The Top Third-Party Breaches of 2022 (So Far): Steps to Mitigate Risks

The pace of third-party data breaches and intrusions is accelerating at an alarming rate. Use these tips to adapt your security procedures to include vendors, partners and suppliers.
By Dave Shackleford, Owner & Principal Consultant, Voodoo Security
July 27, 2022

Organizations rely on more vendors and suppliers than ever before, and many of these third-party relationships involve data sharing and/or IT system access. This creates an intricate web of exposures, vulnerabilities and risks that can be difficult for organizations to understand and manage. The number of third-party data breaches so far in 2022 attests to that.

Let’s consider the risks. Lack of governance over third-party relationships can lead to:

  • Data exposure due to malware infection (such as ransomware) caused by poor configuration
  • Attacks on resiliency and availability (such as from denial-of-service, or DDoS)
  • Compromised stakeholder systems and accounts from social engineering campaigns
  • Software supply chain compromises like those affecting Kaseya, SolarWinds, and their customers

In this post, I will review a few especially damaging third-party data breaches that have already happened this year. I’ll also share five techniques for reducing your third-party attack surface.

Top 2022 Third-Party Security Incidents

So far in 2022, we’ve seen a range of third-party breaches and incidents targeting manufacturing, schools, and healthcare-related services. Here are three of the most notable events:

Toyota

In February 2022, Toyota shut down operations in Japan after a major plastic supplier, Kojima Industries, suffered a data breach. Kojima had remote access to Toyota manufacturing plants, so a compromise at the supplier was effectively a path into Toyota's own environment. The temporary shutdown cost Toyota both financially and operationally.

Illuminate Education

Between 800,000 and 5 million student records were compromised at Illuminate, with many delays noted in the detection and reporting of the breach.

Highmark

Healthcare company Highmark was breached after its partner Quantum Group suffered a ransomware attack. Up to 657 healthcare entities were affected by this compromise.

5 Techniques for Assessing Third-Party Data Breach Risk

It's critical that we start expanding our risk assessment and remediation models to better accommodate third-party organizations, many of which may not have adequate security controls in place. Even though it might feel like you have little control over the security practices of your vendors and suppliers, there’s still a lot you can do to better prepare for and detect third-party breaches and risks.

Here are a few techniques you can employ right now:

  1. Discover and inventory third-party organizations connected to your network. Be sure to focus on ingress and egress network access controls, authentication and authorization controls, and activity logging and monitoring.
  2. Map access to sensitive data in your organization’s environment using data flows and specific network access conduits, as well as groups that are granted permissions to these data types.
  3. Perform threat modeling for potential sources of a malware infection. Could a third-party malware outbreak lead to your environment being compromised as well?
  4. Discover and inventory data (your organization’s data, that is) that is stored in or shared with third-party environments. Could you be impacted by a ransomware infection that hijacks their data stores and backups?
  5. Update your third-party risk assessment questionnaires, incorporating questions about attack prevention, detection and response capabilities. In addition, increase the frequency of these assessments and utilize continuous threat monitoring for a constant feed of risk intelligence.
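As an added illustration of techniques 1, 2 and 4 (this is example code, not code from the original post or from Prevalent), the Python script below reviews a remote-access log export against an approved vendor register and a sensitive-data map. The register, the host data-classification map, the five-field log format, and every account name, hostname and IP address are constructed for illustration; the review date is assumed rather than taken from the clock. It flags accounts that are not in the register, connections from source networks a vendor was not approved to use, vendor access to hosts outside that vendor's scope (annotated with the data class of the host), and vendor access that has gone unused long enough to deserve revocation.

```python
"""Review third-party remote-access activity against an approved vendor
register and a sensitive-data map.

Added example, not code from the original post. The vendor register,
the host data-classification map, the log format and every address,
hostname and account name below are constructed for illustration.
"""

import ipaddress
from datetime import datetime, timedelta

# Constructed vendor register (technique 1): approved accounts, source
# networks and target hosts for each connected third party.
VENDOR_REGISTER = {
    "kojima-parts": {
        "accounts": {"svc-kojima"},
        "source_nets": [ipaddress.ip_network("203.0.113.0/24")],
        "allowed_hosts": {"mes-prod-01", "mes-prod-02"},
    },
    "quantum-billing": {
        "accounts": {"quantum-ops"},
        "source_nets": [ipaddress.ip_network("198.51.100.0/25")],
        "allowed_hosts": {"claims-db-01"},
    },
}

# Constructed data-flow map (technique 2): which hosts hold what.
HOST_DATA_CLASS = {
    "mes-prod-01": "operational",
    "mes-prod-02": "operational",
    "claims-db-01": "phi",
    "hr-share-01": "pii",
}

# Constructed log export: "timestamp user source_ip destination action".
SAMPLE_LOGS = """\
2022-07-01T08:02:11Z svc-kojima 203.0.113.15 mes-prod-01 ALLOW
2022-07-03T21:15:40Z svc-kojima 203.0.113.20 hr-share-01 ALLOW
2022-07-10T02:41:09Z svc-kojima 192.0.2.77 mes-prod-02 ALLOW
2022-07-12T10:00:00Z contractor9 198.51.100.200 claims-db-01 ALLOW
2022-04-02T09:30:00Z quantum-ops 198.51.100.9 claims-db-01 ALLOW
garbage line that should be skipped
"""

# Assumed review date; a real run would use the current time.
REVIEW_DATE = datetime(2022, 7, 27)


def parse_log(text):
    """Parse the constructed log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, src, dst, action = parts
        try:
            events.append({
                "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                "user": user,
                "src": ipaddress.ip_address(src),
                "dst": dst,
                "action": action,
            })
        except ValueError:  # bad timestamp or address
            continue
    return events


def vendor_for_account(user):
    """Map an account to the vendor that owns it, or None if unregistered."""
    for name, vendor in VENDOR_REGISTER.items():
        if user in vendor["accounts"]:
            return name
    return None


def review_access(events, now, stale_after=timedelta(days=30)):
    """Return findings as (kind, vendor, detail) tuples."""
    findings = []
    last_seen = {}
    for e in events:
        vendor = vendor_for_account(e["user"])
        if vendor is None:
            findings.append(("unregistered_account", None, e["user"]))
            continue
        rules = VENDOR_REGISTER[vendor]
        if vendor not in last_seen or e["ts"] > last_seen[vendor]:
            last_seen[vendor] = e["ts"]
        if not any(e["src"] in net for net in rules["source_nets"]):
            findings.append(("unexpected_source", vendor, str(e["src"])))
        if e["dst"] not in rules["allowed_hosts"]:
            data_class = HOST_DATA_CLASS.get(e["dst"], "unknown")
            findings.append(("out_of_scope_host", vendor,
                             f"{e['dst']} ({data_class})"))
    # Unused but still-enabled access is attack surface with no owner.
    for vendor in VENDOR_REGISTER:
        seen = last_seen.get(vendor)
        if seen is None or now - seen > stale_after:
            findings.append(("stale_access", vendor,
                             seen.isoformat() if seen else "never"))
    return findings


def run_review():
    """Run the review over the constructed sample data."""
    return review_access(parse_log(SAMPLE_LOGS), REVIEW_DATE)


if __name__ == "__main__":
    for kind, vendor, detail in run_review():
        print(f"{kind:22} {vendor or '-':18} {detail}")
```

Run against the constructed data, the review reports the Kojima account touching an HR share that holds PII, the same account connecting from an address outside its approved range, an account that appears in the logs but in no vendor record, and a billing vendor whose access has not been used since April. The first three are the conditions a vendor inventory exists to catch; the last is the kind of dormant conduit that a periodic questionnaire alone will never surface, which is why the log review should run on a schedule rather than once.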

Next Step: Watch the On-Demand Webinar for Additional Tips

Want to learn more? Be sure to watch the on-demand version of my webinar, The Top 5 Biggest Third-Party Data Breaches of 2022 … and How They Could Have Been Prevented.

During the webinar, I dig into the following topics:

  • Understanding recent third-party breaches and how they happened
  • Implementing avoidance and mitigation tactics to prevent breaches
  • Preparing for similar risks and asking the right questions of your third parties

Don’t get caught flat-footed. Evaluate your third-party assessment and monitoring strategies today!

Dave Shackleford, Owner & Principal Consultant, Voodoo Security

Dave Shackleford is the owner and principal consultant of Voodoo Security and faculty at IANS Research. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. Dave is a SANS Analyst, serves on the Board of Directors at the SANS Technology Institute, and helps lead the Atlanta chapter of the Cloud Security Alliance.
