Top Third-Party Breaches of 2018 (So Far)
We’re only halfway through 2018 and third-party breaches continue to dominate the headlines. It may not be surprising that third-party breaches are now the most expensive incidents for both enterprises and SMBs. This year, the average cost of a data breach has reached $120k for SMBs, 36% higher than 2017 ($88k). For enterprises, the average impact of a breach is up to $1.23 million — a 24% increase since last year (DARKreading).
While the trend continues, let’s take a look at some of the biggest breaches we’ve seen this year…
Saks Fifth Avenue and Lord & Taylor
(Hudson’s Bay Company) | Exposed records: 5,000,000 | Reported April 2018
A well-known ring of cybercriminals obtained more than five million credit and debit card numbers from customers of Saks Fifth Avenue and Lord & Taylor by implanting software into an unsecure point of sale system in-store, siphoning card numbers and information since May of 2017.
CyberGRX CEO and Founder, Fred Kneip, weighed in on the hack: “The Lord & Taylor/Saks Fifth Avenue breach shows how the parent company bears the reputational impact of breaches at its subsidiaries just like a company does when its vendors are breached. Companies need to consider their divisions as part of their third-party ecosystems. This includes understanding the effectiveness of key controls such as security awareness training to mitigate phishing attacks, as well as vulnerability management of point-of-sale systems. This breach illustrates that both are weak links within third-party ecosystems that hackers will exploit.”
BestBuy, Sears, Kmart, Delta
Exposed records: unknown | Reported April & May 2018
Electronics, home goods, mom jeans, and air travel — these companies don’t have much in common — except for a big weak link. [24]7.ai, a chat and customer services vendor for many brand names, was hacked via malware, compromising credit card information, addresses, CVV numbers, card expiration dates, and other personal data across multiple customer groups. Hundreds of thousands of customers were affected per company hacked.
“[These] breaches illustrate how intertwined our ecosystems are. If our attack surfaces are connected, our mitigation strategy should be too, and that means we need to start collaborating with each other more,” Fred Kneip commented.
Corporation Service Company
Exposed records: 5,678 | Reported May 2018
Hackers stole personal information of over 5,600 customers of CSC, a company that provides domain registration services and acts as an agent for service of process for clients — some of which are Fortune 500 firms. A routine security monitoring detected unauthorized access to its network via a third party who stole a database table from the network that contained confidential data on CSC’s clients (SC Media).
“The Corporation Service Company breach is another in a long line of examples of hackers accessing sensitive data through vulnerable third party. CSC collects personal information on behalf of its clients, including some of the biggest companies in the world, and it’s those clients’ reputations that are on the line when CSC gets hacked. Large enterprises that interact with thousands of third parties need to start paying closer attention to the security controls of the vendors, contractors, suppliers and customers in their digital ecosystem.” — Scott Schneider, Chief Revenue Officer of CyberGRX.
MyFitnessPal
Exposed records: 150,000,000 | Reported February 2018
A business unit of Under Armour, MyFitnessPal was hacked earlier this year, sending Under Armour shares down 3%. Approximately 150 million user accounts were hacked, with user names, email addresses and scrambled passwords all stolen (Reuters).
With Under Armour’s addition of MyFitnessPal, their already complex digital ecosystem grew, and a vulnerability was introduced through the acquired business unit. Though many third-party breaches involve vendors, suppliers, or even partners, it’s just as severe when a hack is introduced this way. Regardless of where the weakness was, Under Armour took the financial and reputational hit, much like Hudson’s Bay Company.
“As companies continue to evolve into increasingly interconnected networks, including subsidiaries, affiliates, suppliers and vendors, the importance for ensuring appropriate levels of security at every node is all the more critical.” -Fred Kneip, CEO and Founder, CyberGRX
Universal Music Group
Exposed records: Unknown | Reported June 2018
A Universal Music Group contractor left data exposed when they failed to protect an Apache Airflow server. Everything in UMG’s cloud data storage — provided by a contractor — was exposed to the open internet. This included internal file transfer protocol (FTP) credentials, AWS Secret Keys and passwords, and the internal and SQL root password (Threatpost). That’s a lot of confidential information.
Bryan Gale, Chief Product Officer at CyberGRX, commented: “The amount of damage a single contractor with lax security controls can do is staggering. If you don’t believe that, just ask Target and the HVAC contractor that led to that infamous breach. Universal Music Group interacts with thousands of third parties on a daily basis, and it only took one — a contractor who forgot to password protect an Apache Airflow server — to leave the keys to the kingdom exposed. We will continue to see these types of breaches until organizations start prioritizing third-party risk management and actively maintain ongoing visibility into their ecosystem.”
Applebee’s
Exposed records: Unknown | Reported January 2018
Malware was discovered on point of sales systems at more than 160 Applebee’s restaurants, exposing credit card information collected from unknowing diners.
Our CEO, Fred Kneip, weighed in with Threatpoast, stating, “We’re seeing more of these types of breaches happening… it’s an industry wide problem as more retailers look to an ecosystem of providers to bring in third party systems like point of sale and inventory management solutions. As of today a lot of stores are playing catch up with security, and it can take months or years to realize that compromises have happened on third party systems.”
Chili’s
Exposed records: Unknown | Reported May 2018
Much like Applebee’s, Chili’s suffered a point of sale malware breach this year. Payment card data, including names and credit or debit numbers, were collected via malware. The investigation is ongoing to date.
“There is a growing awareness of the threat to the vendor supply chain. Although Chili’s itself may implement best-in-class security, they must also ensure that their vendors do the same,” commented Bryan Gale, Chief Product Officer of CyberGRX.
MyHeritage Genealogy Site
Exposed records: 92 million | Reported June 2018
A security researcher recently found an archive on a third-party server containing personal details of over 92 million MyHeritage users. The data ranged from hashed passwords to emails, luckily not payment information or — you guessed it — DNA test results.
MyHeritage reported that it uses third-party payment processors for financial operations, meaning payment data was never stored on its systems, while DNA test results were saved on separate servers from the one that managed user accounts.
The MyHeritage incident marks the biggest data breach of the year, and the biggest leak since last year’s Equifax hack (BleepingComputer).
As businesses grow, they turn to third parties to provide specialty services — expanding and complicating digital ecosystems. While outsourcing can alleviate business problems and needs, it often comes with risk. A larger ecosystem creates more possibilities for a hacker to break through — and all it takes is one single vulnerability of a trusted vendor to gain access to a plethora of your organization’s and your customers’ sensitive data — maybe even the make-up of your very own DNA. Unless our approach to risk management changes, we will continue to see an increase in third-party attacks.
Scott Schneider said it best: “The interconnected nature of our digital ecosystems is a great thing for facilitating the flow of business, but unfortunately there’s a flip side… Too many organizations think that their responsibility to safeguard data ends where their network does despite mountains of evidence to the contrary… It’s not a matter of a few simple steps. Organizations need to fundamentally change the way they approach managing third-party risk, and that means more collaboration” (Threatpost).
