Much has been written about third party data breaches. In practice, there is only one effective way to make sure you are not left exposed when a connected third party is breached and your data is compromised.
But before we get there, we’ll look at:
- What a third party data breach is (and isn’t)
- The implications of a third party breach
- A real recent example of a third party data breach
- The only thing you can do to stay truly protected (except for never sharing any data, which is almost impossible today)
First, a statistic worth knowing: third party attack vectors account for roughly 29% of all data breaches. That means close to one breach in three starts with a compromised supplier, partner or service provider, so every organization needs a plan for protecting the data it has shared with third parties that does not rely on those third parties to protect it.
TL;DR: The only way to effectively maintain visibility and control over your data is with ITsMine. But let’s look at the problem in detail:
What Is a Third Party Data Breach
A third party data breach is when your data, residing with a third party, is compromised. It is also called a vendor or supply chain breach. It is sometimes confused with "triple extortion", but that is a different thing: a ransomware tactic in which the attackers, having encrypted and exfiltrated a victim's data, also pressure the victim's customers and partners whose data was exposed. Triple extortion is one way a third party breach turns into a direct demand on you, not another name for it.
Imagine your law firm gets hacked. Its file system probably holds all your employee contracts, financial information and customer agreements. Basically everything confidential you have ever created or worked on could be offered on a dark web leak site within hours.
This is an example of a third party data breach.
The third party could be a law firm, an accountant, a payment provider or processor, a CRM vendor: name a service you use, and you probably have some form of sensitive data residing on that organization's servers, outside your own company boundary.
So what do you do? Do you just throw up your hands and give up, hoping that these third parties will guard your data effectively?
This is a problematic approach. Professional service providers such as law firms are typically less heavily regulated, and run less mature security programs, than, say, financial institutions.
The good news is that there is a way to ensure visibility and control over your data, even when it’s residing with third parties – but we’ll get to that momentarily.
The Effects of a Third Party Data Breach
The effects of a third party data breach can be nothing short of catastrophic. These can include:
Fines: Regulators are becoming more aggressive with their fines. Under the GDPR, for example, fines can reach 20 million Euros or 4% of annual global turnover, whichever is higher.
Loss of revenue: Data shows that organizations experiencing a data breach experience a significant loss of revenue and/or drop in their valuation.
Loss of customer trust: Customers trust you with their most sensitive data, and expect you to guard it closely. In many cases, they don’t even know data is shared with third parties, leading to an even bigger trust issue.
Breach notifications: Breach notifications really are a nightmare. In many instances, organizations experiencing some form of breach will have to notify current customers and suppliers, previous customers and suppliers, multiple regulators, and the list goes on. On average, breach notifications cost $370,000 per incident.
In a recent case, the Centers for Medicare & Medicaid Services (CMS) notified over 946,000 Medicare beneficiaries of a data breach at its contractor, Wisconsin Physicians Service Insurance Corporation (WPS), caused by a vulnerability in Progress Software's MOVEit Transfer file transfer product. Exploited by the Clop ransomware group in May 2023, the breach exposed sensitive data including names, Social Security numbers and Medicare information. CMS, WPS and law enforcement are still investigating.
One of the most serious, and most misunderstood, elements of a third party data breach is the legal and cyber insurance side.
In many cases, the contract's limitation of liability clause caps the damages the provider will pay, often at the fees that have changed hands under the contract. So if your data at, say, an HR platform is compromised and that platform has billed you $50,000 in total, $50,000 is the most you can claim from it. That holds even if you are now being sued for millions of dollars, or even if it "just" costs hundreds of thousands of dollars to clean up the mess. Check this cap before you share data, not after the breach.
Real Examples of Third Party Data Breaches
There have been several recent examples of real third party data breaches that have had serious consequences:
Fortinet
Fortinet, a US-based cybersecurity company, experienced a third party data breach when a threat actor gained unauthorized access to files stored on Fortinet's instance of a third party cloud file sharing service (reported as an Azure-hosted SharePoint instance) and claimed to have taken 440GB of data.
Nokia
Nokia is investigating a potential data breach involving a third party vendor after a hacker known as IntelBroker claimed to have accessed and stolen Nokia source code. The threat actor alleges the breach occurred through a third party contractor's SonarQube server that was accessible with default credentials, and claims to have obtained source code, SSH and RSA keys, and credentials. Nokia has so far found no evidence that its own systems or data were affected, but is monitoring the situation closely and the investigation remains ongoing. Whether or not the claim holds up, the alleged entry point (a code analysis server left on default credentials at a contractor) is exactly the kind of weakness you cannot see from inside your own boundary.
American Express
American Express informed customers of a data breach at a third party merchant processor whose systems had been accessed without authorization. American Express confirmed that its own systems were not compromised, but the incident shows the risk that sits with third party service providers in payment chains: card data can be exposed by a breach at a party the cardholder has never heard of.
Industries at Risk
While all industries are at risk, some – such as finance and healthcare – are in even more danger. A recent report notes that 35% of third-party breaches affected healthcare organizations.
How To Prevent a Third Party Data Breach
Strictly speaking, you cannot prevent a third party from being breached; its security is not yours to run. What you can control is what such a breach exposes, and there is one sure way to do that.
And that is to maintain visibility and control of your data, no matter where it is, whether on your own systems or with a third party.
Until now, this was the holy grail of third party data protection. It was the ideal, but thought to be unattainable.
Until ITsMine introduced its BeyondDLP solution, which ensures visibility and control of data even beyond company boundaries.
Through solutions such as its Virtual Vaults, ITsMine allows organizations to:
- Get alerted in real time to any potential breach
- Instantly provide full disclosure to regulators or third parties about which files have been affected and which have not. This narrows the scope of breach notifications, and where the affected data can be shown to have been unintelligible to the attacker it can remove the need to notify affected individuals (the GDPR, for example, makes that exception in Article 34(3)); it also significantly reduces cyber insurance risk
- Kill any important files that were with the third party, even if the attacker holds them on an external offline system. Note that remote revocation of this kind only applies to files still in their protected form; a plaintext copy that was extracted while access was valid cannot be recalled, which is why the real-time alerting above matters
This capability is nothing short of revolutionary. You, your Board, your customers, your cyber insurers, and multiple other stakeholders can confidently know that third party data risk is proactively taken care of.
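To make the "visibility and control beyond your boundary" idea concrete, here is an added example that is not ITsMine's code and does not describe how BeyondDLP or Virtual Vaults work internally. It shows the general pattern such products are built on: the file that leaves your boundary is an envelope encrypted under a per-file key that only your own key service holds, every open requires an online key fetch (which gives you the access log), and revoking the key "kills" every copy of the envelope wherever it sits. All names (`KeyService`, `Envelope`, the file ID and sample contract text) are constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what is handed to the third party: ciphertext plus the file ID
// needed to ask the owner's key service for the data key. It carries no key.
type Envelope struct {
	FileID     string
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output with the authentication tag appended
}

// KeyService stays inside the data owner's boundary. It is the only place the
// per-file data keys exist, so wiping a key here makes every copy of the
// envelope unreadable, wherever that copy is stored.
type KeyService struct {
	keys    map[string][]byte
	revoked map[string]bool
	log     []string // who asked for which file: the visibility half of the story
}

var (
	ErrRevoked = errors.New("key revoked: file is no longer readable")
	ErrUnknown = errors.New("unknown file id")
)

func NewKeyService() *KeyService {
	return &KeyService{keys: map[string][]byte{}, revoked: map[string]bool{}}
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Protect encrypts a file under a fresh random key and keeps that key at home.
func (ks *KeyService) Protect(fileID string, plaintext []byte) (Envelope, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Envelope{}, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	// The file ID is bound as associated data, so an envelope cannot be
	// relabelled to borrow another file's key.
	ct := aead.Seal(nil, nonce, plaintext, []byte(fileID))
	ks.keys[fileID] = key
	return Envelope{FileID: fileID, Nonce: nonce, Ciphertext: ct}, nil
}

// FetchKey is the online check every open must pass. Each call is logged with
// the requesting party, which is what lets the owner later state exactly which
// files were opened, by whom, and which were not.
func (ks *KeyService) FetchKey(fileID, requester string) ([]byte, error) {
	ks.log = append(ks.log, requester+" requested "+fileID)
	if ks.revoked[fileID] {
		return nil, ErrRevoked
	}
	key, ok := ks.keys[fileID]
	if !ok {
		return nil, ErrUnknown
	}
	return key, nil
}

// Revoke kills the file: the key is deleted, not merely flagged.
func (ks *KeyService) Revoke(fileID string) {
	ks.revoked[fileID] = true
	delete(ks.keys, fileID)
}

func (ks *KeyService) AccessLog() []string { return ks.log }

// Open runs on the third party's side and cannot succeed without the key service.
func Open(ks *KeyService, env Envelope, requester string) ([]byte, error) {
	key, err := ks.FetchKey(env.FileID, requester)
	if err != nil {
		return nil, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, []byte(env.FileID))
}

func main() {
	ks := NewKeyService()
	id := "contracts/employee-0042.pdf" // constructed sample file
	env, _ := ks.Protect(id, []byte("constructed sample contract text"))
	pt, err := Open(ks, env, "lawfirm")
	fmt.Printf("before revoke: %q err=%v\n", pt, err)
	ks.Revoke(id)
	_, err = Open(ks, env, "attacker-with-stolen-copy")
	fmt.Println("after revoke:", err)
	// Caveat: a plaintext copy saved while access was valid is not recalled.
	fmt.Printf("plaintext saved earlier is still readable: %q\n", pt)
	fmt.Println(ks.AccessLog())
}
```

The last two lines of `main` are the honest part: revocation protects the envelope, not plaintext that was already extracted, so the access log and real-time alerting are what bound the window in which that extraction can happen.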
To learn more, contact ITsMine today.