Numerous breaches in 2022 traced back to poor third-party risk management. A vendor was breached, and because its customers depended on it operationally, those customers (often other businesses) were affected as well. It is hard to accept that you can do everything right on your own side and still be exposed, without knowing it, through a vendor. We would all like to trust our vendors and business partners to take the necessary precautions and lower the risk, but we cannot simply assume they do. Let's review some of this year's third-party breaches and a guide every company should use for vendor due diligence.
Email provider WordFly admitted to a network disruption on July 10th. Yesterday, the Toronto Symphony Orchestra (TSO) warned its patrons that their personal information may have been compromised.
“We have come to learn that WordFly was subject to a ransomware attack,” the TSO said in its email. “As part of the incident, the attacker exported customers’ information from the WordFly environment, including patron information that WordFly was handling on behalf of the TSO.” (cp24)
Gaming company Bandai Namco confirmed a ransomware attack after a couple of weeks of rumours. Its Asian regions, excluding Japan, were accessed by a third party on July 3rd, 2022. Information belonging to the company appears to have been posted on the dark web, implying a double extortion: the attackers not only encrypt the victim's systems but first exfiltrate data and threaten to publish it if the ransom is not paid.
The company stated: “There is a possibility that customer information related to the Toys and Hobby Business in Asian regions (excluding Japan) was included in the servers and PCs, and we are currently identifying the status about [the] existence of leakage, scope of the damage, and investigating the cause.” (techcentral)
The hotel chain Marriott was breached for the third time in the last five years. Luckily, the damage this time was comparatively small: about 20GB of data was stolen, a good portion of it internal documentation, and up to 400 customers and employees will be notified that their information may have been compromised. The attackers have not identified themselves. Marriott has notified law enforcement. (CyberScoop)
Sunwing passengers were stranded as a result of a breach at one of its third-party vendors, Airline Choice. According to Airline Choice, hackers accessed and compromised systems containing data. Boarding and check-in features were affected: many passengers were told their flights were delayed, others were stranded and unable to board, and it became a nightmare for both passengers and Sunwing staff. 188 flights were impacted by the hack. (CityNews)
The attack on a German library service happened earlier this April, and services are still being restored. The attackers, apparently the LockBit ransomware group, targeted the library's service provider. The platform serves over 200 libraries across Europe, offering e-books, electronic newspapers, magazines, audio books and music. (TheRecord)
Based on the attacks above and the countless others we hear about, we recommend scheduling a meeting with the person or team responsible for IT within your organization.
Before the meeting, explain the importance of the meeting and why you are requesting it in the first place. Your reasons may include
We also recommend requesting their governance and policy handbook, the contact information of their data protection officer, and a list of the vendors they use to protect their environment.
Third-party risk management will become the baseline for corporate security in the near future. Employees will not risk choosing a vendor that may later cause embarrassment and potential lawsuits; nobody will sacrifice their job for a vendor. There is too much at stake, and so vendor risk management will be the norm.
Assurance IT's mission is to help 100,000 companies become cyber resilient through our services and our free content. Join today.