It’s common for organizations to bring in external vendors for necessary support such as maintenance, administration, and other services. To do their jobs, these vendors need appropriate access to relevant parts of your organization for variable periods of time. But managing third-party vendors can be complicated because many different departments use them, vendors require different processes than internal groups, and they may not employ the same level of security as your organization does.
Does your organization have a comprehensive view of all of its third-party vendors? If your answer was no, you’re not alone. According to a survey from the Ponemon Institute, 66% of companies surveyed had no idea how many third-party relationships they had or how they were managed, even though 61% of the surveyed companies reported having a data breach attributable to a third party.
It’s clear that while managing third parties can be complicated, neglecting that management substantially increases the risk of a data breach. To illustrate this point, here are the five biggest third-party data breaches of 2022 so far, and what they can teach us about reducing risk.
In February 2022, the auto manufacturing company Toyota completely shut down operations in Japan after a major plastic supplier, Kojima, suffered a data breach. Because Kojima had third-party access to Toyota manufacturing plants, shutting down was necessary to protect their data. This third-party data breach also affected some operations of Toyota subsidiaries. Halted or decreased production may have hurt Toyota’s bottom line as it slowed down car production and reduced the number of cars Toyota produced by a few hundred.
To reduce your risk of a third-party data breach, it’s important to be aware of the security measures your third-party vendors employ, and to negotiate better ones if they are not up to your company’s standard.
At the end of 2021, health plan information and other personal information of Major League Baseball players and their families was stolen in a cyberattack. This attack targeted a consulting company, Horizon Actuarial, that provided services for the MLB Players Benefits Plan. Data from 38,400 individuals was compromised in this breach, including 13,000 people who were members of the MLB Players Benefits Plan. Horizon Actuarial didn’t notify impacted clients until March 2022.
Unless it’s in your contract, there is no guarantee that a third-party vendor will notify your organization quickly after a breach, which means your data could be exposed without your knowing it. Adding notification requirements to contracts with third-party vendors is essential.
The protected health information (PHI) of over 520,000 people was compromised when Morley Companies, a business service provider, was attacked. This attack happened in August 2021 but individuals were not notified until February 2022. Morley Companies provides various services to many large corporations that are part of the Fortune 500 and Global 100 groups. This cyberattack left sensitive information such as social security numbers, addresses, names, and medical history of Morley Companies’ customers and employees vulnerable.
When a third-party breach like this occurs, it takes more time and money to fix than an internal breach or attack. Organizations that used Morley Companies as a third-party service provider had to devote time and resources to resolving the issue and addressing the resulting damage to their reputations. Morley itself incurred costs as well: it brought in cybersecurity experts to examine its systems and offered those affected complimentary credit monitoring and identity theft protection services. It also altered its cyber environment to prevent such situations in the future.
School districts across the United States, including districts in Connecticut, New York, and Colorado, have had sensitive information compromised starting in January 2022 and continuing through April. This data, which includes current and former student information, was compromised after a third-party vendor, Illuminate Education, was a victim of a cyberattack. Many school districts across the US use Illuminate Education’s software to track student information and progress.
When this vendor was breached, confidential student information was exposed. Over 800,000 records were compromised from New York school districts alone and potentially over 5 million students across the country who use Illuminate Education could now be at risk. And delays in reporting the breach allowed its effects to spread to other school districts.
The healthcare company Highmark had to rush to secure customer data in March 2022 after a third-party data breach. The third party, Quantum Group, was attacked, and sensitive information about Highmark members was exposed in the breach. Quantum Group provides printing and mailing services for Highmark and had received member information in 2017 for these services. Quantum Group had received this information from Webb Mason, Highmark’s marketing vendor. This means that Quantum Group is really an “nth party”: it provides external services to a company that in turn provides services to Highmark. Nth parties are challenging because they are farther removed from an organization. The attack illustrates the complexity that arises when your third-party vendors use third-party vendors of their own. Although Highmark didn’t have a breach inside its own software, its relationship to a third or nth party made it vulnerable. Organizations would do well to track the vendors used by their third-party vendors and to institute a good third-party management program to reduce the number of incidents like this.
Saviynt’s Third-Party Access Governance can help your organization prevent third-party data breaches like these. Our cloud-native solution manages third-party vendors throughout their life cycle to give you simplified visibility into third-party risk. Saviynt’s Third-Party Access Governance product allows you to manage and reduce vendor risk through delegated administration, automation, self-service access requests, and distributed access reviews and certifications, all on a single platform.