Third-Party Vendor Breaches: Causes, Key Statistics, Recent Incidents, and Effective Mitigation Strategies

In modern business operations, most organizations extend their activities beyond their immediate boundaries, relying heavily on a network of third-party vendors and suppliers. This interdependency, while crucial for seamless workflows and operational efficiencies, inadvertently expands the attack surface, introducing a spectrum of vulnerabilities that could not just disrupt business processes but also inflict severe financial and reputational damage.

In other words, an organization’s cybersecurity posture is not confined to its own systems and firewalls. Instead, the security measures, or the lack thereof, implemented by their third-party partners can have profound implications for their own security. Cybercriminals would not miss on such opportunities, having found gateways through which they can access not just one organization’s assets but potentially infiltrate the systems of multiple companies interconnected through business relationships. This multiplier effect can amplify the impacts of a breach, leading to catastrophic outcomes.

AI illustration of a vendor security breach (Bing Image Creator)

Historical data on cyberattacks illustrate this risk vividly. Take, for instance, the infamous 2017 Equifax breach which compromised the personal and financial information of approximately 147 million customers. The breach, originating from an exploit in Apache Struts – a tool used to build web applications – resulted in staggering losses upward of $1.38 billion.

Equally instructive are the breaches experienced by Target in 2013 and Home Depot in 2014. Target’s breach led to the compromise of the payment information of about 41 million customers and personal details of roughly 70 million others, all originating from a breach at a third-party HVAC vendor. Similarly, Home Depot suffered a breach that compromised the credit card details and email addresses of approximately 109 million customers, facilitated through the credentials of a third-party vendor, which were used to plant malware on thousands of self-checkout POS terminals.

These incidents serve as a grim reminder of the dangers lurking within third-party associations. In this article, we aim to help you explore the dynamics of third-party vendor related breaches and notable incidents from recent years. Further, we will provide key takeaways to help organizations fortify defenses against such breaches in the future.

What Are Vendor Breaches and How Do They Happen?

Vendor breaches, a critical concern in the realm of cybersecurity, occur when the systems of a third-party vendor – a company that provides your organization with tools or services – are compromised. This compromise can lead to the theft or unauthorized access of data belonging to another organization that has entered into a business relationship with the vendor. Such breaches vary significantly in scale and motive, ranging from financial gain to hacktivism.

A Short Case Study: The SolarWinds Incident

A notable example of a non-financially motivated vendor breach is the SolarWinds incident in 2020. This sophisticated supply chain attack used the company’s Orion software as a conduit to infiltrate government and private sector systems worldwide, demonstrating the extensive reach and devastating impact of such breaches.

Causes of Vendor Breaches

Vendor data breaches can arise from various vectors. While many are the result of deliberate attacks by cybercriminals employing social engineering tactics like phishing, or other initial access methods, a significant number are caused by simpler, preventable issues such as misconfigurations or unpatched systems. This highlights the necessity for organizations to select vendors that prioritize strong cyber hygiene and robust security policies.

Finding from the report “Close Encounters of the Third (and Fourth) Party Kind”

Emphasizing the detail on vendor choices, a 2023 report revealed that 98% of organizations globally are connected to at least one third-party vendor that has experienced a breach. This report also found that third-party vendors are five times more likely to have poor security practices compared to direct hires or internal systems.

Cyber Attack Methods Commonly Seen in Third-Party Vendor Related Breaches

Recent trends show a rise in ransomware attacks and vulnerability exploitations within these breaches. Also notably, the MOVEit and GoAnywhere MFT vulnerabilities have been exploited by ransomware groups like Cl0p and BlackCat in the past year, leading to significant threats of data leaks and ransom demands without the actual encryption of data – a method known as extortion through data exfiltration.

Moreover, it is crucial to consider the ripple effects through fourth-party vendors, which can significantly amplify the potential for damage. What is more critical is that half of all organizations have indirect connections to at least 200 fourth-party vendors that have previously suffered breaches, increasing the risk landscape exponentially.

Alert: Your Vendor Has Been Breached!

Having explored the concept of third-party vendor breaches, their common causes, and associated trends, let’s now discuss how to recognize early signs of a breach in your vendor’s systems to mitigate risks and prevent further escalation. Here are several common indicators that could suggest your vendor may have been compromised:

• History of Previous Breaches

A vendor’s history of security incidents is a critical indicator of their vulnerability to future breaches. If a vendor has experienced breaches in the past, it is essential to evaluate their response and the measures they have implemented since. Significant and visible efforts to enhance security postures and routine procedures are promising signs of improved resilience. With that mentioned, vendors should maintain transparency about their security practices, establishing a foundation of trust.

By conducting a thorough check on your vendor’s historical security incidents, you can gauge their commitment to safeguarding data. Tools like SOCRadar’s Supply Chain Intelligence module can provide insights into your third parties’ cyber exposure levels, offering a clear view of any recent security breaches.

Monitor cyber exposure levels of your 3rd party companies with SOCRadar’s Supply Chain Intelligence

• Suspicious Events on the Vendor’s Side

Unusual activities, such as the fake twin of the vendor’s website, can be a red flag. Spoofed sites may lead to malicious versions that mimic official ones, thereby making it crucial for vendors to communicate potential risks promptly.

Another sign can include the vendor’s website experiencing downtime, perchance, due to cyberattacks like Distributed Denial-of-Service (DDoS); maybe the site is involved in a watering hole attack, where it is used to distribute malicious payloads – an example of this was seen in the SmoothOperator supply chain attack that targeted the 3CX systems and customers.

The Supply Chain Intelligence module from SOCRadar not only tracks these exposures but also provides summaries regarding changes in threat levels, including specific threats from both the surface and dark web.

Key findings page from a 3rd party company’s sample report (SOCRadar Supply Chain Intelligence)

• Social Engineering Tactics

There is also the risk of social engineering attacks, where threat actors impersonate vendors or compromise vendor accounts. Organizations might receive suspicious emails, phone calls, or requests that seem out of the ordinary in case of these attacks. Thereby, individuals are always advised to exercise heightened caution with unexpected communications and verify the legitimacy of urgent requests, particularly those involving sensitive information or permissions.

Being vigilant about these signs and employing comprehensive monitoring tools can provide early warnings of potential breaches. By staying informed and prepared, organizations can better manage the risks associated with third-party vendors and protect themselves against the cascading effects of supply chain attacks.

Top Third-Party Vendor Related Breaches in Recent History

Over the past few years, several high-profile breaches have underscored critical security gaps associated with outsourcing and third-party collaborations. Here, we explore some of the significant incidents that have shaped the recent discourse around third-party cybersecurity risks.

AT&T Third-Party Breach – March 2023

AT&T, one of the leading telecommunications giants in the US, suffered a breach through one of its third-party vendors providing marketing services, the name of which was not publicly disclosed.

This incident compromised the Customer Proprietary Network Information (CPNI) of approximately 9 million wireless accounts, and the accessed data included names, email addresses, phone numbers, the number of lines on an account, and wireless rate plans.

Fortunately, the breach did not extend to Social Security Numbers, account passwords, financial data, or other highly sensitive personal information. However, the exposure of such extensive customer details posed a significant risk of phishing scams, as attackers could potentially impersonate AT&T to deceive customers in the aftermath.

SmoothOperator Supply Chain Incident – March 2023

The North Korean hacker group UNC4736, which is believed to be linked to the Lazarus APT group, orchestrated this attack, which compromised the 3CX VOIP desktop client.

This incident stands out as the first recorded “double supply chain attack” involving compromised software chains of both 3CX and X_Trader, a now-discontinued trading platform.

The attack compromised over 242,519 IP addresses and had a profound impact on a number of high-profile organizations, with clients like American Express, AirFrance, BMW, and Coca-Cola among those affected.

MOVEit Transfer’s Mass Exploitation by Cl0p – May 2023

In late May 2023, users of MOVEit Transfer, a widely utilized file transfer solution, began noticing abnormal data transfers as their data was being illicitly extracted by the notorious Cl0p ransomware gang.

Despite prompt patching by Progress Software, the Cl0p ransomware group used their previous infiltrations for mass exploitation and continued to exploit unpatched instances of the software. Throughout 2023, their attacks led to substantial disruption, impacting over 2,500 organizations worldwide and affecting more than 77 million individuals.

Learn about Cl0p’s operations and tactics on SOCRadar’s Dark Web Threat Profile

This breach had a significant impact on many organizations; for instance, Maximus reported 11.3 million individuals affected, Welltok reported 10 million, and Delta Dental of California and its affiliates reported 6.9 million.

Ongoing Operations Ransomware Attack – December 2023

Ongoing Operations, a cloud IT provider owned by Trellance and servicing around 60 credit unions in the US, fell victim to a ransomware attack in December of the past year.

This attack disrupted services across its client base, including notable disruptions at institutions like Mountain Valley Federal Credit Union.

The breach, attributed to the exploitation of the Citrix Bleed vulnerability (CVE-2023-4966), resulted in several days of operational downtime, demonstrating the cascading effects of third-party vulnerabilities on critical financial services.

Access details on identified vulnerabilities with SOCRadar’s Vulnerability Intelligence. This includes lifecycle updates, current exploitability based on EPSS scoring, availability of PoC exploits, threat actors targeting it, and more.

Dollar Tree and Okta Incidents – 2023

In addition to these headlines, two other significant breaches occurred in 2023 that should be highlighted. The retail giant Dollar Tree suffered a data breach affecting nearly 2 million individuals due to a cyberattack on its service provider, Zeroed-In Technologies.

Similarly, Okta, a leading identity and access management company, was informed by Rightway Healthcare of unauthorized access involving the sensitive data of nearly 5,000 Okta employees and their dependents.

Historical Breaches: Toyota, Uber, and Microsoft Exchange Server Breaches

Looking slightly further back, in 2022, Toyota and Uber both experienced significant breaches through their third-party vendors.

Toyota had to suspend operations at 14 manufacturing plants in Japan following a cyberattack on Kojima Industries, a manufacturer of some interior and exterior components, while Uber’s breach occurred through its vendor Teqtivity, an IT asset management software provider, affecting over 77,000 Uber employees.

An even earlier but still pertinent example of vendor third-party breaches is the HAFNIUM attacks on Microsoft Exchange Servers. This series of breaches reportedly compromised the systems of approximately 30,000 organizations worldwide, exploiting the widespread trust in Microsoft’s security measures.

Collectively, these incidents emphasize the need for strong security measures not only within one’s organization but across all interactions, including the third-party vendors. As the digital ecosystem grows, the interconnected relationships between different entities require a proactive approach to cybersecurity.

Key Points to Consider in the Aftermath of Vendor Data Breaches

When managing third-party vendor breaches, a swift and strategic response is required to mitigate damage and strengthen future defenses. Understanding the depth of the breach and taking corrective measures early can save your organization from significant losses and reputational harm, as well as regulatory implications.

Here are essential recommendations to manage such breaches effectively, complemented by targeted SOCRadar features that support these actions:

• Immediately ascertain if attackers still have access to the system and try to understand the breach’s origin and the attackers’ motives. This can provide insights into attackers’ TTPs and help prevent possible future incidents.

SOCRadar can alert you to critical security incidents, including third-party breaches, providing quick and actionable insights to kickstart the response process.

Alarm: Company 3rd Party Activity Detected (SOCRadar Alarm Management)

• Determine the type and sensitivity of the compromised data. Check compliance requirements against regulations like GDPR and proceed with the necessary legal steps, including notifying affected individuals.

With SOCRadar’s Dark Web Monitoring, you can track whether sensitive data – including personal and financial information related to your company, customers, or corporate entities – has been leaked or is being sold on hacker forums, Telegram channels, and similar platforms.

SOCRadar’s Dark Web Monitoring

• Continuously monitor your third-party vendors’ security measures with advanced tools that provide visibility into data exposure risks. Regularly reassess their security practices to ensure they align with your organization’s standards.

Utilize SOCRadar’s Supply Chain Intelligence to monitor vendors’ digital activities and evaluate their cyber exposure levels comprehensively.

Analytics Dashboard on SOCRadar’s Supply Chain Intelligence

Conclusion

In modern business ecosystems, third-party vendor breaches are a significant cybersecurity threat that can lead to extensive financial and reputational damage. Effective management of these risks involves swift identification and response, thorough compliance checks, strategic data protection, and ongoing monitoring of vendor security practices.

In this article, we have explored the dynamics of third-party vendor related breaches, including their causes, common vectors, and early signs. We also highlighted notable incidents, such as the AT&T breach and the Ongoing Operations ransomware attack in 2023, briefly examining these cases to underscore the risks involved.

By adopting proactive strategies and leveraging tools like SOCRadar’s comprehensive security solutions, organizations can not only mitigate the damage from these breaches but also strengthen their defenses against future incidents. This approach ensures that both the organization and its interconnected network remain secure in a landscape where third-party relationships are essential yet vulnerable to cyber threats.

For additional insights into third-party incidents and the supply chain landscape, you can explore our other blog post titled “How to Monitor Your Supply Chain’s Dark Web Activities?”