The Worst Third-Party Data Breaches in 2019
by CyberGRX
Happy national cybersecurity month! Data breaches exposed 4.1 billion records in the first half of 2019. What’s more, third-party breaches account for over half of all data breaches in the US, according to the Ponemon Institute.
A third-party breach costs, on average, twice what a normal breach costs. Considering the impact to brand reputation, loss in business, and possible decreases in share value, the overall cost of failing to effectively vet and evaluate third parties is about $13 million.
You can’t have cybersecurity without third-party cyber security. Check out some of the worst data breaches of 2019 to see why:
Quest Diagnostics
Exposed records: 11.9 million patients
Reported June 2019
An unauthorized user gained access to Quest Diagnostic’s sensitive data via a billing collections vendor named American Medical Collection Agency (AMCA). The hacker had access to the information for roughly 7 months – from August 2018 to March 2019. The sensitive data of 11.9 million patients was accessed, ranging from credit card numbers to bank account information and even social security numbers.
U.S. Customs & Border Protection
Exposed records: Up to 100,000
Reported June 2019
Hackers breached a U.S. Customs and Border Protection database containing photos of license plates and travelers’ faces. The images were obtained through an unnamed subcontractor’s network that had been hacked. The breach could have affected up to 100,000 travelers.
FBI
Exposed records: 3 terabytes of information
Reported January 2019
3 terabytes of confidential information – including FBI investigation records, millions of department files, personal data, system credentials, and even internal communication records – were exposed to the public via an open storage server that belonged to the Oklahoma Department of Securities. The database was found to be publicly accessible to any IP address, and any files stored on the server were downloadable – by anyone. The oldest records dated back to 1986.
Exposed records: 540 million and 22,000
Reported April 2019
With countless third-party apps and programs accessing Facebook information, it’s not surprising that some of these third parties fail to store user data in a secure way. Below are two notable Facebook data breaches to learn from.
Facebook Data Breach #1:
A digital media company called Cultura Colectiva, based in Mexico, left over 540 million records of user IDs, account names, comments, and more exposed on a publicly accessible server.
Facebook Data Breach #2:
Plaintext (unprotected) passwords and email addresses for 22,000 users were exposed via At the Pool, another third-party Facebook app.
Focus Brands Inc.
Exposed records: Unknown
Reported October 2019
Focus Brands Inc., a restaurant franchising group, recently revealed data breaches at Moe’s Southwest Grill, McAllister’s Deli, and Schlotzsky’s. The breach stemmed from hacked payment processing computers at an unspecified number of locations. In other words, their Point of Sale (PoS) vendor was hacked, leaving payment information of countless customers vulnerable in from April 2019 to July 2019.
As businesses grow, they turn to third parties to provide specialty services – expanding and complicating digital ecosystems. While outsourcing can alleviate business problems and needs, it often comes with risk. A larger ecosystem creates more possibilities for a hacker to break through – and all it takes is one single vulnerability of a trusted vendor to gain access to a plethora of your organization’s and your customers’ sensitive data – maybe even the make-up of your very own DNA. Unless our approach to risk management changes, we will continue to see an increase in data breaches caused by third parties.
Ready to re-think your approach to third-party cyber risk management? Contact our team to learn more or download our Vendor Risk Management Guide to learn the three fundamentals.