Third-Party Security Breaches Sign of Growing Vendor Risk Problem

By Imarc

Posted on Jul 30, 2015

Third Party Breaches Continue to Remain in the Media

The long term effects of data breaches that have originated via third parties have the attention of executive boards of directors, but the C-level may not be as keen on dealing with the problem as you might think. These long term effects include: legal action from customers, damage to company reputation, costly post-breach remediation, and expensive forensic security services.

According to Booz Allen Hamilton, third parties are the number-one security risk to financial services firms in 2015. A new July report from PWC, however, shows that the C-level may not be as concerned about third-party risk as executive boards. The PWC “2015 US State of Cybercrime Survey” found the following results:

19% of CIOs are not concerned about supply-chain risks

Only 42% of respondents consider supplier risks

23% do not evaluate third parties at all

Most companies do not have a process for assessing security third-party partner capabilities before they do business with them

Third Party Breaches in July 2015

As part of our ongoing series to collect useful information and be a helpful resource in building the case for managing partner, supplier, and vendor risk more aggressively, we offer the following round up of news. PNI Digital Media and NoMoreClipboard continue to be specific event reminders of how the security of smaller organizations and lapses in security are affecting major retailers and hospitals, and the numbers of those affected continue to grow. The focus on stealing personally-identifiable information via third party systems continues to plague companies, and continues to receive media attention.

Walmart Canada looks into possible credit card data breach

Walmart Canada’s Photocentre website has been compromised and Walmart Canada is investigating the possibility that its domains had also been compromised. The photo center website is operated by a third-party vendor, PNI Digital Media, which was bought by Staples in 2014. A source close to the news publication site claims that the attack could have compromised 60,000 customers.

CVS probes card breach at online photo unit

The PNI breach, which compromised the photo database of Walmart earlier last week, has spread to CVS. has been taken down in regards to a possible breach of customer data from their website. Like the Walmart breach, it is not yet stated if CVS or Walmart databases were compromised through their photo center’s breach.

Improper data transfer leads to data exposure of 850,000 people

The Army National Guard reports that the data of 850,000 current members have been exposed due to an improper data transfer to a third party non DoD-accredited data center for a data analysis. Government institutions have “perfected poor security practices as an art form.”

Data breach affects some Louisville Metro employees

The news said: "A spokesperson for the city said a data breach occurred through a third party company that runs the employee health center at 400 South 1st Street." While not confirmed, SecurityScorecard noticed a NoMoreClipboard icon on the health center page for Louisville Metro. NoMoreClipboard continues to be in the news for a third party breach that has affected several health and medical centers across the MidWest, including some large hospitals in Indiana.

Edinburgh Council cyber attack exposes 13,000 email addresses

Roughly 13,000 email addresses were stolen from an Edinburgh City Council database after a security attack in late June. Attackers breached the council's England-based service provider to gain access to the systems.

Credit card breach at a zoo near you

Service Systems Associate states that it was part of a databreach that compromised its POS systems. Zoos and Cultural Center gift shops in over two dozen cities are seen to have been affected by this breach, yet SSA has not disclosed particular company names that have been compromised.

Expedia, Travelocity, warn customers of phishing scam

Big brand’s customers are targeted through a third party. The latest unfortunate victim is Expedia. Phishing attempts on customers occurred after customer data was stolen from an unnamed hotel partner.

Missing Link Networks breach affects winery clients

29 Wineries affected by breach in Missing Link Networks. Originally, Sonoma Wineries was publicized as being breached, but a further analysis into it describes how many wineries had a breach of data

Updated: 97% of malicious mobile malware targets Android

About 97% of mobile malware targets Android. Most malicious apps are hosted on third-party appstore repositories, marking that improper monitoring of third-party applications is a factor in both the real world and in mobile technology

Data breach alert: the rising threat of contractors

Contractors account for 18% of serious UK Breaches. 3 million people are employed in temporary contract jobs today, which do provide conveniency but are a big IT risk with BYOD. Access to independent and third party contractors have to be limited and monitored when conducting business with them to make sure that your data stays safe.

What the hacking team breach shows about bank vendor risk

Although US banks weren't on the customer list of the Hacking Team breach, vendor risk management remains a huge concern. Due diligence is the key in ensuring the vendors that banks deal do not compromise the bank in the long run. If the vendor gets compromised, different state laws requiring notification of risky events would be a nightmare for banks to have to deal with.

How SecurityScorecard Works

No waiting, 100% Free

Get your personalized scorecard today

Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.

Get Your Free Score

Get In Touch

Thank you for contacting us!