Site

Exposed records: 92,000,000 | Reported June 2018

A security researcher recently found an archive on a third-party server containing personal details of over 92 million MyHeritage users. The data ranged from hashed passwords to emails, luckily not payment information or – you guessed it – DNA test results.

MyHeritage reported that it uses third-party payment processors for financial operations, meaning payment data was never stored on its systems, while DNA test results were saved on separate servers from the one that managed user accounts.

The MyHeritage incident marks the biggest data breach of 2018, and the biggest leak since last year’s Equifax hack (BleepingComputer).

PageUp

Exposed records: Undisclosed | Reported June 2018

Human resources firm PageUp found a malware infection in its back end, leaving customers’ sensitive information such as names, contact details and passwords accessible. And accessed it was – by a cyber attacker.

“Unless something changes, I think this trend of third-party attacks will continue to get worse,” said Scott Schneider, CRO of CyberGRX. “From Target to the SWIFT Network, there have been high-profile third-party attacks for a long time, and still not a week goes by without a new one popping up. The interconnected nature of our digital ecosystems is a great thing for facilitating the flow of business, but unfortunately there’s a flip side. It also makes it easier for attackers to find soft spots to access our data. It’s become the path of least resistance – and I can’t imagine why they would stop now when they’re having so much success.”

Baylor Scott & White Medical Center

Exposed records: 47,000 | Reported December 2018

“The Baylor Scott and White Medical Center-Frisco felt firsthand the effects of a third-party breach, as they were forced to notify over 47,000 patients that their payment information had been exposed,” said Fred Kneip, CEO, CyberGRX.
“We are at a pivotal point in the evolution of cyber-attacks, where organizations are called to move beyond previous, static approaches to third-party cyber-risk management that are unable to scale with our growing ecosystems. As a result, the industry must foster collaboration across the board, where organizations work with their third parties to mitigate risk before they become a target for attackers.”


Take informed steps when kick-starting your third-party cyber risk management program – and know how to streamline it. Download the guide or take our TPCRM Maturity Quiz.
U.S. Electric Utilities – Russia Hack
Exposed records: Unknown | Reported July 2018

The Russian DragonFly APT group, which last year broke into air-gapped networks run by U.S. electric utilities in a likely ongoing campaign that victimized hundreds, accessed the providers’ control rooms where they could have caused blackouts and other damage.

This gives them the ability to disrupt power flows and potentially far worse.

“Any company that interacts with thousands of third parties is in a race with hackers, whether they know it or not – and that certainly applies to utilities,” said Fred Kneip, CEO at CyberGRX, adding that organizations need to identify vulnerabilities in their ecosystems before the attackers do.

“If they beat you just once by finding a single exploitable weakness within a single vendor, supplier or contractor, the results can be catastrophic,” said Kneip, calling on utilities to “take a more proactive approach to managing third-party risk,” including “identifying third parties with weak security controls before they’re exploited, and working with them to mitigate the risk of attacks and breaches before they become a target for attackers.”
