Posted on Jul 20, 2016
We reviewed the third party vendor breaches that had some of the biggest impacts on companies and consumers. Data breaches linked to a third party vendor have not let up, and the issue is getting worse. Soha Systems' Survey on Third Party Risk Management notes that 63% of all data breaches can be attributed to a third party vendor.
It has been an especially difficult year for data breaches, as we've seen with the resurfacing of the MySpace and LinkedIn data breaches. Unfortunately, this teaches us that third party vendor data breaches should not be forgotten and their security should not be ignored. Even years after a vendor is breached, the consequences may still be unfolding.
Below, we’ve rounded up a list of data breaches attributable to a third party vendor in 2016 so far.
Hackers were able to use employees' default PIN codes to log into W-2Express, an Equifax service. The default PIN codes followed a predictable scheme, built from the employee's Social Security number and date of birth, and granted access to W-2 data. Hackers stole tax and salary data from a large number of W-2Express users.
Affected companies and institutions include Kroger, Stanford University, and Northwestern University. However, because the default PIN code scheme is in place for most of Equifax's clients, many other companies could succumb to the same problem.
In a similar case, hackers registered accounts in the names of employees at over a dozen customer firms, including U.S. Bancorp, in order to steal W-2 data from an ADP portal. All parties were at fault due to poor security hygiene. As KrebsOnSecurity notes, ADP's registration process relies on static data, such as Social Security numbers or addresses, that is easily obtained on the dark web, especially as more large-scale third party vendor breaches occur. Compounding this, many of the affected firms had disclosed company-specific links to the ADP portal on easily viewable webpages, allowing savvy hackers to piece together employee information and the company ADP links to steal sensitive data.
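Both the W-2Express and ADP incidents above share one root cause: an initial credential or registration step that depends only on static identity data (Social Security number, date of birth, address) which an attacker can buy or look up. The following added example, which is not code from Equifax, ADP, or any vendor named on this page, shows two defensive controls a payroll portal could apply instead: a policy check that rejects any PIN derived from the user's SSN or date of birth, and a random, single-use, time-limited activation code issued out of band in place of a guessable default. All names (`derived_from_identity`, `issue_activation`, `redeem_activation`, the 48-hour TTL) and the sample SSN and birth date are hypothetical values constructed for the example.

```python
import hashlib
import hmac
import secrets
from datetime import date

# Hypothetical lifetime for a one-time activation code (not a vendor value).
TOKEN_TTL_SECONDS = 48 * 3600


def identity_fragments(ssn: str, dob: date) -> set:
    """Digit strings that can be read straight off the two static identity
    fields the incidents above relied on: the SSN and the date of birth."""
    digits = "".join(ch for ch in ssn if ch.isdigit())
    frags = {digits, digits[-4:], digits[:3], digits[3:5]}
    frags |= {
        dob.strftime("%m%d%Y"), dob.strftime("%m%d%y"), dob.strftime("%Y%m%d"),
        dob.strftime("%d%m%Y"), dob.strftime("%m%d"), dob.strftime("%Y"),
        dob.strftime("%y"),
    }
    return {f for f in frags if f}


def derived_from_identity(pin: str, ssn: str, dob: date) -> bool:
    """Policy check: True if the PIN is an SSN/DOB fragment or two of them
    concatenated (e.g. last four of SSN followed by MMDD), i.e. a value an
    attacker holding the person's identity record could simply reproduce."""
    frags = identity_fragments(ssn, dob)
    if pin in frags:
        return True
    for first in frags:
        if pin.startswith(first) and pin[len(first):] in frags:
            return True
    return False


def issue_activation(store: dict, user_id: str, now: float) -> str:
    """Replace the default PIN with a random activation code. Only a SHA-256
    digest is stored server-side, together with an expiry and a used flag."""
    token = secrets.token_urlsafe(16)
    store[user_id] = {
        "digest": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token  # delivered out of band (e.g. to a verified employee mailbox)


def redeem_activation(store: dict, user_id: str, presented: str, now: float) -> bool:
    """Accept the code once, before expiry, using a constant-time comparison."""
    rec = store.get(user_id)
    if rec is None or rec["used"] or now > rec["expires"]:
        return False
    digest = hashlib.sha256(presented.encode()).hexdigest()
    if not hmac.compare_digest(digest, rec["digest"]):
        return False
    rec["used"] = True
    return True


if __name__ == "__main__":
    # Constructed sample identity record, not real data.
    ssn, dob = "123-45-6789", date(1980, 7, 4)
    for candidate in ("6789", "07041980", "67890704", "482913"):
        print(candidate, "derived from identity:", derived_from_identity(candidate, ssn, dob))
    store = {}
    code = issue_activation(store, "employee-1", now=1000.0)
    print("first redeem:", redeem_activation(store, "employee-1", code, now=1001.0))
    print("replay:", redeem_activation(store, "employee-1", code, now=1002.0))
```

The policy check runs at enrollment time so that a weak default never exists to be guessed; the activation flow removes the "default credential" concept entirely, which is the property the W-2Express and ADP registration schemes lacked.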
Bizmatic, an ambulatory software and electronic health records vendor serving over 15,000 healthcare providers, was hacked by intruders who used stolen credentials to install malware in the Bizmatic environment. While the attack took place in January 2015, Bizmatic was not aware of it until late 2015, and an affected healthcare provider, Vincent Vein Center, alerted the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) as late as June 2016. Information that may have been accessed and compromised includes names, addresses, telephone numbers, SSNs, DOBs, and insurance information.
A number of healthcare providers have experienced fallout from the breach, specifically citing Bizmatic's PrognoCIS tool, an electronic health record and practice management tool, as the source of the data leak.
Acer suffered a data breach on its e-commerce site through an undisclosed third party, affecting customers who visited the site from May 12, 2015 through April 28, 2016. Data compromised includes names, addresses, and complete credit card data, such as the expiration date and security code. While sensitive data like Social Security numbers wasn't leaked, the long period during which the website was affected puts a wide audience at risk.
Wendy's was the victim of malware that compromised its third-party point of sale (POS) systems at a number of Wendy's restaurants. As the investigation progressed, two different strains of malware were found on a number of systems, and the count of compromised restaurants grew beyond the originally estimated 300. Wendy's statement has pointed to a remote access tool used by malicious actors to target and obtain POS credentials, providing hackers a way in. A recent update from KrebsOnSecurity has placed the number of affected locations at 1,025. As a result, Wendy's is now the target of a class action lawsuit on behalf of a credit union that alleges Wendy's could have prevented or reduced the damage if it had acted faster.
A third party provider offering data hosting and software services was breached, leading doTERRA, an essential oils provider, to release a letter informing customers and wellness advocates that a slew of information, including Social Security numbers, credit card information, dates of birth, names, addresses, telephone numbers, usernames, and passwords, may have been compromised.
CiCi's Pizza was hacked by way of its POS systems, which are provided by Datapoint. Hackers may have obtained card data by initially posing as technical support specialists for the POS systems.
KrebsOnSecurity tried to uncover more details and found that the entire Datapoint site appeared to be compromised (Google was blocking access to it), which could point to a larger and more widespread hack.
An East Coast law firm representing MultiColor, a global label provider, informed the company that, among other things, a hard drive containing MultiColor's data had been stolen, along with the credentials needed to access the drive. The potentially compromised information included names, Social Security numbers, and addresses of current, former, and prospective employees.
Up to 4,000 patients of the Children's National Health System (CNHS) may have had their information, including names, DOBs, medications, and doctor summaries, compromised after a former medical transcription vendor inadvertently uploaded files to an FTP site that was viewable on the web. As of the time of writing, and thanks to swift action, CNHS has stated that it is not aware of any unauthorized access or misuse of the data.
LuckyPet customers may have been compromised through third party shopping cart software that was infected with malware to harvest customer information such as names, credit card data, and addresses from the LuckyPet pet store website. The infection appears to have taken place in October 2015, but officials weren't made aware of it until March 2016. While no reports of misuse of the information have been made, as we've seen with previous data breaches, it may be some time before the data is used for malicious purposes.
An unauthorized person accessed the third party vendor that maintains payroll for the Archdiocese of Denver, compromising names, Social Security numbers, and addresses. While the incident occurred in October 2015, victims have only recently reported their information being used for fraudulent purposes. The data breach may affect up to 18,000 people.
In a story we're seeing repeat itself, malware has been found on POS systems at the Hard Rock Hotel & Casino resort. Names, card numbers, expiration dates, and verification codes were compromised, and reports of fraudulent activity associated with the data have been sent to the resort, prompting an investigation. Customers who used their cards at the resort between October 27, 2015 and March 21, 2016 are at risk.
A few patterns stand out in this roundup: major third party vendor portals are being accessed to download W-2 data, affecting a large number of partner companies; the healthcare industry is still being heavily targeted; and point of sale (POS) systems across industries are leaking large amounts of credit card data.
Unfortunately, POS systems are among the most vulnerable targets due to the relative ease of hardware compromise and the general insecurity of credit card magnetic stripes. And as we've noted before, the healthcare industry is increasingly targeted by hackers due to the large amount of sensitive information available and the generally weak security practices of providers and the third party vendors they engage.
Data breaches through third parties are especially dangerous because of the number of companies a single breach can affect. Third party vendor security is more important than ever, so it is critical that a vendor's security posture be validated. To do so, engage in regular or ongoing vendor security monitoring to confirm that any data held by vendors remains secure.