How can a third-party breach affect your organisation?
Updated: May 8
In our latest blog post, VISO's Information Security Officer, Rachel Hanlon, explores the significance of third-party breaches for sensitive data and how they can affect your business and its regulatory compliance.
A third-party breach can have significant implications for your organisation, especially if the third party involved has access to your sensitive data. A third-party breach can affect your organisation in many ways, including data exposure, legal liability, operational disruption, regulatory non-compliance and reputational damage. This article highlights examples of some major breaches caused by third-party suppliers to illustrate just how easily an attacker can use a supplier's access to infiltrate your organisation.
The Kaseya third-party breach was a ransomware attack that affected multiple organisations around the world. Kaseya is a software company that provides IT management solutions to managed service providers (MSPs), which in turn use the software to manage the IT systems of their own customers. An affiliate of a top Russian-speaking ransomware gang known as REvil used two gaping flaws in software from Florida-based Kaseya to break into about 50 MSPs that used its products.
The attack began with a zero-day vulnerability in the Kaseya VSA software, which allowed the attackers to bypass authentication and gain access to the software. The attackers then deployed ransomware, known as REvil or Sodinokibi, to encrypt the data of Kaseya's customers and demand a ransom for its release.
The Kaseya breach is believed to have affected hundreds of organisations, including several managed service providers and their customers. The attack caused widespread disruption, with some businesses forced to shut down operations temporarily.
Kaseya responded to the breach by immediately shutting down its VSA servers and releasing a patch to address the vulnerability. The company also worked with law enforcement agencies and cybersecurity experts to investigate the attack and mitigate its impact.
The SolarWinds breach, also known as the SolarWinds supply chain attack, was a significant cyberattack. It targeted several US government agencies and private companies, including FireEye, a cybersecurity firm.
The attack was carried out by a sophisticated threat actor, believed to be a state-sponsored group, who gained access to SolarWinds' software development environment. The attackers were then able to inject malicious code into SolarWinds' Orion software, a network management tool used by many government agencies and private companies.
When SolarWinds' customers updated their Orion software, they unknowingly installed the malicious code, which allowed the attackers to gain access to the customers' networks. The attackers were able to move laterally within these networks, steal data, and potentially install additional malware.
The breach was discovered by FireEye, a cybersecurity firm that was also a victim of the attack.
FireEye alerted the US government, and an investigation was launched. The fallout from the SolarWinds breach has been significant. Several US government agencies, including the Department of Defense, the Treasury Department, and the Department of Homeland Security, were compromised in the attack. Private companies, including Microsoft, were also affected. The total number of organisations impacted by the breach is still being investigated, but it is believed to be in the thousands.
Target's network was compromised when cybercriminals gained access through a third-party vendor that had access to Target's systems. The attackers installed malware (ZeuS) on Target's point-of-sale (POS) systems, which allowed them to capture customer data such as credit card numbers, names, addresses, and other sensitive information. The breach went undetected for several weeks, during which time the attackers continued to steal customer data. When Target discovered the breach, they immediately began an investigation. The company eventually confirmed that the breach had occurred and that the personal information of up to 110 million customers had been compromised.
The fallout from the Target data breach was significant. The company faced numerous lawsuits, regulatory investigations, and public outcry. Target's reputation was damaged, and the financial impact of the breach was estimated to be over $200 million (approximately €181,218,141 or £160,666,631).
One of the key lessons learned from the Target breach is the importance of third-party risk management. Target's breach was the result of a vulnerability in a third-party vendor's system, highlighting the need for companies to have strong vendor management programs in place. Additionally, the breach underscored the importance of implementing strong security controls and monitoring systems to detect and respond to breaches quickly.
In February 2022, the manufacturing company Toyota had to shut down all operations in its main production environment after its third-party supplier Kojima suffered a data breach. Kojima had access to all Toyota manufacturing plants, so the shutdown was essential to protect the company's data. This breach reduced the number of cars Toyota produced.
Another example is the Evide hack that occurred only a couple of weeks ago. More details can be found in a blog post by our CEO Stephen Parsons: https://www.viso.ie/post/evide-hack-shows-how-we-must-take-third-party-security-management-more-seriously
To summarise, it is essential to have a robust third-party management programme in place to minimise the risk of third-party breaches, and to have a plan in place to respond swiftly and effectively to a breach if one occurs.
If you need help in this area, VISO can provide advice, guidance and solutions to help you understand your cyber risk. Get in touch to hear more.
VISO are here to help. If you have any questions about cyber security, talk to us in confidence today.