A third-party data breach involves a hacker accessing a company’s network through their third-party vendors or suppliers. While some may assume that they should be more concerned with their own internal infrastructure, not implementing a proper third-party vendor security strategy is a high-risk practice. Considering only 37% of companies believe they have sufficient third-party security in place shows that vendor security is not highly prioritized and the repercussions are not fully understood.
Third-Party Breaches are on the Rise
According to the 2018 Third-Party Data Risk Study, third-party vendors are one of the fastest-growing risks to an organization’s sensitive data. In fact, 59% of companies have experienced a third-party data breach in the last year, and 22% admitted they didn’t know whether their company had experienced a third-party data breach or not.
One of the contributing factors to the rise in third-party breaches is the growing number of vendors that organizations rely on. On average, companies share their sensitive information with 583 parties, and only 34% of organizations have a list of these vendors. In our connected and digital world, outsourcing services is becoming more prevalent, and the relationship with each vendor is usually an online one that leaves a trail of data and network access points for hackers to take advantage of.
Another area of concern lies within the third-party vendors of a company’s third-party vendors, also known as fourth-party vendors or second-tier third-party vendors. These are essentially the suppliers of your suppliers and can leave a gateway open for hackers to access your network and credentials. Fourth-party vendor attacks often go unnoticed as many companies do not even have the proper security measures in place to manage third-party vendor attacks, let alone companies even further down the supply chain.
In 2013, Target suffered a data breach that exposed the credit and debit card accounts of more than 41 million customers and contact information for more than 60 million customers. This breach stemmed from hackers accessing the point of sale (POS) system using login credentials stolen from Target’s HVAC systems provider, Fazio Mechanical Services.
Fazio Mechanical Services was connected to Target’s network in order to monitor energy consumption and alert managers if store temperatures were experiencing significant fluctuations. The hackers first gained access on November 15th, 2013 and had installed malware on the majority of Target’s POS systems by the end of the same month. The malware was “conveniently” collecting credit card numbers from live customer transactions on Black Friday (November 29th), the biggest retail shopping day of the year.
As a result, Target was required to pay an $18.5 million multi-state settlement in 2017. The agreement set higher industry standards for organizations who process payment cards and have access to confidential customer information.
Delta Air Lines & Sears
Delta Air Lines and Sears both suffered a breach as a result of the lack of cyber security at [24]7.ai, a company that offers online support services for companies. Hackers were able to access [24]7.ai’s chat boxes using compromised credentials and modified the source code to steal personal information from chat box users. According to a report from Reuters, the hack is estimated to have happened on September 26th, 2017 and was identified and resolved on October 12th. However, Delta and Sears were not notified of the breach until March of 2018.
As a result, card details and personal information from up to 825,000 Delta customers and 100,000 Sears customers were exposed. In August of this year, Delta filed a lawsuit against [24]7.ai claiming that the company did not have proper cybersecurity measures in place, such as forbidding workers from using identical login credentials across multiple systems or requiring multi-factor authentication for employees accessing and editing source code. Delta also claimed that [24]7.ai waited five months to inform Delta, and did so through LinkedIn rather than official channels.
Who is Responsible?
Regardless of whether your system is breached through a third-party vendor or not, you can still be held accountable. In the example of Target’s breach, Target was required to pay a settlement even though the breach occurred through a vendor’s lack of security. This clearly demonstrates that vendor security is just as important as protecting your own organization, and companies need to be informed on how to properly assess the threats and risks posed by their suppliers.
How Threat Intelligence Tools Can Help
Figure 1: Using threat intelligence tools to detect and mitigate third-party breaches each step of the way.
Dark Web Search
Before a breach even occurs, hackers will often express their intentions on online environments such as the Dark Web. Whether they post their manifesto to receive support from their online community or are seeking a more experienced hacker to get the job done, there are opportunities to detect a breach before it occurs.
Once the breach has happened, the Dark Web can be used for locating the use and/or sale of stolen credentials such as credit cards and intellectual property. Threat intelligence software can give you safe access to the Dark Web to search for this type of breach and set up custom alerts to be notified should one of your assets be mentioned.
Third-Party Vendor Search
In the case of Delta Air Lines and Sears, the third-party vendor that was responsible for their hack did not disclose it until five months after detection. Using threat intelligence to continuously monitor your vendors will allow your organization to detect mentions of your vendors that suggest they have been breached. This keeps your organization informed without relying on third-party vendors to disclose that they have been breached.
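The two monitoring ideas above, a vendor inventory that reaches past direct suppliers to their suppliers (the fourth parties described earlier) and a continuous search for breach-related mentions of those vendors and of your own assets, can be sketched as a small watchlist pipeline. The following is an added example written for this page, not Media Sonar’s platform code; the vendor names, the asset domain and the feed lines are all constructed, and the list of breach keywords is an illustrative assumption.

```python
"""Added example, not Media Sonar's code: map the vendor supply chain by tier
and run a watchlist over constructed feed lines.  All names, domains and feed
entries below are made up for the example."""
from collections import deque
from dataclasses import dataclass, field
import re


@dataclass
class Vendor:
    name: str
    suppliers: list = field(default_factory=list)  # the vendor's own vendors


def exposure_tiers(direct_vendors, max_depth=3):
    """Breadth-first walk from your direct (third-party) vendors.

    Returns {vendor_name: tier}; tier 1 is a third party, tier 2 a fourth
    party, and so on.  A vendor reachable by several paths keeps its
    shortest path, which is the most direct exposure.
    """
    tiers = {}
    queue = deque((v, 1) for v in direct_vendors)
    while queue:
        vendor, tier = queue.popleft()
        if vendor.name in tiers:
            continue
        tiers[vendor.name] = tier
        if tier < max_depth:
            queue.extend((s, tier + 1) for s in vendor.suppliers)
    return tiers


# Assumed keyword list: words that, next to a vendor name, suggest a
# compromise rather than routine chatter about the vendor.
BREACH_TERMS = ("breach", "dump", "leaked", "for sale", "credentials")


def _mentions(term, line):
    # Whole-word, case-insensitive match so "Acme" does not fire on "Acmeco".
    return re.search(r"\b" + re.escape(term) + r"\b", line, re.IGNORECASE) is not None


def scan_feed(lines, tiers, assets):
    """Emit one alert per (line, watched name).

    Vendor alerts also require a breach term on the same line.  Asset alerts
    (your own domains, hostnames, product names) fire on any mention, since
    those should not be showing up in such sources at all.
    """
    alerts = []
    for line in lines:
        breachy = any(term in line.lower() for term in BREACH_TERMS)
        for name, tier in tiers.items():
            if breachy and _mentions(name, line):
                alerts.append({"kind": "vendor", "subject": name, "tier": tier, "line": line})
        for asset in assets:
            if _mentions(asset, line):
                alerts.append({"kind": "asset", "subject": asset, "tier": 0, "line": line})
    return alerts


# Constructed vendor tree: two direct vendors, one of which outsources hosting.
DIRECT_VENDORS = [
    Vendor("Example HVAC Co"),
    Vendor("Example Chat Support", suppliers=[Vendor("Example Cloud Hosting")]),
]

# Constructed asset belonging to your own organization.
ASSETS = ["store-portal.example.test"]

# Constructed feed lines standing in for forum posts, pastes and news items.
FEED = [
    "forum: selling card numbers dumped from a retail POS network",
    "paste: Example HVAC Co credentials leaked, remote monitoring logins included",
    "chat: anyone have a contact at Example Chat Support? need a quote",
    "forum: Example Chat Support backend source dump for sale",
    "paste: Example Cloud Hosting admin credentials leaked",
    "news: store-portal.example.test customer records offered on a market",
]


def run():
    """Build the tier map and scan the constructed feed; returns both."""
    tiers = exposure_tiers(DIRECT_VENDORS)
    return tiers, scan_feed(FEED, tiers, ASSETS)


if __name__ == "__main__":
    tiers, alerts = run()
    for alert in alerts:
        label = "own asset" if alert["tier"] == 0 else f"tier-{alert['tier']} vendor"
        print(f"[{label}] {alert['subject']}: {alert['line']}")
```

Running it produces four alerts: two tier-1 vendors, one tier-2 (fourth-party) vendor that would never appear on a list of direct suppliers, and one mention of your own domain. The line that merely asks for a contact at a vendor produces nothing, which is the point of pairing a vendor name with a breach term: the alert should reflect a likely compromise, not every mention. A real deployment would replace the keyword list with the filtering of the threat intelligence tool in use and add deduplication and first-seen timestamps so repeated reposts do not page the same analyst twice.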
Monitor Online Brand Reputation
Regardless of whether a breach is an organization’s own wrongdoing or the fault of a third-party vendor, brand reputation will suffer once your customers catch wind of it. Customers are becoming increasingly concerned with how their data is used and shared, especially in online environments.
With threat intelligence tools, users can search the Surface, Deep and Dark Web for negative mentions of their brand. This allows organizations to stay informed about what their customers are saying after a breach and during potential lawsuits that may arise.
Better Security with Media Sonar
Media Sonar’s risk detection and threat intelligence platform can help companies detect and mitigate the risks of data breaches that stem from third-party vendors. Media Sonar’s platform allows companies to stay informed about breaches every step of the way, as shown in Figure 1. With safe access to the Dark Web, advanced filtering capabilities and custom alerts, companies can implement a more effective strategy to protect the assets that matter most.