Third-party data breaches can happen at any time to any organization. This type of breach occurs when a vendor (or some other business partner) holding your company’s data suffers a breach, and your data is exposed. According to the Verizon 2022 Data Breach Investigations Report, 62 percent of all data breaches happen via third-party vendors.
Even worse, IBM and the Ponemon Institute report that on average, a company takes 277 days to identify and contain a third-party data breach. Why so long? One reason is that threat actors have become much better at operating in stealth mode once they enter the computer system. Another, more troubling explanation is that some third-party contractors and vendors may attempt to hide a data breach from clients to avoid damaging the partnership.
Regardless, the consequences and cost of recovering from a breach can be detrimental to your business and bottom line. The average cost of a data breach in the United States has been pegged at $9.48 million for 2023. Big targets include healthcare organizations, credit card companies, email service providers, and cloud service providers.
This post will cover examples of common third-party breaches, as well as what to do when a third-party data breach strikes your organization.
Examples of Third-Party Security Breaches
Third-party suppliers, partners, and vendors are prime targets for cybercriminals. Here are a few instances of third-party violations from recent history:
- Customers of Click Studios’ business password manager Passwordstate received a breach notification in 2021 after hackers used the app’s update mechanism to spread malware to users. It was unclear how many of the nearly 370,000 security and IT professionals who use Passwordstate at 29,000 organizations worldwide had been impacted by the incident. Click Studios instructed victimized customers to change every password in the Passwordstate database.
- Toyota, a leading global auto manufacturing company, experienced a third-party data breach in 2022. As a result, the company had to close its manufacturing plant in Japan temporarily to safeguard its data. Additionally, the breach had implications on the operations of other Toyota subsidiaries.
- The Cancer Centers of Southwest Oklahoma’s third-party cloud storage provider, Elekta, identified odd behavior on its network in 2021. It found that 8,000 cancer patients’ sensitive health information was accessed without authorization. As a result, names, Social Security numbers, locations, birthdates, and information about medical diagnoses and treatments were disclosed.
- The Saudi Arabian oil company Saudi Aramco had 1 terabyte of data stolen, which included details about its employees, customers, sites, reports, and project papers. The cybercriminals gave Aramco an ultimatum: pay $50 million to have the data deleted, otherwise it would be offered for sale on the dark web for $5 million. Saudi Aramco claims that a flaw at a third party caused the intrusion.
Common Data Breaches Caused by Third-Party Vendors
Phishing and ransomware attacks have been spiking, especially during the COVID-19 pandemic, when the number of employees working from home soared. Phishing and ransomware are standard cybercrime tools that may lead to the following types of data breaches:
- Unauthorized access via a company email account. General Electric experienced a breach that exposed employees’ personal data such as marriage certificates, passports, driver’s licenses, and tax withholding forms.
- Hacking of a telecommunications provider. Sensitive information of more than 50 million T-Mobile customers was exposed when an unprotected router was accessed.
- Lack of encryption. A vendor for Health Share of Oregon, which coordinates care for Medicaid patients, had an unencrypted laptop stolen, exposing the personal information of more than 650,000 people.
- Unsecure websites and improperly stored log-in information. A website bug allowed access to thousands of passwords and usernames for an Instagram account via the third-party Social Captain.
These breaches are bad enough on their own. Even worse, the sensitive information stolen by cybercriminals was already available for sale on the dark web when they were discovered. From there, even more scams are perpetrated on unsuspecting customers and clients whose phone numbers and addresses have been exposed.
Preventing Third-Party Vendor Data Breaches and Holding Vendors Accountable
Holding third-party vendors accountable can be difficult, especially if you don’t have a third-party security policy or program. Ideally, any third-party vendor should enforce the same strict standards and internal data security controls that your company follows.
So how do organizations best prevent third-party vendor data breaches? It begins with a robust and responsive vendor risk management policy, which can be divided into several action areas.
Consider information security during vendor selection
When selecting a vendor, you must consider how those vendors handle information security. Talk with your vendors early about their security processes; understand how they handle internal security along with your company’s. Only sign contracts with those vendors whose internal security processes align with your own security objectives.
Audit third-party vendors for compliance
An audit is the only way to see what’s really happening with your vendor’s security, so perform those audits whenever necessary (say, with particularly high-risk data you’re entrusting to a vendor). An audit evaluates how the organization executes against its security compliance framework, as well as its performance in previous audits. Look for indicators of compromise and how well the vendor assesses cybersecurity risk.
Require proof of the third-party vendor’s cybersecurity program
Proving the third-party vendor has an information security program is only half the battle over third-party breaches. The third-party vendor should be able to demonstrate that it takes risk management seriously and dedicates resources to its vulnerability management program.
Ask for the most recent results from internal risk assessments, penetration testing, and compliance frameworks. The third-party organization must have a robust risk management program, a supply chain risk mitigation strategy, and plans to remediate a potential data breach.
Ongoing third-party risk monitoring gives you continuous insights into the vendor’s cybersecurity program. Hold quarterly reviews to evaluate your vendor’s performance metrics and security posture.
Set clear policies and expectations for data storage and transfer
Collaboration with third-party vendors often involves sharing or transferring data. Data storage and transfer without a defined policy can expose companies to risks, including unauthorized access, data breaches, and failure to comply with data protection regulations.
By establishing clear guidelines, companies can set boundaries and expectations regarding data storage and transfer. This assures that third-party vendors treat organizational data with the same importance and standards as their data. Defined data storage and transfer policies act as a protective layer, ensuring data integrity at all levels.
Adopt a least-privileged model for data access
Many third-party data breaches have one thing in common: the third party was given more access than necessary to complete its job. Holding third-party service providers to strict least-privileged access management standards will improve your network security significantly.
Least-privileged access is the cornerstone of managing vendor risk. A breach will only do minor damage when the third-party vendor’s access is restricted to the lowest possible access level.
Continuous monitoring for third-party vendors
Third-party vendors play an integral role in your organizational supply chain. They can also introduce multiple risks, including data breaches and compliance violations when not properly monitored. That means evaluating vendors only at the beginning of the business relationship is not enough; you need to monitor your vendors on an ongoing basis.
Continuous monitoring assures that the organization remains informed of any changes in the risk profile of its third-party vendors. It also allows you to take new measures and adapt your compliance strategies accordingly. With ongoing monitoring, organizations can detect potential threats earlier and foster a culture of transparency and accountability with their vendors. That, in turn, strengthens the trust and reliability in the partnership, assuring both parties are aligned in maintaining the highest standards of security and compliance.
Measure fourth-party risk
In addition to third-party vendors, some organizations may also face fourth-party risk — that is, the risk from your vendors’ vendors. Many organizations overlook fourth-party risk essential, but assessing it is critical. Fourth-party relationships include any additional vendors, suppliers, and partners that your third-party vendors depend on. It covers the additional risks businesses are exposed to outside of those initial third-party partnerships.
Organizations often have visibility into their third-party vendors, but not into entities further down the supply chain. To manage this effectively, companies should require transparency from their third-party vendors about the vendors’ own supply chains.
What Do You Do if You Have a Third-Party Data Breach?
Let’s say you just became aware of a data breach at your company. What to do next depends on whether hackers stole information or the information was unintentionally published on the company’s website.
What actions must be taken, and who needs to be contacted if personal information has been exposed?
Secure your operations
Immediately patch any vulnerabilities in your own systems that may have contributed to the incident. Data breaches quickly become worse when there are several of them. Do everything possible to prevent it from happening again.
Secure any locations connected to the incident. If necessary, lock them and change the access codes. Then ask law enforcement and forensics professionals whether it is OK to restart normal activities.
Immediately mobilize the breach response team to stop further data loss. The specific actions to take may vary depending on the type of breach and how your company is set up.
Take down information
Quickly remove any personal information from your website affected by the data breach. Be aware that search engines “cache” or retain information for a while. Get in touch with them to ensure they do not archive personal information that was exposed.
Search for the disclosed data online to check if other websites have saved a copy. If you find something, contact those websites and urge them to take it down.
Interview the individuals who found the breach. Also, talk to anyone else who might be familiar with it. Finally, tell customer care center employees where to send information about the incident.
Alert necessary parties
Notify law enforcement, police, other impacted organizations, and affected individuals if the company has a data breach.
Find out what the company’s legal requirements are. All 50 states, the District of Columbia, Puerto Rico, and the Virgin Islands have laws mandating notice of security breaches involving personal information. Other countries have their own laws too.
Figuring out what to do in the heat of the moment can be overwhelming. Therefore, incident response plans are critical. Comprehensive response plans outline the roles, responsibilities, and activities that need to happen if there is a data leak or security breach.
Overcoming Resistance from Your Third-Party Vendor
Sometimes your third-party vendor may be reluctant to follow best practices, but that vendor is the only choice for the service you need. If that’s the case, vendor risk management comes down to how much risk your organization is willing to accept, and what cybersecurity measures you have in place to prevent the inadequate security of a third-party vendor from hurting your business.
You can convince your vendors about the importance of security standards through education. A third-party vendor may welcome a well-developed risk management plan in addition to security basics such as protecting against malware, ransomware, and phishing. Share information security training webinars and other materials to grow their interest.
No matter how you broach the topic, think “security first” when pursuing a third-party vendor relationship. It will ultimately lead to fewer third-party data breaches.
Improve Your Cybersecurity with ZenGRC
Cybercriminals will continue to attack and exploit businesses and consumers alike. It is important to keep track of the new cyberattacks and risks that pop up daily. ZenGRC is an intuitive, easy-to-use platform that monitors new compliance issues and regulations while you focus on your business.
Managing third-party providers and the risk they bring to your company can be challenging. A third-party risk management program like ZenGRC can streamline the onboarding and vendor risk assessment processes. Additionally, it uses inherent risk analysis to evaluate appropriate supplier controls and conduct supplier due diligence.
Managing third-party risk is essential regardless of the size of your business or the sector you are in. Take action before it’s too late and adopt a risk and compliance system that scales as your business grows, automatically analyzes risks, and identifies potential hazards.
Schedule a demo today and get the advantage of ZenGRC.
Why sign up for the Risk Insiders newsletter?
To stay in the know! Get new blogs, resources, CPE opportunities, industry research & more — direct to your inbox.
