According to a recent Ponemon report, the average organization uses nearly 6000 third parties across its business functions. Digital transformation, including migration to the cloud, IoT adoption and growing outsourcing to third parties, has accelerated over the last few years. The unexpected events of 2020 left many companies scrambling to adapt in ways no one had planned for, and their cyber risk grew as a result.
Bad actors have taken advantage of this upheaval, and of the fact that organizations default to spending their time and resources defending against direct attacks. Many organizations give far less thought, or none at all, to the cybersecurity practices of the third parties that provide services to them or, as in the Instagram and YouTube case below, that collect data through their platforms.
Here are some of the more memorable third-party cyberattacks of 2020, and what we can learn from them to ensure our vendor ecosystems are as secure as our own front lines.
At the end of Q3, Shopify, an e-commerce platform for online stores and retail point-of-sale systems, reported a data breach in which two "rogue" members of its support team stole customer data from merchants using the platform. According to Shopify, the data, taken from fewer than 200 merchants, included customer names, postal addresses, order details and the last four digits of customers' credit card numbers.
The now-former employees obtained the data through Shopify's Orders API, which allows merchants to process orders on behalf of their customers. The insiders did not need to break anything: they used access they already had, which is exactly why access to customer data should be scoped to the job and monitored.
Instacart, the grocery delivery and pick-up service, had a third-party security incident at the end of August when two support agents working for a third-party vendor accessed 2180 shopper records that may have included names, email addresses, telephone numbers, driver's license numbers and thumbnail images of the driver's licenses. Instacart stated that no customer data was stored, downloaded or copied and that "no customer information or profiles were accessed or impacted in any way by this incident."
This was the second cybersecurity incident of the year for the US-based company. A month earlier, Instacart had reported a credential-stuffing attack affecting 278,531 user accounts.
Recently, Spotify alerted users that some of their registration data, including email addresses, preferred display names, passwords, gender and dates of birth, had been inadvertently exposed to a third-party vendor. This latest breach is the third security incident in less than a month for the streaming service, which reports over 320 million monthly active users. Spotify said in a statement that the exposure was caused by a software vulnerability that existed from April 9 until November 12, when it was discovered and corrected.
In late November, Spotify experienced a wave of account takeovers resulting from a credential-stuffing attack. In this type of attack, criminals rely on people reusing passwords: they take username and password pairs stolen or leaked from other services and replay them, at scale, against many other sites, taking over every account where the pair still works. The attack was traced to an open and unsecured Elasticsearch database holding more than 380 million records, including Spotify login credentials that were most likely obtained illegally or leaked from other breaches.
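Credential stuffing, which hit both Instacart and Spotify above, has a recognizable shape in authentication logs: one source tries many different accounts in a short time, most attempts fail, and the few successes are the reused passwords. The detector below is an added example, not code from the article or from either company; the log format, field names, thresholds and sample log lines are all constructed for illustration. It keys on distinct usernames per source address in a sliding time window rather than on raw failure counts, so that a single user mistyping their own password is not flagged.

```python
"""Credential-stuffing detector run over constructed authentication log lines.

Added example for illustration. The log format, field names, thresholds and
the sample data are assumptions, not anything from the original article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Assumed format:
# <ISO timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>
# 203.0.113.7 sprays eight different accounts in a few seconds and gets two hits.
# 198.51.100.4 is one user fumbling their own password, then succeeding.
SAMPLE_LOG = """\
2020-11-20T10:00:01 203.0.113.7 alice LOGIN_FAIL
2020-11-20T10:00:02 203.0.113.7 bob LOGIN_FAIL
2020-11-20T10:00:02 203.0.113.7 carol LOGIN_FAIL
2020-11-20T10:00:03 203.0.113.7 dave LOGIN_OK
2020-11-20T10:00:04 203.0.113.7 erin LOGIN_FAIL
2020-11-20T10:00:05 203.0.113.7 frank LOGIN_FAIL
2020-11-20T10:00:06 203.0.113.7 grace LOGIN_FAIL
2020-11-20T10:00:07 203.0.113.7 heidi LOGIN_OK
2020-11-20T10:00:30 198.51.100.4 alice LOGIN_FAIL
2020-11-20T10:00:45 198.51.100.4 alice LOGIN_FAIL
2020-11-20T10:01:10 198.51.100.4 alice LOGIN_OK
2020-11-20T11:30:00 192.0.2.9 ivan LOGIN_OK
"""


def parse_line(line):
    """Split one log line into (timestamp, source_ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_accounts=5, min_fail_ratio=0.5):
    """Flag source IPs that try at least `min_accounts` distinct usernames
    within `window`, with at least `min_fail_ratio` of those attempts failing.

    Returns {ip: finding}. Each finding records the widest window seen for that
    IP and lists the accounts where a login succeeded, since those are the
    accounts whose passwords were reused and now need a forced reset.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _ts, u, _ok in win}
            fails = sum(1 for _ts, _u, ok in win if not ok)
            if len(users) >= min_accounts and fails / len(win) >= min_fail_ratio:
                prev = findings.get(ip)
                if prev is None or len(users) > prev["distinct_accounts"]:
                    findings[ip] = {
                        "distinct_accounts": len(users),
                        "attempts": len(win),
                        "failures": fails,
                        "accounts_with_success": sorted(
                            {u for _ts, u, ok in win if ok}),
                    }
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(SAMPLE_LOG).items():
        print(ip, f)
```

On the constructed sample only 203.0.113.7 is flagged: eight distinct accounts, six failures, and successful logins for dave and heidi, which are the two accounts to reset and notify. The single-account fumbling from 198.51.100.4 passes the distinct-account threshold and is ignored. In production the same logic would sit on a stream rather than a text blob, and the source key should also consider user-agent and ASN, since stuffing tools rotate through proxy pools to stay under per-IP thresholds.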
DeepSocial, a now-defunct social media data broker, suffered a data breach that exposed more than 235 million records relating to users of two of the most popular social media platforms: Instagram (owned by Facebook) and YouTube (owned by Google).
The data included usernames, contact details and other personal information, pictures, and statistics about the accounts. The broker had violated the terms of service of these and other providers in collecting it, and Facebook and Instagram banned it, but by then the data had already been amassed and the damage was done.
Australian financial institution P&N Bank's 2020 got off to a bad start when it fell victim to a cyberattack in which data was stolen through a third-party hosting provider while that provider was performing a server upgrade. The bank emailed 96,000 members to inform them of the breach, describing the accessed data as "non-sensitive", although it included names, addresses, email addresses, account numbers and balances. According to the CEO, no customer passwords or credit card details were accessed, as the core banking system was "completely isolated and separated from the impacted system."
The effects of a data breach run much deeper than the immediate hit to a company's bottom line. What is not always quantifiable is the loss of trust that customers have in the organization. When the breach affects sensitive employee data, the fallout takes on an additional level of damage.
In April of this year, Canon Business Process Services, the third party that processes documents, including beneficiary-related documents, for current and former General Electric employees, suffered a massive data breach when an unauthorized party gained access to an email account. The exposed data included bank account numbers, passport numbers and other personal data. It is unclear whether the data was stored in the mailbox itself or whether the account held credentials that gave the attackers access to Canon's systems.
SolarWinds, whose IT management software is used by many government agencies and Fortune 500 companies, recently announced that attackers had inserted malware into the software update mechanism for its Orion platform. The backdoor, named Sunburst, is thought to have been distributed beginning in March 2020. This is considered a supply chain attack, as it targeted a company that is, by its very nature, a third-party service provider to every one of its customers.
While the full scope of the attack is still unfolding, SolarWinds has said that around 33,000 of its customers were Orion users and that fewer than 18,000 may have installed the version containing the malicious code. SolarWinds also said that the attack compromised its Microsoft Office 365 accounts.
Be sure you always know where your third parties keep your data and your customers' data, and what security measures they have in place to protect it. Knowing this ahead of time gives you the opportunity to mitigate any risks present with that third party, and it gives the third party an opportunity to correct the security concern, securing their environment not only for your organization but for all of their customers.
Cyberattacks aren't always complicated or sophisticated. As we have seen time and again, a single compromised third-party email account can lead to the theft of very valuable personal information. Organizations need to know exactly how a third party will use, and store, personal data, and have a plan in place to mitigate that risk before it becomes a problem.
Third-party cyber risk management is a holistic approach; no single action will secure all of a company's data and minimize its risk. In addition to knowing how the third party handles sensitive data, organizations should have policies in place that, for example, grant third parties access only to the data pertinent to the business relationship. Several of the incidents above, at Shopify, Instacart and Canon, began with an account that had legitimate access to the data, whether used by an insider or taken over by an outsider; scoping that access tightly limits what can be taken when it is abused.
Take steps to avoid cyber events altogether by having a third-party cyber risk management (TPCRM) program in place that vets every third party before you do business with them. With the average organization using around 6000 third parties and the cost of a data breach rising each year, you need to do everything you can to prevent cyber risk in the first place. Prevention and remediation are less expensive than cleaning up after a cyber event.