Data breaches caused by third parties cost millions of dollars to large companies and are often devastating to small businesses. A recent survey conducted by the Ponemon Institute reveals that 59% of organizations have experienced one or more data breaches caused by a third party, costing an average of $7.5 million to remediate.
Third-parties are companies that support your organization and often have access to, share, or maintain data critical to your operations. Third-parties include a broad range of companies such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, service providers, subcontractors. Essentially any company whose employees or systems have access to your systems or your data is considered a third party. However, third-party cyber risk is not limited to these entities. Any external software, hardware or firmware that you use for your business can also pose a cyber risk. There are several tools to assess third-party cyber risk and ways to prevent software supply-chain attacks. Knowing your potential risks allows your business to make adjustments and protect itself from becoming the next cyber breach headline.
We regularly update the list of major third-party (aka supply-chain) attacks and breaches revealed in the news. In this blog, you will find the most recent breaches for the month of June. It should be noted that several of these breaches are still being substantiated as more data is collected.
1. National Fusion Center and Police Departments in U.S.
Another breach caused by a 3rd party exposing nearly 270 gigabytes of potentially sensitive data were leaked from hundreds of police departments and fusion centers last week, . An internal analysis performed by the National Fusion Center, reveals some of the files contain highly sensitive information such as
- ACH routing numbers
- international bank account numbers (IBANs)
- personally identifiable information (PII)
- law enforcement and government agency reports
The breach stemmed from a 3rd party website design company, NetSential of Houston, who confirmed its web servers were compromised. The third-party web hosting firm provides services to over 200 law enforcement and government agencies throughout the United States.
The statement from Netsential regarding the cyberattack reads:
“Netsential can confirm its web servers were recently compromised. We are working with the appropriate law enforcement authorities regarding the breach, and we are fully cooperating with the ongoing investigation. We have enhanced our systems and will continue to work with law enforcement to mitigate future threats. Netsential will continue to work with clients impacted by the intrusion.”
Following the breach, Black Kite CSO Bob Maley claims, “After a quick review of a Black Kite technical report on NetSential, several potential vulnerabilities were revealed on their servers. This data is not to imply the servers were vulnerable (patches may have been applied), however, these vulnerabilities would have raised a red flag in the due diligence process resulting in further security practices and control efficacy, should a business have considered NetSential as a vendor.”
“It isn’t always the Tier 1 vendor who poses the most risk. Any third party who touches the company data should be continuously monitored as part of the Third-Party Risk Management program,” says Maley.
2. San Francisco Employees’ Retirement System (SFERS)
The recent data breach involving the San Fransisco Employees’ Retirement system (SFERS) affected about 74,000 individuals’ personal information.
The third-party vendor, 10up Inc, providing web design services to SFERS, revealed an external actor accessed its test data server on February 24, which hosted members’ information. The intrusion was discovered almost a month later on March 21.
The notification posted by SFERS reads, “The vendor promptly shut down the server and began an investigation. The vendor found no evidence that the information of SFERS members was removed from its server, but at this time, it cannot confirm that the information was not viewed or copied by an unauthorized party.”
The data included:
- first names
- home addresses
- dates of birth
- designated beneficiary information
- SFERS website usernames and passwords
- 1099-R tax form information
- bank routing numbers
SFERS required its members logging into the SFERS website to reset their passwords.
It is not clear whether the exposed information was misused. SFERS is offering a free one‐year membership of Experian’s® and IdentityWorks as an identity-protection service to the affected members.
The cybersecurity firm Keepnet recently experienced a data breach on its historic collection of breach data. The breach took place via a third-party contractor containing five billion email addresses and passwords collated from previous data breaches.
An engineer at a third-party IT service provider hired by Keepnet temporarily took the firewall down while migrating the e ElasticSearch database. Ten minutes without a firewall was enough for the database to be indexed by BinaryEdge, an internet indexing service.
Security researcher, Bob Diachenko, downloaded 2 MB from the 867 GB database and revealed the data came from prominent historical data breaches, along with those of Adobe, Twitter and LinkedIn. The database included breached data from 2012 to 2019, including:
- the source of the breach
- the year the breach was made public
- breached email addresses
- breached passwords or hashes and the format of the breached passwords (e.g. plaintext, encrypted or hash)
The database was immediately taken offline after Diachenko sent the alert to Keepnet.
Keepnet Labs gathers historical breach data from “online public services” so that its customers can be alerted if their business domain is breached. Threat intelligence services use this common and entirely legal form. The exposure did not reveal any Keepnet customer data.
An early June TP data breach came from Joomla. As an open-source content management system (CMS), Joomla experienced this breach due to a human error at one of its third parties named Open Source Matters.
A statement from a developer claims, “JRD full site backups (unencrypted) were stored in a third-party company Amazon Web Services S3 bucket. The third-party company is owned by a former team leader, still member of the JRD team at the time of the breach.”
The statement continues to say, “The backup copy included a full copy of the website, including all the data. Most of the data was public, since users submitted their data with the intent of being included into a public directory. Private data (unpublished, unapproved listings, tickets) was included in the breach.”
The incident was found during a security audit, which also disclosed the existence of Super User accounts outside of Open Source Matters. The breach affected 2,700 individuals possibly exposing:
- full names
- business addresses
- business phone numbers
- company URLs
- encrypted passwords (hashed)
- IP addresses
- new subscription preferences
Whether the data was accessed by third parties is unclear. Joomla recommends all users of the Joomla Resources Directory change their passwords as soon as possible, as it is likely the same combination of credentials may has been used elsewhere.