Third-Party Cyber Breaches

Ever wondered what the true cost of a third-party cyber breach is, or what the top threats are? Learn from recent data breaches and how to prevent them in our definitive guide.

Impact of a Third-Party Cyber Breach


According to research conducted by the Ponemon Institute, third parties are involved in over half of the data breaches in the US and a third-party breach costs, on average, twice what a normal breach costs. Considering the impact on brand reputation, loss in business, and possible decreases in share value, the overall cost of failing to effectively vet and evaluate third parties is about $13 million.

Ponemon Report: The Cost of Third-Party Cybersecurity Risk Management

Third parties are inundated with assessments and enterprises aren’t getting the insights they need – and the cost of failure is high. Grab a free copy of the report to learn more.

Top 3 Cyber Threats To Your Business


As businesses grow, they turn to third parties to provide specialty services, expanding and complicating their digital ecosystems. While outsourcing can solve business problems, it often comes with risk. A larger ecosystem gives an attacker more ways in, and a single vulnerability at a trusted vendor can be enough to expose a large amount of your organization’s and your customers’ sensitive data.

So, which attack vectors are most likely to be exploited, and how can knowing that help when designing your cyber-threat management strategy? Let’s take a look at the top cyber threats that companies should look out for:

1. Ransomware

Made famous by the crippling WannaCry attack in 2017, ransomware is a type of malware designed to deny access to a computer system or data by encrypting the information and holding it “hostage” until the ransom is paid. This cyber threat continues to be one of the top cyber attacks, and according to Business Insider, ransomware generates over $25 million in revenue for hackers each year. Additionally, 50% of companies don’t feel they are adequately prepared for this type of threat.

2. Phishing

Phishing is a form of internet fraud in which an attacker attempts to obtain sensitive information by posing as someone familiar, using electronic communication such as email or telephone. Playing on humans’ innate trust, phishing is behind 91% of data breaches, making this type of social engineering attack the leading threat vector for hackers. And as users share an increasing amount of personal information through social media, criminals are finding a fruitful source of funds in the holders of that information, whom they target through phishing and ransomware attacks.

While no operating system is completely safe from phishing, promoting a security culture within your business, deploying spam filters, keeping systems current with the latest security patches and encrypting all sensitive company data are a few important steps you can take to protect yourself and your organization.

3. Data Leakage

2018 was a year of data breaches for what read like a who’s who list of the world’s biggest companies. Data leakage is the transfer of classified information from a computer or data center to the outside world, whether intentionally or accidentally. This type of security incident can be damaging and costly, and it takes time to repair.

According to the Ponemon Institute’s 2018 Cost of a Data Breach study, a cyber breach goes undiscovered for an average of 197 days, and by the time the incident is exposed and fixed, the damage is likely already done. Adding insult to injury, 53% of organizations have experienced one or more breaches caused by a third party, costing an average of $7.5 million to remediate. The intent is generally to steal credentials, passwords and credit card numbers, though hackers will steal any data that can be sold.

What about insider threats and computer predators? There’s more on that in our blog, Top 5 Cyber Threats to Businesses in 2019.

Recent Major Data Breaches


There have been countless third-party cyber breaches over the past few years, but a handful of them stand out, particularly for the number of records they exposed.

Quest Diagnostics

Exposed Records: 11,900,000 patients

Reported June 2019

An unauthorized user gained access to Quest Diagnostics’ sensitive data via a billing collections vendor named American Medical Collection Agency (AMCA). The hacker had access to the information for roughly 7 months, from August 2018 to March 2019. The sensitive data of 11.9 million patients was accessed, ranging from credit card numbers to bank account information and even social security numbers.

Following the breach, AMCA lost its four largest clients including Quest Diagnostics and has filed for Chapter 11 protection.

MyFitnessPal

Exposed Records: 150,000,000

Reported February 2018

Everything from user names and email addresses to scrambled passwords was stolen in the 2018 MyFitnessPal hack (Reuters). The parent company, Under Armour, saw its shares dip by 3% following the news.

With Under Armour’s acquisition of MyFitnessPal, its already complex digital ecosystem grew, and a vulnerability was introduced through the acquired business unit. Though many third-party data breaches involve vendors, suppliers, or even partners, a breach introduced through an acquisition is just as severe. Regardless of where the weakness was, Under Armour took the financial and reputational hit, much like Hudson’s Bay Company.

“As companies continue to evolve into increasingly interconnected networks, including subsidiaries, affiliates, suppliers and vendors, the importance for ensuring appropriate levels of security at every node is all the more critical.”

– Fred Kneip, CEO and Founder, CyberGRX

MyHeritage Genealogy Site

Exposed Records: 92,000,000

Reported June 2018

A security researcher recently found an archive on a third-party server containing personal details of over 92 million MyHeritage users. The data ranged from hashed passwords to email addresses; luckily it did not include payment information or – you guessed it – DNA test results.

MyHeritage reported that it uses third-party payment processors for financial operations, meaning payment data was never stored on its systems, while DNA test results were saved on servers separate from the one that managed user accounts.

The MyHeritage incident marks the biggest data breach of 2018 and the biggest leak since 2017’s Equifax hack (BleepingComputer).

How To Prevent Data Breaches


Unless our approach to risk management changes, we will continue to see an increase in data breaches caused by third parties. So how can you ensure your data is secure, even when it is in the hands of third parties and vendors?

Implementing an efficient, effective third-party cyber risk management (TPCRM) program is essential to securing your organization’s cyber ecosystem: it tracks, avoids, and minimizes the risks your organization is exposed to. It can also save your organization time and money while scaling with growth. With a clearer understanding of the cyber risks your third parties pose, your organization can fine-tune its participation in wider cyber ecosystems, pursuing more opportunity when third-party cyber risk is low and protecting value when it is high.

But there’s a catch.


TPCRM programs have to be efficient and effective. Without the right tools, you could find yourself relying on possibly false-positive information from scans, or outdated data from static spreadsheet assessments, both of which can be misleading and can drain your resources without providing valuable information. Whether you have a TPCRM program in place or are looking to build one, an effective program should inform decision making throughout the entire process, so you are actually able to identify, prioritize and reduce third-party cyber risk, and it should scale with your needs and your ecosystem.

Buyer's Guide: Rethinking TPCRM

Get the guide to better understand the options for third-party cyber risk management, whether you are looking to advance your current program maturity or are just getting started.

The Most Efficient and Effective Third-Party Cyber Risk Management Program


Current practices and technologies used to support TPCRM and assess third parties are costly and often inadequate and inefficient. Third parties spend an average of 15,000+ hours completing assessments each year. 54% of enterprises say this data is only somewhat valuable, and less than 8% of these assessments result in action. TPCRM has proven a tough code to crack for many CISOs and security leaders alike, so what’s the solution?

Use an Exchange.


Rather than maintaining a one-to-one relationship between companies and each of their third parties, why not work together with a community of risk management professionals towards the common goal of decreasing third-party risk? Why not ditch the disparate, one-to-one assessments and use dynamic, one-to-many assessments hosted in an Exchange?

It benefits both sides. Enterprises simply check whether their third party has completed a dynamic assessment and request access: essential risk information at the click of a button. And instead of spending 15,000+ hours filling in spreadsheets every year, third parties can complete one assessment, share it with their upstream partners, and keep the information current as their security controls change.

The CyberGRX Exchange is the destination for enterprises and third parties to connect based on a common goal to cut out busy work and take a truly risk-based approach to TPCRM.


It allows companies with expanding ecosystems to easily scale their TPCRM programs while reducing the assessment burden third parties deal with every year. And, with over 46,000 companies on the Exchange (and growing), there’s a good chance your third parties are already on it. That’s the power of an Exchange, and it’s one of our primary differentiators.