NormShield Blog

Major Third-party Breaches Revealed in January 2019


A recent survey conducted by the Ponemon Institute reveals that 59% of companies experienced a third-party breach in 2018, an increase of 3% compared to the previous year. Data breaches caused by third parties cost large companies millions of dollars.

Third parties include a broad range of entities a company works with directly, such as data management companies, law firms, email providers, web hosting companies, subsidiaries, vendors and sub-contractors; basically any company whose employees or systems have access to your systems or your data. However, third-party cyber risk is not limited to these companies. Any external software or hardware that you use for your business also poses a cyber risk. There are several tools to assess third-party cyber risk and ways to prevent software supply-chain attacks.

Major Third-party Breaches Revealed

We regularly update the list of major third-party (aka supply-chain) attacks and breaches that are revealed in the news, and January was an active month for third-party data breaches. Here are the January picks.

1. Ascension


A misconfigured server of a third-party vendor exposed millions of bank loan and mortgage documents belonging to Ascension, a Texas-based data and analytics company for the financial industry. The documents contain sensitive information from many major financial institutions, including CitiFinancial, HSBC Life Insurance, Wells Fargo, CapitalOne and some U.S. federal departments. The third party involved, OpticsML, provides OCR (Optical Character Recognition) services to convert paper documents and handwritten notes into computer-readable files.

2. 141 Airline Companies


A critical flaw in the online booking system managed by Amadeus allows attackers to access an individual's flight information if the reservation (PNR) number is known. The system provides service for 141 airline companies. Noam Rotem, the security researcher who discovered the bug, showed that the system has no brute-force protection, which allows an unlimited number of attempts with randomly generated PNR numbers.

3. European e-commerce Sites


Malicious code injected into third-party JavaScript served by a Paris-based advertising agency, Adverline, targets the credit card information of online shoppers at European e-commerce sites. The attack, discovered by Trend Micro and RiskIQ researchers, is part of a long-running series of attacks known as the Magecart campaign. Other well-known breaches from the same campaign are the 2018 Ticketmaster and British Airways attacks.

4. City of Saint John, NB and Hanover County


The cities of Saint John in New Brunswick, Canada and Hanover County in Virginia have become the latest victims of attacks against Click2Gov, an online payment tool widely used by many U.S. and some Canadian cities. Unfortunately, the payment information of 6,000 citizens in Saint John and thousands in Hanover County was compromised.

5. Humana


Humana, a health insurance company, notified its customers about a third-party data breach that compromised the names, addresses, dates of birth, partial Social Security numbers, and some policy-type information of an unknown number of customers. The breach was caused by one of Humana's business partners, BankersLife.

6. Companies that use PHP Pear


A company may suffer a third-party data breach if anyone in the company has downloaded the PHP PEAR package manager from its official website in the past six months. The maintainers at the PHP Extension and Application Repository (PEAR) found that the original PHP PEAR package manager (go-pear.phar) had been replaced with a modified version containing malicious code.

Open-source libraries like PHP PEAR are common in the developer community and are used to add functionality such as encryption or authentication to websites. It is important to note that many hosting providers allow their users to install and run PEAR. Thus, the extent of the incident may be larger than expected.
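The defensive control that catches a swapped installer like the one above is verifying every downloaded artifact against a checksum pinned from a trusted source before running it. The following example is added here and is not NormShield's or the PEAR project's code; it assumes a sha256sum-style manifest (`<hexdigest>  <filename>`) and uses constructed file contents rather than real go-pear.phar hashes.

```python
import hashlib
import hmac
import os
import tempfile

def parse_checksum_manifest(text):
    """Parse sha256sum-style lines ('<hexdigest>  <filename>') into a dict."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        if len(digest) != 64 or not name.strip():
            raise ValueError(f"malformed manifest line: {line!r}")
        pinned[name.strip()] = digest.lower()
    return pinned

def sha256_file(path, chunk_size=65536):
    """Stream the file so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_downloads(directory, manifest_text):
    """Return {filename: bool}; a missing file counts as a failed check."""
    results = {}
    for name, expected in parse_checksum_manifest(manifest_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = False
            continue
        # compare_digest avoids a timing side channel on the comparison
        results[name] = hmac.compare_digest(sha256_file(path), expected)
    return results

def demo():
    """Constructed scenario (not real PEAR data): one intact, one replaced."""
    good = b"#!/usr/bin/env php\n<?php echo 'installer'; ?>\n"
    pinned = hashlib.sha256(good).hexdigest()  # pin taken from known-good bytes
    manifest = f"{pinned}  go-pear.phar\n{pinned}  go-pear-mirror.phar\n"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "go-pear.phar"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "go-pear-mirror.phar"), "wb") as f:
            f.write(good + b"// appended by a hypothetical tampering step\n")
        return verify_downloads(d, manifest)
```

The pinned digest must come from a channel independent of the download itself (for example a signed release note), since a hash published next to a replaced file can be replaced with it.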

7. Highmark BCBS, Aetna, Emblem Health, Humana, and United Health

Five Delaware companies, Highmark BCBS, Aetna, Emblem Health, Humana, and United Health, experienced a data breach caused by a third-party administrator for health insurance companies, BenefitMall. BenefitMall provides online payroll, benefits, tax compliance and HR services and, as a result of the data breach, the data of 650 consumers was exposed.

8. LocalBitcoins


LocalBitcoins, a peer-to-peer cryptocurrency exchange portal, announced the theft of almost 8 bitcoins ($28,200) from five victims. The portal claims that the theft was caused by a third-party service used in its forum sites.

Sources: Links to relevant news and our updated list can be found at https://www.normshield.com/data-breaches-caused-by-third-parties/