Explore the rising epidemic of third-party data breaches: The Breach Epidemic Exposing Businesses Worldwide.

In today’s interconnected business landscape, third-party data breaches have emerged as a frontline concern, challenging the digital security of global financial institutions. With organisations weaving an ever-expanding web of suppliers, vendors, and service providers into their operations, the potential for devastating security breaches through these third-party connections has skyrocketed.

Recognising this critical vulnerability, the Digital Operational Resilience Act (DORA) has been introduced in the European Union to mandate stringent measures for financial entities, ensuring a robust defense mechanism against the rising tide of third-party cyber threats.

The reality is stark: when a third-party vendor falls, it doesn’t fall alone. The ripple effects can be massive, leading to significant financial losses, operational disruptions, and lasting damage to reputational trust. High-profile breaches involving major corporations and their third-party partners have laid bare the extensive consequences of such vulnerabilities, underscoring the urgency of DORA’s implementation. The act requires financial institutions to adopt comprehensive risk management frameworks that extend beyond their direct operations, encompassing the entirety of their digital supply chain.

The breach landscape offers clear evidence that no entity, regardless of size or industry, is immune. From financial institutions to healthcare providers and global manufacturers, the patterns are clear. Each case underscores the vulnerability of even the most secure organisations to the failings of their partners, highlighting the need for rigorous third-party risk management as stipulated by DORA.

The act requires entities to thoroughly assess, monitor, and manage the digital operational resilience of their third-party vendors, ensuring these partners adhere to the same stringent security standards.

The surge in third-party breaches signals a critical juncture for businesses worldwide, particularly within the financial sector. DORA demands a reassessment of how financial organisations select and manage their external partners. Rigorous due diligence, continuous monitoring, and transparent communication across the supply chain are mandated to ensure compliance with DORA and safeguard against operational and cyber risks. Financial services must establish robust mechanisms to respond to, recover from, and prevent ICT-related disruptions and threats, extending these protocols to include their third-party networks.

Navigating the third-party threat landscape requires a shift in mindset—from reactive to proactive, from trust to verification. DORA serves as a beacon for financial institutions, guiding them towards a future where operational resilience is ingrained in every facet of their digital and third-party relationships.

By implementing DORA’s comprehensive risk management and resilience strategies, financial institutions can fortify their defenses against the ever-present threat of third-party breaches. The path forward involves not just safeguarding one’s own digital assets but ensuring that every link in the supply chain is equally protected, in alignment with DORA’s vision for a resilient financial sector.

In addressing the third-party breach epidemic, it’s clear that vigilance, collaboration, and investment in advanced security measures are paramount. The implementation of DORA’s guidelines offers a roadmap for financial institutions to enhance their operational resilience, ensuring they can withstand and quickly recover from the impacts of third-party breaches.

The surge in digital supply chain attacks offers valuable lessons on the evolving threat landscape and the critical need for enhanced cyber vigilance.

Assessing and Prioritising Risk Criticality

The complexity of modern supply chains requires organisations to not only identify risks but also to evaluate the criticality of each third-party service provider. As reliance on external vendors grows, it becomes vital for organisations to stratify these risks. This stratification should be aligned with how critical each vendor is to the organisation’s operations, allowing for a targeted approach to risk management.

The Importance of Swift Detection

Examples of swift containment, in contrast to more protracted breaches, emphasise the significance of early detection. There is a clear benefit to comprehensive oversight of the entire supply chain, extending to fourth and further removed suppliers. It is the prompt identification of, and response to, such vulnerabilities that can mitigate the potential for widespread damage.

Addressing Third-Party Vulnerabilities

No matter how robust an organisation’s cybersecurity posture may be, the extended digital supply chain often presents softer targets for cybercriminals. It’s not uncommon for vendors to lack stringent cybersecurity protocols or to fall short on compliance, thereby offering attackers a more accessible entry point. This highlights the necessity for a unified security strategy that encompasses all aspects of the supply chain, ensuring that every link adheres to high cybersecurity standards.

In the complex landscape of UK financial services, VENDOR iQ stands as a pivotal ally, enhancing the resilience and oversight of your supply chain. Our surveillance services offer a comprehensive view of your critical suppliers and partners, ensuring operational excellence across the board.

Key Highlights:

  • Real-time Monitoring: Keep a vigilant eye on Tier 1 and Tier 2 suppliers, as well as the broader distribution chain, including IFAs and DFMs.
  • Proactive Risk Management: With over 5 billion data points at our disposal, we provide actionable insights to mitigate risks and uncover hidden opportunities.
  • Cost-effective Solutions: Our AI-powered analysis and real-time data access streamline your operations, yielding significant savings and enhancing compliance monitoring efficiency.

Transform Your Approach: Within hours, VENDOR iQ can seamlessly integrate into your existing processes, offering a 100x increase in the effectiveness of your compliance and operations monitoring. Our tailored financial health metrics and regulatory compliance insights, backed by expert support, ensure you’re always ahead of the curve.
