Third-party data breaches have become an all-too-common occurrence, underscoring the importance of cybersecurity programs that include a vendor or third-party cyber risk management component. The history of third-party data breaches can be traced back to the early days of the internet. As online transactions became more common, companies started to collect and store vast amounts of customer data, such as names, addresses, and payment details.
Now, businesses rely more than ever on third-party vendors for various services, such as payment processing, cloud and infrastructure engineering, API integrations, customer support, and marketing. More of these third parties have access to sensitive customer data, and they have become an increasing target for cybercriminals.
According to research from independent analyst firm Forrester, “Forrester data reveals that 55% of security pros reported their organization experienced an incident or breach involving supply chain or third-party providers in the past 12 months.” Furthermore, in a 2022 report from Ponemon Institute it was reported that 55% of organizations, across all industries, stated that managing third parties was overwhelming and a drain on resources.
In recent years, we have witnessed several high-profile data breaches, including those of Target, Equifax, SolarWinds, and Marriott. These breaches have compromised sensitive information such as credit card details, Social Security numbers, and personal identification data, leading to identity theft, financial fraud, and other cybercrimes.
Since the end of 2022 and the beginning of 2023, several more third-party data breaches have already come to light, compromising the personal information of millions of individuals.
Here are some of the top recent third-party data breaches.
These data breaches highlight the risks associated with third-party vendors and the need for organizations to have strong cybersecurity measures in place. But, according to a survey by the Ponemon Institute and Shared Assessments, 62% of organizations do not monitor the cybersecurity and privacy practices of their third-party vendors.
To reduce the risk of third-party data breaches, companies must take additional precautions beyond looking at SOC2s and sending out questionnaires (or reviewing a recently validated one) of vendors. It is expected that the vendor review process at these identified organizations is strong, yet they fell victim from a third-party association. In addition to reviewing security policies, procedures and agreements, and limiting access to least privilege for the vendors needs, we are seeing more companies beginning to incorporate external vulnerability risk assessments into the security rating of vendors that updates on a monthly cadence with new assessments. This is providing visibility of the external cyber risks to a third-party risk management program – the same view that attackers have – and enabling more helpful and proactive discussions between clients and vendors about risk prioritization and remediation.
For more information, download our ebook, “Six Steps to an Effective Third-Party Risk Management Program” or schedule a demo to see how we can help you with your Third-Party Risk Management program.
Ponemon Institute and Shared Assessments survey: https://sharedassessments.org/wp-content/uploads/2019/11/Third-Party-Risk-Management-Benchmarking-Study-Final-Report.pdf
Predictions 2022: Cybersecurity, Risk and Privacy, Forrester Research, Inc., Oct. 28, 2021