Posts

In today’s business world, companies are utilizing third-party vendors more than ever before. Naturally, these vendors have a higher level of access to internal systems (containing sensitive data and information) with hopes of increasing the efficiency of services rendered.

The 2018 Ponemon statistics show that at least 56% percent of organizations have experienced a data breach due to a vendor’s security shortcomings.

We’ve reviewed numerous research and media publications to better understand the impact third-party vendors play in companies information security. In this article, you`ll find:

  • The definition of a data breach
  • An overview of key statistics related to data breaches
  • An in-depth look at the top 7 vendor related data breaches to date

Buckle up, this is going to be an eye-opening ride!

The ever-growing reality of data breaches caused by third parties

First, it’s vital to define a data breach.

The term data breach refers to a confirmed incident, in which sensitive, confidential, or otherwise protected data has been accessed and/or disclosed to unauthorized third parties. Data breach exposures may involve personal information, intellectual property, trade secrets, and any other sensitive information.

Collaborating with third-party vendors as trusted partners, creates an increased risk of exposure to a potentially serious data breach. Surveying across diverse industries, the Ponemon Institute concluded that cybersecurity incidents related to third parties are increasing (see the figure below).

Cybersecurity Incidents are Increasing and difficult to manage

65 % of respondents say that it’s hard to manage cybersecurity risks associated with third-party vendors. Also, a significant number of respondents admit they are sharing sensitive data with third parties, while not truly knowing their security policies (see the figure below).

The third-party data breach statistics numbers don’t lie

The issue of vendor related data breaches is in constant flux. Numerous surveys have set out to explore the impact. Let’s review some of the key findings and highlights.

  • On average, Companies allow 89 vendors to access their networks weekly. (Bomgar survey)

The survey adds that 71% of respondents are expecting their companies to become more reliant on third parties in the next two years. In turn, this leads to growing security threats to both businesses and employees.

  • The number of data breaches related to third-party vendors has increased by 22% since 2015 (PwC survey)

PwC’s inaugural Digital Trust Insights survey exposes the growing problem and emphasizes the need for building lasting trust around data.

  • 74% believe that third-party vendor selection overlooks potential key risks, with 64% saying that their organization focuses more on cost than security when outsourcing  (Bomgar survey)

The report reveals that many businesses find costs more important than security; however, the authors of the survey argue that “the cost of not taking a potential threat seriously will be far greater than the cost of preventing third-party security risks.”

The numbers don’t lie: companies are impacted daily by breaches involving third-party vendors, threatening the financial stability and reputation of companies across all industries.

While the numbers are alarming and the threat is real, there are proactive steps you can take to be defensible. Why? Read to learn more.

The top 7 vendor-related breaches in history

After carefully examining a myriad of press releases, media and research publications, we compiled a list of some of the most noteworthy data breaches related to a vendor or a third-party. Our ranking considers factors like:

  • The scope of the breach.
  • The impact of the breach on the company and/or the compromised customers.
  • The nature of exposed data (financial and medical data, for instance, is more sensitive).
  • The recency of the incident.
Equifax Breach Meme

1. Equifax

When? 2017

What was leaked? The data ofapproximately 147 million consumers. The hackers accessed sensitive information like names, social security numbers, birth dates, addresses, and in some cases, driver`s license numbers, as well as the credit card numbers of about 209,000 US consumers.

Cost: A total cost of about $1.38 billion, according to the settlement documents (page 1) as quoted by The New York Times.

Vendor breached: The open-source software Apache Struts.

What happened?

Credit monitoring company Equifax reportedly discovered the breach on July 29 but waited for more than a month to warn its shareholders. The hackers exploited a vulnerability in the open-source software Apache Struts, which is a tool used for building web applications. Equifax used Apache Struts to support its online dispute portal – the place, where the company’s customers log issues with their credit reports.

As part of the settlement, you can file a claim to be compensated for the costs of recovering from the security breach — including any costs associated with the theft of your identity and freezing and unfreezing your account– and compensation of unauthorized charges to your banking accounts. The agreement caps payouts at $20,000 per person. Information about how to file a claim is available at Equifax`s website.

2. Target

When? 2013

What was leaked? The payment accounts of about 41 million customers and the personal details of around 70 million. Resulting in an estimated 110 million affected parties.

Cost: About $236 million in total expenses and more than 140 lawsuits filed against the company.

Vendor breached: A third-party HVAC vendor.

What happened?

According to the state`s investigation, the cyber attackers managed to access Target`s computer gateway by stealing credentials from a third-party HVAC vendor. These credentials helped the hackers exploit weaknesses in the company’s system, enter the customer service database, and install malware. The attackers accessed sensitive data such as full names, emails, credit card numbers, verification codes and more, as USA Today and other media outlets reported at the time.

The retailer had to pay an initial multi-state settlement of $18.5 million to cover state-specific costs associated with their investigations of the breach. Additionally, Target agreed to pay up to $10,000 to consumers who could prove their data was compromised.

3.  Home Depot

When? 2014.

What was leaked? The incident compromised the credit card data of roughly 56 million customers, as well as separate files containing approximately 53 million email addresses. An estimated 109 million consumers were affected.

Cost: About $179 million.

Vendor breached: The attackers used a Home Depot`s third-party vendor’s login credentials to install memory scraping malware on over 7,500 self-checkout POS terminals.

What happened?

According to Home Depot`s official announcement, the hackers used the username and password of an undisclosed third-party vendor to enter the Home Depot`s environment. Then, the cybercriminals acquired elevated rights that helped them deploy unique, custom-built malware on the retail company`s systems in the US and Canada.

The Target and Home Depot incidents expose two areas of information security that retailers generally struggle with. They often times have a lack of integration between inventory and internal systems, in addition to poor vendor risk management practices. Each data breach was successfully deployed by stealing third-party vendor credentials and RAM scraping malware, according to SANS research on the subject.

4. Marriott International

When? 2018.

What was leaked? Sensitive information including credit card details, passport numbers, names, gender, and dates of birth of roughly 500 million guest accounts.

Cost: About $72 million.

Vendor breached: The Starwood guest reservation database in the USA.

What happened?

Marriott International hotel chains, the parent company of prominent hotel chains like Sheraton, W Hotels, Westin Hotels, and Le Méridien, became aware of the massive hack on September 8, 2018.

The company received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the USA. Further investigations revealed that there had been unauthorized access to the Starwood network since 2014. The unauthorized party had reportedly copied and encrypted information before taking steps to remove it. Prior to being acquired by Marriot in 2016, Starwood was a third-party vendor used for booking reservations.

“We deeply regret this incident happened,” commented Arne Sorenson, Marriott’s President and Chief Executive Officer in Marriott`s press statement, which shed light on the breach.

The company was subject to several lawsuits for failing to protect its guests` accounts.

5.  Under Armour

When? 2018

What was leaked? Around 150 million MyFitnessPal accounts compromised. The leaked data included usernames, hashed passwords, and email addresses.

Cost: Not fully clarified yet. A consumer class action lawsuit was filed against Under Armour, which might face a number of legal claims or investigations by government regulators and agencies. The company may also be required to incur additional expenses to further enhance its data security infrastructure.

Vendor breached: The MyFitnessPal app, which was acquired in 2015 for $475 million.

What happened?

The vulnerability was introduced through the diet and fitness application MyFitnessPal. The app was acquired by Under Armour three years prior to the breach. On March 25, 2018, MyFitnessPal became aware that during February of the same year an unauthorized party acquired data associated with MyFitnessPal user accounts.

Under Armour`s data breach was one of the biggest of 2018, leading to a 4% drop in the company’s shares.

6. Saks, Lord & Taylor

When? 2018

What was leaked? Credit and debit card data of more than 5 million people. Most of the stolen cards were obtained from locations in New York and New Jersey.

Cost: Not fully clarified yet.

Vendor breached: The cash register systems at the Saks and Lord & Taylor stores in North America.

What happened?

A popular group of cybercriminals known as JokerStash managed to obtain the information by implanting a software into an unsecured point of in-store sale system.

The breach was initially reported by cybersecurity firm Gemini Advisory:

“Based on the analysis of the available data, the entire network of Lord & Taylor and 83 Saks Fifth Avenue locations have been compromised.”

The potential impacts of such breaches can be devastating for the reputation of both the parent company (Hudson’s Bay Co) and its subsidiary (Saks, Lord & Taylor). To mitigate such risks, companies need to ensure their divisions have received the necessary security awareness training.

7. Managed Health Services (MHS)

When? 2018

What was leaked? The personal data ofabout 31,000 plan members. The exposed information included names, insurance ID numbers, addresses, dates of birth, dates of service, and descriptions of medical conditions.

Cost: Not fully clarified yet. Managed Health Services has offered individuals affected in both incidents 12 months of free credit monitoring services. The organization has also invested in enhancing its email security and re-training staff on mailing processes and cybersecurity risks.

Vendor breached: The LCP Transportation vendor company (first incident). The second incident is attributed to a mailing mistake.

What happened?

Managed Health Services (MHS), the organization running the Hoosier Healthwise and Hoosier Care Connect Medicaid programs, admitted that personal data of about 31,000 plan members was accessed in two separate breaches.

The first incident was associated with a phishing attack at the LCP Transportation vendor company. The LCP employees received scam emails, allowing hackers to access their email accounts. In contrast, the second attack was attributed to a mailing mistake – notification letters of a future pharmacy change were sent to the wrong recipients, according to a publication published at Becker’s Healthcare.

Meanwhile, in Singapore, the Secure Solutions Group Pte. Ltd. (SSG) vendor was responsible for exposing the personal data of 80,000 blood donors, according to Info Security Magazine. These types of breaches remind us that medical records are a major target for attackers.

Are you still with me?

Let’s face it, the breaches that we have covered here are very large scale, involving enterprise-level companies, and may seem far removed from your business, but the potential risk is real and needs to be addressed. When it comes to hackers, there is a common misconception that only large companies are a target. Companies of all sizes are exposed to potential risk daily and it goes far beyond their internal systems

As we stated earlier vendors can be a vital piece of success for companies of all shapes and sizes, but they are also inadvertently responsible for the majority of the breaches that occur today. Taking all the necessary precautions to make your company defensible might seem like a daunting task, but we are here to help.

Food for thought

What are the measures that your organization currently takes to stay protected from potential vendor risks? Share with us in the comments below.

Securitystudio has taken a common-sense approach to information security and we are here to help your business identify potential risks. Feel free to reach out if you would like to have a conversation and learn more about improving your information security program.

free information security risk assessment tool

Most people are relatively aware of the Health Insurance Portability and Accountability Act (HIPAA). It was created to make sure that medical records of patients remain safe, and that the medical providers accessing them are doing their best to ensure that’s the case. When most people think of HIPAA, they often go right to medical providers and hospitals. It’s important to understand that dental providers are also expected to adhere to HIPAA requirements. However, being HIPAA compliant poses challenges for dental providers. Here are some of those challenges, and what dental providers can do to combat them.

Failure to Identify Your Dental Practice as a HIPAA “Covered Entity”

Covered entities are required to follow HIPAA requirements. A dental practice is considered a covered entity if it transmits an electronic claim, payment, etc. to a dental plan or on behalf of a dental practice. It’s very likely that your dental practice is a covered entity and should be considering HIPAA requirements.

Missing Business Associate Agreements (BAAs)

Outside people or entities often have access to patient records and information. If your dental practice works with third parties of this nature, it’s important that you’re keeping tabs on them. Third parties are often root causes of breaches and data exposure. Continuously review your third parties and be sure you have BAAs for them.

Security Policies and Procedures

Well thought out, written plans are needed to ensure that your practice stays in compliance. Your HIPAA compliance policy should clearly state the responsibilities of your office and each staff member in protecting your patients’ private health information. The policy should clearly outline how your office handles and remediates various kinds of security breaches.

Training

Training employees is a critical component to HIPAA compliance, even for dental practices. Once you have your policies and procedures in place, it becomes critical that you train your employees on them. If someone’s job is affected by a change in your HIPAA policies or procedures, provide training on the change within a reasonable time after the change becomes effective. Training employees will limit the risk of breach.

Texting and Email

HIPAA applies to emails and text messages sent to a patient, such as for scheduling or appointment reminders. HIPAA also applies to emails and texts sent to another provider about a referral, with diagnostic images, or to discuss treatment. Here’s the kicker—HIPAA applies when a dentist emails patient records or information from a work email account to a personal email account, even if the dentist is doing so simply to finish up work from home later that evening. While HIPAA doesn’t prohibit using email or text to communicate patient information, it is important it’s done the proper way.

Social Media

A restaurant is very likely to respond to a Yelp, Facebook or Google review to either appreciate what has been said, or try to take corrective action. Dental practices must be a bit more careful. It’s easy to respond in a way that violates HIPAA rules. Ensure you and your employees understand privacy rules before responding to your practice’s reviews.

Other Media

As photos or videos are being taken of a patient there is the possibility that other patients may be included inadvertently. These photos and videos are quite often shared through social media and this can compromise those patients’ privacy. In addition, staff members of the practice might be included in the photo or video and this violates their privacy. Be cognizant of what is going on in the background of your images and videos so you do not compromise patient information.

Reporting Breaches

Breaches happen. It can and will happen to anyone at any time. It’s crucial that you understand what you need to report, and when. Covered dental practices must report all breaches of unsecured protected health information to the Office of Civil Rights, as well as to individuals and, in some cases, to the media. The bottom line is, have a plan for what to do in case an incident does occur, because it certainly can.

How can you get a better understanding of these challenges, so you know how to avoid and face them? A cyber security assessment is a great tool to do that. Security assessments helps you identify where your gaps in security are. Once they’ve been identified, you can also use the assessment to develop action plans for improvement, meeting HIPAA regulations and proving to examiners that you have a strong data protection program. While there are many challenges as a dental provider to being HIPAA compliant and safeguarding patient information, getting a security assessment puts you on the fast track to understanding and preventing your patients’ data being compromised.

free information security risk assessment tool