The Third Party Data Breach Problem
Data breaches via third parties are a growing problem impacting companies across many industries – and one that can be even more difficult to defend against. How can companies secure their assets against cyber attacks that target suppliers and partners or use information stolen in previous breaches?
Tax season is well underway, and the IRS is once again seeing a massive spike in tax fraud and corresponding attempts at stealing taxpayers’ personal information. Earlier in the month the IRS announced that it had discovered an automated attack in which malware was used to generate e-filing PINS for 101,000 taxpayers using Social Security Numbers obtained from previous data breaches. Those PINs and SSNs can be used by identity thieves to file fraudulent returns electronically and in further social engineering attempts, as evidenced by the IRS’ latest tax fraud warning.
Last tax season saw the IRS get hit by a wave of similar attacks as well – in that case attackers were able to spoof the IRS’ “GetTranscript” portal using data obtained through previous breaches. The common thread in these incidents? Successful cybercrime efforts using already exposed/stolen information. Yet the IRS itself was never hacked or compromised; though you could argue that steps should have been taken – such as the implementation of multi-factor authentication – at the IRS to make these systems more resistant to imposters.
This trend isn’t new by any means. Recent years have seen many examples of data breaches and other cybercrime being carried out via third-party compromises. High profile examples in 2015 included the PNI Photo hack that led to compromises of online photo services at CVS, Costco, Sam’s Club and more, as well as the data breach at Medical Informatics Engineering, provider of EHR software NoMoreClipboard, which made off with data on a targeted group of MIE clients. Before that, 2014 saw data breaches at Home Depot and Boston Medical Center due to third party compromise or exposure.
And of course 2013 had the Target data breach, the most publicized data breach via a third party compromise. That attack used a compromise of Target’s HVAC contractor to gain entry into Target’s POS environment and steal the credit card details of millions of customers. In Home Depot and Target’s case, the compromise was at a direct business partner – but that doesn’t have to be the case for attacks to succeed, as seen in the IRS examples.
These breaches are representative of a new problem that’s sure to plague businesses for some time to come: data loss and compromise via third parties. While most companies are still grappling with securing their own networks, data, and users, preventing against attacks that target business partners or incorporate previously stolen information adds a new layer of complexity to the equation. Many times enterprises will have vast supplier and partner networks made up of many smaller partners; these can be easier targets for attackers when the target enterprise itself has already implemented a security program in-house.
So what can be done to defend against these attacks? For one, companies must change the way they view security. As evidenced by many of these attacks, information security is no longer an internal effort, but instead must be accounted for throughout a company’s entire business network – up and down the supply chain. Any entity that a company does business with can make them vulnerable, and as a result companies must make security a top criteria when choosing the partners and suppliers with which they’ll do business. Where business relationships exist, security should be a collaborative effort between all stakeholders as much as possible. Rather than each member of your supply chain have disparate security programs that could lead to gaps in protection, businesses should collaborate to develop a coordinated security effort across all of their individual environments.
And finally, as more breaches take place and more stolen information becomes available on the black market, companies must update their existing security measures to defend against attacks that use previously stolen user information to spoof systems or carry out social engineering schemes. Cybercriminals are incredibly resourceful when it comes to putting that information to use in follow-on attacks – whether spoofing authentication systems or using it in social engineering campaigns. As a result, companies must build defenses assuming that some of their customers’ information has already been exposed and make it harder for criminals that have obtained that information to further compromise systems or individuals. Solutions like multi-factor authentication can prevent account takeovers and spoofing attempts that rely on stolen credentials or PII, while ongoing employee security training and solutions like data loss prevention can prevent employees from falling victim to targeted social engineering attacks that used previously stolen information to seem more authentic.