NormShield Blog

Major Third-Party Data Breaches Revealed in April 2020

Data breaches caused by third parties cost millions of dollars to large companies and are often devastating to small businesses. A recent survey conducted by the Ponemon Institute reveals that 53% of organizations have experienced one or more data breaches caused by a third party, costing an average of $7.5 million to remediate. 

Third-parties are companies that support your organization and often have access to, share, or maintain data critical to your operations. Third-parties include a broad range of companies such as data management companies, law firms, e-mail providers, web hosting companies, subsidiaries, vendors, service providers, subcontractors. Essentially any company whose employees or systems have access to your systems or your data is considered a third party. However, third-party cyber risk is not limited to these entities. Any external software, hardware or firmware that you use for your business can also pose a cyber risk. There are several tools to assess third-party cyber risk and ways to prevent software supply-chain attacks. Knowing your potential risks allows your business to make adjustments and protect itself from becoming the next cyber breach headline.

We regularly update the list of major third-party (aka supply-chain) attacks and breaches revealed in the news. In this blog you will find the most recent breaches for the month of April. 

UseNeXt, Usenet.nl

UseNeXT and Usenet.nl, two of the largest newsgroup platforms on the internet, were hacked through a third-party partner company.

Users utilize these platforms to discuss various current headlines and debate the latest news. Both UseNeXT and Usenet.nl provide online users with a paid service that allows them to connect to networks in a faster and more secure manner, as modern free Usenet access is slow and is not inherently secure.

The potential victims have been warned against possible exposure and unauthorized use of their personal information including

  • First and last name 
  • Billing address 
  • IBAN and account number

UseNeXT’s recent notice reads, “We are currently analyzing what damage may have occurred. For security reasons, all systems are currently offline. Therefore, we cannot be reached via the Internet, email or call center.”

The hack is believed to have occurred through a security hole in the network of an unnamed third-party company providing services to both UseNeXT and Usenet.nl.

Marriott

Incurring numerous data breaches in the past 18 months, the hotel giant is now investigating  a new breach which puts 5.2 million customers’ personal data at stake. According to the announcements by company officials, the information confiscated in this latest data breach includes:

  • guest names 
  • addresses 
  • birthdays 
  • emails 
  • phone numbers
  • loyalty reward program numbers for both the hotel chain and partner airlines  

The data exposure is believed to have happened through a hack using login credentials of two employees of a franchised hotel in Russia. It is not clear at the moment whether the access was unauthorized, or a result of  foul play.

The breach was discovered when an unusual amount of guest data accessed through an in-house app was used to track customers’ check-in dates, birthday celebrations and towel preferences. Although an uptick in activity was noticed in late February, the beach is believed to date back to  mid-January according to a company official.

In 2018, Marriott had another large data breach exposing nearly 300 million guests’ data, including sensitive information like passport numbers, payment cards and travel details. This breach caused Mariott to face a record-breaking class-action lawsuit, one of the largest in history.

RIGUP Energy Sector Clients

A misconfigured Amazon S3 bucket news traced back to RigUp, an Austin-based labor and marketplace provider, which connects independent contractors with companies across the U.S.

A security firm discovered an open bucket in early March that contained tens of thousands of files labeled with the name ‘RigUp’. The files included sensitive information  regarding several organizations and individuals in the U.S. energy sector. 

The Amazon database exposed more than 76,000 files, which included

human resource files from RigUp’s clients, contractors, job seekers, and candidates for employment. The sensitive information included:

  • employee and candidate resumes 
  • personal photos 
  • paperwork and IDs related to insurance policies
  • professional IDs 
  • profile photos (incl. US military personnel) 
  • scans of professional certificates in various fields

It is not clear at the moment whether the database was dumped by hackers or another source. 

Aside from personal information, the database also contained project proposals and applications, project outlines, technical drawings for drilling equipment, and corporate insurance documents.

Cognizant’s Clients

Cognizant, a New Jersey-headquartered third-party IT services provider, 

was the most recent victim of the Maze ransomware. 

As one of the largest consulting companies in the Fortune 500, the firm also has a business agreement with Facebook to help the social giant moderate content on its platform. 

The company’s latest announcement reads, “Cognizant can confirm that a security incident involving our internal systems, and causing service disruptions for some of our clients, is the result of a Maze ransomware attack. Our internal security teams, supplemented by leading cyber defense firms, are actively taking steps to contain this incident.”

Included in the aftermath of the attack is a disruption to Cognizant’s clients. What client information and data is exposed currently remains unknown.

The same ransomware group targeted Chubb, Cyber Insurer in March, threatening to publish the sensitive files.

Michigan State University

The breach that hit Michigan State University in late April is said to have affected about 300 customers of the University’s e-commerce site: shop.msu.edu.

The university was notified of the breach through its e-commerce vendor Volusion.

The third-party vendor provides online payment processing to thousands across the country, making the incident a nationwide data breach.  The breach is believed to have affected customers who submitted their credit card information to the University’s e-commerce site between Sept. 7, 2019 and Oct. 8, 2019.

MSU Chief Information Officer, Melissa Woo, announced, “While there was no breach to Michigan State University’s networks or systems, this breach of a third-party vendor is concerning and compels us to do what we can to help those impacted by sharing this important information. We know that the best tool in protecting yourself from identity theft and preserving your personal information is accurate information and swift action.”

According to Volusion’s statement, the affected PII could include: 

  • names 
  • phone numbers 
  • addresses 
  • credit card numbers 
  • CVVs and expiration dates 

The social security numbers of the customers were not exposed.

Featured image courtesy: Image by TheDigitalWay from Pixabay