theDocumentId => 1339617 Top Third-Party Data Breaches of 2020: Lessons ...

Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

12/7/2020
10:00 AM
Dark Reading
Dark Reading
Sponsored Article
50%
50%

Top Third-Party Data Breaches of 2020: Lessons Learned to Make 2021 More Secure

Learn from 2020's top third-party data breaches to make 2021 more secure by increasing and improving on your Third-Party Risk Management program.

With 2020 almost over (thank goodness!), we thought it would be a good time to look back on some of the more prominent third-party breaches of the year and lessons that might be gleaned from others' misfortunes. With third-party breaches from vendors and other outside entities rising while regulations and laws are enacted to extract ever greater penalties from such breaches, proper Third-Party Risk Management (TPRM) is more important than ever.

Yet, as obvious as it is from these successful hacks that continue to come through third-party access, many companies still aren't applying sufficient controls to prevent them. So let's take a stroll down memory lane at some of these events and see if there are any key takeaways.

Marriott Breach

Marriott is first on our list because they are a repeat offender. They had a breach in 2018 via their Starwood merger. And in early 2020, they revealed over 5.2 million customer records were exposed in a breach that potentially exposed names, birthdays, telephone numbers, and loyalty numbers of guests. This breach came from two employees of a franchise who had their corporate access to systems hacked.

The cautionary tale here, besides the obvious "don’t get hacked twice," is to keep close tabs on third parties who have access to your systems, even when they are a close, trusted partner like a franchisee. These organizations sometimes don't have the same level of security as the parent corporation, but yet tend to be treated as insiders with system access and privileges.

A second lesson from this breach is for those unfortunate companies cleaning up from their first breach. You don't just want to fix the issues from the breach you just had, but you also need to take this as an opportunity to do a top-to-bottom security review and revamp of all your security policies, procedures, and technology stacks. This way you can find the holes from the future breach you haven't had yet and avoid it.

General Electric (GE) Breach

Near the beginning of 2020, GE suffered a breach from what most would consider a mundane low-risk vendor with their human resources document management vendor, Canon Business Process Services. The breach included over 200,000 current and former employees' personal information including benefits and personal health information (PHI). Document management technology has advanced greatly in recent years, evolving from stand-alone copiers to networked data collection devices connected to the cloud. These services often are a treasure trove of data including sensitive internal communications, designs, and other intellectual property, and in this case, employees' personal data.

Unfortunately, vendors often do not get the same security scrutiny as internal servers and databases, even though they may contain the same information. This emphasizes the importance of proper vendor management, including inventorying all your vendors and third parties, no matter how minor or non-critical they may seem, to make sure that proper practices are in place to protect the data they handle.

Health Share of Oregon

This healthcare organization had a breach in 2020 via a laptop stolen from a contractor, Gridworks IC. Over 650,000 records containing patient Medicaid data were taken when the contractor's offices were burglarized and the laptop was taken.

This incident illustrates the need for good physical security for our third parties, especially when they take data offsite. Contractors are often given laptops to work on or data files to process at their site. Simple protections like Fixed Disk Encryption (FDE) for all mobile computing devices issued to vendors would have made this theft irrelevant. And now that many internal employees are working from home on similar devices, FDE is considered a best practice for any data storage device that goes offsite.

Instagram, YouTube, and TikTok

This massive data breach (over 235 million records!) affected multiple social media giants, exposing their usernames, contact and other personal information, pictures, and statistics about their account. The breach appears to have come from DeepSocial, a now-defunct social media data broker. They had apparently been violating terms of service of these and other providers, resulting in Facebook and Instagram banning them. But unfortunately, it was too late for Instagram and the other social media companies caught up in the breach. And with the company out of business, the victims have little recourse.

Even though you might prohibit activities in terms of service with your vendors, realize that they may not follow them, either knowingly or via rogue employees. Also keep in mind, while you may have contract terms that place liability on your third parties if they have a breach of your data, if they go out of business, you are out of luck. You need to make sure you have sufficient insurance and contingency plans to handle all costs of a data breach without relying on third parties.

SpaceX, Tesla, Boeing, and Lockheed

Another multiple customer breach happened when these aerospace and auto companies had data exposed via Visser, a relatively unknown parts vendor. Technology providers service multiple customers and if they are hacked, the bad guys can often exploit multiple client networks. The data breach included crucial schematics and designs in an industry that is highly competitive on innovation. These companies often deal with classified data which can make them the targets of nation-state hackers with significant resources.

They know that exploiting smaller third parties is the way to go to get into these larger companies This shows how third-party risk can have implications beyond just personal data, in this case, intellectual property and national security.

Expedia and Hotels.com

For our final illustrative example (there were many more third party breaches in 2020 than we can list here), we come first circle to the hospitality industry with Expedia, Hotels.com, and other travel sites suffering a huge data breach via Prestige Software, a Spanish software developer that left over 10 million records from their large hotel booking website clients in an exposed AWS S3 data bucket. This is yet another example of a simple software misconfiguration that left the companies scrambling to deal with the corporate wreckage that a data breach causes. Expedia and Hotels.com joined the club with Capital One, which had an AWS breach of 150 million records in 2019.

The lesson to learn here is to make sure you understand what third parties your third parties are using to store and process your data. This is known as the "Nth party risk," where a breach can come to you through a vendor's vendor or even a vendor's vendor's vendor, and so on. But at the end of the day, you are ultimately responsible for your clients' data and if you don't put in place controls, both technical and contractual with your vendors to secure their vendors, it can happen to your organization. The Data Protection Agreements (DPAs) required by GDPR and the Business Association Agreements (BAAs) prescribed by HIPAA are examples of these protections. Another best practice is putting in place good, granular monitoring and audit capabilities for your third party access so you can see suspicious activity by them and catch incidents before they turn into breaches.

In a study by BlueVoyant, 22% did not monitor their entire supply chain for good information security and 32% did not reassess their vendors regularly to catch any issue and also integrate new vendors. This data is borne out in the increase in third-party related breaches this year. So if you are making plans for 2021, make a New Year's resolution to increase and improve your Third-Party Risk Management.

Author Biography:

Tony Howlett is a published author and speaker on various security, compliance, and technology topics. He serves as President of (ISC)2 Austin Chapter and is an Advisory Board Member of GIAC/SANS. He is a certified AWS Solutions Architect and holds the CISSP, GNSA certifications, and a B.B.A in Management Information Systems. Currently, Tony is the CISO at SecureLink, a vendor privileged access management company based out of Austin, Texas.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-32788
PUBLISHED: 2021-07-27
Discourse is an open source discussion platform. In versions prior to 2.7.7 there are two bugs which led to the post creator of a whisper post being revealed to non-staff users. 1: Staff users that creates a whisper post in a personal message is revealed to non-staff participants of the personal mes...
CVE-2021-32796
PUBLISHED: 2021-07-27
xmldom is an open source pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module. xmldom versions 0.6.0 and older do not correctly escape special characters when serializing elements removed from their ancestor. This may lead to unexpected syntactic changes durin...
CVE-2021-32748
PUBLISHED: 2021-07-27
Nextcloud Richdocuments in an open source self hosted online office. Nextcloud uses the WOPI ("Web Application Open Platform Interface") protocol to communicate with the Collabora Editor, the communication between these two services was not protected by a credentials or IP check. Whilst th...
CVE-2021-34432
PUBLISHED: 2021-07-27
In Eclipse Mosquitto versions 2.07 and earlier, the server will crash if the client tries to send a PUBLISH packet with topic length = 0.
CVE-2021-20399
PUBLISHED: 2021-07-27
IBM Qradar SIEM 7.3.0 to 7.3.3 Patch 8 and 7.4.0 to 7.4.3 GA is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. IBM X-Force ID: 196073.