Can you afford a third-party data breach?

August 27, 2020

The past few years have been filled with third-party data breaches, cyberattacks, and unauthorized access. With all of these cyberattacks happening, it seems like there's a new company making headlines for it each and every day. Let's take a look at some third-party data breaches that broke headlines around the world.

Top third-party data breaches

In 2017, Select Restaurants left customers’ sensitive information – including name, card number, expiration date, and CVV– on the table. The company, which manages 12 seafood restaurants across the US, was alerted to the hack by their point of sale (POS) vendor. Further investigation showed a data breach across all the restaurant locations, stemming from a third-party network intrusion. According to Upserve's comprehensive list of compromised restaurants, cyberattacks on vendors and POS systems are quite common in the restaurant industry because these systems aren't as secure as they could, or should, be. In early 2018, an unnamed utility company was fined $2.7 million for leaving 30,000 records about its information security assets exposed online for 70 days back in 2016. Months later, it was released that this company was Pacific Gas & Electric Company (PG&E). According to Data Breach Today, this breach happened after a third-party vendor had improperly copied data from the utility network to their own network. In June 2019, both LabCorp and Quest Diagnostics experienced third-party data breaches that exposed 7.7 million and 11.9 million records, respectively. Included in the third-party data breach were names, date of birth, address, phone number, date of service, and more, according to TechCrunch, and ranged from August 2018 until March 2019. Both data breaches were caused by a hacker that gained access to American Medical Collection Agency's (AMCA) system, which is a third-party vendor that the two companies have in common. 2020 was also a wild year in terms of life in general. From the Coronavirus pandemic, to killer hornets, to sports being played in a bubble-- it might seem like third-party data breaches have taken the backseat. That, sadly, isn't the case. Though we're all feeling fatigued when it comes to headlines and continued news, hackers aren't going to sit back and wait for a more convenient time to steal data. The bar exam (the test that you have to take in order to become a lawyer) has crashed and also been hacked, people are worried about voting in elections, and you've probably received a couple of letters in the mail about a data breach that happened-- but don't worry, they're offering you free credit monitoring. Usually, that move is too little, too late.

Is your organization next in line for a third-party data breach?

These events highlight the multitude of third-party data breaches that occur every day, which leads us to ask this question– how secure is your data, especially when it comes to your third-party vendor access? Have you considered the consequences of becoming susceptible to a third-party data breach or ransomware attack? Data breaches that stem from third parties, vendors, or contractors are on the rise. In fact, the increase in third-party data breaches is due to the industrialization of the cybercriminal ecosystem and innovations such as ransomware, which makes cybercrime much more profitable and easier to carry out. Plus, the tools used for remote access, like virtual private networks (VPNs), aren’t properly secured to keep your network (and your company) safe from bad actors. The biggest issue with any data breach is that it doesn't just affect your company monetarily. You have to also consider the other risks, like:

  • Reputation risks: Can you keep yourself afloat if you've essentially told customers you don't know how to protect their data?
  • Compliance issues: It's fun when you're in compliance, but a data breach of any sort will get you some hefty fines from any mandate.

How to secure your data from third-party data breaches

A lot of companies focus their efforts on ensuring that their internal employees are educated and understand the importance of not clicking on links in emails, changing passwords every 90 days, and not sharing passwords. But, when we don't consider the same education and importance for external users that have network access, we leave ourselves open to the possibility that a bad actor uses that as a way to get into your network. And this isn't hypothetical. It happens, and it happens a lot. Let's look at three ways you can keep your data secure from third-party data breaches:

  • Evaluate your vendors: Just one unregulated third-party could allow a hacker access to your entire network. It is important to be selective when choosing your vendors. Take these steps when reviewing your vendors' likelihood of experiencing a third-party data breach:
  • Determine what data each of your third-party vendors needs access to.
  • Confirm that the internal assessments and controls of your vendors align with your organization’s assessments and controls.
  • Confirm that your vendors have strong security policies and procedures in place to ensure your company is in compliance with the latest regulatory requirements.
  • Enforce strong reporting and auditing: To ensure visibility of your vendors’ actions, regular security audits and in-depth report logs are imperative. It is important to monitor the "who/what/when/where" of every individual accessing your network. By monitoring and tracking all movements on your network, you’ll be able to detect vulnerabilities and weaknesses immediately – and address them swiftly.
  • Ensure powerful controls: By analyzing your third-party vendors’ security protocols, you can make sure your company’s security requirements are being met. Ensuring you have granular levels of control over the degree of access you grant each of your vendors – and what data specific individuals can see on your network – will help keep your data secure. Gaining complete control of your vendors’ access will minimize your exposure to third-party data breaches.

Without clear visibility into remote networks and third-party systems, it can be hard to know if a current or potential vendor may be compromised or vulnerable to a third-party data breach. You need to be able to identify possible red flags so you can take steps to protect your network from cyberattacks and other threats to your data. Interested to learn more about how to keep your data, your company, and your reputation safe from third-party data breaches? Download our helpful and interactive checklist that highlights the top ways to identify a vulnerable vendor.