With 2020 almost over (thank goodness!), we thought it would be a good time to look back on some of the more prominent third-party breaches of the year and lessons that might be gleaned from others' misfortunes. With third-party breaches from vendors and other outside entities rising while regulations and laws are enacted to extract ever greater penalties from such breaches, proper Third-Party Risk Management (TPRM) is more important than ever.
Yet, as obvious as it is from these successful hacks that continue to come through third-party access, many companies still aren't applying sufficient controls to prevent them. So let's take a stroll down memory lane at some of these events and see if there are any key takeaways.
Marriott
Marriott is first on our list because they are a repeat offender. They had a breach in 2018 via their Starwood merger. And in early 2020, they revealed that over 5.2 million customer records were exposed in a breach that potentially exposed names, birthdays, telephone numbers, and loyalty numbers of guests. This breach came from two employees of a franchisee whose login credentials for Marriott's corporate systems were compromised.
The cautionary tale here, besides the obvious "don't get hacked twice," is to keep close tabs on third parties who have access to your systems, even when they are a close, trusted partner like a franchisee. These organizations often don't have the same level of security as the parent corporation, yet they tend to be treated as insiders with system access and privileges.
A second lesson from this breach is for those unfortunate companies cleaning up from their first breach. You don't just want to fix the issues from the breach you just had; you also need to take it as an opportunity to do a top-to-bottom security review and revamp of all your security policies, procedures, and technology stacks. This way you can find the holes behind the future breach you haven't had yet and avoid it.
General Electric (GE) Breach
Near the beginning of 2020, GE suffered a breach via what most would consider a mundane, low-risk vendor: its human resources document management vendor, Canon Business Process Services. The breach included over 200,000 current and former employees' personal information, including benefits and personal health information (PHI). Document management technology has advanced greatly in recent years, evolving from stand-alone copiers to networked data collection devices connected to the cloud. These services are often a treasure trove of data, including sensitive internal communications, designs, and other intellectual property, and in this case, employees' personal data.
Unfortunately, vendors often do not get the same security scrutiny as internal servers and databases, even though they may hold the same information. This emphasizes the importance of proper vendor management, including inventorying all your vendors and third parties, no matter how minor or non-critical they may seem, to make sure that proper practices are in place to protect the data they handle.
Health Share of Oregon
This healthcare organization had a breach in 2020 via a laptop stolen from a contractor, Gridworks IC. Over 650,000 records containing patient Medicaid data were taken when the contractor's offices were burglarized and the laptop was taken.
This incident illustrates the need for good physical security at our third parties, especially when they take data offsite. Contractors are often given laptops to work on or data files to process at their own sites. A simple protection like full disk encryption (FDE) on every mobile computing device issued to vendors would have left the thief with an unreadable drive. And now that many internal employees are working from home on similar devices, FDE is considered a best practice for any data storage device that leaves the office.
Instagram, YouTube, and TikTok
This massive data breach (over 235 million records!) affected multiple social media giants, exposing users' usernames, contact and other personal information, pictures, and statistics about their accounts. The breach appears to have come from DeepSocial, a now-defunct social media data broker. They had apparently been violating the terms of service of these and other providers, resulting in Facebook and Instagram banning them. But unfortunately, it was too late for Instagram and the other social media companies caught up in the breach. And with the company out of business, the victims have little recourse.
Even though you might prohibit certain activities in your terms of service with vendors, realize that they may not follow them, either knowingly or via rogue employees. Also keep in mind that while you may have contract terms that place liability on your third parties if they suffer a breach of your data, if they go out of business, you are out of luck. You need to make sure you have sufficient insurance and contingency plans to handle all costs of a data breach without relying on third parties.
SpaceX, Tesla, Boeing, and Lockheed
Another multi-customer breach happened when these aerospace and auto companies had data exposed via Visser, a relatively unknown parts vendor. Technology providers service multiple customers, and if they are hacked, the bad guys can often exploit multiple client networks. The data breach included crucial schematics and designs in an industry that is highly competitive on innovation. These companies often deal with classified data, which can make them the targets of nation-state hackers with significant resources.
They know that exploiting smaller third parties is the way to get into these larger companies. This shows how third-party risk can have implications beyond just personal data, in this case, intellectual property and national security.
Expedia and Hotels.com
For our final illustrative example (there were many more third-party breaches in 2020 than we can list here), we come full circle to the hospitality industry with Expedia, Hotels.com, and other travel sites suffering a huge data breach via Prestige Software, a Spanish software developer that left over 10 million records from their large hotel booking website clients in a publicly accessible AWS S3 bucket. This is yet another example of a simple misconfiguration that left the companies scrambling to deal with the corporate wreckage that a data breach causes. Expedia and Hotels.com joined the club with Capital One, which had an AWS breach of 150 million records in 2019.
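The S3 misconfiguration above comes down to a bucket policy that grants access to an anonymous principal with nothing narrowing it, and a missing Block Public Access guard. The check below is an added example written for this post, not Prestige Software's configuration or any AWS tool's code: both policy documents and the Block Public Access settings are constructed, and the bucket name and account ID are placeholders. It flags the weak policy, accepts the corrected one, and shows why a Deny statement with Principal "*" (the TLS-only rule) is not a public grant.

```python
"""Audit an S3 bucket policy document for anonymous (public) access grants.

Constructed example: the two policies below are made up for this post, as are
the Block Public Access settings. The logic mirrors what AWS Access Analyzer
and Trusted Advisor report on: an Allow statement whose Principal is the
wildcard "*" (or {"AWS": "*"}) with no Condition narrowing it, unless the
bucket's Block Public Access setting RestrictPublicBuckets neutralizes it.
"""
import json

BUCKET_ARN = "arn:aws:s3:::example-hotel-bookings"   # placeholder bucket name

# Constructed "before": the misconfiguration that exposes every object.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadForBookingExports",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
    }],
})

# Constructed "after": read access only for one named role, plus a TLS-only
# Deny. The Deny also uses Principal "*" but grants nothing, so it is not public.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BookingAppReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:role/booking-app"},
            "Action": ["s3:GetObject"],
            "Resource": [BUCKET_ARN + "/*"],
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [BUCKET_ARN, BUCKET_ARN + "/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})

# Constructed bucket-level Block Public Access settings (all four real keys).
BPA_OFF = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
           "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
BPA_ON = {key: True for key in BPA_OFF}


def _is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def public_statements(policy_json: str) -> list:
    """Return the Sids of Allow statements granting unconditioned anonymous access."""
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    found = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        # A Condition (aws:SourceVpce, aws:PrincipalOrgID, ...) usually narrows "*".
        # This check deliberately skips conditioned statements; a full evaluator
        # would inspect the condition keys, since some (aws:Referer) are weak.
        if stmt.get("Condition"):
            continue
        found.append(stmt.get("Sid", "<no Sid>"))
    return found


def bucket_is_public(policy_json: str, block_public_access: dict) -> bool:
    """Effective exposure: a public grant exists and RestrictPublicBuckets is off."""
    if block_public_access.get("RestrictPublicBuckets"):
        return False   # public policy is present but not honored for anonymous callers
    return bool(public_statements(policy_json))


if __name__ == "__main__":
    for name, policy, bpa in (("weak", WEAK_POLICY, BPA_OFF), ("fixed", FIXED_POLICY, BPA_ON)):
        print(name, public_statements(policy), "public:", bucket_is_public(policy, bpa))
```

Running the script reports the weak policy's `PublicReadForBookingExports` statement and a public bucket, and nothing for the corrected policy. In practice the same logic is run against the output of `get-bucket-policy` and `get-public-access-block` for every bucket in an account, including the accounts of vendors who hold your data.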
The lesson to learn here is to make sure you understand which third parties your third parties are using to store and process your data. This is known as "Nth-party risk," where a breach can reach you through a vendor's vendor, or even a vendor's vendor's vendor, and so on. But at the end of the day, you are ultimately responsible for your clients' data, and if you don't put controls in place, both technical and contractual, to make your vendors secure their vendors, it can happen to your organization. The Data Protection Agreements (DPAs) required by GDPR and the Business Associate Agreements (BAAs) prescribed by HIPAA are examples of these protections. Another best practice is putting in place good, granular monitoring and audit capabilities for your third-party access so you can see suspicious activity by them and catch incidents before they turn into breaches.
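To make the "granular monitoring" point concrete, here is an added example (not from the original post or any product) of the kind of rule set a privileged-access gateway's logs can be run through. The vendor names, hosts, maintenance windows and log lines are all constructed, and the one-event-per-line key=value log format is an assumption. Each vendor has a profile of approved hosts and an approved access window; the analyzer flags access to an unapproved host, access outside the window, repeated failed logins, and any vendor that is not in the inventory at all.

```python
"""Flag suspicious third-party (vendor) access from a constructed access log.

Constructed example for this post: vendor names, hosts and log lines are made
up, and the log format (one key=value event per line, timestamp first, as a
bastion or vendor-access gateway might emit) is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timezone
import re

# Constructed vendor inventory: approved hosts and approved UTC hours
# (start inclusive, end exclusive). Anything not listed here is unknown.
VENDOR_PROFILES = {
    "hvac-co": {"hosts": {"bms-01"}, "window": (8, 18)},
    "docmgmt": {"hosts": {"hr-docs-01", "hr-docs-02"}, "window": (6, 22)},
}
FAILED_LOGIN_THRESHOLD = 3   # consecutive failures per (vendor, user, host)

# Constructed sample log.
SAMPLE_LOG = """\
2020-11-03T09:14:07Z vendor=hvac-co user=tech1 host=bms-01 action=login result=ok
2020-11-03T09:20:31Z vendor=hvac-co user=tech1 host=pos-db-01 action=login result=ok
2020-11-03T23:41:02Z vendor=docmgmt user=svc-scan host=hr-docs-01 action=login result=ok
2020-11-04T10:02:11Z vendor=docmgmt user=svc-scan host=hr-docs-02 action=login result=fail
2020-11-04T10:02:15Z vendor=docmgmt user=svc-scan host=hr-docs-02 action=login result=fail
2020-11-04T10:02:19Z vendor=docmgmt user=svc-scan host=hr-docs-02 action=login result=fail
2020-11-04T10:05:00Z vendor=docmgmt user=svc-scan host=hr-docs-02 action=login result=ok
2020-11-04T11:00:00Z vendor=unknown-llc user=x host=hr-docs-01 action=login result=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str):
    """Parse one log line into a dict; the timestamp becomes an aware datetime."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    event = dict(pair.split("=", 1) for pair in match.group("kv").split())
    event["ts"] = datetime.strptime(match.group("ts"), "%Y-%m-%dT%H:%M:%SZ") \
        .replace(tzinfo=timezone.utc)
    return event


def analyze(log_text: str) -> list:
    """Return (rule, vendor, host) alerts in the order the log produced them."""
    alerts = []
    failures = defaultdict(int)          # consecutive failed logins per key
    for raw in log_text.splitlines():
        event = parse_line(raw)
        if not event:
            continue
        vendor, host = event.get("vendor"), event.get("host")
        profile = VENDOR_PROFILES.get(vendor)
        if profile is None:
            # Access by a vendor nobody inventoried is itself the finding.
            alerts.append(("unknown_vendor", vendor, host))
            continue
        if host not in profile["hosts"]:
            alerts.append(("host_not_approved", vendor, host))
        start, end = profile["window"]
        if not start <= event["ts"].hour < end:
            alerts.append(("outside_window", vendor, host))
        if event.get("action") == "login":
            key = (vendor, event.get("user"), host)
            if event.get("result") == "fail":
                failures[key] += 1
                if failures[key] == FAILED_LOGIN_THRESHOLD:
                    alerts.append(("repeated_login_failures", vendor, host))
            else:
                failures[key] = 0        # a success resets the streak
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(*alert)
```

Against the sample log this yields four alerts: the HVAC vendor touching a point-of-sale database it was never approved for, the document vendor connecting at 23:41 UTC, three consecutive failed logins against hr-docs-02, and a vendor that is absent from the inventory entirely. The inventory being the source of truth is the point: if a vendor is not on the list, its access should be an alert, not a blind spot.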
In a study by BlueVoyant, 22% of respondents did not monitor their entire supply chain for good information security, and 32% did not reassess their vendors regularly to catch any issues and to integrate new vendors. This data is borne out by the increase in third-party related breaches this year. So if you are making plans for 2021, make a New Year's resolution to increase and improve your Third-Party Risk Management.
Tony Howlett is a published author and speaker on various security, compliance, and technology topics. He serves as President of (ISC)2 Austin Chapter and is an Advisory Board Member of GIAC/SANS. He is a certified AWS Solutions Architect and holds the CISSP, GNSA certifications, and a B.B.A in Management Information Systems. Currently, Tony is the CISO at SecureLink, a vendor privileged access management company based out of Austin, Texas.