Cybersecurity and Third-Party Risk - Gregory C. Rasner - Page 17

Third‐Party Breach Examples


Throughout many chapters in this book, you will find case study sections where we dive into some of these breaches. However, it is important to understand the scope and history of how often third-party incidents occur. Many public breaches attributed to a particular company are, in fact, the result of a third party. One of the most well-known examples is the Target breach: attackers first compromised Target's Heating, Ventilation, and Air Conditioning (HVAC) provider and then used that vendor's network credentials to reach Target's data.

Following are a few examples of major third-party breaches that show how easily they cross any boundary (geography, sector, or company size):

 Target (2013): Data on 70 million customers and 40 million credit/debit card records were stolen after attackers used network credentials taken from Target's HVAC vendor, Fazio Mechanical Services.

 Lowe's (2014): Millions of drivers' records were exposed by SafetyFirst, a vendor that stored the exposed data in an online database.

 JP Morgan Chase & Co (2014): Contact information for 76 million consumers and 7 million small businesses was exposed by a third‐party website used to sponsor a foot race.

 Sam's Club, Costco, CVS, RiteAid, Walmart Canada, Tesco (2015): Millions of customer data records were hacked at PNI Digital Media, which is used for online photo ordering and printing.

 T‐Mobile (2015): A total of 15 million personally identifiable information (PII) records were leaked by Experian, a customer credit assessment company.

 Forever 21 and Hyatt Hotels (2017): An unknown number of credit card records were exposed through malware on their point-of-sale (POS) systems.

 Uber (2017): Attackers found Uber credentials in a private GitHub repository used by its engineers and used them to access an AWS storage bucket, exposing data on 57 million riders and drivers.

 Equifax (2017): Highly confidential data on 143 million consumers was exposed through an unpatched vulnerability in Apache Struts, the open-source framework Equifax used to build a consumer-facing web application.

 Verizon (2017): The restricted data of 14 million customers was exposed by customer analytics provider NICE Systems.

 Hard Rock Hotels & Casinos (2017): Sabre Corp, a travel reservation service, was exploited, causing a leak of credit card data for an undisclosed number of customers at 11 of its properties.

 ShadowPad (2017): A backdoor was planted in server management software made by NetSarang and shipped to hundreds of multinational and large companies worldwide; the number of protected data records exposed is still unknown.

 Republican National Committee (2017): PII on nearly 200 million U.S. registered voters was exposed by Deep Root Analytics, a data firm working for the RNC, through a publicly accessible Amazon S3 bucket.

 BevMo (2018): Online payment provider NCR Corporation was breached, exposing payment data for over 14,000 BevMo customers.

 Nordstrom (2018): A third-party tool used to manage direct deposit exposed personal information about Nordstrom's employees.

 Ontario Cannabis Store (2018): Canada Post's online delivery-tracking tool was accessed improperly, exposing the store's customer data.

 SuperMicro (2018): A news report claimed that malicious microchips had been inserted into Supermicro server motherboards used by major companies such as Apple and Amazon; the companies named denied it and the claim was never independently confirmed, so the amount of data affected, if any, is unknown.

 Facebook (2018): A flaw in Facebook's access tokens exposed 50 million user accounts, and because those tokens also work on any third-party platform that relies on Facebook Login, every such platform was potentially exposed as well.

 The Conservative Party (UK) (2018): CrowdComms, the vendor of the conference application used by the Conservative Party, was responsible for the exposure of protected data about Members of Parliament (MPs), conference attendees, and journalists.

 British Airways (2018): Malicious JavaScript (a Magecart-style card skimmer) injected into the airline's payment page captured the financial and personal information of over 300,000 customers.

 University of Louisville (2018): Health Fitness, a fitness vendor, exposed employee names, employee IDs, and physicians' names.

 Washoe County School District (2018): District teachers' emails, usernames, and passwords were exposed by an instructional tool provided by Edmodo.

 MedCall Healthcare Advisers (2018): Over 150 businesses were affected by this third-party breach, with 7 GB of medical data exfiltrated.

 GoDaddy (2018): Sensitive configuration records for over 30,000 servers were exposed by a misconfigured Amazon S3 bucket.

 Air Canada (2018): An undisclosed mobile application provider caused the loss of customer data.

 Fiserv (2018): A flaw in the websites this financial third party hosts for banks exposed customer records at hundreds of banks.

 Ticketmaster (2018): Inbenta, a provider of customer-support chatbot software whose JavaScript ran on Ticketmaster's payment pages, was compromised, leaking customer payment data.

 Universal Music Group (2018): Cloud-services provider Agilisium exposed internal File Transfer Protocol (FTP) credentials, Amazon Web Services (AWS) secret keys and passwords, and internal root passwords for structured query language (SQL) databases.

 Chili's Grill & Bar (2018): Chili's POS system was breached, exposing an undisclosed number of credit card records.

 Best Buy, Sears, Kmart, and Delta (2018): An online chat provider ([24]7.ai) used by these firms exposed over a million customer records in total.

 Applebee's (2018): Malware on the POS systems at 160 restaurants exposed customer payment card data.

 Western Union (2018): Private transaction data was exposed by an undisclosed vendor that provided offsite cloud storage.

 Ascension (2019): A misconfigured server at a third party exposed millions of bank loan and mortgage documents.

 Amadeus (2019): The online booking systems for over 140 airlines worldwide had a critical flaw that allowed hackers to get access to the flight reservation systems.

 Adverline (2019): This third-party advertising supplier to European online sellers had malicious code injected into its scripts, exfiltrating credit card information from the sites that loaded them.

 Click2Gov (2019): An online payment tool used by many U.S. and Canadian municipalities was compromised, exposing information on residents of Saint John, New Brunswick, and Hanover County, Virginia.

 BankersLife (2019): A breach at this third party exposed information about Humana's customers.

 BenefitMall (2019): A third‐party administrator for Highmark BCBS, Aetna, Humana, and United Health caused a leak of customer data.

 Quest Diagnostics (2019): From August 2018 to March 2019, a hacker gained access to Quest's data at a billing collections vendor called American Medical Collection Agency (AMCA). A total of 11.9 million records were exposed.

 Suprema (2019): This biometric security software firm exposed 27.8 million unencrypted records from its Biostar 2 platform, used by over 6,000 organizations, including the UK Metropolitan Police, Power World Gyms, and Global Village.

 LensCrafters, Target Optical, EyeMed (2020): A breach of the web-based appointment-scheduling application operated by Luxottica for these brands exposed thousands of protected health information (PHI) records.

 Insurance companies in Texas and Colorado (2020): Insurance carriers were impacted by a breach at Vertafore, which provides software to insurance companies.

 First Federal Community Bank, Bank of Swainsboro, First Bank & Trust, Rio Bank (2020): ABS, a bank software provider, exposed PII for the banks' customers.

 Hotels.com and Expedia (2020): Channel manager vendor, Prestige Software, was breached, exposing names, credit card information, and reservation details.

 Australian Stock Exchange (2020): An undisclosed amount of protected data was exfiltrated from the media-monitoring vendor Isentia.

 Google (2020): A law firm, Fragomen, Del Rey, Bernsen & Loewy, exposed information that Google used for the I-9 process (i.e., proof of eligibility to work in the United States).

 City of Odessa (2020): Click2Gov, a frequently breached vendor, leaked details on how Odessa residents paid their utility bills.

 Tribune Media and Times Media Group (2020): Marketing company View Media was breached, exposing information about 38 million U.S. residents.

 Buffalo, NY, area hospitals; FeedMore; and Phipps Conservatory (2020): Blackbaud, a data management vendor, exposed names, medical service numbers, dates of patient services, and donor lists.

 Rochester YMCA (2020): An undisclosed software vendor was breached for the names, addresses, and gift history of donors.

 SEI Investments (2020): MJ Brunner, a third‐party software provider to SEI Investments, was breached, affecting customers at dozens of investment banks.

 Bank of America (2020): Through an unnamed third-party merchant, Paycheck Protection Program (PPP) application details, including business owners' Social Security numbers (SSNs), emails, addresses, and more, were exposed.

 Citrix (2020): Citrix customer data held by an undisclosed vendor was exposed and offered for sale on the Dark Web.

 Marriott (2020): A Russian franchise operator was the reason for the second breach at this hotel chain in just two years. This time over 5 million records were compromised.

 T-Mobile (2020): An email vendor's breach exposed thousands of customer names, addresses, phone numbers, emails, rate plans, and more. This is the second third-party breach in this list for T-Mobile, after the 2015 Experian incident.

 Radio.com (2020): Its cloud-hosting provider misconfigured its instance, leaving customers' PII publicly accessible.

 Chubb (2020): A third‐party service provider released internal sensitive data about Chubb.

 General Electric (2020): Canon Business Process Services, which GE used for document processing, was breached, exposing sensitive information on past and current GE employees.

 Amazon, eBay, Shopify, Stripe, PayPal (2020): A third‐party application breach was the reason for the release of over 8 million records on sales information, customer names, emails, mailing addresses, and credit card information including the last four digits of account numbers.

 SpaceX, Tesla, Boeing, Lockheed Martin (2020): Visser Precision, a parts manufacturer, was hit by ransomware that exposed partial schematics for a missile antenna and other restricted internal data.

 Carson City (2020): Click2Gov caused the release of residents' names, addresses, email, debit/credit cards, card security codes (CVV), and bank account and routing numbers.

 Idaho Central Credit Union (2020): A mortgage portal provider was hacked, releasing customer banking information.

 Nedbank (2020): Nearly 2 million customer PII records were released by Computer Facilities (Pty) Ltd., a marketing and promotional firm.

 Mitsubishi (2020): A large amount of internal restricted data was exfiltrated via an undisclosed vendor in China.

 P&N Bank (2020): A third-party customer relationship management (CRM) hosting company exposed nearly 100,000 customer records.

 Ubiquiti Inc (2021): This maker of networking and Internet of Things devices exposed an undisclosed number of customer names, email addresses, passwords, addresses, and phone numbers in an incident it attributed to a third-party cloud provider.

 Bonobos (2021): This men's clothing retailer had the data for over 7 million customers (addresses, phone numbers, account info, partial credit card information) stolen from its cloud data provider.

 US Cellular (2021): The fourth largest wireless carrier in the U.S. had the private data of almost 5 million customers exposed through its CRM software.

According to a Ponemon Institute survey in 2019, 60 percent of the companies surveyed admitted to not performing adequate cybersecurity vetting of their third parties. Thirty-three percent replied that they had no cybersecurity vetting process or only an ad hoc one. Fifty-nine percent admitted to having been affected by a third-party breach in the previous year. In the same survey, the companies reported sharing data with, and therefore needing protection from, an average of 588 third parties. Taken together, these numbers mean that over half the companies admitted to not performing cybersecurity due diligence on nearly 600 third parties each. Note that these statistics are from before the COVID-19 pandemic. After the pandemic began, cyberattacks increased by over 800 percent, according to the FBI as of May 2020. Before the pandemic the problem was already pronounced, with well-known breaches such as Capital One and Home Depot in addition to those listed above. The lack of due diligence and of programs to review the cybersecurity of third parties at so many firms led to an explosion of breaches. And because everyone is someone else's third party (every company sells to someone and uses vendors to assist in that effort), the problem was magnified to a boiling point.
