A worrying trend has emerged in 2018 and is impacting organisations and their clients around the globe. Essentially, malware attacks on organisations have been increasingly targeted through their third-party service providers, utilising the company’s lax vendor security measures to exfiltrate sensitive enterprise and customer data. This trend has been recognised by security experts globally as one of the greatest cybersecurity risks facing organisations in 2018. Despite this, organisations are failing to take third-party risk seriously, and are paying the price. 
Demonstrating the prevalence of these third-party attacks, the first few months of 2018 have seen several major companies thrust into the spotlight over data breaches. Below are a few examples from this year.
Kmart, Delta Airlines, BestBuy and Sears
An unspecified cyber attack on [24]7.ai – a chat and customer services vendor – has exposed the online payment data collected by some of their client companies, including Kmart and BestBuy. Credit card information, CVV numbers, expiration dates, addresses and other personal data was compromised across various industries.
The malware attack occurred between 26th September and 12th October last year but was not reported until April/May this year. The companies affected have not yet determined how many customers have been impacted so far, but estimates show it could reach the hundreds of thousands.
A recent Ponemon Institute survey found that 56% of companies have experienced breaches caused by outside vendors, representing a 7% increase over the past year. CyberGRX CEO Fred Kneip says that to avoid these attacks, companies and their vendors must “start collaborating with each other more”. Utilising third-party services such as [24]7.ai should not be shunned and should not carry severe security risks. Instead, all that is required is effective security management and monitoring by the enterprises and vendors.
Corporation Service Company (CSC)
In an attack in May, hackers exfiltrated the personal information of over 5,600 CSC customers. The company – which provides various services for other organisations including domain registration – discovered that an unauthorised party had accessed its network and systems. CSC said they took immediate steps to stop the attack, contacted the authorities and brought in various cybersecurity firms to investigate. CRO of CyberGRX, Scott Schneider emphasized that “large enterprises that interact with thousands of third parties need to start paying closer attention to the security controls of the vendors, contractors, suppliers and customers in their digital ecosystem”.
In response, CSC has stated it will adopt a stronger security posture, implement two-factor authentication for various services, extend its firewalls and introduce 16-character passwords for employees.
FastBooking
The personal information and card details of guests from hundreds of hotels worldwide has been leaked in an attack against a third-party booking software company known as FastBooking. The company – which services approximately 4,000 hotels across 100 countries – was hacked on 14th June through malware installed using the application hosted on FastBooking’s server, allowing the attacker to exfiltrate data.
According to the company, the intruder accessed information such as guest’s names, nationality, addresses, emails and trip details such as check-in and check-out times. Unfortunately for some guests, payment details were also reportedly stolen.
In a press release, FastBooking revealed the incident impacted 380 Japanese hotels alone. Indeed, the first hotel chain to inform their customers of this breach was Prince Hotels & Resorts in Japan, which states the attack will affect 124,963 guests staying at 82 of their hotels.
Universal Music Group (UMG)
It was recently found that a contractor for UMG left the company data exposed when they failed to secure an Apache Airflow Server. This oversight left everything in UMG’s cloud data storage, including AWS configuration details and internal source code details, exposed to the open internet.
The exposure was picked up by experts from Kromtech Security Center in May this year. The incident occurred after a third-party contractor was hired to manage UMG’s IT systems, setting up an Apache Airflow server that clearly warns all users that “by default, all gates are open”. This incident goes to show how a single contractor with lax security control can enable the exposure of highly sensitive enterprise information.
Honda
Soon after the UMG incident, it was also discovered that a Honda affiliate in India had left two Amazon S3 buckets misconfigured for over a year. Contained in the buckets were various unprotected databases which held the personal information for over 50,000 users of the Honda Connect application.
The information leaked could allow an attacker to know where a person’s car is located, where they have been, their daily routes and more. This type of information in today’s age could give an attacker a map of someone’s life; where they work, live, study and visit. The buckets also contained personal information such as customer’s names, numbers, addresses, email addresses, contacts and passwords.
Kromtech, who were one of the first to discover this exposed data, stated that “it shows that many companies of all sizes are not paying any attention to their security…there is no excuse for that”.
Taking It Seriously
These incidents are a small selection of examples that demonstrate the need for organisations to take third-party security seriously and to implement effective management and monitoring of their vendor security policies. Third-party attacks have become an easy way for hackers to access the enterprise and customer data of large companies, causing significant damage and affecting hundreds of thousands of employees and clients.
CRO at CyberGRX, Scott Schneider finds that “too many organisations think that their responsibility to safeguard data ends where their network does, despite mountains of evidence to the contrary”. He emphasised that organisations must “fundamentally change the way they approach managing third-party risk, and that means more collaboration”.
Many experts, including Schneider, believe that these attacks will continue and have greater impacts unless something changes soon. The interconnectedness of our digital ecosystems is highly beneficial for businesses and customers, but there are important security aspects that must be addressed in order to ensure the safety of sensitive data. Organisations must develop and implement effective vendor compliance management programmes in order to protect their business, employees and clients.