In 2024, third-party data breaches continued to grow as a cybersecurity concern for businesses worldwide. These breaches occur when hackers target external vendors, contractors or service providers that handle sensitive data on behalf of companies. The 2024 Verizon DBIR reported that “vulnerability exploitation made up roughly 90% of supply chain interconnection breaches, and supply chain breaches made up 15% of breaches this year, a 68% jump compared with last year.”
Even organizations with strong internal security have been blindsided this year because their trusted partners lacked proper safeguards. The result? Sensitive customer data, financial records, and corporate secrets leaked, leading to financial losses, reputational damage, and legal battles.
So, what exactly went wrong in these major breaches of 2024? Let’s find out.
Third-Party Data Breaches of 2024 (And Their Effect)
In 2024, several significant third-party data breaches occurred, impacting various industries and highlighting vulnerabilities in cybersecurity measures. Even 2023 was filled with third-party data breaches that cost businesses a fortune.
Here is an overview of some of the incidents that happened in 2024, how they occurred, and their effects:
1. Slim CD Payment Processor Breach
Slim CD, a Florida-based payment processor, suffered a cyberattack when hackers exploited vulnerabilities in its third-party systems. The breach went unnoticed for several months, starting in August 2023, and continued until January 2024.
Hackers gained unauthorized access to credit card information, transaction data, and personal details of users who had made payments through the service. The attack was only discovered during a routine security audit after almost a year because the hackers accessed certain credit card information from June 14 to June 15, 2024.
Impact:
The breach affected 1.7 million customers in the U.S. and Canada. Sensitive information like credit card numbers, expiration dates, and billing addresses was stolen, which led to unauthorized transactions and financial fraud.
Many customers had to cancel their cards, causing stress and inconvenience. Slim CD faced reputational damage, financial losses, and potential lawsuits due to its delayed detection and response.
2. MediSecure Healthcare Data Breach
On April 14, MediSecure, an Australian healthcare company, relied on a third-party IT vendor for managing patient records and prescriptions. Hackers targeted the vendor’s systems and accessed confidential data by exploiting weak security protocols. This breach exposed critical health information, including names, medical histories, and prescription records.
Impact:
The data breach caused panic among patients as their private medical information was exposed. As a result, 12.9 million individuals were affected. Healthcare providers had to pause certain services to investigate the breach.
MediSecure faced government scrutiny, and authorities like the Australian Federal Police were involved in securing the systems. Trust in the healthcare provider dropped significantly, forcing MediSecure to implement better cybersecurity measures.
3. Ticketmaster Data Breach
In May, Ticketmaster suffered a massive data breach caused by vulnerabilities in its third-party cloud service provider. Hackers infiltrated the database, which stored ticket buyer information.
The attackers extracted sensitive data, including customer names, email addresses, phone numbers, and partial payment information. Hackers later advertised the stolen data for sale on dark web forums.
Impact:
The breach affected over 560 million customers, making it one of the largest breaches of 2024. Many customers faced risks of phishing attacks and financial fraud. Ticketmaster had to notify users, reset passwords, and offer credit monitoring services.
The breach also raised concerns about the reliance on third-party cloud storage, forcing businesses to reevaluate their partnerships.
4. National Public Data Breach
In April 2024, hackers targeted National Public Data (NPD), a company responsible for providing background checks. The attackers gained access to NPD’s systems through a third-party contractor who failed to update their security patches.
This oversight allowed hackers to steal sensitive personal data, including Social Security numbers and addresses.
Impact:
The breach reportedly affected 2.9 billion people, as the stolen data was leaked on the dark web. Individuals were at risk of identity theft, fraudulent loans, and scams. NPD faced severe backlash and multiple lawsuits from victims. Government agencies also began reviewing data protection laws to prevent such breaches in the future.
5. Krispy Kreme Cyberattack
One of the most recent cyberattacks happened on Krispy Kreme on November 29. A third-party vendor managing Krispy Kreme’s digital infrastructure breached its online ordering system.
Hackers disrupted the IT systems by launching a ransomware attack, which temporarily disabled the company’s online payment portals.
Impact:
The breach forced Krispy Kreme to shut down its online services for days, causing financial losses. The company’s shares took a hit, going down by 33% so far.
Customers were unable to place online orders, which affected revenue during the busy holiday season. The attack highlighted the vulnerability of businesses when they fail to secure third-party systems properly, even though no customer data was reported stolen.
6. Stan Cash Payment Portal Breach
Hackers targeted the payment portal of Stan Cash, an Australian retailer, by exploiting outdated encryption protocols. For over a year, attackers accessed customer payment information undetected. The breach came to light when customers reported unauthorized transactions.
Impact:
The fraudulent charges, including $6,000 reported by one individual, impacted thousands of customers. The breach caused significant financial loss and frustration for affected users.
Stan Cash faced heavy criticism for its failure to secure customer data and promptly identify the breach. This led to regulatory scrutiny and demands for better security practices.
7. Byte Federal Bitcoin ATM Breach
Byte Federal, a Bitcoin ATM operator, suffered a breach due to weak security in its third-party transaction software.
Hackers gained access to the system, exposing identification documents (such as driver’s licenses and IDs) and transaction details of thousands of users.
Impact:
The leak of sensitive documents online affected around 58,000 customers. This breach raised concerns about the safety of cryptocurrency platforms and the need for stricter data protection laws in the crypto industry.
Byte Federal had to collaborate with cybersecurity experts to restore its systems and reassure customers about improved safety measures.
8. Rhode Island Benefits System Breach
The online system used to deliver health and welfare benefits in Rhode Island, known as RIBridges, was compromised through a third-party service provider. Hackers exploited outdated software vulnerabilities and accessed sensitive resident information.
Impact:
The theft of Social Security numbers, names, and banking information affected thousands of Rhode Island residents. Many individuals faced financial fraud and identity theft. On Dec 5, the government said that it had received a ransom message claiming that 1 terabyte of data had been stolen, but the state found no compromise.
The state then worked with credit monitoring agencies to protect residents and introduced stricter security protocols to prevent future breaches.
9. AT&T Data Breach
AT&T faced one of the biggest breaches in 2024. Hackers exploited a vulnerability in AT&T’s third-party systems, giving them access to over 50 billion records of over 70 million AT&T customers.
The breach included sensitive customer information like names, phone numbers, addresses, and account details. AT&T discovered the breach in May but attempted to negotiate with the hackers to delete the stolen data.
Impact:
Millions of AT&T customers faced risks of identity theft, phishing scams, and financial fraud. The attackers demanded $370,000 in Bitcoin, which AT&T paid to prevent further data leaks.
However, customers criticized the company’s delayed response. The incident prompted AT&T to tighten its third-party cybersecurity measures. It also caused the company to pay $13 million to settle the federal investigation due to this data breach.
10. Change Healthcare Data Breach
In February 2024, Change Healthcare, a medical data company, was targeted by hackers who breached its third-party vendor systems.
The attackers exploited weak access controls, gaining entry to 145 million sensitive records that included patient names, dates of birth, Social Security numbers, medical records, and payment details. Change Healthcare’s IT team discovered the breach after detecting suspicious activity within the network.
Impact:
This breach caused widespread disruptions across healthcare systems. Patients couldn’t access their medical data, and hospitals faced delays in processing insurance claims. The exposed data increased risks of identity theft and insurance fraud.
Change Healthcare issued public apologies and provided free credit monitoring to affected individuals, while also reviewing third-party vendor agreements to improve security.
11. Dell Data Breach
In May, Dell’s customer portal was breached due to vulnerabilities in a third-party provider’s system. Hackers managed to steal 49 million customer records, which included names, addresses, phone numbers, and order details. Financial data remained secure, but Dell confirmed the breach after the stolen records appeared on hacker forums.
Impact:
Customers faced targeted phishing attacks as hackers used the stolen data to impersonate Dell support. The company immediately notified customers, reset account security, and worked with cybersecurity experts to patch vulnerabilities. Dell’s reputation took a hit, as customers criticized the company for failing to secure their data adequately.
12. Microsoft Midnight Blizzard Attack
A Russian state-sponsored hacking group, Midnight Blizzard, carried out a sophisticated cyberattack against Microsoft. They exploited weaknesses in Microsoft’s third-party email systems, giving them unauthorized access to internal emails and confidential company communications.
Impact:
The attack affected critical business operations, with internal information about Microsoft’s cloud services and product development exposed. Microsoft launched an investigation and enhanced its email security to prevent future breaches. The attack highlighted the increasing risks of state-sponsored cyber threats.
13. UnitedHealth Group Hack
In April, UnitedHealth Group fell victim to a cyberattack caused by a vulnerability in their third-party billing system. Hackers breached the system and accessed millions of patients’ medical records, including sensitive health data, insurance details, and payment information.
Impact:
This breach disrupted healthcare operations and affected insurance claim processing for weeks. Patients experienced delays in receiving medical services. The company paid $22 million to the hackers to make it all go away.
After this, UnitedHealth Group provided affected individuals with credit monitoring and promised to improve security protocols across their third-party vendors.
14. Infosys McCamish Data Breach
A ransomware attack on Infosys McCamish Systems, a third-party service provider for Bank of America, exposed over 57,000 customer records in February.
Hackers accessed names, addresses, Social Security numbers, and some banking information after bypassing outdated security measures.
Impact:
Bank of America customers faced risks of identity theft and unauthorized financial activity. Notifications about the breach were delayed, sparking frustration and legal scrutiny. According to reports, over 6 million people were hit by this ransomware breach at Infosys.
15. American Express Data Breach
In March, American Express faced a data breach when hackers targeted a third-party payment processor responsible for managing transaction data. The attackers accessed customer payment details, transaction histories, and contact information.
Impact:
Thousands of American Express customers faced unauthorized transactions and phishing attempts. The company quickly identified the breach, issued alerts to customers, and froze suspicious accounts to prevent further damage. Customers were offered fraud protection services.
16. PIH Health Hospitals Ransomware Attack
A ransomware group infiltrated PIH Health Hospitals’ third-party IT systems, locking access to 17 million patients’ records. The group demanded payment to restore access. This cyberattack happened just recently on December 5, 2024.
Impact:
Healthcare services were disrupted, leaving patients unable to access medical care or prescriptions. PIH refused to pay the ransom and rebuilt their systems with enhanced cybersecurity protections. Patients received support through alternate medical centers.
Key Takeaways From These Cyberattacks
The major third-party data breaches of 2024 reveal critical lessons for businesses, organizations, and individuals:
Cybersecurity Is a Shared Responsibility
The frequency of cybersecurity threats highlights the need for ongoing employee training, stronger password policies, and multi-layered security systems. Both companies and individuals must stay vigilant to prevent unauthorized access.
Timely Detection and Response Are Crucial
Delays in detecting breaches often led to greater damage, as seen in cases like the Change Healthcare and Dell breaches. Investing in real-time monitoring systems and swift incident response protocols is essential.
Ransomware Attacks Are on the Rise
Many organizations, like PIH Health Hospitals and the Port of Seattle, fell victim to ransomware attacks, where critical systems were held hostage. Having strong data backups and ransomware protection strategies is critical.
Customer and User Data Must Be Better Protected
Data leaks exposed sensitive personal information, including Social Security numbers, financial details, and medical records. Companies must encrypt all stored and transferred data to minimize risks during breaches.
Transparency and Communication Matter
Many breaches, such as the Infosys McCamish and Kaiser Permanente attacks, saw delayed notifications to affected individuals. Promptly informing users builds trust and helps them take measures to protect themselves.
Secure Your Business Today with FortifyData
Third-party data breaches are on the rise, causing massive financial, operational, and reputational damage for businesses. As seen throughout 2024, these attacks exploit vulnerabilities in external vendors, leading to millions of sensitive records being exposed.
To stay ahead of these risks, businesses need a proactive, real-time approach to Third-Party Risk Management (TPRM). This is where FortifyData steps in. By leveraging live data, continuous attack surface assessments, and auto-validated questionnaires, FortifyData provides unmatched visibility into the cyber risks of your third parties.
Why wait to react when there is always something you can do about third-party risk?
FortifyData helps you identify your most vulnerable vendors, prioritize risks, and build stronger defenses.