What do Home Depot, Target, Jimmy John’s, Wendy’s, Scottrade, Gmail, and the National Security Agency have in common? Each has suffered a high-profile data breach related to third-party access in the past five years. It’s clear that many organizations, across industries, are failing to put in place the security measures needed to prevent or minimize the identity and access risks that come with third-party access.
The Security Risks Associated with Third-Party Access
Attacking vulnerable third-party vendors has become a top tactic for malicious actors in recent years. In fact, a recent study found that almost 9 in 10 (87 percent) organizations have faced a disruptive incident involving a third party in the last three years, and 94.3 percent of companies are not confident in the tools they use to manage third-party risk.
Many companies are simply unprepared, either because of the misguided belief that contractors aren’t around long enough to be dangerous or because they’re already too bogged down dealing with internal user access and security controls to give third-party access proper attention.
However, for intruders looking for weak links in the system, this is the perfect opportunity. After all, if it’s easy for a third-party worker to access your systems, there’s a good chance it’s just as easy for someone with more malicious intentions to do so.
Contractors with full access to a client’s network or an avenue to a privileged account can be an intruder’s golden ticket. An HVAC contractor’s login and password might be all that’s needed to wreak havoc—just ask Target.
Prominent Victims of Third-Party Breaches
Many of the most catastrophic data breaches in history have been the direct result of compromised third-party vendors and supply-chain partners. These data breaches made these organizations accountable to millions of people whose data was compromised and cost the affected organizations millions of dollars.
Here are just a few of the names on the ever-growing list of third-party breach victims:
Target - In 2013, hackers using credentials stolen from an HVAC contractor accessed Target’s networks and infected its POS systems with malware, making off with 41 million payment card numbers and personally identifiable information (PII) for 70 million customers. Total breach expenses amounted to $162 million for 2013 and 2014 alone.
Booz Allen Hamilton/NSA - An NSA contractor, Edward Snowden, revealed thousands of classified documents to journalists in the U.S. and abroad in 2013. Snowden went on to leak nearly 1.7 million classified documents, leading to major public outcry and legislation.
Home Depot - In 2014, credentials stolen from a third party were used to access Home Depot’s network and deploy malware that compromised 50 million payment cards. The retailer eventually paid settlements of $19.5 million to affected customers and $25 million to banks, as well as $134.5 million in compensation to credit card consortiums.
Federal Office of Personnel Management - Hackers used credentials stolen from a contractor to access the Federal Office of Personnel Management (OPM) network, where they went undetected for 343 days and accessed confidential records of 22 million federal government employees.
Wendy’s - In 2016, criminals hacked a third-party point-of-sale (POS) service provider with remote access to registers in more than 1,000 Wendy’s restaurants, resulting in stolen payment card numbers and a class-action lawsuit.
Anthem, Inc. - Last year, an employee of Anthem Inc.’s third-party insurance coordination contractor accessed a file containing 18,500 individuals’ Medicare ID numbers, Social Security numbers, Health Plan ID numbers, Medicare contract numbers, and enrollment dates, intending to sell that information.
While the list of organizations in the headlines as the result of a third-party breach will continue to grow, your organization doesn’t have to be the next headline.
Download our eBook, How to Minimize the Identity and Access Risks Associated with Third-Party Relationships, to learn more about what makes third-party remote access so risky and the steps your organization can take to mitigate these risks.