Lessons learned from notable third-party data breaches of 2021

Jan. 27, 2022
A new year leads to new challenges, but organizations should refer to history to help mitigate risk

According to Kaspersky, third-party incidents were the most costly enterprise data breaches in 2021, and with good reason. In third-party breaches, attackers gain access to sensitive enterprise data via often less-secure vendors, business partners or suppliers. Such breaches can be disastrous for organizations, resulting in regulatory fines, lawsuits, loss of business and customer trust.

Whether it’s because organizations don’t perform the necessary risk assessments or are simply unaware of the dangers their vendors and suppliers can pose to their organization, many companies are clearly ill-prepared for such attacks. As a result, we have witnessed some of the most damaging third-party security breaches in history, and it doesn’t appear that we’ve seen the last of them. Here are just a few.

Accellion

When cybercriminals exploited unpatched vulnerabilities in Accellion’s File Transfer Appliance—used to move large, sensitive files within the network—they gained access to private data including Social Security numbers and banking information. The attack was first reported in late December 2020; however, more victims emerged throughout 2021. Organizations affected included the Reserve Bank of New Zealand, Kroger, University of Colorado, Qualys, Morgan Stanley and more. As a result, Accellion has been hit with multiple lawsuits due to the mishandling of data.

Lesson learned: When it comes to third-party breaches, the damage can continue to reverberate for a long time. In fact, it’s likely that we still have not seen the last of the Accellion victims.

Audi and Volkswagen

In March, Volkswagen Group of America, Inc. revealed that its vendor had left unsecured data on the internet between August 2019 and May 2021, which was accessed by an unauthorized party. Over three million customers were affected by this breach, 97% of whom were Audi customers and potential buyers. The data exposed information ranging from names, email addresses and phone numbers to Social Security and loan numbers.

Lesson learned: Widespread use of the cloud for data storage necessitates having systems in place to check vendors' data and storage practices, among other security best practices.

ClickStudios

ClickStudios’ password manager “PasswordState” fell victim to a data breach in April, when attackers exploited an app update mechanism to expose customer passwords through malware. The password manager, which is used by over 370,000 IT professionals, was vulnerable for a period of 28 hours. The company advised all customers to reset their passwords in the database to minimize damage.

Lesson learned: Many companies don’t realize that password managers are third-party suppliers and should therefore be treated as high risk. This cyber incident serves as a reminder that organizations must fully understand the level of risk posed by their third-party service providers and have ongoing visibility, insight and control of third-party security risk.

Cancer Centers of Southwest Oklahoma

The center’s third-party cloud-based storage provider, Elekta, was the victim of a data breach in April 2021. During the attack, unauthorized personnel accessed the protected health information of 8,000 oncology patients that included names, Social Security numbers, and details about medical diagnoses and treatments.

Lesson learned: Even oncology patients are not immune to cyberattacks. Unfortunately, every industry is a vulnerable target.

Codecov

Though this supply chain attack occurred at the end of January 2021, DevOps tool provider Codecov did not detect it until the end of April. In this attack, hackers obtained credentials to hide a line of malicious code on Codecov’s Bash Uploader script. According to reports, two-factor authentication was not required to upload the scripts. The result was that each time a developer downloaded the script, the malicious software ran on the customer organization's test machines, allowing attackers access to credentials and sensitive data.

Lesson learned: While there currently is no way to completely prevent software supply chain attacks like this one, there are still steps that organizations can take to protect themselves, including implementing MFA and performing code signature checks.

Kaseya

This attack occurred in July when the REvil ransomware gang exploited a vulnerability in Kaseya’s VSA remote monitoring and management software platform. Kaseya is used by managed service providers (MSPs) and managed security services providers (MSSPs), and thus was a fourth party of many customers—many of whom were not even aware of this. Both on-prem and cloud SaaS servers were shut down as a precautionary measure, and as many as 1,500 companies worldwide were affected. The gang demanded $70 million in bitcoin for the decryption keys, but most companies did not have to pay the ransom, as their backup had not been deleted.

Lesson learned: This incident caused a complete shutdown of businesses, underscoring the damage that could result from such attacks. Moreover, it underscored the importance of checking the security of all downstream supply chain partners. 

Voicecenter

Voicecenter, a call center service company, was attacked by cybercriminals who gained access through a server. The Deus hacker group claimed responsibility for this ransomware attack in which they threatened to release data concerning 8,000 companies that work with Voicenter. While foreign hackers demanded $1.5 million, evidence seems to indicate that it wasn’t just about money, but there were also international motivations for conducting the attack.

Lesson learned: Keep in mind that service providers provide a wealth of data that can be used and sold for high profit, making them a prime target for cybercriminals.

Preparing for and responding to third-party breaches

In order to work with third parties, it is imperative for organizations in every industry and of every size to have a clear picture of a vendor’s security posture. At the same time, companies must prepare to respond to a third-party cyberattack by evaluating risks, securing third-party interactions and implementing a program to quickly get back online.

In particular, companies must:

●    Assess vendors before onboarding. Perform a comprehensive security assessment before working with a third party.

●     Train employees. Human error is one of the greatest causes of third-party breaches, as attackers often succeed with simple phishing links or stolen credentials. Good security awareness training is one of the most effective deterrents.

●     Document vendors. Keep clear and detailed third-party records for a full, easily accessible overview of a company’s suppliers that will also help track supplier cyber posture and ensure regulatory compliance. 

●     Continuously monitor. Select a monitoring solution to keep informed of any change in vendors’ security posture. With the threat landscape constantly evolving and the introduction of new software and technologies, organizations are more vulnerable to attack.

About the author: Demi Ben-Ari is the Co-Founder and CTO of Panorays. He is a Software engineer, entrepreneur and international tech speaker. He has more than 10 years of experience in building various systems both from the field of near real-time applications and Big Data distributed systems.