Data breaches caused by third parties cost millions of dollars to large companies and are often devastating to small businesses. A recent survey conducted by the Ponemon Institute reveals that 59% of organizations have experienced one or more data breaches caused by a third party, costing an average of $7.5 million to remediate. IBM’s Cost of a Data Breach Report 2020 states that third-party involvement was one of the amplifiers in a breach, increasing the data breach cost by $207,000.
Third-parties are companies that support your organization and often have access to, share, or maintain data critical to your operations. Third-parties include a broad range of companies such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, service providers, subcontractors. Essentially any company whose employees or systems have access to your systems or your data is considered a third party. However, third-party cyber risk is not limited to these entities. Any external software, hardware or firmware that you use for your business can also pose a cyber risk. There are several tools to assess third-party cyber risk and ways to prevent software supply-chain attacks. Knowing your potential risks allows your business to make adjustments and protect itself from becoming the next cyber breach headline.
We regularly update the list of major third-party (aka supply-chain) attacks and breaches revealed in the news. In this blog, you will find the most recent breaches for the month of October. It should be noted that several of these breaches are still being substantiated as more data is collected.
1. Innova Health, OSF
Another victim of the recent Blackbaud breach is Innova Health. Innova issued a statement saying in part that some of the sensitive information of patients and donors was stolen by hackers. Although social security numbers and financial account information are not thought to be impacted in the breach, ransomware attackers may have obtained:
- patient names
- phone numbers
- medical departments patients visited
Innova has already sent letters to thousands of patients, advising them to visit Inova Health’s website to review their credit report as well.
OSF HealthCare also sent notification letters to its patients this October. According to a statement made by OSF, the investigation and review at Blackbaud determined the database leaked contained similar patient information, including names, addresses, phone numbers, email addresses, dates of birth, treatment facilities, treating physicians, departments of service, room numbers, and/or medical record numbers.
Blackbaud, a third-party service provider used for alumni fundraising and/or
donor activities at non-profits and universities worldwide, is facing implications in the data breach. A recent Securities and Exchange Commission (SEC) filing shows that more unencrypted information than previously thought has been accessed by hackers in the breach. This included bank account information, Social Security numbers, usernames and or passwords, according to the SEC filing. The largest client affected by the Blackbaud breach is Inova Health System in Virginia with 1 million individuals included in the tally. So far, more than 6 million individuals have been added to the breach tally. In addition, some of the millions of infringement claimants have filed litigation against the vendor.
2. Kylie Cosmetics
Kylie Cosmetics LLC, the cosmetic company created by the popular “Keeping Up with the Kardashians” confirmed customer information was compromised as part of Shopify Inc.’s data breach.
Shopify, a third party to Kylie Cosmetics, was targeted by two “rogue” workers engaged in a “scheme” to acquire customer transaction information from its merchants. Contact information, as well as types of goods and services bought, were included in the data stolen. Shopify has not revealed the merchants.
In a notice to customers published by TMZ, Kylie Cosmetics says that it is “working diligently with Shopify to get additional information about this incident.” The notice states that the incident affected
- product orders
- the last four digits of SS numbers
“Shopify has assured us that the customers’ full payment details were not compromised in the incident,” the notice added.
Shopify confirmed the data breach in late September, in which two “members” of its support team stole customer data from at least 100 merchants. The employees reportedly stole consumer data from “less than 200 merchants,” including names, postal addresses and order information, but financial data was untouched.
Lamar Bailey, Senior Director of Security Research at cybersecurity firm Tripwire Inc., noted that insider threats often get little attention. “Support engineers are often an entry-level job so it is easier for someone to infiltrate the organization at this level,” he added.
The Kylie Cosmetics breach is a typical case for third-party, or what we call supply-chain, attacks. According to Gartner, third party breaches account for at least 60% of the data breaches. With the digital transformation, companies outsource their larger portion of businesses to the vendors or suppliers to deliver goods and services in a cost-optimized manner. With this optimization always comes risk.
Businesses have to accept or at least manage the risk when they enter into a relationship with a third party.
3- City of Odessa
The town of Odessa recently faced a data breach involving its online payment website, which is not the first breach the town has faced. This incident only concerned Click2Gov online system users who submitted one-time payments for utility bills.
Odessa uses Click2Gov as a third-party software provider which enables individuals to pay their utility bills electronically. The security breach lasted from mid-April to late-June and is the second device data breach in the last year. After the first hack, the town said it started looking for a new online payment provider.
Click2Gov is owned by CentralSquare Technologies. Compromised data is believed to include credit/debit card information of some customers.
“We are now researching other service providers,” said Devin Sanchez, Odessa Director of Communications. “Who is more secure? That’s our main concern right now is who is going to be the most secure.”
4-Dickey’s Barbecue Pit
A POS-related breach news came from the U.S. Barbecue franchise, Dickey’s Barbecue Pit. The leak toll could be as much as 3 million cards for sale on the dark web. Researchers have already identified card information uploaded to the infamous forum, Joker’s Stash.
According to the data, customers in around 1/3 of locations, 156 of 469, across 30 states may have had their cards compromised. What was more interesting was that security researchers believe it went unnoticed from May 2019 to September 2020, until it was discovered to be publicly available on Joker’s Stash.
Dickey’s issued the following statement about the data breach: “We received a report indicating that a payment card security incident may have occurred. We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway. We are currently focused on determining the locations affected and time frames involved.”
Researchers from the Gemini Advisory also determined the payment transactions were processed via the outdated magstripe method, which is prone to malware attacks. However, it is unclear as of this writing if the affected restaurants were using outdated terminals or if the EMV terminals were misconfigured, researchers added.
Rutter’s Store was affected by a similar breach this February, eventually leading to a compromise of customers’ names, card numbers, expiration dates, and internal verification codes of its customers.
5- Broadvoice Customers
In the latest case of an organization failing to protect its cloud storage, more than 350 million customer records belonging to Broadvoice were leaked online. The leaked database contained more than 350 million customer records belonging to a voice over-internet-protocol business. The data was found on an unprotected Elasticsearch cluster of Broadcom, which included:
- phone numbers
- hundreds of thousands of voice mails
- medical and financial details
The data breach was verified by Broadvoice, claiming the data was accidentally leaked on Sept. 28. The information was then secured the next day after the organization was told of the exposure on Oct., 1st. Broadvoice said it had no reason to suspect that there was any exploitation of the data, having ticked the list of standard incident response steps:
- an investigation initiated
- alerting authorities
- hiring a third-party forensics company
Established in 2006, Broadvoice offers VoIP services to a variety of U.S. businesses, which exacerbates the exposure of data. The business has thousands of clients, all of whom may have had their data exposed, or even worse – their personal information stolen.