With 2020 behind us, it is time to look back at what happened. In 2020, attackers were once again on top of their game, going after people's data and successfully hacking their way into governmental institutions. This article covers the five largest third-party data breaches of 2020.
While we are still getting more and more detailed information about the SolarWinds data breach every day, we can already conclude that this may be one of the biggest (third-party) data breaches of the year. Not only by the sheer amount of companies affected, but also which ones, such as the US Treasury, US State Department, Microsoft, and many companies from the Fortune 500.
Since the data breach became public knowledge, SolarWinds has removed its customer list from its website. 425 (!) of the Fortune 500 companies are affected. Note that only customers who downloaded the malicious update are affected. That said, more than 17,000 customers did so.
So what happened? SolarWinds' network management product, Orion, was compromised around March, and a backdoor was slipped into a software update. Organizations that downloaded and installed the corrupted version of Orion unknowingly gave the attackers access to their networks. This resulted, for example, in Microsoft having large swaths of its source code stolen.
The Fortune 500 company General Electric disclosed a breach in February with a data breach notification letter. They notified customers in March that a third-party data breach occurred between February 3 and 14 of the same year. The company was not aware of the breach until February 28.
The root cause of this breach lies with one of GE's third parties, Canon. An email account at Canon was accessed by an unauthorized party the month before the breach. The attackers may have had access to information on GE employees and their beneficiaries, such as names, addresses, Social Security numbers, driver's license numbers, bank account numbers, passport numbers, dates of birth, and other details.
As a result of this, GE and Canon set up a support hotline that affected individuals could call to get more information on the incident or acquire identity protection and credit monitoring services at no cost for two years.
Hotels.com / Expedia and more
As if the pandemic hasn't impacted the hotel industry enough, it was once again the victim of a serious security event. In 2018 the Marriott hotel chain was hacked, affecting 339 million guest records and resulting in a fine of over 18 million British pounds. This year, multiple hotel industry organizations were affected when a commonly used third party was breached.
Prestige Software, responsible for a hotel reservation system, had been storing sensitive information about hotel guests without sufficient security measures in place, putting millions of customers at risk. The data went back as far as 2013 and included credit card numbers (with CVV numbers), full names, addresses, and other identity details. Details about the exact number of affected guests have not been shared. However, considering that almost the entire hotel industry uses Prestige Software, the breach could be even larger than the Marriott data breach.
So what happened? Prestige Software used AWS to store the data in an S3 bucket, an online storage system. The bucket was configured to allow public access (without authentication) to the files, so anyone could read them. According to Prestige Software, there is no evidence that attackers accessed the data before the company was informed that its S3 bucket was publicly available.
The US Government makes a return in this list. A supplier of the US Government noticed the data breach early in 2020. However, according to experts, the breach goes back to as early as 2017. The leak was found by Fidus Information Security, which reported it to the unnamed supplier of the US government. The leak affected all California, New York State, and Texas residents, totaling about 78 million people.
The unnamed supplier processed sensitive personal data, such as birth certificate applications containing names, dates of birth, current home addresses, email addresses, and phone numbers. The data covered the applicants themselves as well as their family members, and included historical information such as past addresses.
The root cause? The unnamed supplier uses AWS and had its S3 buckets publicly available, meaning that, just as in the Prestige Software case above, anyone could have accessed this data.
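Both the Prestige Software and the unnamed supplier incidents come down to the same misconfiguration: an S3 bucket whose policy or ACL grants access to everyone. The following Python is an added example (not code from this article or from either company) showing how a defender can review the three settings that decide whether a bucket is effectively public: the bucket policy, the bucket ACL, and the S3 Block Public Access configuration. The bucket name, account id, and policy documents are constructed samples in the shapes the S3 API returns; the exposure model is a simplified assumption, not a full IAM evaluation.

```python
import json

# Constructed sample: a bucket policy in the document format AWS uses. This is the
# shape of the misconfiguration described above: anyone on the internet may list
# the bucket and read every object. Bucket name is made up.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-reservations",
                     "arn:aws:s3:::example-reservations/*"],
    }],
})

# Constructed sample: the corrected policy, scoped to one application role.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/reservation-app"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-reservations/*",
    }],
})

# Constructed ACL grant lists in the shape of GetBucketAcl's "Grants" field.
PUBLIC_ACL_GRANTS = [
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]
OWNER_ONLY_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"},
     "Permission": "FULL_CONTROL"},
]

# Group URIs that make an ACL grant public (AuthenticatedUsers is any AWS account,
# not just your own, so it counts as public too).
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True when the statement applies to everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False


def public_policy_statements(policy_json):
    """Return the Sids (or positions) of Allow statements that apply to everyone
    and carry no Condition block that could narrow who may use them."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A condition (e.g. aws:SourceVpce) may still restrict callers; such
            # statements deserve a manual look but are not flagged as open here.
            continue
        findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def public_acl_grants(grants):
    """Return the permissions an ACL hands to the AllUsers/AuthenticatedUsers groups."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_GROUPS]


def assess_bucket(policy_json, acl_grants, public_access_block):
    """Simplified exposure model (an assumption of this example): Block Public
    Access neutralises a public policy via RestrictPublicBuckets and public ACLs
    via IgnorePublicAcls. Anything left over is reported as a finding."""
    findings = []
    sids = public_policy_statements(policy_json) if policy_json else []
    if sids and not public_access_block.get("RestrictPublicBuckets", False):
        findings.append("bucket policy grants anonymous access: " + ", ".join(sids))
    perms = public_acl_grants(acl_grants)
    if perms and not public_access_block.get("IgnorePublicAcls", False):
        findings.append("ACL grants public permissions: " + ", ".join(perms))
    return findings


if __name__ == "__main__":
    print("open bucket:   ", assess_bucket(PUBLIC_POLICY, PUBLIC_ACL_GRANTS, {}))
    print("blocked bucket:", assess_bucket(PUBLIC_POLICY, PUBLIC_ACL_GRANTS,
                                           {"RestrictPublicBuckets": True,
                                            "IgnorePublicAcls": True}))
    print("private bucket:", assess_bucket(PRIVATE_POLICY, OWNER_ONLY_ACL_GRANTS, {}))
```

Against real buckets the three inputs come from the S3 API (`get_bucket_policy`, `get_bucket_acl`, and `get_public_access_block` in boto3); running the check on every bucket in an account, and on the account-level Block Public Access setting, is the routine control that would have caught both misconfigurations described above before a researcher did.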
One of the largest banks in Western Australia, P&N Bank, notified its customers of a data breach in January 2020. The breach exposed personal information from its customer relationship management system. P&N Bank contacted approximately 96,000 customers. According to the letter, the attackers had accessed non-sensitive data only.
The CRM system used by P&N processed personal data such as name, age, residential address, email, phone number, customer number, account number, and account balances. Sensitive personal data, such as social security numbers, was not processed by the system.
P&N Bank hasn't disclosed the root cause of the data breach. It shared that the hack took place in December 2019 during a server upgrade at a third-party company that P&N Bank engages to provide hosting services.
With organizations leveraging more third parties to provide their services, attackers find more avenues to breach them. Managing third parties is, for this reason, becoming more and more important.
Getting control of your suppliers and partners ('processors' in the privacy realm) is crucial these days. At Riskly, we recommend setting up and fine-tuning a third-party management process. This process should be based on how important each vendor is to your organization. While setting it up, consider the onboarding process, monitor vendor performance, and make sure you have an adequate off-boarding process.
For some useful recommendations on setting up and optimizing such a process, feel free to read our guide, Six recommendations to manage your third-parties successfully.