Written by staff writer.
Hackers continue to target third-party vendors to access the personal data of customers and employees. The ongoing breaches highlight the risk associated with third-party vendors and the need to scrutinize their cyber practices.
In March, LinkedIn disclosed a data breach affecting 700 million users when hackers exploited a vulnerability in a third-party software library used by the social media platform.
In August, hackers breached a third-party vendor servicing the London Metropolitan Police and downloaded the names, ranks, photos, vetting levels and pay numbers for officers and staff.
In September, Australian book retailer Dymocks attributed a breach that resulted in the theft of data belonging to 1.2 million customers to the company managing its loyalty program.
Last week, Okta, a San Francisco-based provider of cloud identity and access management solutions, said a breach at the third-party vendor managing the health insurance needs of its employees resulted in the theft of the personal information of 4,961 current and former employees.
“The recently reported breach involving a third-party vendor at Okta once again underscores the critical importance of organizations diligently monitoring their digital supply chain, which is made up of the vendors, suppliers, and other third parties that have network access,” said Lorri Janssen-Anessi, BlueVoyant’s Director of External Cyber Assessments.
Hackers stole the Okta employee data after accessing an eligibility census file maintained by a third-party vendor called Rightway Healthcare.
“The repercussions can extend beyond this initial breach,” said Janssen-Anessi. “The exposed employee information can make them susceptible to targeted phishing and impersonation scams, potentially leading to data or monetary theft. Even worse, these scams might be leveraged to obtain the employees’ credentials, enabling further damage to the company.”
Research in the United States by cloud cybersecurity company Astra suggests that over half of businesses fail to vet their third-party vendors properly. Nearly half of businesses said doing so was complex and time-consuming, and only around one-third of companies had begun automating the vetting process.
While the consequences of third-party breaches can be significant for entities like Okta, Dymocks, and LinkedIn, as well as their affected stakeholders, the attacks can result in massive reputational and financial damage for third-party vendors.
In Australia, Pareto Phone, a third-party vendor that operated call centres on behalf of charities, was breached this year, resulting in the loss of donors’ data. Pareto has since gone out of business. In the United States, Blackbaud Inc., a software provider for the philanthropy, healthcare, and education sectors, was recently ordered to pay USD 49.5 million to settle a claim brought by its clients and their donors after a 2020 breach.
Janssen-Anessi says it is imperative for organizations to comprehensively identify all third-party entities they depend on for their operations, not just those concerning customer data. “Subsequently, they should assess which of these entities have access to sensitive data and whether such access is warranted,” she said. “Continuous monitoring of third-party vendors for vulnerabilities and a proactive approach to remediation should be integral parts of an organization’s cybersecurity strategy.”