Notable third-party data breaches to learn from for 2022

2021 saw some of the most damaging data breaches in the history of information technology. Though cyberthreats have been rising for years, the pandemic introduced further challenges, many of which have been directly connected to the dramatic rise of remote work.

Although insider threat remains a serious problem for many organizations, many of the biggest threats of recent times are rooted in vulnerabilities in increasingly complex supply chains and other external threats.

These third-party risks continue to evolve and grow as organizations struggle to adapt to the long-term changes whose introduction has been accelerated by the pandemic. Chief among these changes is the normalization of distributed work, which is undoubtedly here to stay.

Mitigating third-party risk has never been harder, as we have learned from some of the biggest incidents of the past year. Here are some of the most noteworthy third-party security breaches from last year, and what we can learn from them.

Accellion develops security software products used by more than 3,000 organizations around the world. Yet despite their industry, they suffered a series of severe data breaches beginning from the end of 2020 through early 2021.

The data breach occurred due to a vulnerability in their File Transfer Appliance (FTA), a legacy file sharing service, which was already 20 years old at the time. The attack itself was attributed to FIN11, an infamous advanced persistent threat (APT) actor based in Russia.

Click Studios is an Australian developer of enterprise password management software. Many security experts agree that using password managers offers a good balance of security and usability by giving passwords an extra layer of protection. On the other hand, if the password manager itself is hacked, attackers may potentially be able to access all of an individual’s login credentials.

The incident occurred when attackers were able to exploit the application update mechanism to install malware on victims’ computers which could, in turn, expose any passwords stored in the password manager. Although Click Studios was fairly quick to respond with a critical hotfix, the software was still vulnerable for 28 hours.

Many people do not think of password managers as third-party suppliers, but the truth is, like any other software, they are part of the broader supply chain. After all, any passwords or other credentials stored in such a service are ultimately under the protection of a third-party vendor which, just like any other organization, may also be targeted in an attack.

Kaseya provides management software for IT teams and managed services providers (MSPs) making it an integral part of the supply chain for thousands of organizations. In July 2021, they suffered a ransomware attack at the hands of the ransomware-as-a-service (RaaS) syndicate REvil, based in Russia.

The attack exploited a vulnerability in Kaseya’s remote monitoring and management software VSA, used by MSPs to monitor availability and integrity across their service portfolios. REvil exploited the vulnerability to install a fake update, which was actually ransomware. While no sensitive data was exfiltrated during the attack, numerous on-premises and cloud servers had to be shut down as a precaution, ultimately resulting in costly downtime for as many as 1,500 companies worldwide. The gang demanded $70 million worth of Bitcoins from those infected by the ransomware, though most still had recent backups and did not end up paying.

Since most smaller businesses depend on MSPs to provide and manage their IT services, Kaseya is actually a fourth-party supplier to many end users. Although REvil has since been eradicated, the attack highlights the need to carefully evaluate security across all downstream supply chain partners as well.