Data breaches caused by third parties cost millions of dollars to large companies and are often devastating to small businesses. A recent survey conducted by the Ponemon Institute reveals that 59% of organizations have experienced one or more data breaches caused by a third party, costing an average of $7.5 million to remediate. IBM’s Cost of a Data Breach Report 2020 states that third-party involvement was one of the amplifiers in a breach, increasing the data breach cost more than $370,000, for an adjusted average total cost of $4.29 million.
Third-parties are companies that support your organization and often have access to, share, or maintain data critical to your operations. Third-parties include a broad range of companies such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, service providers, subcontractors. Essentially any company whose employees or systems have access to your systems or your data is considered a third party. However, third-party cyber risk is not limited to these entities. Any external software, hardware or firmware that you use for your business can also pose a cyber risk. There are several tools to assess third-party cyber risk and ways to prevent software supply-chain attacks. Knowing your potential risks allows your business to make adjustments and protect itself from becoming the next cyber breach headline. We regularly update the list of major third-party (aka supply-chain) attacks and breaches revealed in the news. In this blog, you will find the most recent breaches for the month of August. It should be noted that several of these breaches are still being substantiated as more data is collected.
1. Hope House Children’s Hospices, Fred Hutchinson Cancer Research Center, YMCA, University of Texas Tyler, and Feedmore due to BlackBaud
Multiple Blackbaud-related news involving breaches were released from different organizations in August. Hope House, housing hospices in Morda, near Oswestry, and Conwy, in North Wales, had fundraising and volunteer databases leaked due to a ransomware BlackBaud attack in May.
Hope House claims no financial information such as card numbers, account details or passwords were accessed in BlackBaud’s hack.
Hope House CEO Andy Goldsmith, said: “We take data protection very seriously and we are incredibly disappointed by this incident. We are in the process of contacting our supporters by email because we feel they have the right to know what has happened, and we have reported the incident to the UK’s regulator for data protection, the Information Commissioner’s Office, and the Charity Commission.”
A similar BlackBaud data breach announcement came from Seattle-based Fred Hutchinson Cancer Research Center, where its donation portal was impacted in the breach. The leaked personal information included
- phone numbers
- email addresses
- history of the donor’s relationship with the organization
168 North Dakotans’ files also included date of birth.
YMCA of the North, the new name of the Twin-Cities based youth organization, announced recently that its member information was leaked in the BlackBaud ransomware attack. The charity declared that the leaked data included
- physical address
- email address
- gift history
University of Texas officials also made an announcement in August that some of its data had been accessed in the BlackBaud breach. The university President Dr. Michael Tidwell explained that any bank information or social security numbers were not part of the leak. Blackbaud told UT Tyler the data included publicly available information as well as relationship history/engagement information.
“Immediately upon notification of the incident from Blackbaud, the UT System Administration and UT institutions have been working diligently by conducting an array of internal reviews with our legal, information security, and privacy experts to determine the exposure of our records, if any,” Tidwell said. “At this time, we are not aware of fraudulent activity that has occurred with any constituent records, and we continue to work with Blackbaud to learn more.”
Feedmore, Central Virginia’s Hunger-Relief organization was also among the beneficiaries of BlackBaud, whose donor data was leaked in the incident.
The U.S.-based cloud-service provider BlackBaud offers solutions to non-profit organizations including universities, churches, and foundations. The breach affected nearly half a million students at different campuses.
In a July 16 blog post, the company explained that “the cybercriminal removed a copy of a subset of data from our self-hosted environment.” Although the company found no financial or social security details in those files, it decided to pay the cyber attacker to erase the stolen data. Such ripple effects in a third party ecosystem is not unusual. Threat actors in cyber ecosystems usually target weaker vendors or common-denominator vendors that may lead them to bigger prey, i.e. large organizations. According to research, financial loss from ripple events is 13 times larger than single party attacks.
A security incident involving unauthorized access to customer information by two support personnel has been confirmed by Instacart, a US-based grocery and pick-up service. The unauthorized access came from a third party vendor contracted by the company.
Instacart claims it identified the breach during a support protocol analysis and launched an investigation promptly across a forensic analytics team.
“As part of our ongoing review of support protocols, we’ve determined that two employees retained by a third-party support vendor we work with may have reviewed more shopper profiles than was necessary in their roles as support agents,” Instacart’s announcement reads.
The investigation’s official report confirmed that the two employees accessed ‘a small collection of shopper details’ that may have included:
- e-mail addresses
- telephone numbers
- driver’s licenses and a thumbnail picture of the driver’s license
Regarding the breach that affected 2,180 shoppers, Instacart informs users that no customer data was saved, downloaded or copied throughout this unauthorized access. According to Instacard, the company has strengthened extra security measures which introduced new authentication methods for platform users, including verification of shopper ID, safe login, automatic logouts and prohibited device switching. The firm also announced it informed potentially impacted customers, and provided them two years of free credit monitoring and protection as a safeguard.
3- South Dakota Department of Health
A COVID-19 related data breach announcement came from an FBI investigation in South Dakota. The incident occurred in June due to security misconfigurations in a third-party vendor database. The Health Department and law enforcement agencies share a database, but a third-party vendor opened the data to the public.
The database was used to determine the risks associated with law enforcement and COVID-19 at work in executing duties. The portal would enable first responders to find out whether there was a positive COVID-19 case at the address in which they were called to.
The data breach exposed information including:
- infection status
- dates of birth
- other PII
However, no Social Security numbers or financial data was leaked in the breach.
4- Jack Daniel’s
American wine and spirits giant Brown-Forman has become the latest big-name brand to suffer a significant ransomware-related data breach. The Jack Daniel’s manufacturer published little information about the incident but said it successfully stopped attackers from encrypting their files.
“We are working closely with law enforcement, as well as world class third-party data security experts, to mitigate and resolve this situation as soon as possible,” it added in a brief statement. “There are no active negotiations.”
The attackers announced via a news channel that 1 TB of corporate data is now in their possession and will be leaked in batches. The attributed hacker group for this attack is Sodinokibi (REvil), which, like Maze and other gangs, posts their stolen data on a dedicated site. Until now, it has already shared screenshots of file names as proof of its claims, similarly to previous attacks. REvil is one of the more advanced variants of ransomware, frequently exploiting vulnerabilities in remote access infrastructure such as Pulse Security VPNs to compromise its corporate users. The attack on Travelex, which eventually helped send the foreign exchange giant into administration is also suspected by REvil ransomware.