Data Breaches and Managing Third-Party Risks

Data breaches are a serious problem for organizations across the globe. In a recent survey from the Ponemon Institute, 53% of organizations were found to have experienced at least one data breach where a third party was at fault.What’s more, the average cost of a third-party data breach is $7.5 million. The problem is clear: companies are using a trust model. Asking vendors to fill out pages of questions that are nothing more than a series of check boxes and not verifying that their controls are in place leads to disaster.

We believe in a trust and verify model.

6 Steps to Better Cyber Vendor Risk Management with RiskQ

1. Identify Your Third-Party Regulations & Requirements

With RiskQ, you can get confidence in your cyber risk management program. Vendors are not the same, so carry out effective risk management of third-party vendors. Identify cybersecurity assessment regulations, and ensure vendors have policies and procedures in place. With our integrated solution, you can save thousands.

2. Assess Vendors by Type

Different vendors must be identified and assessed, including cloud service, system, and technology. Use RiskQ’s out-of-the-box assessments to measure cyber risk based on the type of third party.

3. Automate Evidence Collection

We make it easy to get compliant with all third-party regulations thanks to our step-by-step guidance, so you can provide vendors with consistent requirements and ensure they can upload evidence into a single-source-of-truth solution. With RiskQ, there is no need to reinvent the wheel.

4. Prioritize Vendor Assessments

RiskQ prioritizes vendor assessments that your team should tackle by using objective financial exposure analysis.

5. Audit Vendor Evidence

Using the RiskQ audit functionality, you can ensure seamless communication between IT, auditors, legal, and vendors and make sure vendors provide sufficient evidence. By connecting RiskQ, you can ensure vendors demonstrate evidence of security requirements.

6. Use Continuous Control Monitoring to Stay Secure

RiskQ provides continuous security monitoring so you can demonstrate continuous compliance with your third-party security requirements. Cut costs and move away from point-in-time assessments with your consulting companies, and instead get maximum security via continuous monitoring.

RiskQ Reports Demonstrate Third-Party Cyber Risk Compliance

With RiskQ, you can ensure all third parties meet their obligations to protect data. Using automated compliance reports, you can show regulators the effectiveness of your third-party cyber risk management program. We make it easy to provide auditors and regulators with access to secure reports.

For everything related to third-party cyber risk management, use a single source of truth. Then as your business scales up and your vendors grow, you can enjoy peace of mind knowing that, when it comes to compliance, RiskQ has always got you covered.

RiskQ’s Automated Vendor Risk Management Software

Optimize Vendor Data Loss Prevention

RiskQ financially quantifies vendor exposures and provides an end-to-end third-party cyber risk management program for your business. We identify gaps in your cybersecurity program that can cripple your organization, allowing risk practitioners to massively improve information protection. Leveraging RiskQ empowers organizations to rank risky vendors, isolate extraordinary exposures, and lower vendor risk.

Trust and Verify Vendors

Advanced capabilities allow for prioritization of vendor risk reduction, enabling identification of risky behaviors that represent problematic security postures to prioritize identification and automate remediation steps. Our centralized analytics also offers visualization and tracking of key metrics to support larger data security and business initiatives.

Third-Party Cyber Risk Management Programs: Who needs them?

Many businesses need to comply with third-party requirements in the United States. For example:

  • Healthcare companies need to comply with HIPAA and Business Associate requirements.
  • Companies processing credit card data need to comply with PCI third-party cyber risk requirements.
  • Financial services companies that operate in New York State must comply with NYSDFS Part 500 third-party cyber risk requirements.
  • Many companies must comply with GDPR, CCPA, and VDCPA. All these regulations have third-party cyber risk requirements.

First, Second, Third, & Fourth Parties: What is the Difference?

Knowing the difference between first, second, third, and fourth parties is important.

First Party —This is your actual company and for assessment purposes includes all the digital assets you have on the premises.

Second Party —These are your members or customers. When it comes to risks, they can access your systems and have contact with your digital assets.

Third-Party —This is a person or institution you outsource work to in terms of goods and services. There are four different kinds: Cloud Service Provider, Service Provider, Technology Provider, and System Provider. Any third-party vendor can be one or more of these.

Fourth Party —Third-party vendors also outsource to other vendors. In this case, you are responsible not only for what your vendor does but also for what its third-party vendors do. The more third-party vendors it has, the greater the risks for you.

Defining the Risks of Third Parties

The risk is that third-party vendors with access to sensitive data can put your firm at risk of data breaches. Vendors that perform essential business services or interact with customers can also present a reputational risk to your firm. Below is a list of top breaches over the past four years related to third-parties.

Top Third-Party Data Breaches from 2021

Accellion
Cybercriminals exploited vulnerabilities in Accellion’s File Transfer Appliance, which is used to move large and sensitive files within a network. Data exposed included Social Security numbers and banking information. Victims include the Reserve Bank of New Zealand, the state of Washington, grocery chain Kroger, the University of Colorado, cybersecurity firm Qualys, and many more.

Volkswagen
Audi notified Volkswagen Group of America, that unsecured data was available on the Internet almost two years and had been accessed by an unauthorized party. Over 97% of the breach were Audi customers and prospects. The breach affected 3.3 million customers. Exposed data included Social Security numbers and loan numbers.

Click Studios
Click Studio’s enterprise password manager Passwordstate had a breach and advised all customers to reset all passwords in their Passwordstate database. Cybercriminals exploited the application’s update mechanism and inserted malware to all their customers. Passwordstate is used by over 370,000 security and IT professionals at 29,000 companies worldwide.

Cancer Centers of Southwest Oklahoma
Elekta, the third-party cloud-based storage provider of Cancer Centers of Southwest Oklahoma, discovered unusual activity on its network which resulted in unauthorized access to PHI data of 8,000 oncology patients. Information leaked included names, Social Security numbers, addresses, birthdays, and intimate details about medical diagnoses and treatments.

Kaseya
This issue became a red not one when it was relieved that Kseya was attacked by the REvil ransomware group which had exploited a vulnerability in Kaseya VSA. REvil demanded a $70 million ransomware payment. Kaseya is a remote monitoring and management software platform. Kaseya shut down access to its on premise and cloud servers to prevent further damage to its customers. Up to 1,500 companies worldwide were affected.

Largest Third-Party Breaches in 2020

Here we’ll take a look at some of the biggest data breaches that occurred in 2020.

Instagram
In 2020, Instagram suffered two large data breaches. The first one was blamed on Social Captain, a boosting service influencer use to boost their likes and follower numbers. Users must enter their Instagram usernames and passwords to access the service. In this case, thousands of passwords and usernames were in plaintext, posing a significant risk.

TechCrunch reported that users who viewed the web page source code on their Social Captain profile pages could easily access their Instagram usernames and passwords if they connected their account to the platform. TechCrunch was alerted to the vulnerability by an unknown security researcher. They provided a spreadsheet containing 10,000 user accounts that had been scrapped. This led Instagram to announce that storing login credentials in plaintext breached its terms of service.

It said it was “investigating” and would “take appropriate action.” It encouraged people to “never give their passwords to someone they don’t know or trust.”

Amedicanna Dispensary, Bloom Medicinals, and Colorado Grow Company
Cyber issues caused problems for Amedicanna Dispensary, Bloom Medicinals, and Colorado Grow Company in 2020. Due to THSuite, a point-of-sale software vendor, records of 30,000 marijuana users were exposed by a vulnerable Amazon S3 bucket.

Bloom Medicinals is a medical marijuana dispensary based in Ohio. It also runs five shops. As a result of the breach, it notified its patients, which HIPAA requires.

AmediCanna Dispensary, which is based in Maryland, and Colorado Grow Company, two other dispensaries, were also affected by the same Amazon issue. Personal details, including medical ID numbers and the quantity and variety of cannabis, were exposed.

In addition, employee and government IDs were breached. The companies may be fined for HIPAA violations, and the Ohio Attorney General is exploring the revocation of operating licenses awarded by the state.

Largest Third-Party Breaches in 2019

Third-party breaches in 2019 cost twice as much as normal breaches on average. In addition, problems suffered by organizations included negative impacts on their reputation, and their stock prices were sometimes affected.

The cost of failing to evaluate third parties effectively is on average over $13 million.

Quest Diagnostics
In June 2019, close to 12 million patient records were reported lost by Quest Diagnostics.

The problem? An unauthorized user gained access to data from the American Medical Collection Agency (AMCA), a third-party billing collections vendor.

The hacker remained in the system from August 2018 until March 2019, and significant amounts of data were stolen, including social security numbers, credit card numbers, and bank account data.

U.S. Customs & Border Protection
In June 2019, US Customs & Border Protection announced that 100,000 records had been exposed. This was due to hackers breaching a database that contained data, including photos of travelers’ faces and license plates.

A compromised subcontractor’s network caused the problem, and the data included personal data, department files, investigation records, internal communication records, and system credentials.

The data was then publicly exposed via an open storage server belonging to the Oklahoma Department of Securities. Any IP address could access the database and download any files stored on the server.

Facebook
Facebook, the largest social network, suffered not one but two breaches in one month during April 2019. During these breaches, an enormous 540 million records were stolen.

App developers that provide third-party apps and programs were responsible for the breaches. One of these was Cultura Colectiva, a Mexican company, which left over 540 million records on a server accessible by the public, including comments, user IDs, and account names.

The second was Pool, who left email addresses and passwords of 22,000 users in plaintext, meaning they were not protected.

Focus Brands Inc.
Focus Brands Inc. is a restaurant franchising group, and it revealed that it suffered data breaches during 2019 at Schlotzsky’s, Moe’s Southwest Grill, and McAllister’s Deli.

When the Point of Sale (PoS) vendor was hacked, it left the payment information of customers vulnerable between April and July 2019.

Government Breaches
It’s not just private organizations that suffer from data breaches. In 2019, a third-party service provider leaked about 750,000 applications for birth certificates of US citizens.

These applications were discovered on an AWS cloud platform and were available to the public without any protection.

The data was particularly sensitive, including names, home addresses, phone numbers, and dates of birth of people residing in New York, Texas, and California.

The exposed database goes back as far as 2017, according to Fidus Information Security. The third party who was responsible obtained death certificates and birth certificates.

Data like this can be gathered using phishing campaigns, and the data is often sold on the dark web. Vulnerable AWS buckets are a common configuration mistake, and many of these are managed by third parties.

Regus
Regus, owned by IWG, saw records of over 900 employees published online following a breach. It occurred after the company assigned a mystery shopping business for an on-site audit.

Applause, the third party, reviewed Regus sales staff using pens embedded with cameras. Personal info, including names, contact details, addresses, and job performance details, were then accidentally published online in a Trello spreadsheet.

As a result of this breach, the companies might be fined by the Information Commissioner’s Office in the UK (ICO) under the GDPR.

Mercy Health-Lorain Hospital
Mercy Health-Lorain Hospital is a healthcare group in Ohio, and in January 2020, it notified patients regarding a data breach.

RCM Enterprise Services was responsible, a third-party vendor providing revenue cycle management services. Patients were mailed medical invoices, but it was found that these included social security data.

Mitsubishi Electric
In June 2020, Mitsubishi Electric confirmed that it had suffered from a data breach at the start of the year.

This came to light when security engineers noticed suspicious activity on the company network. Further investigation found that unauthorized third parties might have accessed the network and that personal and corporate information might have been leaked.

Apparently, a hacker group in China accessed the network of a subsidiary company of Mitsubishi, then laterally moved into systems in the company’s Japan offices. It is not yet clear whether any sensitive data related to government defense contracts or business partners have been stolen.

Japanese newspaper Asahi Shimbun suggested that the hackers accessed data on negotiations, joint projects, and research documents of over ten government organizations, as well as data from private-sector companies in telecommunications, auto, power, and railway industries.

BlueBear
BlueBear is a network platform providing accounting and management software to schools and districts in the United States. In 2020, it was announced that it had been breached during October and November 2019.

Personal information, including card numbers, names, and passwords, may have been stolen from parents who used it to buy supplies or pay school fees.

P&N Bank
P&N Bank in Australia advised its customers that it had experienced a data breach where sensitive information could have been exposed.

The breach was a result of its CRM platform, which was operated by a third party, and exposed information including names, contact details, ages, account numbers, and more.

The attack’s exact details are unknown, but it is thought that access to the CRM occurred on December 12 during an upgrade. The system was shut down immediately as soon as the breach was discovered.

Largest Third-Party Breaches in 2018

Enterprises and SMBs suffer when it comes to third-party breaches, which are the most expensive kind of incidents for them. In 2018, each data breach cost SMBs an average of $120k, up on 2017 from $88k.

For enterprises, the average total impact of a data breach was $1.23 million, according to Dark Reading, which is up 24% compared to 2017.

Read on to find out about some of the largest data breaches to occur in 2018.

Saks Fifth Avenue and Lord & Taylor
In April 2018, it was reported that Saks Fifth Avenue and Lord & Taylor suffered a breach that exposed over 5 million records.

Cybercriminals obtained credit and debit card numbers via software in an insecure point-of-sale system. They managed to extract information going right back to May 2017.

This is a clear example of how the parent company suffers reputational damage when its subsidiaries are affected by a breach. It’s so important for companies to treat their divisions as extensions of the organization. Hackers will often exploit the interconnectivity between the parent organization and subsidiaries, as was the case here.

BestBuy, Sears, Kmart, and Delta
In April and May 2018, data breaches were reported at BestBuy, Sears, Kmart, and Delta. What was the weak link they all had in common? [24]7.ai, a vendor of chat and customer services, was hacked.

This compromised information, including credit card data and addresses of customers, and customer records in the hundreds of thousands, were stolen.

It’s important to understand how digital assets are interconnected and understand who is responsible for maintaining their security.

Corporation Service Company
Corporation Service Company reported in May 2018 that it had suffered the theft of nearly 6,000 records via a breach.

CSC is a domain registration service provider, and hackers stole information from Fortune 500 clients. Unauthorized access by a third party was detected during a routine security monitoring, according to SC Media.

A cyber risk program is essential to avoid such breaches when organizations provide sensitive data to vendors. Many large enterprises have hundreds of thousands of third parties in their ecosystems.

MyFitnessPal
MyFitnessPal is a subsidiary of Under Armour, and in February 2018, it announced that it had lost over 150 million records after user accounts were hacked. Email addresses, usernames, and scrambled passwords were stolen.

With growth through acquisition being a common strategy, organizations must consider the cyber risk presented by each new acquisition because the parent company owns that risk.

Universal Music Group
Universal Music Group was hacked in June 2018. It is thought that a contractor did not protect an Apache Airflow server, leaving data exposed, according to Threatport, which exposed everything on the company’s cloud data storage. Passwords, AWS Secret Keys, and FTP credentials were all exposed.

This shows how damaging a contractor with a lack of security can cause a company. Knowing which digital assets the contractors use to improve security and lock down the most sensitive areas is essential. This type of breach will continue until organizations monitor third parties more carefully.

Applebee’s
Applebee’s was reported to be hacked in January 2018. At over 160 of its restaurants, malware was discovered on POS systems, according to threatpost. This led to the exposure of credit card information.

POS service providers have been a weak link for many retailers, which use them to process card data. Cybersecurity programs for retailers are often immature, and third-party programs don’t even get on their radar.

Chili’s
Another POS attack affected Chili’s in May 2018. During this attack, data was stolen, including credit card numbers and names.

Events like this clearly show the need for prioritizing supply chain cybersecurity because many companies outsource these services.

MyHeritage.com
Nearly 100 million accounts were breached at MyHeritage.com in June 2018. An archive was discovered by a security researcher on a third-party server containing users’ details, including DNA test results.

MyHeritage.com stored the DNA test results on different servers to the ones managing user accounts. It was the largest data breach of the year, according to BleepingComputer.

Different Types of Third Parties

It’s important to look at third parties in context. For example, there is a big difference between a cloud service provider and a management consultant.

Cloud service providers, for example, are third-party companies that offer cloud-based platforms, applications, storage, and infrastructure services.

  • SaaS (software as a service) – This is a software licensing and delivery model where software is hosted centrally and licensed on a subscription basis.
  • PaaS (platform as a service) – These are used to develop and manage applications without the complex need to build and maintain the infrastructure required to launch an application.
  • IaaS (infrastructure as a service) – This is where instant computing infrastructure is managed online. The infrastructure is managed by a cloud computing service provider, and you manage your software.

It’s also important to know that most models referenced above provide data storage.

  • Service Providers – These are third-party organizations that provide different services to companies, including lawyers and accountants.
  • System Vendors – These third-party organizations provide technologies sold as systems.
  • Technology Vendors – These third parties sell technologies like frameworks, security tools, and databases.

Vendor Teams

These days, Cyber Vendor Risk Management is a discipline in its own right. It is particularly suitable if a centralized vendor or procurement team has responsibility for cyber risk.

Teams are made up of internal security assessors (ISAs), the legal team, owners, and the security team. Ideally, the project management team is the procurement team because they understand the requirements and what evidence will be acceptable.

The security team plays an important role in defining the requirements and making sure the vendor team understands them. Then the legal team reviews the contract.

After the risk assessment, the ISAs can review the evidence, and the results can be discussed with the vendor team. Finally, the business owner provides information on key functions and vendor requirements.

With our solution, your vendor teams have a framework they can use to launch your program or improve it.