Major Third-Party Data Breaches Revealed in September 2020
Data breaches caused by third parties cost millions of dollars to large companies and are often devastating to small businesses. A recent survey conducted by the Ponemon Institute reveals that 59% of organizations have experienced one or more data breaches caused by a third party, costing an average of $7.5 million to remediate. IBM’s Cost of a Data Breach Report 2020 states that third-party involvement was one of the amplifiers in a breach, increasing the data breach cost by $207,000.
Third-parties are companies that support your organization and often have access to, share, or maintain data critical to your operations. Third-parties include a broad range of companies such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, service providers, subcontractors. Essentially any company whose employees or systems have access to your systems or your data is considered a third party. However, third-party cyber risk is not limited to these entities. Any external software, hardware or firmware that you use for your business can also pose a cyber risk. There are several tools to assess third-party cyber risk and ways to prevent software supply-chain attacks. Knowing your potential risks allows your business to make adjustments and protect itself from becoming the next cyber breach headline. We regularly update the list of major third-party (aka supply-chain) attacks and breaches revealed in the news. In this blog, you will find the most recent breaches for the month of September. It should be noted that several of these breaches are still being substantiated as more data is collected.
1- E-Commerce Sites using Magento
Around 2000 e-commerce stores running the Magento program were targeted in August, compromising thousands of customer information. All of these stores were running an older version of Adobe’s Magento software, for which Adobe ended the support as of June 30. Magento is an open-source e-commerce platform written in PHP, which was acquired by Adobe in 2018. According to a research [1], about 95,000 e-commerce sites still rely on the older version.
2020 has by far been the largest-scale of attacks towards e-commerce sites since 2015. For one store alone, tens of thousands of customers had their payment information compromised.
On a hacking forum, the user z3r0day posted the selling of a Magento 1 “remote code execution” exploit procedure for $5000, with a tutorial clip. Supposedly, no current Magento admin account is required. The user added “Magento 1 is end-of-life – no patches will be provided by Adobe to fix this bug,” which expands the exploit surface.
Adobe has urged customers to upgrade to the newer platform, which is Magento 2, also adding no further patches will be issued by Adobe for Magento 1, [2].
2- Warner Music Group
Photo by Nicholas Green on Unsplash
In accordance with the previous attack, Warner Music Group also released a data breach warning. The warning followed a sustained skimming attack on a various number of its e-commerce websites.
The web skimming attack was discovered by the WMS Security Team in the beginning of August. The team in charge believed the breach window was between April 25 and August 5, 2020.
Personal data compromised in the attack includes:
- names
- email addresses
- telephone numbers
- billing addresses
- shipping addresses
- credit card numbers
- card expiration dates
- CVC and CVV codes
A data breach notice sent by Warner to the affected customers claims “any personal information” customers entered into the affected websites “after placing an item in your shopping cart was potentially acquired by the unauthorized third party.”
It is not clear whether the same exploit that z3r0day offered was leveraged in the attack.
3-Tribune Media, Times Media Group
Photo by Matthew Guay on Unsplash
Another breach news came from ViewMedia in early September, an online marketing vendor to major news groups.
An unsecured Amazon bucket belonging to the online marketing firm was discovered to be open by the researchers of a security firm. Nearly 39 million US user records are stored in the bucket, including:
- full names
- email and street addresses
- phone numbers
- ZIP codes
View Media is an online marketing company that specializes in email marketing, display advertising, design, hosting, direct mails, date sales, and other digital marketing services. The business provides American publishing brands including Tribune Media and Times Media Group with targeted marketing services.
The bucket also includes thousands of marketing newsletters, promotional flyer designs, banner advertising, and declaration of work documents produced for its customers by View Media.
Although the bucket does not contain financially sensitive information, the information harvested can be leveraged in a variety of ways including hackers can designate phishing emails to the victims.
The information can be used in identity fraud, along with other information; i.e, harvested on social media.
4- Buffalo N.Y. Area Hospitals, Innova Health, NorthShore University Health System
BlackBaud-related breach news continued in September. Hackers were able to access names, medical service numbers, and dates of service for patients who received care in Catholic Health facilities from 2016 through May of this year, according to the healthcare group.
“After a thorough investigation, Catholic Health determined that no medical information, social security numbers, addresses, bank account numbers or credit card information were included in the data breach,” a Catholic Health news release said.
Innova Health was also among a dozen of healthcare institutions that suffered due to the breach with the third-party cloud vendor. The Virginia-based health system is notifying more than 1 million patients and donors that their personal data may have been compromised by the cyberattack.
As another beneficiary to BlackBaud, North Shore said in a statement no patient medical records were accessed and that cyber criminals did not get hold of credit card, bank account or Social Security numbers.
Blackbaud paid hackers the ransom in return for the deletion of a backup file which housed the stolen information.
The U.S.-based cloud-service provider, offers solutions to non-profit organizations including universities, churches, and foundations. The breach affected nearly half a million students at different campuses.
In a July 16 blog post, the company explained that “the cybercriminal removed a copy of a subset of data from our self-hosted environment.” Although the company found no financial or social security details in those files, it decided to pay the cyber attacker to erase the stolen data. Such ripple effects in a third party ecosystem is not unusual. Threat actors in cyber ecosystems usually target weaker vendors or common-denominator vendors that may lead them to bigger prey, i.e. large organizations. According to research, financial loss from ripple events is 13 times larger than single party attacks.
5- Valley Bank, Pell City
According to the municipality and Valley Bank, some clients who pay the city of Pell City by paper check for their utility bills may have had their data compromised in a recent attack.
Senior Vice President and Head of Content Creative and Public Relations for Valley Bank’s corporate office in New Jersey, made an announcement that the breach occurred due to a third-party service provider, not Valley Bank.
“One of our third-party service providers experienced a security breach,” he said in a statement. “This incident was not a result of a breach of Valley’s security systems. We are working closely with this third-party service provider to alert affected customers.”
As of this writing, there has been no indication that the compromised data was used in a fraudulent activity or whatsoever. The extent of the compromised data is not clear at this stage.
[1] https://sansec.io/research/cardbleed
[2] https://magento.com/blog/magento-news/support-magento-1-software-ends-june-30-2020
Photo by Freepik
Photo byRoberto Cortese on Unsplash