August 27, 2020 // Ellen Neveux // Last Updated: November 24, 2020
When we originally wrote this blog post in 2018, we talked about the craziness that is third-party data breaches. Over two years later, things really haven’t calmed down much. The past few years have been filled with data breaches, cyberattacks, and unauthorized access. With all of these cyberattacks happening, it seems like there’s a new company making headlines for it each and every day. Let’s take a look at some of the third-party data breaches that broke headlines around the world.
In 2017, Select Restaurants left customers’ sensitive information – including name, card number, expiration date, and CVV – on the table. The company, which manages 12 seafood restaurants across the US, was alerted to the hack by its point of sale (POS) vendor. Further investigation showed a data breach across all the restaurant locations, stemming from a third-party network intrusion. According to Upserve’s comprehensive list of compromised restaurants, cyberattacks on vendors and POS systems are quite common in the restaurant industry because these systems aren’t as secure as they could, or should, be.
In early 2018, an unnamed utility company was fined $2.7 million for leaving 30,000 records about its information security assets exposed online for 70 days back in 2016. Months later, it was revealed that this company was Pacific Gas & Electric Company (PG&E). According to Data Breach Today, this breach happened after a third-party vendor had improperly copied data from the utility network to their own network.
In June of 2019, both LabCorp and Quest Diagnostics experienced third-party data breaches that exposed 7.7 million and 11.9 million records, respectively. According to TechCrunch, the exposed records included names, dates of birth, addresses, phone numbers, dates of service, and more, and ranged from August of 2018 until March of 2019. Both data breaches were caused by a hacker who gained access to the systems of American Medical Collection Agency (AMCA), a third-party vendor that the two companies have in common.
2020 has been a wild year in terms of life in general. From the Coronavirus pandemic, to killer hornets, to sports being played in a bubble – it might seem like third-party data breaches have taken the backseat. That, sadly, isn’t the case. Though we’re all feeling fatigued when it comes to headlines and continued news, hackers aren’t going to sit back and wait for a more convenient time to steal data. The Bar Exam (the test that you have to take in order to become a lawyer) has crashed and also been hacked, people are worried about voting in elections, and you’ve probably received a couple of letters in the mail about a data breach that happened – but don’t worry, they’re offering you free credit monitoring. Usually, that move is too little, too late.
These events highlight the multitude of data breaches that occur every day (remember Tesla, Ford, and the Ticketmaster breach), which leads us to ask this question – how secure is your data, especially when it comes to your third-party vendor access?
Have you considered the consequences of becoming susceptible to a third-party data breach or ransomware attack? Data breaches that stem from third parties, vendors, or contractors are on the rise. In fact, the increase in third-party data breaches is due to the industrialization of the cybercriminal ecosystem and innovations such as ransomware, which makes cybercrime much more profitable and easier to carry out. Plus, the tools used for remote access, like virtual private networks (VPNs), aren’t properly secured to keep your network (and your company) safe from bad actors.
The biggest issue with any data breach is that it doesn’t just affect your company monetarily. You have to also consider the other risks, like:
A lot of companies focus their efforts on ensuring that their internal employees are educated and understand the importance of not clicking on links in emails, changing passwords every 90 days, and not sharing passwords. But when we don’t apply the same education and importance to external users who have network access, we leave ourselves open to the possibility that a bad actor uses that access as a way into our network.
And this isn’t hypothetical. It happens, and it happens a lot. Let’s look at three ways you can keep your data secure.
Without clear visibility into remote networks and third-party systems, it can be hard to know if a current or potential vendor may be vulnerable or compromised. You need to be able to identify possible red flags so you can take steps to protect your network from cyberattacks and other threats to your data. Interested to learn more about how to keep your data, your company, and your reputation safe? Download our helpful and interactive checklist that highlights the top 3 ways to identify a vulnerable vendor.