Can you afford a third-party data breach?

When we originally wrote this blog post in 2018, we talked about the craziness that is third-party data breaches. Over two years later, things really haven’t calmed down much. The past few years have been filled with data breaches, cyberattacks, and unauthorized access. With all of these cyberattacks happening, it seems like there’s a new company making headlines for it each and every day. Let’s take a look at some of the third-party data breaches that broke headlines around the world. 

Top third-party data breaches: 2017-2020

In 2017, Select Restaurants left customers’ sensitive information – including name, card number, expiration date, and CVV– on the table. The company, which manages 12 seafood restaurants across the US, was alerted to the hack by their point of sale (POS) vendor. Further investigation showed a data breach across all the restaurant locations, stemming from a third-party network intrusion. According to Upserve’s comprehensive list of compromised restaurants cyberattacks on vendors and POS systems are quite common in the restaurant industry because these systems aren’t as secure as they could, or should, be.

In early 2018, an unnamed utility company was fined $2.7 million for leaving 30,000 records about its information security assets exposed online for 70 days back in 2016. Months after it was released that this company was Pacific Gas & Electric Company (PG&E). According to Data Breach Today, this breach happened after a third-party vendor had improperly copied data from the utility network to their own network.

In June of 2019, both LabCorp and Quest Diagnostics experienced third-party data breaches that exposed 7.7 million and 11.9 million records, respectively. Included in the exposed records were names, date of birth, address, phone number, date of service, and more, according to TechCrunch, and ranged from August of 2018 until March of 2019. Both data breaches were caused by a hacker that gained access to American Medical Collection Agency’s (AMCA) system, which is a third-party vendor that the two companies have in common.

2020 has been a wild year in terms of life in general. From the Coronavirus pandemic, to killer hornets, to sports being played in a bubble– it might seem like third-party data breaches have taken the backseat. That, sadly, isn’t the case. Though we’re all feeling fatigued when it comes to headlines and continued news, hackers aren’t going to sit back and wait for a more convenient time to steal data. The Bar Exam (the test that you have to take in order to become a lawyer) has crashed and also been hacked, people are worried about voting in elections, and you’ve probably received a couple of letters in the mail about a data breach that happened– but don’t worry, they’re offering you free credit monitoring. Usually, that move is too little, too late.

Are you next?

These events highlight the multitude of data breaches that occur every day (remember Tesla, Ford, and the Ticketmaster breach), which leads us to ask this question– how secure is your data, especially when it comes to your third-party vendor access?

Have you considered the consequences of becoming susceptible to a third-party data breach or ransomware attack? Data breaches that stem from third parties, vendors, or contractors are on the rise. In fact, the increase in third-party data breaches is due to the industrialization of the cybercriminal ecosystem and innovations such as ransomware, which makes cybercrime much more profitable and easier to carry out. Plus, the tools used for remote access, like virtual private networks (VPNs), aren’t properly secured to keep your network (and your company) safe from bad actors.

The biggest issue with any data breach is that it doesn’t just affect your company monetarily. You have to also consider the other risks, like:

• Reputation risks: Can you keep yourself afloat if you’ve essentially told customers you don’t know how to protect their data?
• Compliance issues: It’s fun when you’re in compliance, but a data breach of any sort will get you some hefty fines from any mandate.

3 easy ways to keep your data secure

A lot of companies focus their efforts on ensuring that their internal employees are educated and understand the importance of not clicking on links in emails, changing passwords every 90 days, and not sharing passwords. But, when we don’t consider the same education and importance for external users that have network access, we leave ourselves open to the possibility that a bad actor uses that as a way to get into your network.

And this isn’t hypothetical. It happens, and it happens a lot. Let’s look at three ways you can keep your data secure.

• Evaluate your vendors: Just one unregulated third-party could allow a hacker access to your entire network. It is important to be selective when choosing your vendors.
  • Determine what data each of your vendors needs access to.
  • Confirm that the internal assessments and controls of your vendors align with your organization’s assessments and controls.
  • Confirm that your vendors have strong security policies and procedures in place to ensure your company is in compliance with the latest regulatory requirements.
• Enforce strong reporting and auditing: To ensure visibility of your vendors’ actions, regular security audits and in-depth report logs are imperative. It is important to monitor the “who/what/when/where” of every individual accessing your network. By monitoring and tracking all movements on your network, you’ll be able to detect vulnerabilities and weaknesses immediately – and address them swiftly.
• Ensure powerful controls: By analyzing your vendors’ security protocols, you can make sure your company’s security requirements are being met. Ensuring you have granular levels of control over the degree of access you grant each of your vendors – and what data specific individuals can see on your network – will help keep your data secure. Gaining complete control of your vendors’ access will minimize your exposure to third-party data breaches.

Without clear visibility into remote networks and third-party systems, it can be hard to know if a current or potential vendor may be vulnerable or compromised. You need to be able to identify possible red flags so you can take steps to protect your network from cyberattacks and other threats to your data. Interested to learn more about how to keep your data, your company, and your reputation safe? Download our helpful and interactive checklist that highlights the top 3 ways to identify a vulnerable vendor.