Posted January 15, 2020
Third-party data breaches have been problematic for the better part of a decade. The infamous Target breach of 2013, for instance, only happened because the retailer’s network credentials were stolen from an authorized HVAC vendor. Tens of millions of people were affected, and Target lost hundreds of millions of dollars in the recovery process.
Now, nearly seven years later, third-party breaches have once again stolen the spotlight – but in a very different way.
The 2013 breach is seared in our memories because of its magnitude. But if you look at the scale of third-party data theft that occurred throughout 2019, there’s almost no comparison: 2019 was the year of the third-party data breach.
Putting Data Theft into Perspective
For context, the Target breach affected an estimated 60 million people, which is huge by most standards. But a quick glance at just a few of the largest third-party breaches this past year make it pretty clear that 2019 hads 2013’s number:
- DoorDash: 4.9 million people affected.
- American Medical Collection Agency (AMCA): 20 million people affected.
- Facebook: 540 million people affected.
Each of these breaches stemmed from intrusions that originated from third parties. And while each is larger than the last, the true worry is the frequency with which these breaches have occurred.
In fact, the uptick was actually documented late last year. A survey found that nearly 60% of companies in 2018 were the victim of third-party data breaches, which was a notable increase over the year prior.
Who Exactly Is Affected?
In the past six months, a slew of industry-specific news articles and columns have expressed concern about how their sector is being affected by the problem of vendor breaches.
For example, in July, research from Law.com found that, percentage-wise, external breaches – which includes third-party vendor intrusions – were the most common source of data exposure for law firms from 2007 to 2019.
Health care has also been hit hard. This summer, a U.S.-based medical billing company, AMCA, reported a hack that lasted from Aug. 1, 2018 until March 30, 2019. According to ZDNet, the incident led to theft of data from “corporate clients including Quest Diagnostics, LabCorp, BioReference Laboratories, Carecentrix, and Sunrise Laboratories.” The estimated number of affected Americans is now into the 20 millions. AMCA has since filed for Chapter 11 bankruptcy protection.
To be certain, this is hardly an isolated incident. Researchers estimate that by the end of year, data breaches will have cost health care $4 billion in 2019.
Other industries that have been heavily affected by third-party breaches include, but aren’t limited to:
- Retail and hospitality.
- Government agencies.
- Online service providers.
It makes sense that businesses would want to work with third-party vendors. Companies want to focus more on their core competencies while circumventing the expense of bringing supporting operations in house. But that can, and often does, come at the cost of a much larger network perimeter that is far more difficult to defend.
The ‘Ripple Effect’
Some third-party breaches are highly targeted. A hacker goes for a particular company in a direct effort to infiltrate one of that company’s clients.
Many others, however, are opportunistic.
Often, when an organization gets hacked, customer data is compromised. That compromised data, in turn, can lead to further compromise of other companies or individuals. Hackers are well-aware of this, which is why they often sell stolen data on the web.
A username and login for a particular business account, for instance, might also unlock another business account. Fraudsters will pay for the stolen credentials and then “stuff” them into as many online services as possible in hopes that the victim has used the same login information on multiple accounts.And it can keep going like this, in a chain whereby parties with four or five degrees of separation from the initial incident become affected. These subsequent compromises are known as “ripple events.” According to DARKReading, they can cost as much as thirteen times more than a single-party security incident.
Looking Into to 2020: What Can be Done?
Third-party breaches are clearly problematic, in terms of both their immediate and deferred impact on organizations. Solving these problems will require the right combination of expertise and technology.
Adopt zero-trust security architecture
For starters, more organizations need to adopt zero-trust security. Everything and anything on the network must prove its trustworthiness in real time. This is crucial for defending against third-party breaches that can spill over into your organization. It’s also valuable from an anti-phishing perspective. Analyzing login factors such as location and time of day can help determine whether a user is a hacker or a legitimate employee.
Offer employee cyber awareness training
Secondly, employee awareness and education can go a long way toward keeping employees from propagating the ripple effect of breaches. Something as simple as teaching workers to use a different login and password for every single account can help prevent credential stuffing that otherwise extends the scope of an intrusion. Training is also valuable for helping personnel spot suspicious emails from vendors that may be indicative of a compromise.
Use third-party risk monitoring resources
Finally, there’s the technology aspect to preventing third-party breaches. Most businesses typically lack visibility into vendor networks, which makes it harder to mitigate potential risks that originate within those third parties. Consequently, entire pockets of your threat landscape may as well be invisible to you.
In order to address this lack of visibility, LookingGlass scoutPRIME® enables always-on monitoring for tens, hundreds or even thousands of organizations that your company does business with. The data collected can be used to generate reports that enable you to make better decisions about how you manage vendor risk within your organization.
With 2019 nearing its end, there’s no better time than the present to start planning for how you can improve third-party risk management in the year ahead. Contact LookingGlass today to learn more about scoutPRIME.