
Third-Party Data Breaches: A Growing Reality We Can't Ignore

Third Party Risk
March 2, 2023

Third-party data breach statistics reveal a growing problem that threatens the financial stability and reputation of companies across all industries. On average, companies allow 89 vendors network access each week, leading to a 22% increase in data breaches since 2015. Despite this, 74% of organizations overlook key risks when selecting vendors and prioritize cost over security. The cost of not taking third-party security risks seriously will be far greater than the cost of prevention.

Below is a list of some of the most noteworthy data breaches that involved a vendor or other third party.

  1. Equifax: In 2017, sensitive information on around 147 million consumers, including Social Security numbers, birth dates, addresses, and credit card numbers, was leaked due to a vulnerability in the open-source Apache Struts framework. Equifax waited for over a month to warn its shareholders. Settlement documents show that the breach cost approximately $1.38 billion.
  2. Target: In 2013, third-party HVAC vendor credentials were stolen, which allowed cyber attackers to exploit weaknesses in Target's system, install malware, and access personal details of around 70 million customers, and payment accounts of about 41 million customers. The breach resulted in expenses worth $236 million and more than 140 lawsuits filed against the company.
  3. Home Depot: In 2014, approximately 109 million consumers were affected by the breach, which compromised the credit card data of around 56 million customers, as well as separate files containing around 53 million email addresses. Attackers used a Home Depot third-party vendor's login credentials to install memory-scraping malware on over 7,500 self-checkout POS terminals. The breach cost Home Depot about $179 million.
  4. Marriott International: In 2018, attackers gained unauthorized access to the Starwood guest reservation database in the USA, exposing sensitive information including credit card details, passport numbers, names, gender, and dates of birth for around 500 million guest accounts. The compromised third-party system was the Starwood guest reservation database. The cost of the breach was about $72 million.
  5. Under Armour: In 2018, around 150 million MyFitnessPal accounts were compromised, including usernames, hashed passwords, and email addresses. Under Armour acquired the app in 2015 for $475 million. The breach resulted in a consumer class action lawsuit filed against Under Armour.
  6. Saks, Lord & Taylor: In 2018, credit and debit card data of more than 5 million people was stolen due to a vulnerability in the payment system of Saks Fifth Avenue and Lord & Taylor. The stolen cards were reportedly being sold for around $125 each on the dark web.

To be defensible, proactive steps must be taken. Here are some key points for managing vendor risk:

  1. Perform a thorough risk assessment: Conduct a thorough risk assessment of all third-party vendors before onboarding them to identify potential vulnerabilities and risks.
  2. Establish clear security requirements: Clearly communicate security requirements to third-party vendors and ensure that they comply with them.
  3. Regularly monitor third-party activities: Regularly monitor third-party activities to identify any unusual behavior or activities that may indicate a security breach.
  4. Develop a comprehensive incident response plan: Develop a comprehensive incident response plan that outlines how to respond to a data breach or cyber attack involving a third-party vendor.
  5. Conduct regular security awareness training: Ensure that employees and third-party vendors are aware of the latest cyber threats and how to prevent them.
  6. Implement a continuous monitoring program: Implement a continuous monitoring program to detect and respond to potential cyber threats in real-time.
  7. Maintain ongoing communication: Maintain ongoing communication with third-party vendors to ensure that they are aware of any changes in security requirements and to address any concerns or issues that may arise.
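Points 3 and 6 above ask for monitoring of third-party activity to catch unusual behaviour. The following is an added example, not part of the original post, showing one concrete form such monitoring can take: each vendor account is recorded with the network segments and hours agreed at onboarding, and every access log entry is checked against that scope, so an account straying outside its agreed boundary (as the HVAC vendor credentials did in the Target breach) is flagged immediately. The vendor inventory, log format and field names are constructed assumptions for illustration, not any product's real format.

```python
"""Flag third-party vendor access that falls outside the scope agreed at onboarding.

Constructed example: the vendor scope map, the log format and the sample
log lines are assumptions made for illustration, not a real product's data.
"""
from dataclasses import dataclass
from datetime import datetime

# Per-vendor scope agreed during onboarding (assumed structure): the network
# segments the account may reach and the UTC hours during which access is expected.
VENDOR_SCOPE = {
    "hvac-vendor": {"segments": {"bms"}, "hours": (6, 20)},
    "pos-maintenance": {"segments": {"pos", "bms"}, "hours": (0, 24)},
}

# Constructed sample access log: timestamp, vendor account, segment, host.
SAMPLE_LOG = """\
2023-03-01T08:15:02Z hvac-vendor bms hvac-controller-01
2023-03-01T23:41:10Z hvac-vendor pos pos-register-117
2023-03-01T12:00:45Z hvac-vendor bms hvac-controller-02
2023-03-02T03:10:00Z unknown-contractor pos pos-register-118
2023-03-02T14:22:31Z pos-maintenance pos pos-register-119
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    vendor: str
    segment: str
    host: str
    reason: str


def parse_line(line):
    """Split one space-separated log line into its four fields."""
    ts, vendor, segment, host = line.split()
    return ts, vendor, segment, host


def check_access(ts, vendor, segment, host):
    """Return a Finding when the access violates the vendor's agreed scope, else None."""
    scope = VENDOR_SCOPE.get(vendor)
    if scope is None:
        # An account nobody onboarded is the clearest signal of all.
        return Finding(ts, vendor, segment, host, "account not in vendor inventory")
    if segment not in scope["segments"]:
        # Segment violations are checked first: reaching into a segment the vendor
        # has no business in matters more than the time of day.
        return Finding(ts, vendor, segment, host,
                       f"segment '{segment}' outside agreed scope {sorted(scope['segments'])}")
    hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
    start, end = scope["hours"]
    if not (start <= hour < end):
        return Finding(ts, vendor, segment, host,
                       f"access at hour {hour:02d} outside window {start:02d}-{end:02d}")
    return None


def scan_log(text):
    """Run every non-empty log line through check_access and collect the findings."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        finding = check_access(*parse_line(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.vendor} -> {f.segment}/{f.host}: {f.reason}")
```

Run against the constructed log, the script reports two findings: the HVAC vendor account touching a POS register, and an account that was never onboarded. The design choice worth noting is that the scope table is the same document the vendor agreed to at onboarding (point 2 above), so the monitoring rule and the contractual requirement cannot drift apart.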

By following these tips, organizations can effectively manage vendor risk and ensure that their business relationships are successful and sustainable.
