Data breaches caused by third parties cost millions of dollars to large companies and are often devastating to small businesses. A recent survey conducted by the Ponemon Institute reveals that 53% of organizations have experienced one or more data breaches caused by a third party, costing an average of $7.5 million to remediate. 

Third-parties are companies that support your organization and often have access to, share, or maintain data critical to your operations. Third-parties include a broad range of companies such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, service providers, subcontractors. Essentially any company whose employees or systems have access to your systems or your data is considered a third party. However, third-party cyber risk is not limited to these entities. Any external software, hardware or firmware that you use for your business can also pose a cyber risk. There are several tools to assess third-party cyber risk and ways to prevent software supply-chain attacks. Knowing your potential risks allows your business to make adjustments and protect itself from becoming the next cyber breach headline.

We regularly update the list of major third-party (aka supply-chain) attacks and breaches revealed in the news. In this blog,  you will find the most recent breaches for the month of May. It should be noted that several of these breaches are still being substantiated as more data is collected. 

1. Bank of America 

An eyebrow-raising third-party breach announcement came from Charlotte-based financial institution, Bank of America Corp., revealing a data breach on business client information through their Paycheck Protection Program (PPP) in late April.

The U.S. Small Business Administration platform, which was designed to give lenders the chance to test the PPP submissions, was the center of the hack. Client information was revealed on April 22 when the bank submitted details of PPP applicants onto the test site of the platform. As a result, many SBA-authorized borrowers and their vendors were able to access details about the customers.

Compromised information could include: 

  • Address or tax identification number 
  • Name 
  • Social Security number 
  • Phone number 
  • Email  
  • Citizenship status

“This would have been an isolated incident at a third-party merchant (like a store) that may have impacted a very small number of cards, not a security breach at Bank of America or one of its vendors,” says BofA spokeswoman Betty Riess.

While the bank’s spokeswoman would not disclose how many accounts have been compromised, she said the organization is taking necessary measures to fix identified security vulnerabilities. 
This incident is an example of sensitive information in the company and payment chain needing to be protected through the entire cyber ecosystem. A “cyber ecosystem” creates a target-rich environment for hackers to exploit vulnerabilities with the aim of stealing personal data and identities and even company secrets. However, it is not always the company itself, rather third parties that malicious agents target. Therefore, other businesses such as third-party service providers and intermediaries with company interaction must also practice the same level of security measures.

2. TrueCaller

Image Courtesy: Gerd Altmann from Pixabay 

Although there are still uncertainties surrounding the possible data exposure from TrueCaller, researchers [1] uncovered an allotment of Truecaller user data available for sale on the dark web. The sale is offered through the account “TooGod”, however, it is unclear who leaked the data.

47.5 million Truecaller accounts are shown on the dark web for sale, which includes:

  • Full names
  • Email addresses 
  • Mobile numbers 
  • Facebook IDs 
  • Age
  • City
  • Gender 
  • Telecom service provider

The app is mainly used to identify spam callers, while it can also help identify nearly any number that is not on a user’s contact list. The app has 250 million users, of which 100 million daily active users were compromised, mostly in India. The account sum was valued at $1,000. 

Truecaller denies the security incident and claims that the data has been altered to look like theirs. 

“We were informed about a similar sale of data in May 2019. What they have here is likely the same dataset as before”, said Truecaller in a media statement. “It’s easy for bad actors to compile multiple phone number databases and put a Truecaller stamp on it. By doing that, it lends some credibility to the data and makes it easier for them to sell.”

3. BHIM

BHIM users were exposed due to a misconfigured Amazon S3 bucket incident. As a mobile payment platform, BHIM’s breach exposed the financial and personal details of more than seven million people. The Amazon S3 bucket served as a database for a website campaign where users registered for the app, which was developed by CSC e-Governance Services in partnership with the Indian government. 

The 409-gigabyte data contained in the bucket is believed to date back to February 2019.

The leaked user-data includes:

  • Aadhaar number 
  • Name
  • Gender
  • Date of birth
  • Biometric details
  • Permanent Account Number (PAN) 
  • Scanned copies of Caste and Religion certificates 
  • User’s picture 
  • Residential details
  • Professional degree 

India’s National Payments Corporation has denied any exposure of BHIM app’s user data. 
The announcement reads, “We have come across some news reports which suggest a data breach at BHIM App. We would like to clarify that there has been no data compromise at BHIM App and request everyone to not fall prey to such speculations. NPCI follows a high level of security and an integrated approach to protect its infrastructure and continue to provide a robust payments ecosystem.”

4. FLORIDA DEO

A breach potentially endangering Floridians seeking unemployment was revealed recently. 

The incident exposed full names and social security numbers of people who have applied for unemployment benefits to the Department of Economic Opportunity (DEO). The DEO has confirmed that some applicants’ personal information was inadvertently sent to a private email server operated by a third party. 

“It is not clear if this information was viewed or accessed by other third parties,” announced a DEO official. 

The DEO said they have reached out to applicants affected by the incident and are providing identity protection services for free. 

Since March, more than 1.6 million people have applied to Florida DEO for unemployment benefits, however, less than 100 people claim to have been affected by this breach. 

The Florida Department of Economic Opportunity said in a statement:

“We have notified individuals that were part of a data security incident associated with Reemployment Assistance claims. This issue was addressed within 1 hour after we became aware of the incident. While the incident was handled within 1 hour, in an abundance of caution, we are making available identity protection services at no charge to affected individuals, and we have also advised them to report any unauthorized activity on their financial accounts. At this time, we have not received any reports of malicious activity.”

5. MNS Clients

A breach taking place between April and June of 2019 on Management and Network Services (MNS) corporate accounts, was just revealed this May. 

The OH-based third-party vendor provides administrative support services to post-acute healthcare providers. In connection with these services, MNS has access to information from providers’ patients or individuals.

In August 2019, MNS discovered that several corporate email accounts, five of which contained protected health information of patients and clients, was accessed in an unauthorized manner.

The exposed information included:

  • Names 
  • Medical treatment information 
  • Diagnosis information/codes 
  • Medication information 
  • Dates of service 
  • Insurance provider 
  • Health insurance numbers 
  • Date of birth
  • Social Security number

A limited number of individuals additionally included:

  • Driver’s license number 
  • State ID card number
  • Financial account information

References

[1] https://news.sky.com/story/coronavirus-cybercriminals-target-healthcare-workers-with-email-scam-11956617