Top Third-Party Data Breaches in 2023

Last updated December 4, 2023

Third-party data breaches have become an all-too-common occurrence, underscoring the importance of cybersecurity programs that include a vendor or third-party cyber risk management component. The history of third-party data breaches can be traced back to the early days of the internet. As online transactions became more common, companies started to collect and store vast amounts of customer data, such as names, addresses, and payment details.

Now, businesses rely more than ever on third-party vendors for various services, such as payment processing, cloud and infrastructure engineering, API integrations, customer support, and marketing. More of these third parties have access to sensitive customer data, and they have become an increasingly attractive target for cybercriminals.

According to research from independent analyst firm Forrester, “Forrester data reveals that 55% of security pros reported their organization experienced an incident or breach involving supply chain or third-party providers in the past 12 months.” Furthermore, a 2022 report from the Ponemon Institute found that 55% of organizations, across all industries, stated that managing third parties was overwhelming and a drain on resources.

In recent years, we have witnessed several high-profile data breaches, including those of Target, Equifax, SolarWinds, and Marriott. These breaches have compromised sensitive information such as credit card details, Social Security numbers, and personal identification data, leading to identity theft, financial fraud, and other cybercrimes.

Since the end of 2022 and the beginning of 2023, several more third-party data breaches have already come to light, compromising the personal information of millions of individuals.

Here are some of the top recent third-party data breaches.

  • Multiple Credit Unions: In December, Ongoing Operations, which is owned by Trellance, announced that it was the victim of a ransomware attack. Ongoing Operations/Trellance is a cloud IT provider used by many credit unions. Service was disrupted for around 60 credit unions across the United States.

  • Dollar Tree: In November, Dollar Tree notified consumers that it had been the victim of a data breach affecting almost 2 million people after the hack of service provider Zeroed-In Technologies. The threat actors stole data containing the personal information of Dollar Tree and Family Dollar employees between August 7 and 8, 2023. The information stolen during the attack includes names, dates of birth, and Social Security numbers. Other Zeroed-In customers apart from Dollar Tree and Family Dollar may have also been impacted by the security breach, but this hasn’t been confirmed yet.

  • Okta: In October 2023, Okta’s third party, Rightway Healthcare, informed Okta that an unauthorized actor had gained access to an eligibility census file maintained by Rightway in its provision of services to Okta. The security incident exposed personal and healthcare data of nearly 5,000 Okta employees and their dependents.

  • The Metropolitan Police: In August, the Metropolitan Police in the U.K. announced a security breach involving the IT system of one of its suppliers. The vendor that was breached has access to names, ranks, photos, vetting levels and pay numbers for officers and staff. There is no information yet on when the breach occurred or how many personnel could be affected.

  • MOVEit Vulnerability Exploit: In June, it was confirmed that numerous organizations, along with several U.S. government agencies, had experienced intrusions related to the exploitation of a vulnerability in MOVEit Transfer, an enterprise file transfer tool developed by Progress Software. A CISA joint advisory brief can be read in its entirety here. The CL0P ransomware gang has been identified as exploiting this vulnerability for monetary gain. While the scale of the cyber attacks is still being assessed, third parties have been affected by this exploit.

  • AT&T: In March 2023, AT&T announced that approximately 9 million wireless accounts had their customer proprietary network information accessed when an unauthorized person breached a third-party vendor’s system. The vendor, which wasn’t named, provides marketing services. While information such as names, email addresses, phone numbers, the number of lines on an account and wireless rate plans was accessed, no Social Security numbers, account passwords, financial information, or other sensitive personal information was stolen.

  • Chick-fil-A: In March 2023, Chick-fil-A stated that it had suffered a credential stuffing attack between December 18, 2022, and February 12, 2023. The automated attack used account credentials (e.g., email addresses and passwords) obtained from a third-party source. During this time, threat actors hacked a total of 71,473 Chick-fil-A accounts. The compromised accounts included personal information, including name, email address, Chick-fil-A One membership number, mobile pay number, masked credit/debit card number, and the amount of Chick-fil-A credit on the accounts.

  • LinkedIn: In March 2023, LinkedIn disclosed a data breach that affected more than 700 million users. The breach occurred when hackers exploited a vulnerability in a third-party software library used by the company. The stolen data included users’ names, email addresses, and other personal information. LinkedIn has encouraged users to update their passwords and has implemented additional security measures to prevent future breaches.

  • T-Mobile: In January 2023, T-Mobile suffered a data breach that exposed the personal information of over 40 million customers. The breach occurred when hackers gained access to the company’s systems through a third-party vendor. The stolen data included customers’ names, phone numbers, and addresses, as well as their Social Security numbers and driver’s license information. T-Mobile has since offered free credit monitoring to affected customers and implemented additional security measures to prevent future breaches.

  • Uber: In December 2022, Uber confirmed a third-party data breach after a threat actor posted Uber and Uber Eats employee email addresses, IT asset information, and corporate report data online. The hackers were able to gain access via the company’s vendor, Teqtivity, a known tech and IT asset-tracking solution. Security researchers say that the leaked data contains enough information to conduct targeted phishing attacks on Uber employees.

These data breaches highlight the risks associated with third-party vendors and the need for organizations to have strong cybersecurity measures in place. But, according to a survey by the Ponemon Institute and Shared Assessments, 62% of organizations do not monitor the cybersecurity and privacy practices of their third-party vendors.

To reduce the risk of third-party data breaches, companies must take additional precautions beyond reviewing vendors’ SOC 2 reports and sending out questionnaires (or reviewing a recently validated one). The vendor review process at the organizations identified above is presumably strong, yet they still fell victim through a third-party relationship. In addition to reviewing security policies, procedures and agreements, and limiting vendor access to the least privilege the vendor’s work requires, we are seeing more companies begin to incorporate external vulnerability risk assessments into the security rating of vendors, refreshed on a monthly cadence with new assessments. This gives a third-party risk management program visibility of a vendor’s external cyber risks – the same view that attackers have – and enables more helpful and proactive discussions between clients and vendors about risk prioritization and remediation.

For more information, download our ebook, “Six Steps to an Effective Third-Party Risk Management Program” or schedule a demo to see how we can help you with your Third-Party Risk Management program.

Sources:

Ponemon Institute and Shared Assessments survey: https://sharedassessments.org/wp-content/uploads/2019/11/Third-Party-Risk-Management-Benchmarking-Study-Final-Report.pdf

Predictions 2022: Cybersecurity, Risk and Privacy, Forrester Research, Inc., Oct. 28, 2021
