A recent survey conducted by Ponemon Institute reveals that 56% of companies have experienced a 3rd-party breach in 2017, which is an increase of 7% compared to previous year. Data breaches caused by third parties cost millions of dollars to large companies.

Third-parties include broad range of companies a company directly worked with such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, sub-contractors, basically any company whose employees or systems have access to your systems or your data. However, third-party cyber risk is not limited to these companies. Any external software or hardware that you use for your business also poses a cyber risk. There are several tools to assess third-party cyber risk and ways to prevent software supply-chain attacks.

We regularly update the list of major third-party (aka supply-chain) attacks and breaches that are revealed in the news. Here are September picks(*).

Major Third-Party Breaches Revealed

1. All platforms that use Facebook login

Facebook login

Facebook breach that hit the news in the last days of September is the candidate to be the most significant cyber security event of the year with 50 million accounts compromised. What makes it a third-party breach is the fact that all the platforms and third-party services that use Facebook-login feature are now vulnerable to data breach, because an attacker can login to their system as a legitimate user.

2. The Conservative Party (UK)

Conservative

In September, we see that how a conference app can cause trouble for a political party. The Conservative Party of UK had been using an conference app developed by an Australian company (CrowdComms) before party members’ personal information become public due to a security flaw in the app. It seems that anyone with a valid e-mail address can login to conference system and can see the sensitive information about MPs, journalist and conference attendees, including personal mobile numbers. Very unfortunate days for Tories.

3. Perth Minth

Perth Minth

Perth Minth, Australia’s official bullion mint, was hit by a data breach because of a third-party provider (name not disclosed) used for online depository. Data compromised include names, addresses, passport and bank account of 3200 customers.

4. British Airways

British Airways

Another breach covered by the news extensively was the one affecting 380,000 customers of British Airways whose financial and personal details are compromised. The attack was part of a campaign called MageCart and executed through a Website Javascript. Same malicious actors were also behind TicketMaster breach, another third-party attack through a company used for website application.

5. Foosackly

Foosackly data

Foosackly, a mobile-based chicken-finger chain, warned their customers of a data breach in its payment system in the early days of September. Company estimated that approximately 165,000 customers, who dined at the affected locations while the attack was executed, might have been affected with their payment card informations are on stake.

6. University of Louisville

University of Louisville

University of Louisville is another institution who informed a third-party breach in September. A cyber attack executed to a third-party vendor used for fitness activities (Minneapolis-based Health Fitness Corp.) exposed names, employee IDs, physician’s name of hundreds of employees and retirees enrolled in a program called “Get Healthy Now” between 2007 and 2014.

7. E-commerce sites that use Feedify

E-commerce sites that use Feedify

MageCart actors once again stole payment card information, now through Feedify’s Javascript. Feedify is a cloud-service provider to serve their customer by target their clients with behavioral analysis. For that, customers of Feedify should add a Javascript to their websites. With a malicious code injected into this Javascript, attackers were able to stole payment card information of hundreds of e-commerce sites.

8. The Washoe County School District

School District

WSCD experienced a breach that exposed Teachers’ emails, usernames and passwords. The breach is originated from Edmodo, an instructional tool which teachers use for student communications about assignments, resource for lesson plans, example quizzes, and instructional guides.

9. Blue Cross Blue Shield of Rhode Island

Blue Cross Blue Shield

Blue Cross Blue Shield of Rhode Island (BCBSRI) notified its more than 1,500 members of a breach that exposed member names, their BCBSRI ID numbers, service providers, types of service provided and costs of claims. The breach was originated from a vendor (name not disclosed) responsible for “sending members’ benefits explanations.”

10. Wegmans

Wegmans

A hack through a Chilean seafood supplier (Invermar) may have cost Wegmans over $900,000. The grocery chain accused Invermar of poor cyber security posture that allows hacker to infiltrate their e-mail system. Hackers re-direct payments made by Wegman to their own bank accounts.

(*) Links to relevant news and our updated list can be found at https://www.blackkite.com/data-breaches-caused-by-third-parties/