Third-Party Data Breaches: What You Need to Know

Why third-party breaches are on the rise, who is being affected, and what you can do about it.
By:
Prevalent
June 29, 2021
A third-party data breach occurs when malicious actors compromise a vendor, supplier, contractor, or other organization in order to gain access to sensitive information or systems at the victim’s customers, clients or business partners. Third-party data breaches are becoming increasingly common as technology makes it easier for businesses to connect and as global supply chains grow in complexity. As a result, organizations are often unable to visualize where their data goes, and proprietary or sensitive data can easily be shared with suppliers and subcontractors that the contracting organization knows little to nothing about.

This article examines why third-party data breaches are increasing; provides examples of prominent companies that were compromised by third, fourth, or Nth party vendors; and explains what steps you can take to mitigate the risk of your organization becoming a victim.

Why Third-Party Data Breaches Are Increasing

The last decade has seen an increasing number of large organizations investing heavily in information security. In fact, information security spending grew by a stunning 12.4% in 2020 alone. No system can be entirely secure, but heavy investments in cybersecurity do make it far more difficult for malicious actors to compromise well-resourced organizations. Hackers are increasingly incentivized to target smaller subcontractors to bypass robust and well-funded cybersecurity programs. Compromising a small HVAC contractor and using that organization as an unwitting Trojan Horse is far easier to accomplish than directly compromising a Fortune 500 company with a fully staffed Security Operations Center and several layers of security controls.

Small businesses have consistently lagged behind in adopting robust information security practices despite the fact that 43% of attacks target them. This enables malicious actors to compromise smaller third parties and either steal data entrusted to them, or hijack their access to sensitive systems at larger organizations. Third-party data breaches can be extremely damaging and can result in millions of dollars in fines, legal fees and penalties -- along with inordinate reputational damage.

Examples of Prominent Third-Party Security Incidents

Third-party data breaches have become far more common in recent years. As the world economy becomes more integrated, data often flows throughout supply chains with little regard for its protection or how it is managed. This has resulted in a “wild west” approach to applying information security controls, as many organizations have little to no idea where their data is throughout the extended supply chain -- much less what security measures are being taken to protect it.

Mercedes

Mercedes-Benz recently announced that approximately 1.6 million unique records were leaked through a third-party vendor's cloud storage platform. An external cybersecurity researcher reportedly found the flaw and notified Mercedes-Benz of the incident. According to Mercedes-Benz, fewer than 1,000 customers had sensitive information such as Social Security numbers and driver's license information leaked.

The car manufacturer disclosed the breach on Thursday, June 24th. The leaked data appears to have come from information that potential buyers and customers entered on Mercedes-Benz websites between January 1, 2014 and June 19, 2017. Any individual seeking to access these files would need “special software programs and tools” to find the leaked information. The company announced that the security flaw has been remediated.

Possibly leaked data includes:

  • Driver's license numbers

  • Social Security numbers

  • Credit card information

  • Birthdays

  • First and last name

  • Email address

  • Phone numbers

  • Purchased vehicle information

Volkswagen

Over 3.3 million customers were impacted in a data breach of car manufacturer Volkswagen. Current and prospective customers' information was left exposed online between August 2019 and May 2021. According to Volkswagen, it was alerted on March 10, 2020 that an unauthorized third party may have accessed the customer information. External security experts are currently investigating the incident.

Possibly exposed data includes:

  • First and last name

  • Personal address

  • Business addresses

  • Email addresses

  • Phone numbers

  • Vehicles purchased

  • Vehicles leased

  • Vehicle ID numbers, makes, models, years, and colors

SolarWinds

The SolarWinds supply chain breach, first reported in December of 2020, impacted over 18,000 users of its Orion network management product, and it continues to wreak havoc on Orion customers around the world as they identify and mitigate its risks. The list of impacted organizations includes major US government agencies and firms:

  • Department of Energy

  • Department of the Treasury

  • Department of Commerce

  • State and local governments

  • Department of State

  • Department of Homeland Security

  • National Institutes of Health

  • The Department of Defense

Private companies affected by the breach include Microsoft and FireEye. This security incident dealt a major blow to US national security that revealed major flaws in cybersecurity defenses. Recognizing the potentially damaging impact on companies’ operations, Prevalent released a free event and incident management assessment to its customers soon after the breach was first reported.

GE

The 2020 GE breach shows that a security incident can harm not only customer relationships, but also employee relationships and trust in the company. General Electric’s human resources document management provider, Canon Business Process Services, suffered a breach at the beginning of 2020. Sensitive information on over 200,000 current and former employees, including benefits and personal health information (PHI), was exposed in the incident.

The personal information released includes:

  • Names

  • Social Security Numbers

  • Bank account information

  • Date of birth

  • Direct deposit forms

  • Driver’s licenses

  • Passports

  • Birth certificates

  • Marriage certificates

Death certificates, medical child support orders, tax withholding forms, beneficiary designation forms and applications for benefits such as retirement, severance and death benefits with related forms and documents were also exposed.

Adobe

In 2019, over 7 million Adobe Creative Cloud user records were exposed because an internal Elasticsearch database was left exposed online without password protection. The information included usernames and customer account information but not financial data or user passwords.

Other information exposed included:

  • User email addresses

  • Adobe member IDs

  • Country of origin

  • Adobe products used

  • Account creation date

  • Last login date

  • Subscription status

  • Payment status

Although the breach did not expose names, passwords or financial information, the incident still posed harm to users. Attackers can use such account details to spear-phish high-value accounts, obtain passwords, and sell them on the dark web. Any breach of customer information, no matter how small, can pose enormous risks.

Marriott

When Marriott acquired Starwood in 2016, the company inherited a compromised reservation system platform that resulted in lawsuits and reputational damage after the breach was announced in 2018. Malicious actors had direct access to Starwood’s networks and systems since 2014. The attackers maintained access to Starwood systems until the breach’s discovery and disclosure in 2018.

The malicious actors stole information on up to 500 million guests, including:

  • Names

  • Addresses

  • Phone numbers

  • Birth dates

  • Email addresses

  • Encrypted credit card details

  • Passport numbers

  • Travel histories

In 2020, Marriott announced a second breach, which affected over 5 million customer accounts and compromised addresses, birthdays, phone numbers, and loyalty card information. This third-party data leak occurred because two Marriott franchise owners had their corporate system access credentials stolen. It is important to monitor every third party that has access to your business infrastructure, even a partner organization such as a franchisee. Franchisees frequently do not adhere to the same cybersecurity requirements as their parent company, exposing the entire organization to risk.

Target

In 2013, major retailer Target was hacked by cyber attackers, compromising the data of over 70 million consumers. In this seminal third-party breach, one of Target's HVAC contractors was the victim of a spear-phishing attack, and the resulting intrusion leaked credit card numbers, security codes, phone numbers, and full names.

The hackers accessed Target’s corporate network with stolen credentials and installed malware on Target’s POS devices. The installed malware collected sensitive customer data between November and December of 2013. The Target breach provides a clear example of how even the best-funded information security programs can easily be compromised via security exposures in third-party products and services.

How to Prevent Third-Party Security Breaches

Set Clear Contractual Expectations for How Data Is Stored and Transferred

Many organizations fail to build their third-party contracts with vendor risk management in mind. Your organization should have clear company policies regarding when personal information, customer data, or other sensitive information can be shared with third parties. For example, you might want to consider including clear stipulations regarding when confidential information can be shared with fourth parties and beyond.

Conduct Continuous Monitoring on Third Parties with Access to Sensitive Data or Systems

Vendors should be monitored for unauthorized access to personal data or other proprietary information. Even if the vendor isn’t acting maliciously, their IT systems could have been compromised resulting in malware spreading to your organization’s systems. Any vendor with any access to your IT assets should be monitored for the duration of access.

In addition, you should practice proactive, external third-party monitoring for all vendors that deal with your confidential information. Organizations change their information security programs over time, and what was originally reported on their vendor risk assessment questionnaire may not hold true a few months later. Additionally, a proactive monitoring approach can help you to catch potential data breaches before they happen. By monitoring the dark web, pastebin and other areas where stolen credentials are posted, you can learn if one of your vendors has been compromised.
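One concrete way to monitor a vendor account for the duration of its contracted access is to check its activity against an access register, flagging logins after the contract end date, logins to systems outside the agreed scope, and activity from accounts that were never registered. The following is an added example, not Prevalent's code or product; the register and the log lines are constructed and the log format is a hypothetical one.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class VendorAccess:
    vendor: str
    end: datetime          # contractual end of the access window (UTC)
    systems: frozenset     # systems the contract allows this account to reach

def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Hypothetical vendor access register keyed by account name (constructed).
REGISTER = {
    "svc-hvac-ops": VendorAccess("ACME HVAC", _utc(2021, 3, 31), frozenset({"bms-portal"})),
    "svc-franchise-12": VendorAccess("Franchisee 12", _utc(2021, 12, 31), frozenset({"loyalty-app"})),
}

# Constructed sample log: "<ISO timestamp> <account> <system> <outcome>" per line.
SAMPLE_LOG = """\
2021-03-02T09:14:00Z svc-hvac-ops bms-portal login-ok
2021-03-05T22:41:00Z svc-hvac-ops pos-admin login-ok
2021-04-15T02:43:00Z svc-hvac-ops bms-portal login-ok
2021-05-01T11:00:00Z svc-franchise-12 loyalty-app login-ok
2021-05-01T11:05:00Z svc-unknown-7 loyalty-app login-ok
"""

def parse_line(line):
    ts, account, system, outcome = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, account, system, outcome

def audit_vendor_access(log_text, register):
    """Return (timestamp, account, reason) for every event that is outside the
    contracted window or scope, or that comes from an unregistered account."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, account, system, _ = parse_line(line)
        entry = register.get(account)
        if entry is None:
            findings.append((when, account, "unregistered vendor account"))
        elif when > entry.end:
            findings.append((when, account, f"access after contract end for {entry.vendor}"))
        elif system not in entry.systems:
            findings.append((when, account, f"out-of-scope system {system}"))
    return findings

if __name__ == "__main__":
    for when, account, reason in audit_vendor_access(SAMPLE_LOG, REGISTER):
        print(when.isoformat(), account, reason)
```

The same check can be scheduled against real authentication logs so that a vendor account which keeps working after its contract ends, or wanders into a system it was never granted, raises a finding rather than going unnoticed.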

Use Third-Party Risk Management Software

Third-party risk management software can dramatically simplify your TPRM workflow and enable you to get easy visualization of how your data is being shared and used across your vendor network. Prevalent’s TPRM software makes it easy to build standardized vendor risk assessment questionnaires, centralize vendor data, and compare vendors based on risk.

Pay Attention to Regulatory Requirements

Information security and data privacy regulations have been ramped up dramatically in the past decade. We’ve seen the introduction of GDPR, CCPA, NY Shield Act, and dozens of other compliance requirements in just the past few years. It is highly likely that regulatory scrutiny will continue to mount as new third-party breaches emerge.

Require Vendors to Independently Verify Their Information Security Practices

Third-party risk assessment questionnaires can be enormously helpful in determining whether vendors are taking appropriate information security measures. However, in some cases, you may want to consider requiring potential vendors to become certified against an information security standard. For example, the Department of Defense recently introduced the Cybersecurity Maturity Model Certification, which requires contractors working with the Department of Defense to be certified against a 5-tier standard set by DOD, with the required tier determined by the type of information the contractor handles.

Your organization can take a similar approach in dealing with vendor cybersecurity concerns. For many vendors, particularly those not dealing with large amounts of confidential data, a simple vendor risk assessment questionnaire might suffice. However, for vendors that need access to proprietary data and systems, you might want to consider requiring compliance against an outside standard such as SOC2 or NIST CSF.

Next Steps for Preventing Third-Party Data Breaches

Wondering how prepared your organization is for a third-party data breach? Get started with our 10-question risk calculator. For a custom benchmarking report on your third-party risk management program, request a free TPRM maturity assessment and consulting session. Interested in how Prevalent can help? Read more about our third-party risk management platform and vendor risk assessment services, or request a demo.
