Third-party data breaches have grown increasingly common, highlighting the vital role of cybersecurity programs encompassing third-party cyber risk management, such as merchants, vendors and subsidiaries. The origins of these breaches trace back to the internet’s early days when rising online transactions prompted companies to accumulate extensive customer data, including names, addresses, and payment particulars.
In today’s landscape, businesses heavily depend on third-party vendors for diverse services like payment processing, cloud infrastructure, API integrations, customer support, and marketing. These vendors possess greater access to sensitive customer data, thus becoming prime targets for cybercriminals, prime targets that are hit badly.
Ponemon institute points out that 54% of the companies experienced data breaches resulting from their third parties, while 61% of the companies do not have a comprehensive inventory of their third parties.
In recent years, notable data breaches have unfolded, encompassing entities like SolarWinds and Marriott. These breaches exposed critical data like credit card specifics, Social Security IDs, and personal identification, fueling identity theft, financial manipulation, and cyber malfeasance.
From late 2022 to mid-2023, numerous additional third-party data breaches have emerged, jeopardizing the personal data of countless individuals, and resulting in unmeasurable cost and reputational damage.
Below are highlights of some of the latest prominent third-party data breaches.
August
Discord, an instant messaging and VoIP social platform, suffered
a third-party data breach from Discord.io, a service allowing server owners to
create custom invites to their channels.
The leak exposed the information of 760,000 members. The
leaked information includes a member’s username, email address, billing address
(small number of people), salted and hashed password (small number of people),
and Discord ID.
Discord.io confirmed the data breach and shut down its
services in response.
June
-Taiwan Semiconductor Manufacturing Company (TSMC), the world’s largest contract chipmaker, and one of Apple’s largest suppliers, acknowledged a breach linked to its supplier Kinmax. The LockBit ransomware group demands a $70 million ransom for not disclosing stolen data. This is known to be one of the largest ransomware demands in history.
-Reports confirmed intrusions affecting various organizations, including U.S. government agencies, exploiting a vulnerability in Progress Software’s MOVEit Transfer tool. The CLP Ransomware gang exploits this for profit, impacting third parties amid ongoing assessment of the attack’s scale.
-The Swiss government confirmed a software vendor, Xplain, was infected by malware. The cybercriminals posted some of the data on the dark web. The data set contains over 425,000 addresses.
May-April
– The world’s largest eyewear company, Luxottica, confirmed the leakage of 70 million customers’ personal information after a data breach that occurred in 2021. The company owns brands such as Ray-Ban, Chanel, Prada, Versace, Dolce and Gabbana, Burberry, Giorgio Armani, Michael Kors and Oakley, amongst others.
The company confirmed that the leaked data resulted from a security incident that impacted a third-party contractor holding customer data.
March
-AT&T disclosed a breach impacting about 9 million wireless accounts. An unauthorized person breached a third-party vendor’s system providing marketing services. While data like names, email addresses, phone numbers, account lines, and wireless plans were accessed, no SSNs, passwords, or financial data were taken.
LinkedIn revealed a breach impacting 700 million users. Exploiting a third-party software library vulnerability, hackers accessed data like names and emails. LinkedIn urged password updates and took extra security measures.
January (23)-December(22)
T-Mobile suffered a breach affecting 40 million customers. Hackers entered via a third-party vendor, stealing data including names, phone numbers, addresses, SSNs, and licenses. T-Mobile offered free credit monitoring and boosted security.
Uber confirmed a December 2022 breach. Threat actors accessed employee emails, IT assets, and corporate data. Via the vendor Teqtivity, they conducted phishing attacks. The leaked info could fuel targeted campaigns.
These breaches highlight the perils tied to third-party vendors, underscoring the imperative of robust cybersecurity measures.
Conclusion
To mitigate third-party data breach risks, companies must go beyond perusing SOC2s and distributing questionnaires. Despite strong vendor review processes, some firms have still fallen victim. This extends to scrutinizing security policies, agreements, and access limits. A trend is emerging: external vulnerability risk assessments periodically. This provides the same cyber risk view as attackers and fosters proactive risk discussions.
Onlayer focuses on supply chain security for enterprises in a variety of sectors, from financial institutions to energy and insurance, periodically assessing and managing the risks of the primary organisations’ vendors, merchants, subsidiaries and other third parties. By detecting, prioritizing and remediating these risks, Onlayer minimizes data breach risks and prevents financial and reputational damage.
Reach out to us and request a demo to explore how we can mitigate and remediate your third-party risks.
References
https://techcrunch.com/2023/06/30/tsmc-confirms-data-breach-after-lockbit-cyberattack-on-third-party-supplier/
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a
https://www.securityweek.com/millions-of-att-customers-notified-of-data-breach-at-third-party-vendor/
https://cybernews.com/news/threat-actors-scrape-600-million-linkedin-profiles-and-are-selling-the-data-online-again/
https://tech.co/news/t-mobile-massive-security-breach
https://cybernews.com/news/uber-suffers-data-breach-attack-third-party-vendor/
https://www.swissinfo.ch/eng/politics/data-leak-affects-425-000-swiss-abroad/48628744
https://www.bleepingcomputer.com/news/security/luxottica-confirms-2021-data-breach-after-info-of-70m-leaks-online/
https://www.bleepingcomputer.com/news/security/discordio-confirms-breach-after-hacker-steals-data-of-760k-users/
https://ponemonsullivanreport.com/2022/10/the-2022-data-risk-in-the-third-party-ecosystem-study/