The average company can’t do business without their third parties. Vendors, suppliers, partners, distributors, and contractors — third parties make it so much simpler to build, distribute and sell a product or service.
Unfortunately, third parties open their clients up to extra risk as well. According to the Ponemon Institute, when a third party is involved in a breach, the average cost of the data breach rises by 14%. It can also take longer to detect the breach, meaning attackers are in your system for longer. Third-party breaches are also quite common. In a separate report by Ponemon, more than half of respondents said they’d suffered a data breach as a result of a third party while 44% said that the breach was recent. Most of those breaches happened because third parties had been given too much privileged access to data and systems.
With that in mind let’s take a look at some of the most recent third-party data breaches, how they happened, and the havoc they caused.
1. Accellion
Size of breach: More than 100 organizations
Time to clean up: Ongoing
Accellion released four fixes in January of 2021 to address weaknesses in its File Transfer Appliance (FTA) service that were being exploited by malicious attackers. This came a month after Accellion identified a zero-day weakness in the same service and published a patch to remedy it. Unfortunately, criminals — including ransomware group Clop and financial crime group FIN11 — had already leveraged the vulnerabilities, both before the patch was released and afterward, when some organizations didn’t apply the patches right away. We still may not know the full extent of the breach, but in Accellion’s January 2022 settlement of its $8.1 million class-action data breach lawsuit, the number of individuals impacted by the breach was estimated at 9.2 million, including 3.51 million patients.
2. The Saudi Arabian Oil Company
Size of breach: 1 terabyte of data
Time to clean up: unknown
In July of 2021, the Saudi Arabian Oil Company, also known as Saudi Aramco, saw 1TB of their data — including information about employees, clients, sites, reports and project documents — put up for sale on the dark web, starting at the price of $50 million. The threat actors that claimed to have stolen the information said it had been stolen in 2020. Saudi Aramco says a vulnerability at a third party was responsible for the breach.
3. Microsoft
Size of breach: 38 million records
Time to clean up: 1 month
In May of 2021, an analyst discovered that 38 million records containing personally identifiable information (PII) across 47 organizations had been exposed through a data leak in Microsoft Power Apps. In this case, Microsoft was the third party whose data leak affected large US companies like American Airlines and Ford. Governmental bodies in New York, Maryland, and Indiana were also impacted.
4. Ciox Health
Size of breach: 32 healthcare organizations
Time to clean up: 7 months
In January, a breach at clinical data technology company Ciox Health exposed the information of more than 30 healthcare organizations. Although there is no information about exactly how many records were exposed, Ciox announced that an unauthorized third party accessed one Ciox employee’s email account between June 24 and July 2, 2021, and may have downloaded emails and attachments containing confidential patient information relating to billing inquiries and other customer service requests. Ciox began working with its customers to notify impacted patients on December 30 and will provide enhanced cybersecurity training to its employees.
5. ParkMobile
Size of breach: 21 million records
Time to clean up: 1 month
In March of 2021, mobile parking app ParkMobile announced that, due to a vulnerability in third-party software that the company uses, they’d experienced a breach. The records of 21 million users, including license plate numbers, email addresses, phone numbers, and vehicle nicknames, were accessed and shared on a Russian-language crime forum. The investigation of the breach was concluded within a month.
6. The Red Cross
Records exposed: 515,000+
In January, the International Committee of the Red Cross (ICRC) confirmed a cyberattack against servers holding its data had compromised the personal and confidential data of more than 515,000 “highly vulnerable people,” including people separated from their families due to conflict, migration and disaster, missing persons and their families, and people in detention. While the attack targeted the ICRC servers, it was carried out through an attack on an external company that hosted the servers. The impact of this attack involves more than finances or legal action; officials shut down the systems affecting the Red Cross’s Restoring Family Links network, which affects the agency’s ability to run a program that reunites family members separated by conflict, disaster, or migration.
7. QRS
Size of breach: 320,000 records
Time to clean up: 3 months
In October 2021, QRS, a vendor of Electronic Health Records (EHRs), began notifying its clients of a data breach that had occurred in August 2021 and may have exposed the personally identifiable information (PII) and protected health information (PHI) of nearly 320,000 individuals. QRS hosts an electronic patient portal for certain healthcare providers. A cyber-attacker compromised the security of one QRS dedicated patient portal server. QRS says it immediately took the server offline, notified law enforcement, and engaged a forensic security firm to investigate the incident.
8. Entira Family Clinics
Records exposed: 199,628
Time to clean up: 1 year
A year after the breach occurred, Minnesota-based family medicine group Entira Family Clinics announced they’d been the victim of a third-party breach. In a letter sent through the Office of the Maine Attorney General, the medical practice said it “recently discovered” a data breach that occurred within Netgain Technology, a cloud hosting provider. Netgain was breached in late 2020 and notified affected companies at the time; nevertheless, Netgain is currently facing class-action lawsuits as a result of the 2020 breach.
How can SecurityScorecard help?
As the above breaches show, it’s crucial to manage third-party risk, but businesses often work with a wide range of third parties, and managing those relationships can become a cumbersome task. As a result, many organizations have opted to use intelligent tools that leverage existing data on cybersecurity risk in order to implement their third-party IT risk management processes.
If you believe you have been breached, it is imperative that you begin a process of incident response and digital forensics. Platforms such as SecurityScorecard’s Security Ratings and Threat Market help identify and prioritize third-party cyber risks. Trusted by the world’s leading brands, SecurityScorecard can help you strengthen your risk management framework, reduce risks and increase compliance.