Vendor Risk Roundup: 3 Huge Breaches (So Far!) This Year
Wherever you look, it feels like cyberattacks are becoming increasingly common. Criminal hackers are making the headlines every day, stealing the personal information of millions of people, ranging from birthdays to Social Security numbers.
These hackers increasingly target software supply chains and third party services that organizations rely on. Why, you might be wondering?
Because attacking a supply chain allows them to compromise a lot of people at a time, instead of having to target each organization separately. We’re talking about not just scores or hundreds, but often tens of thousands of people through one breach.
Additionally, this type of attack bypasses the victim’s security measures and often results in the hack having a higher level of internal access. These types of attacks are very difficult to discern, allowing the hackers more time to infiltrate, steal data and install ransomware.
So on this grim note, let’s take a look at some of the more notable data leaks we’ve seen lately caused by third party breaches this year.
Examples of third-party breaches in 2021?
Florida-based information technology firm Kaseya was the subject of what is being called the largest ransomware attack on record. Early July, it was discovered that hackers had exploited a vulnerability in Kaseya VSA (Virtual System Administrator), a remote monitoring and management software package.
Affiliates of the Russian REvile ransomware group took responsibility, demanding $70 million in cryptocurrency to release a universal decryptor software key to unlock all affected systems. Why was this cyberattack particularly vicious?
Kaseya is a “managed service provider”, which means its systems are used by companies that are too small or financially unable to have their own IT departments. Kaseya regularly pushes out updates that are supposed to secure their customer’s systems – instead, the hackers managed to use those same features to push out malicious software to their customers.
In terms of damage, over 1,500 companies were affected by this attack worldwide. Many had to shut down completely. This act of targeting systems that are supposed to protect customers and using their features against them is what makes this attack particularly appalling.
Audi and Volkswagen
In March 2021, Audi and Volkswagen were notified that a vendor had left unsecured data between August 2019 and May 2021. This customer data had then been obtained by an unauthorized third party.
The data included information that had been gathered for sales and marketing purposes, and included everything from contact information to driver’s license numbers to loan numbers. The matter is still under investigation, according to them, but roughly 3.3 million customers and interested buyers were affected.
While this incident did not seem to include ransom, as with Kaseya, it is a formidable example of what can happen when sensitive data is left exposed. In the era of GDPR, especially, this is a vendor risk nightmare where serious penalties may be in the offing.
The lesson? In order to protect customer data, organizations should check that vendors are securing it securely on the cloud. It’s not just a matter of taking their word for it when it comes to cybersecurity measures.
Okay, this one is technically from December 2020 – but the number of people impacted by this unfortunate example of vendor risk is still growing, so it warrants a look.
As profiled by Bloomberg, “Accellion, Inc. provides secure collaboration and managed file transfer solutions. The Company offers productivity, enterprise content, file sharing and synchronization and storage, replacement, and backups and recovery. Accellion serves customers globally.” According to their own website, they have protected more than 25 million end users at over 3,000 global corporations and government agencies.
Unfortunately, this is a lot of end users and a lot of personal information could potentially be stolen. And that’s what came to pass: As of last month, the number of victims affected by this breach had reached a shocking 3.5 million. And, as we mentioned, this number is still growing.
The hackers utilized vulnerabilities in Accellion’s FTA (File Transfer Appliance) to expose sensitive and personal data, such as banking and health-related information. The FTA was released roughly twenty years ago to allow organizations to securely share files that were too large to send via email. According to HIPAA Guide, “The data leak site of the Clop ransomware gang was used to publish some of the stolen data to encourage payment of the ransom.”
This has resulted in a number of lawsuits against Accellion by victims in California and Washington state courts – and who can blame them? If you’re a company that relied on them, you’re possibly going to suffer a reputational hit as well.
Defending yourself against becoming a vendor risk headline
We’ll stop here before this gets too dismal. Most of these breaches have been or are being dealt with, but third party vendor risk is a real issue that every organization needs to be aware of and take steps to deal with.
Make sure you have an effective vendor risk management (VRM) program so both you and your customers can sleep easy at night. And so you can avoid showing up in lists like this someday..!
Watch our The Future of Compliance summit - now on-demand!
Hear advice from top risk & compliance experts on how to build business resilience and continuity for your enterprise.