16-11-2022, In some cases, organizations are required to trust third parties with their sensitive data, whether they are vendors, suppliers, or business associates. If one of these third parties were to experience a data breach, the sensitive data they have access to (or store) could be exposed to the public and even malicious actors.
According to a report published in 2021 called A Crisis in Third-party Remote Access Security, by the Ponemon Institute, 51% of businesses have suffered a data breach caused by a third party, and the majority of these breaches were the result of them being given too much-privileged access.
It’s worth noting that this number could actually be higher, as some third parties may try to conceal data breaches from their clients, especially if they lacked the security controls necessary to keep their data secure.
The report also states that 65% of organizations have not identified the third parties that have access to their most sensitive data, and 54% of organizations do not have a complete list of all the third parties that have access to their network.
Examples Of Famous Third Party Data Breaches
Third-party data breaches probably occur every day, although in most cases, they are inconsequential. Some, however, can affect government agencies, universities, hospitals, and large corporations. In these cases, the consequences are more severe. Below are the four biggest third-party data breaches we’ve seen in the last couple of years:
Third party: Click Studios
Passwordstate, a business password manager owned by an Australian company, Click Studios, was compromised between April 20th and 22nd, 2021. The attackers exploited a vulnerability in the app’s update mechanism to spread malware to its users. Passwordstate is used by approximately 370,000 security and IT professionals, although it is unclear how many of those customers were affected by the breach. Click Studios advised their customers who installed the update to change their passwords immediately.
Third party: Elekta
The Cancer Centers of Southwest Oklahoma suffered a data breach after protected health information (PHI) belonging to roughly 8,000 cancer patients was accessed without authorization. The breach originated from third-party cloud storage provider, Elekta, and included personal information such as names, Social Security numbers, locations, birthdays, as well as information about cancer diagnoses and treatments.
Third party: Accellion
Accellion’s File Transfer Application (FTA), which is used to transfer large sensitive files within a network, was compromised in January 2021. The attack affected roughly 30 organizations, including The University Of Colorado, Standford University, Washington State, The Reserve Bank of New Zealand, etc. The attackers exploited flaws in the FTA software resulting in the exposure of Social Security numbers and financial information.
Third party: Unknown
Aramco, the Saudi Arabian oil company, had one terabyte of data stolen from third party contractors. This data included employee names, phone numbers, photos, passport copies, email addresses, and more. The attack was allegedly carried out by the hacking group, ZeroX, who offered Aramco the chance to have the stolen data deleted for $50 million, otherwise, it would be sold on the dark web for $5 million. Aramco didn’t provide information about the breached contractor(s).
Best Practices to Prevent Third Party Data Breaches
Given that data security is a huge topic, a full guide on how to prevent data breaches is beyond the scope of this article. Instead, let’s go through some of the simplest and most effective ways to prevent third-party data breaches:
Carry out third-party risk assessments?
Carry out a risk assessment of any third parties who have access to your sensitive data. You will need to communicate with your vendors, suppliers, and business associates in order to get access to the information you need. If they are unwilling to cooperate, you may be better off severing ties with them. You will need to ensure that they take risk management seriously and are allocating a sufficient amount of resources to their risk management program. Ask to see information about their own risk assessments, supply chain risk mitigation strategy, compliance frameworks, and any other relevant information. If possible, periodically review their cybersecurity program to evaluate the effectiveness of their security posture.
Enforce “least-privilege” access
As mentioned previously, most third-party breaches are caused by giving third parties too much access to sensitive data. As such, it is imperative that you adhere to the least-privilege access model, whereby users are granted the least privileges they need to perform their role, and these privileges should be frequently reviewed and revoked when they are no longer required.
What To Do When You Become the Victim of a Third-Party Data Breach
In the event of a data breach involving a third party, you must first determine the scope and impact of the breach, as this will help you plan your next steps. Below are some of the steps you may have to take if a large amount of sensitive data has been exposed.
Mobilize your breach response team
You will need to act swiftly to mobilize your breach response team to prevent further data loss. They will need to patch any vulnerabilities, change passwords, secure or lock down the affected systems, and so on. You will also need to contact the relevant authorities and forensics professionals for more information about how/when to get your systems back online.
Find and remove any leaked/stolen information
If any sensitive data was exposed to the public, it must be removed immediately. Since search engines “cache” copies of your website, you may need to contact them and ask them to remove those copies. Your security team should spend some time conducting Google searches to find copies of sensitive data on other websites. You should also speak with all individuals who were involved in, or observed the breach, in order to determine the cause.
Execute your incident response plan
All companies who handle large amounts of sensitive data should have an incident response plan (IRP) in place, and this plan should be executed in the event of a third-party data breach. The plan should include information about the roles, responsibilities, and activities that need to occur in the event of a security incident, and all employees must be aware of the plan, and know who to contact to report suspicious activities.
Alert the necessary parties
You will need to notify the relevant authorities, organizations, and affected individuals about the breach, and the procedure for doing so should be documented in the IRP. You will need to check the state and federal laws and regulations for any requirements that apply to your company. For example, regulations such as the GDPR have breach notification requirements, which must be adhered to in order to avoid costly fines and lawsuits.