
Third party breaches (data breaches that occur at a company’s vendors or somewhere along the company’s supply chain, usually) are a big risk. They can also be hard to track, and often companies have to rely on the third party itself to publicly disclose the breach before they themselves become aware of it and can then begin dealing with it. Third parties likely have a lot of their clients’ data, too, as data sharing is needed in order to render their services.
Every year, national and global supply chains (physical and digital) grow in complexity, which means that the network of a company’s third-party vendors (and then those vendors’ third-party vendors, and so on) is always growing. Some numbers: companies in the information services sector maintained on average 25 vendor relationships, which is the largest number of any sector and more than double the overall average of third-party vendors, which was 10. Healthcare averaged 15.5 vendors and the financial services industry averaged the lowest number, with 6.5.
But when fourth-party vendors (the vendors’ vendors, so to speak) are accounted for, it’s clear that there’s really no end in sight to the expansion of third-party-based threat surfaces. Half of organizations have indirect links to at least 200 fourth-party vendors, many of which have suffered prior breaches.
Third-party data breaches can be extremely damaging and can result in millions of dollars in fines, legal fees and penalties, as well as reputation damage. According to research done by the Ponemon Institute, third parties are involved in over half of the data breaches in the US, and a third-party breach costs, on average, twice what a normal breach costs (likely due to the fact that the third party doesn’t disclose the breach until too late, or because it affects multiple clients). Considering the impact to reputation, revenue, and possible decreases in share value, the overall cost of a vendor breach is estimated to be around $13 million.
Hackers have identified third-party vendors and contractors (especially smaller ones) as very juicy targets, because hackers can access larger, more secure companies’ data via the smaller, often less secure, contracted suppliers. Compromising a small plumbing contractor and using that organization as an entry point is far easier to do than directly hacking a Fortune 500 company with a fully staffed IT team and several layers of security controls.
Here are just a couple examples of recent, major third-party breaches that affected large corporations:
Okta Third Party Breach
In March 2022, the U.S.-based identity and access management platform Okta acknowledged that an attack against a third-party vendor they used caused a data breach that resulted in hackers obtaining the following information: JIRA tickets, lists of users, passwords, and MFA information.
Highmark Health Breach
In March, Highmark Health, a large healthcare financing system, reported a fourth-party vendor breach. The breach targeted Quantum Group (the fourth party), a printing and mailing services provider used by WebbMason (the third party), a company that Highmark Health had hired to perform marketing services. As a result of the attack, the sensitive information of about 67,147 individuals was exposed, including names, birth dates, Highmark member IDs, and prescription information.
Toyota Supply Chain Attack
Although this attack did not reportedly result in data leakage, on February 28, 2022, Toyota announced that the company was suspending operations on all 28 production lines at 14 manufacturing plants in Japan for a day due to a cyberattack at a supplier, Kojima Industries. A lot of other suppliers and related companies were also then affected. It’s a good example of how the vast network of companies connected to a major corporation can affect or be affected by cyberattacks at smaller companies. The ripple-effect is real. And this breach also shows how even very large, established corporations with a lot of investment in cybersecurity can be affected.
Properly vetting any third party with which you contract is vital. A solid historical breach and security research service will dramatically enhance your ability to analyze whether a vendor’s cybersecurity profile is safe enough for you to do business with them. HackNotice offers a research service that scours 40B+ hacker forum records (a number which grows daily, in real-time) for leaked credentials and breach histories. That way, you’ll be fully aware and empowered about vendor security from day one.
Cybersecurity can be a bit like a game of whack-a-mole. But don’t allow yourself to hyper-focus on any one specific first-party or end-user area. Keep in mind the vast network “beneath the surface” that consists of all your vendors, suppliers, and related fourth parties. Because studies show that a lot of danger lurks there.
References:
2. https://www.cybergrx.com/resources/anatomy-of-a-third-party-data-breach
3. https://www.cybersecuritydive.com/news/connected-breached-third-party/641857/
