2019 has been an instructive year for data breaches caused by a 3rd-party With an onslaught of regulations all around the globe, such as HIPAA, GDPR, and now CCPA coming into effect, data breaches and the following enforcements covered cyber security headlines. Here is a recap of third-party caused data breaches that hit the news in 2019.

We analyzed 66 major data breaches caused by third parties that are mentioned in the news in 2019. We asked questions as to whom, what third-party, and how, in search for the culprits behind a breach. Here are the top 5 use of a third party that caused a breach.

Online Payment Software is the champion in attracting hackers

Hackers gained access to credit and debit card information of citizens due to a flaw in the Click2Gov utility-payment software. Some of the incidents occurred in utility payment systems of City of Marietta, City of San Angelo, Pompano Beach City.

A cyber attack aiming on PayID, a third-party vendor of an Australia’s Westpac Bank, impacted almost 100,000 Australians’ and their personal information.

Takeaway:  The weakest link of the system is no longer the employees, but third-parties including software that use sensitive personal information.

Educational Platform Providers

  • The breach occurring at Chegg, a popular educational technology company serving George Washington University, affected thousands of the university’s community members’ information. Exposed data included usernames, passwords, and addresses.
  • A data breach occurring on the web platform AIMSweb 1.0, a tool used by educators around the globe affected tens of educational institutes and cascading about 600,000 students. The performance assessment tool is used by educators around the globe and operated by Pearson Clinical Assessment.

Takeaway: Consider the sensitivity level of personal information both residing in your organization and beyond the perimeter. Keep track of where your data extends!

Collections & Claim Processing for HealthCare

Healthcare is a major industry with different players in the ecosystem. Organizations outsource most of the services to third-parties such as collections and claim processing services. With HIPAA enforcement and fines hitting the news headlines, organizations need to be more careful about where PHI extends beyond their perimeters.

  • A breach that occurred at the American Medical Collection Agency (AMCA), affected the major healthcare companies that used AMCA’s services and eventually about 20 million Americans. AMCA’s breach led to the exposure of patient names, dates of birth, addresses, phone numbers, dates of service, providers, and balance information as well as credit card and bank information. 
  • Around 45,000 patients’ records were compromised at Rush Systems for Health due to a claim-processing third- party vendor. While medical history was not disclosed, patient names, addresses, Social Security numbers birth dates and health insurance information were exposed.

Takeaway: Take HIPAA seriously! Keep track of where your PHI data extends! Beware of your business associates (a.k.a third parties ) and revise your terms of agreements with these parties!

Website Scripts: The Malicious Ones

The famous British Airways and Ticketmaster breach increased attention to JavaScript vulnerabilities on web sites. The so-called “Skimming” or “Magecart attack” targeted finance-related data. British Airways is currently facing a £183M fine imposed by UK’s GDPR watchdog, ICO.

  • Magecart attackers inserted card-skimming scripts into the subscription website for the Forbes print magazine. The affected site was brought down not long after the issue was found.
  • Another Magecart card-skimming code has been implanted to checkout and wallet page on the payment portal of Macy’s. The malicious code is believed to capture financial and other personal data submitted by customers, including names, physical addresses, ZIP codes, e-mail addresses, and Payment card numbers, card security codes, and expiration dates.

Takeaway: An ecosystem map of CDN (Content Delivery Network) and the security perspective is a must. Black Kite is currently the only company that checks CDN security among security- rating service providers.

Data Centers & Hosting Providers

Many companies use cloud services to store sometimes sensitive data and perform cloud-based applications. They also leverage hosting providers to manage their websites.

Although cloud and hosting providers are usually secure, sometimes misconfiguration of servers or cyber attacks expose sensitive data.

  • Image-I-Nation Technologies, a third-party providing software and hosting services to Equifax, Experian and TransUnion have been breached. The attack took place through unauthorized access to the software firm’s database containing personal information. The exposed data possibly included Social Security numbers, names, dates of birth and home addresses.
  • The Plead malware, leveraging a MiTM attack, took aim on ASUS web storage software, ASUS’s cloud storage service. The vulnerability puts the users of the cloud platform at risk.
  • An unauthorized user accessed a server in a data center that NordVPN was renting from an unnamed provider. This attack exposed some of the browsing habits of customers who were using the VPN service to keep their data private.

Takeaway: Discover all your 3rd and 4th party service providers and cloud storage servers that your company use. Check for misconfiguration of cloud storage servers

Third-Party Apps and SDKs 

Facebook has long been under scrutiny by the UK’s watchdog ICO through violations of users’ data by its third-party apps. This year has not been different in terms of data breaches and privacy violations.

  • More than 540 million records, including account names, IDs, passwords and user activity of Facebook users were exposed, through a third-party of Facebook, named Cultura Colectiva. The records were found to be online on one of Amazon’s publicly accessible cloud computing servers.
  • A late-2019 compromise has been found on Twitter. This was due to a software development kit (SDK) called “One Audience”. The SDK gave its developers unauthorized access to user data. Users’ most recent tweets were accessible to the developers if they were to log into these apps through Twitter accounts.

Record-breaking Fines / Record-breaking Exposure

Between January 2019 and December 2019, around 430 breaches were reported to HIPAA. Among them were there some record-breaking third-party breaches that exposed millions of patients’ records. 2019 has also been a year for seeing the outcomes of some 2018 third-party breaches as in the case of TicketMaster and British Airways breach. British Airways is struggling with a GDPR fine of 183 M pounds (although the fine is not final) for putting approximately 500,000 customers’ personal information at risk; not counting multiple class-action suits against the company.