Rapid7 recently disclosed that some of its customers may have been affected by a cyberattack against Codecov, a third-party provider of code coverage solutions. The Codecov breach occurred on or around January 31, 2021 and was made public on April 15, 2021.
While Rapid7 is just one of hundreds of Codecov clients potentially affected by the security breach, they stand out as a high-profile security technology provider. As such, they are a prime target for malicious actors attempting to compromise customer assets. While Rapid7 may have internally robust controls and response processes, this breach highlights how even the most stringent organizations can be prone to exploitation within their supply chains.
The Prevalent Third-Party Risk Management Platform includes an impact discovery assessment that our customers can leverage to identify vendors and suppliers that use Rapid7 solutions and may have been detrimentally impacted this incident.
In related news, Canada Post also announced a third-party breach this past week. The incident, which exposed data on 950,000 customers, was traced to a malware attack on electronic data interchange supplier, Commport.
All too often, we assume that large, respected organizations are wholly in control of their operations and services. The fact is, just about all companies rely on third parties to produce and deliver their products and services. In turn, the third parties usually outsource to fourth parties – and many business relationships further extend to seemingly countless levels of Nth parties. As a result, data breaches and other security incidents deep in the supply chain can have a ripple effect that ultimately impacts the final consumer.
While absolute assurance is not possible when it comes to supply chain security, these cases demonstrate the importance of regularly conducting vendor risk assessments, mapping vendor Nth-party relationships, and pursuing continuous third-party monitoring. These activities enable organizations to quickly identify supply chain incidents, understand their potential exposure, get the information they need to remediate the risk, and effectively communicate with their customers and other stakeholders.
Prevalent offers solutions and services that can help you gain visibility into your organization’s third-, fourth- and Nth-party risks. Contact us to see if Prevalent is a fit for you.
A Microsoft zero-day exploit enables attackers to gain full admin privileges. Use this questionnaire to assess...