Third-Party Breaches Of 2015: What We Learned Over The Year

2015 has been fantastic for some companies—but for those who dealt with a third-party breach or cybersecurity issue, it was likely more difficult. If this happened to your firm in 2015, you’re not alone. Consider these four large incidents:

The T-Mobile & Experian breach. Experian—a consumer credit monitoring firm—was breached, exposing personally identifiable information of over 15 million T-Mobile customers. This included “names, addresses, birth dates, Social Security numbers, driver's license numbers and passport numbers,” according to T-Mobile CEO John Legere.

The PR Newswire breach. In March of this year, hackers were able to break into PR Newswire, one of the world’s preeminent press release distribution services, and harvest customer usernames and passwords. According to Brian Krebs from Krebs On Security, the “stolen data was found on the same Internet servers that housed huge troves of source code recently stolen from Adobe Systems, Inc.,” which suggests the same hackers are to blame.

The Samsung breach. LoopPay (a digital wallet company) was breached a month after its acquisition from tech-giant Samsung. This Fortune article posits that the hackers may have been looking for LoopPay intellectual property, which “enables Samsung Pay to be compatible with older point-of-sale terminals by mimicking the magnetic strips on payment cards."

The CVS photo breach. Pharmacy chain CVS was breached earlier this year. The company had to take the online photo center—the source of the breach—offline for a time, and warn customers that their credit card data may have been compromised.

But instead of dwelling on the past, let’s highlight what these breaches have taught us. So without further ado, here are our four primary takeaways.

What Did We Learn?

1) Third-party security incidents are happening with increasing frequency.

When the massive Target breach happened in February 2014, no one could believe it was due to a third party—let alone a small HVAC company! But as the months and years pass, those in the cybersecurity industry have realized that this will continue to be a common threat vector.


security ratings snapshot example

Request your free Security Rating Snapshot to find the gaps in your security program and how you compare to others in your industry.

Get Your Rating
Button Arrow
2) The damage has become significant.

In the PR Newswire hack, 32 criminals were able to steal corporate documentation and make illegal trades, which brought them over $100 million in profit. We recently learned that Goldman Sachs and several other large financial institutions have decided to release their earnings via Twitter instead of using a third-party news source because of these kinds of security issues. It’s clear that third-party breaches are causing more-than-surface-level financial and reputational damages—they’re also hurting and ending client relationships.

3) Regulators have become much more interested in third-party breaches and cybersecurity issues.

In 2015, we’ve started seeing increased attention and focus by state and federal regulators on third-party risk and supply chain risk management. This will likely affect nearly all regulated industries, from the financial sector, to retail, to energy, and beyond. In an effort to educate businesses on security best practices and importance, the Federal Trade Commission (FTC) recently unveiled a campaign titled Start With Security. In an effort to protect consumer privacy, we’re expecting to see more regulations soon.

See Also: Regulators Continue To Emphasize Third Party Cyber Risk Management

4) The roles of senior executives and board members are becoming more important with respect to vendor risk management.

Evidence of this can be found in the T-Mobile/Experian breach. Following the breach, T-Mobile’s CEO made many negative statements about Experian and expressed that he was “extremely angry” about Experian's role in the breach of T-Mobile customers' data. We’re still waiting to see the extent of the impact of that breach on the T-Mobile/Experian relationship, but based on the way T-Mobile’s CEO has been talking, it seems that changes lie ahead.

One implication from his involvement in this matter is that cybersecurity and vendor risk management are topics that have made their way into executive-level conversations. Senior executives and board members have become more attentive to cybersecurity over the past few years, but with an increased number of third-party breaches, they’re also more attuned to managing their security expectations with vendors.

A Final Note

One final thing we know is that third-party breaches are going to keep happening.

Organizations are going to have to build better vendor risk management programs—in part because of the new risk outlook, but also because of regulatory requirements. As organizations develop their vendor risk management programs to handle future threats, they will need to look toward automation. And to effectively monitor and guard against continuous threats, their automated programs must have continuous monitoring capabilities.

As we’ve said before, the limitations of questionnaire-based approaches are numerous, and in today’s threat landscape, offering a “snapshot in time” simply isn’t effective.