A Very Real and Present DangerAll Posts
Third Party Vendor Breaches Are on the Rise
The likelihood of your organization relying on third parties for day-to-day operations is at an all-time high, with approximately two-thirds of companies outsourcing at least one aspect of their business. As companies partner with other firms, managing third party cyber risk has become more and more of a challenge. Major breaches caused by third parties have raised awareness of the problem, especially as the long-term effects may include legal action by customers, business partners and shareholders as well as damage to a company’s reputation, costly post-breach remediation, and expensive security forensics.
According to the 2015 Global Security Report and the 2015 US State of Cybercrime Survey, 63% of breaches involve a third party. Even organizations with formidable data security systems are susceptible to breaches as a result of weaknesses in the system’s third parties that possess sensitive data or are granted access to systems or intellectual property such as an organization’s web host, payroll provider, benefits provider, payment processor or even law firm.
Examples of third party vendor breaches are many and increasing in number. The Target breach that was discovered in late 2013 is one of the most well known and costly, with the company agreeing in December 2015 to pay a $39 million settlement to several U.S. banks over a data breach that affected roughly 40 million customers. The banks, which service MasterCard, lost millions when they were forced to reimburse customers who lost money in the massive 2013 hack of Target’s database. The settlement was just the latest in a series of payouts Target has made. In August 2015, Target settled with Visa for $67 million over the data hack. When the breach happened, no one could fathom it was due to a third party HVAC business!
Subsequent breaches in 2014 included Home Depot, the world’s largest home improvement chain, with 6 million credit and debit cards affected by a data breach as well as 53 million email addresses. According to the company, criminals used a third-party vendor’s user name and password to enter the perimeter of Home Depot’s network. The hackers then acquired elevated rights, which allowed them to navigate portions of the company’s network to deploy unique, custom-built malware on self-checkout systems in the U.S. and Canada.
Other examples include Jimmy John’s, a sandwich shop chain, where hackers were able to obtain the login credentials from the chain’s payment technology vendor and access cards used in an online order or a transaction where the card number was entered manually. Also, Goodwill Industries confirmed a data breach in 330 of its stores which may have compromised an estimated 868,000 debit and credit cards. According to their investigation, a third-party vendor’s systems were attacked by malicious software, enabling criminals to access some payment card data of a number of the vendor’s customers.
Incidents in 2014 were not just limited to credit and debit card information theft. In early 2014 the world’s second largest email service, Yahoo Mail, serving 273 million people worldwide, reported a data breach into its users’ email accounts. In addition, Lowe’s issued letters to both current and former employees to notify them that their personal information may have been compromised after a third-party vendor exposed it to the public. Personal information included names, addresses, birthdays, Social Security numbers, driver’s license numbers and other driving record information. The data had been housed in an online database provided by a driver safety firm. According to Lowe’s, the root cause of the incident was an improperly secured backup to an unsecured computer server that was accessible from the Internet and potentially exposed. This breach came hot on the heels of news that eBay’s customer database was stolen through a third-party database hack, further demonstrating the increasingly porous nature of corporate networks.
These and other third party breaches were so large in scope that Booz Allen Hamilton predicted third party vendors would be the number one security risk to financial services firms in 2015. Indeed, PNI Digital Media and NoMoreClipboard are reminders of how third party vendors can affect retailers and hospitals. Other examples of industries breached through third party vendors in 2015 include online travel agencies, as Expedia, Travelocity and Hotels.com customers were targeted. In the telecom industry, AT&T agreed to settle an FCC investigation paying a $25 million fine when it was discovered employees of one of their service providers violated privacy guidelines by accessing consumer accounts to obtain customer names and partial SSNs, allegedly used to request unlock codes for stolen mobile phones. Stealing personal information via third party vendors systems continues to plague companies as well as government institutions, to include the Army National Guard and the Louisville Metro Government.
As demonstrated by Target’s cybersecurity breach, litigation can tie up a company’s resources for years. The breach was found late 2013 and two years later a spokesperson for Target made the official statement that the company was “pleased that the process is continuing to move forward.” And that was after the latest settlement of $39 million was reached! It is unclear how many more settlements are still looming for Target, but the monetary damage is just part of the impact for the company as the media continues to keep the negative news in the mainstream with each settlement that is announced. To be sure, business for the hapless third party HVAC vendor that caused the breach has surely taken a huge hit as well.
So what is the take-away? Third party vendor breaches are on the rise and commercial as well as government sectors are susceptible as more and more organizations outsource at least one part of their operation to third party vendors. Culpability is not just on the third party vendor – it’s also on the partnering entity that was targeted. Financial repercussions can be significant, with company reputation nose-diving and litigation continuing for years. It is therefore important that organizations not just take note of what is happening, but also take action. After all, forewarned is forearmed.