Find out how security leaders are assessing their exposure and reviewing their supply chain risk management programs.
Third-party vendors are critical to your business – but they also introduce cyber risk. Indeed, supply chain attacks are now the preferred method used by threat actors, and 62% of network intrusions originate with a third party – often someone in your software supply chain.
The alarming aspect of a third-party data breach is the sheer scale of impact. Hackers have the potential to attack thousands of organizations in one fell swoop. According to a study by KPMG, 73% of organizations have experienced at least one significant disruption from a third-party cyber incident within the last three years.
Managing third-party cyber risk can be complex, but neglecting it poses substantial risks.
Let’s look at six of the biggest third-party data breaches in recent years, how they happened, and their impact. We’ll also offer a step-based approach for maturing your third-party risk management (TPRM) program.
In December 2020, SolarWinds (a provider of network and system monitoring software) confirmed that its network had been penetrated by a malicious actor and that a complex malware program had been inserted into software updates of its technology platform – SolarWinds Orion®. The program comprised a multistage process, scanning downstream customer networks to detect security tools it could avoid or disable, and stealthily connecting to the attacker’s command-and-control servers. The malware persisted for months before initial detection.
Because SolarWinds owned “the keys to the kingdom” for many organizations, it was an ideal target for disseminating an attack. Even organizations that did not use SolarWinds products were exposed to risk due to the prevalence of the company’s solutions within the supply chain. It’s estimated that 18,000 customers (including government agencies and 14% of the Fortune 1000) were impacted.
The financial fallout was also significant. Incident response and forensic services cost companies 11% of their annual revenue (an average of $12 million). Moreover, BitSight’s analysis quantified the insured losses from the attack at $90,000,000. The breach also set the stage for other supply chain attacks.
In July 2021, Kaseya (a provider of remote management monitoring tools) warned that its software had been exploited to deploy ransomware on end customers’ systems. Kaseya is widely used and, as with SolarWinds, presented a significant opportunity for hackers to compromise multiple targets with ransomware. Because many of Kaseya’s clients are managed service providers (MSPs), it’s likely that smaller companies will also have been inadvertently compromised.
Because most security tools implicitly trust anything signed by Microsoft, the tech giant is a frequent target of cyber attacks, and many of these exploit the interconnected supply chain.
In March 2021, a series of breaches, known as the HAFNIUM attacks, compromised the on-premises Microsoft Exchange Servers of 30,000 global organizations. The attacks allowed hackers to access employee email accounts and install malware to facilitate long-term access.
Further demonstrating the surge in software supply chain hacks, just months later, 38 million records were exposed due to a vulnerability in Microsoft Power Apps (a popular low-code business intelligence tool). Perpetrators gained access to COVID-19 testing, tracing, and vaccination records, as well as employee information for major organizations using the tool, such as Ford Motor Company, American Airlines, and the New York Metropolitan Transportation Authority.
According to McKinsey, an auto manufacturer has around 250 tier-one suppliers, but the number proliferates to 18,000 across the full value chain – making these companies highly vulnerable to a third-party data breach.
For example, in March 2022, Toyota suspended production at 14 manufacturing plants in Japan after a supplier of plastic parts – Kojima Industries – was hit by a cyber attack. Toyota subsequently suspended operations of “all 28 lines at 14 domestic plants,” according to a company statement. The impacted output accounted for a third of global Toyota production.
Per McKinsey, even a short disruption of 30 days or fewer can put three to five percent of EBITDA margin at stake.
In December 2022, ride hailing giant Uber experienced a third-party data breach as a result of a compromised vendor. Teqtivity, which helps Uber track, monitor, and manage IT assets, confirmed that a hacker breached its systems and gained access to email addresses and other information pertaining to more than 77,000 Uber employees.
The hack follows a similar incident targeting DoorDash, where bad actors leveraged a connected vendor’s stolen credentials to access the food delivery giant’s internal systems and breach customer information, including credit card details.
6. U.S. School Districts
School districts are a lucrative target for hackers due to the volume of PII on their networks and limited security resources. Moreover, as EdTech tools gain traction, software supply chains have become a favored attack vector.
For example, a 2022 attack on Illuminate Education, a leading provider of student-tracking software, resulted in data breaches at the nation’s two largest school systems – New York City Public Schools and Los Angeles Unified School District – and countless more. The same year, 495,000 student records at Chicago Public Schools were exposed as a result of an attack on a third-party provider.
Mitigating third-party risk is critical (yet undervalued)
These and other third-party data breaches demonstrate the importance of managing third-party risks.
Yet, the KPMG study found that 61% of businesses underestimate the importance of TPRM. They also struggle to maintain a fit-for-purpose operating model, citing two key reasons:
- Technology investments fail to provide visibility into third-party risk.
- The challenge of limited resources makes it hard to understand and mitigate third-party risk at scale – across hundreds, if not thousands, of vendors.
Indeed, most businesses accept that it was luck, not their TPRM programs, that helped them avoid a major third-party data breach in the past few years.
How BitSight can help
As your vendor portfolio grows (most businesses work with an average of 1,000 suppliers), you need a way to scale your TPRM program while reducing the burden on security and risk management teams.
Below are some must-haves that can help you do this, regardless of the maturity of your TPRM program:
- Tier vendors or suppliers: It is not necessary to analyze each vendor in the same depth. Given limited time and resources, pay attention to those third parties that a) provide the most critical services, and b) have access to systems and sensitive data. Our tier recommender service can aid in grouping your vendors based on their risk and criticality to your business. As your TPRM program matures, you can expand its scope to cover a broader range of third parties and additional risk areas.
- Set vendor risk tolerance thresholds: BitSight’s data insights make it easy to establish an acceptable risk threshold a supplier must achieve to be considered a potential partner – and then measure them against it.
- Continuously and automatically monitor the security postures of third parties: With BitSight for TPRM, you’ll get dashboard views into the cyber health of each supplier (during due diligence and over the lifetime of the contract) and automatic alerts the moment risk is discovered.
- Collaborate with partners to reduce risk and exposure: To ensure rapid triage, share BitSight’s findings with your vendors so they can view hidden risk in their networks.
- Extend cyber risk insights to fourth parties: Because risk can quickly cascade across the supply chain, use BitSight for Fourth-Party Risk Management for an unprecedented view into security vulnerabilities across your entire vendor ecosystem.
- Unify vendor data and assessments: Organize vendor security and risk management data in a unified tool. For instance, BitSight Vendor Risk Management (VRM) spans all aspects of VRM with one fully integrated solution. You can make informed decisions about where to prioritize resources without needing to jump between disparate tools.
These best practices don't have to be standalone. You can automate third-party assessment, validation, vulnerability detection, and reporting at scale with an end-to-end TPRM solution that integrates with your existing vendor risk management tools, so you always stay on top of threats.