Businesses Skating on Thin Ice Using Third-Party Services

Every year businesses lose millions of dollars in data breach incidents. A survey by the Ponemon Institute revealed a 3% increase in third-party data breaches in 2018, with 59% of companies experiencing a breach caused by a third party that year. More than 7.9 billion records were exposed in the first nine months of 2019, a figure that was expected to reach 8.3 billion by year end, and the number of data breaches was up 33.3% over 2018.

Data breaches are often the result of hacking, malware attacks, social engineering attacks and the misuse of data by authorized users, and they frequently involve third-party services. The concept of a third party is quite broad: it includes every entity with which the business directly interacts or works. For instance, email providers, verification service providers, vendors, data management companies, subsidiaries, web hosting companies, law firms and any other organization whose employees have access to the company’s data or systems are considered third parties.

Third-party cyber risk isn’t limited to these entities. Any external software or hardware used by the organization poses the same kind of risk of security breaches and cyberattacks. With the increasing rate of data breach attacks, it feels as if a new business or organization falls victim every day.

Data Breaches: A Snapshot

Every year companies lose customer data in third-party data breaches, and that number is increasing. Back in 2017, Select Restaurants, which had 12 different seafood restaurants across the U.S., was hacked through its point of sale (POS) vendor. The breach exposed customers’ sensitive financial data, including names, card numbers, CVVs and card expiration dates. Upon further investigation, a third-party network intrusion was found to be the cause of the breach.

In the first quarter of 2018, the utility company Pacific Gas & Electric Company (PG&E) was fined $2.7 million for exposing 30,000 records about its information security assets online for more than two months in 2016. According to a report, the breach occurred because a third party improperly copied data from the utility’s network to its own network.

In 2019, Quest Diagnostics and LabCorp both reported third-party data breaches, exposing 11.9 million and 7.7 million records, respectively. The exposed records revealed consumers’ critical information, including name, address, date of birth, phone number and much more. Both breaches were caused by hackers who accessed the systems of the American Medical Collection Agency (AMCA), a third-party vendor shared by both companies. In fact, Quest Diagnostics fell victim to a data breach twice in the same year.

Also in 2019, Capital One suffered a third-party data breach, exposing about 100 million records of Americans containing names, dates of birth, phone numbers, addresses, emails and self-reported incomes. The reported cause was a configuration vulnerability in the servers of the vendor, a cloud computing company, that hosted the bank’s data.

Third-Party Data Breaches: A New Normal for Hackers

Data breaches are often the direct work of hackers. Cybercriminals steal and exploit the personal data stored by organizations. Data breaches threaten every company regardless of its size; what matters is the amount of personally identifiable information (PII) it stores. In 2018, Marriott International was breached, exposing the information of hundreds of millions of guests.

Marriott was targeted by hackers because it held a large, valuable store of PII. Now hackers are changing their strategies and executing smarter tactics that aim for more payoffs, even if each one is smaller. This new strategy leads to targeting vendors for third-party data breaches: instead of going after one giant organization, hackers target vendors that work with multiple companies in order to gather larger amounts of personally identifiable information.

Third-party vendors such as payment gateways, web plugins, email servers and others generally serve multiple industries at a time. Compromising such a vendor is even more profitable for hackers, since by defeating the third party’s security measures they gain access to PII from a number of companies at once. This trend flourished in 2018, when 4.8 billion records were exposed through third-party breaches, four times more than in 2017.

Data Breach Prevention

Third-party data breaches are a major concern for companies, since they not only damage brand reputation but also bring hefty fines from regulatory authorities. According to Cybersecurity Ventures, cybercrime is estimated to cost the world $6 trillion annually by 2021. Given the increasing trend of cybercrime and data breaches, companies need to put real effort into managing their vendor security.

Businesses need adequate measures and efficient security practices to ensure data safety. GDPR serves as a baseline for businesses developing such measures and updating their data governance policies over time. It is essential for companies to set encryption standards and permissions on consumers’ files and to swiftly remove any stale data in order to comply with data privacy legislation.
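The permissions and stale-data points above are the kind of thing a small, repeatable audit can enforce. The following is an added example, not code from the article or from Shufti Pro: it walks a directory of customer files, flags files that other local users can read or modify, flags files untouched for longer than an assumed 365-day retention window, and can optionally tighten permissions to owner-only and delete the stale files. The directory layout, the retention period and the sample files are all constructed for the example, and the permission checks assume a POSIX file system.

```python
"""Added example: retention and permissions audit for a tree of customer files.

Everything here is constructed for illustration; the retention window,
file names and permission policy are assumptions, not the article's own.
"""
from __future__ import annotations

import os
import stat
import tempfile
import time
from dataclasses import dataclass
from pathlib import Path
from typing import List, Optional, Tuple

RETENTION_DAYS = 365          # assumed policy: purge files untouched for a year
OWNER_ONLY = 0o600            # assumed target mode for files holding PII
SECONDS_PER_DAY = 86400


@dataclass(frozen=True)
class Finding:
    path: str
    issue: str  # "stale", "world-readable", "world-writable" or "group-writable"


def permission_issues(mode: int) -> List[str]:
    """Return the ways a POSIX mode exposes a file to users other than its owner."""
    issues = []
    if mode & stat.S_IROTH:
        issues.append("world-readable")
    if mode & stat.S_IWOTH:
        issues.append("world-writable")
    if mode & stat.S_IWGRP:
        issues.append("group-writable")
    return issues


def audit(root: Path, now: Optional[float] = None, retention_days: int = RETENTION_DAYS,
          purge: bool = False, fix_permissions: bool = False) -> List[Finding]:
    """Walk `root`, report permission and retention findings, optionally remediate.

    Remediation is opt-in so the function can be run read-only first and the
    report reviewed before anything is changed or deleted.
    """
    now = time.time() if now is None else now
    cutoff = now - retention_days * SECONDS_PER_DAY
    findings: List[Finding] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        st = path.lstat()
        for issue in permission_issues(st.st_mode):
            findings.append(Finding(str(path), issue))
        if fix_permissions:
            os.chmod(path, OWNER_ONLY)
        if st.st_mtime < cutoff:                     # no access within retention window
            findings.append(Finding(str(path), "stale"))
            if purge:
                path.unlink()
    return findings


def build_sample_tree(root: Path, now: float) -> None:
    """Constructed fixture: four files with different modes and ages, no real data."""
    recent = now - 5 * SECONDS_PER_DAY
    old = now - 400 * SECONDS_PER_DAY
    samples = [
        ("customer_a.json", 0o600, recent),   # compliant
        ("customer_b.json", 0o644, recent),   # readable by every local user
        ("export_2018.csv", 0o600, old),      # past the retention window
        ("shared_notes.txt", 0o664, old),     # group-writable, world-readable and stale
    ]
    for name, mode, mtime in samples:
        p = root / name
        p.write_text("{}")
        os.chmod(p, mode)
        os.utime(p, (mtime, mtime))


def run_demo(purge: bool = False, fix_permissions: bool = False
             ) -> Tuple[List[Tuple[str, str]], List[str], List[Tuple[str, str]]]:
    """Build the fixture in a temp dir, audit it, and re-audit after remediation.

    Returns (initial findings, files left on disk, findings on the re-audit),
    with paths reduced to file names so the result is stable across machines.
    """
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root, now)
        first = audit(root, now=now, purge=purge, fix_permissions=fix_permissions)
        recheck = audit(root, now=now)
        remaining = sorted(p.name for p in root.iterdir())
    to_names = lambda fs: sorted((Path(f.path).name, f.issue) for f in fs)
    return to_names(first), remaining, to_names(recheck)


if __name__ == "__main__":
    findings, remaining, recheck = run_demo(purge=True, fix_permissions=True)
    for name, issue in findings:
        print(f"{issue:15s} {name}")
    print("remaining after purge:", remaining)
    print("findings on re-audit:", recheck)
```

Run it once without `purge` or `fix_permissions` to get a read-only report, then with both flags to remediate; the re-audit returned by `run_demo` should come back empty once permissions are tightened and stale files are gone.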

In addition, risk assessment is crucial for organizations to know where their vulnerabilities lie and what they can do to prevent hackers and cybercriminals from abusing their data. The data breach response plan must be reviewed regularly so that the organization can respond proactively when a breach occurs. One factor that makes third-party data breaches especially serious is that they can remain undetected for a long time, since vendors do not always inform the companies they serve. Therefore, putting a third-party data breach policy in place is important for companies.

James Efron

James Efron is a tech enthusiast, currently serving as infosecurity management expert at Shufti Pro. In previous roles, he has designed organisational strategies for tech firms. He indulges in advanced technologies, including AI and big data, often extending a hand to firms experiencing digital transformation.
