Third-Party Security Breaches Sign of Growing Vendor Risk Problem
Third Party Breaches Continue to Remain in the Media
The long term effects of data breaches that have originated via third parties have the attention of executive boards of directors, but the C-level may not be as keen on dealing with the problem as you might think. These long term effects include: legal action from customers, damage to company reputation, costly post-breach remediation, and expensive forensic security services.
According to Booz Allen Hamilton, third parties are the number-one security risk to financial services firms in 2015. A new July report from PWC, however, shows that the C-level may not be as concerned about third-party risk as executive boards. The PWC “2015 US State of Cybercrime Survey” found the following results:
19% of CIOs are not concerned about supply-chain risks
Only 42% of respondents consider supplier risks
23% do not evaluate third parties at all
Most companies do not have a process for assessing security third-party partner capabilities before they do business with them
Third Party Breaches in July 2015
As part of our ongoing series to collect useful information and be a helpful resource in building the case for managing partner, supplier, and vendor risk more aggressively, we offer the following round up of news. PNI Digital Media and NoMoreClipboard continue to be specific event reminders of how the security of smaller organizations and lapses in security are affecting major retailers and hospitals, and the numbers of those affected continue to grow. The focus on stealing personally-identifiable information via third party systems continues to plague companies, and continues to receive media attention.
Walmart Canada’s Photocentre website www.walmartcanadaphotocentre.ca has been compromised and Walmart Canada is investigating the possibility that its domains had also been compromised. The photo center website is operated by a third-party vendor, PNI Digital Media, which was bought by Staples in 2014. A source close to the news publication site claims that the attack could have compromised 60,000 customers.
The PNI breach, which compromised the photo database of Walmart earlier last week, has spread to CVS. CVSPhoto.com has been taken down in regards to a possible breach of customer data from their website. Like the Walmart breach, it is not yet stated if CVS or Walmart databases were compromised through their photo center’s breach.
The Army National Guard reports that the data of 850,000 current members have been exposed due to an improper data transfer to a third party non DoD-accredited data center for a data analysis. Government institutions have “perfected poor security practices as an art form.”
The news said: “A spokesperson for the city said a data breach occurred through a third party company that runs the employee health center at 400 South 1st Street.” While not confirmed, SecurityScorecard noticed a NoMoreClipboard icon on the health center page for Louisville Metro. NoMoreClipboard continues to be in the news for a third party breach that has affected several health and medical centers across the MidWest, including some large hospitals in Indiana.
Roughly 13,000 email addresses were stolen from an Edinburgh City Council database after a security attack in late June. Attackers breached the council’s England-based service provider to gain access to the systems.
Service Systems Associate states that it was part of a databreach that compromised its POS systems. Zoos and Cultural Center gift shops in over two dozen cities are seen to have been affected by this breach, yet SSA has not disclosed particular company names that have been compromised.
Big brand’s customers are targeted through a third party. The latest unfortunate victim is Expedia. Phishing attempts on customers occurred after customer data was stolen from an unnamed hotel partner.
29 Wineries affected by breach in Missing Link Networks. Originally, Sonoma Wineries was publicized as being breached, but a further analysis into it describes how many wineries had a breach of data
About 97% of mobile malware targets Android. Most malicious apps are hosted on third-party appstore repositories, marking that improper monitoring of third-party applications is a factor in both the real world and in mobile technology
Contractors account for 18% of serious UK Breaches. 3 million people are employed in temporary contract jobs today, which do provide conveniency but are a big IT risk with BYOD. Access to independent and third party contractors have to be limited and monitored when conducting business with them to make sure that your data stays safe.
Although US banks weren’t on the customer list of the Hacking Team breach, vendor risk management remains a huge concern. Due diligence is the key in ensuring the vendors that banks deal do not compromise the bank in the long run. If the vendor gets compromised, different state laws requiring notification of risky events would be a nightmare for banks to have to deal with.