What is a Third-Party Data Breach? 5 Recent Examples

Written by Kaitlyn Graham

What is a Third-Party Data Breach?

A third-party data breach is a security incident where an organization's sensitive data is compromised or stolen due to a vulnerability or cyber attack on one of its third party vendors. This type of breach happens outside the primary organization's own IT infrastructure but still impacts them, as the third-party vendor, contractor, or service provider has access to their data. 

Stolen data may include sensitive, proprietary, or confidential information such as credit card numbers, trade secrets, customer, or patient data. Third party breaches cost millions of dollars every year to companies of all sizes. The average total cost of a data breach is $4.35 million, and in the United States, it rises to $9.44 million.

Because attackers target a member of the victim’s supply chain, a third party data breach might also be called a supply chain attack. These attacks are often successful because third parties, including vendors, suppliers, contractors, or business partners, may have weaker security controls than the organizations they provide services to.

5 Recent Third-Party Data Breaches

Third-party vendors are critical to your business – but they also introduce cyber risk. Indeed, supply chain attacks are now a preferred method of threat actors, and 62% of network intrusions originate with a third party – often someone in your software supply chain.

The alarming aspect of a third-party data breach is the sheer scale of impact. Hackers have the potential to attack thousands of organizations in one fell swoop. According to a study by KPMG, 73% of organizations have experienced at least one significant disruption from a third-party cyber incident within the last three years. 

Managing third-party cyber risk can be complex, but neglecting it poses substantial risks. Let’s look at five of the biggest third-party data breaches in recent years, how they happened, and their impact. We’ll also offer a step-based approach for maturing your third-party risk management (TPRM) program.

1. SolarWinds (2020)

In December 2020, SolarWinds (a provider of network and system monitoring software) confirmed that its network had been penetrated by a malicious actor and a complex malware program inserted into software updates of its technology platform – SolarWinds Orion®. The program comprised a multistage process, scanning downstream customer networks to detect security tools it could avoid or disable, and stealthily connecting to the attacker’s command and control servers. The malware persisted for months before initial detection.

Impact

Because SolarWinds owned “the keys to the kingdom” for many organizations, it was an ideal target for disseminating an attack. Even organizations that did not use SolarWinds products were exposed to risk due to the prevalence of the company’s solutions within the supply chain. It’s estimated that 18,000 customers (including government agencies and 14% of the Fortune 1000) were impacted.

The financial fallout was also significant. Incident response and forensic services cost companies 11% of their annual revenue (an average of $12 million). Moreover, Bitsight’s analysis quantified the insured losses from the attack at $90,000,000. The breach also set the stage for other supply chain attacks.

Read more about The Future of Supply Chain Cyber Risk Management After SolarWinds and lessons learned from the failures that led to the attack.

2. Microsoft (2021)

Because most security tools implicitly trust anything signed by Microsoft, the tech giant is a frequent target of cyber attacks, and many of these exploit the interconnected supply chain. In March 2021, a series of breaches, known as the HAFNIUM attacks, compromised the on-premises Microsoft Exchange Servers of 30,000 global organizations. The attacks allowed hackers to access employee email accounts and install malware to facilitate long-term access.

Impact

Further demonstrating the surge in software supply chain security hacks, just months later, 38 million records were exposed due to a vulnerability in Microsoft Power Apps (a popular low-code business intelligence tool). Perpetrators gained access to COVID-19 testing, tracing, and vaccination records, as well as employee information for major organizations using the tool, such as Ford Motor Company, American Airlines, and the New York Metropolitan Transportation Authority.

3. Toyota (2022)

According to McKinsey, an auto manufacturer has around 250 tier-one suppliers, but the number proliferates to 18,000 across the full value chain – making these companies highly vulnerable to a third-party data breach.

For example, in March 2022, Toyota suspended production at 14 manufacturing plants in Japan after a supplier of plastic parts – Kojima Industries – was hit by a cyber attack. Toyota subsequently suspended operations of “all 28 lines at 14 domestic plants,” according to a company statement. The impacted output accounted for a third of global Toyota production. 

Per McKinsey, even a short disruption of 30 days or fewer can put three to five percent of EBITDA margin at stake.

4. Uber (2022)

In December 2022, ride-hailing giant Uber experienced a third-party data breach as a result of a compromised vendor. Teqtivity, which helps Uber track, monitor, and manage IT assets, confirmed that a hacker breached its systems and gained access to email addresses and other information pertaining to more than 77,000 Uber employees.

The hack follows a similar incident targeting DoorDash, where bad actors leveraged a connected vendor’s stolen credentials to access the food delivery giant’s internal systems and breach customer information, including credit card details.

5. U.S. School Districts (2022)

School districts are a lucrative target for hackers due to the volume of PII on their networks and limited security resources. Moreover, as EdTech tools gain traction, software supply chains have become a favored attack vector.

For example, a 2022 attack on Illuminate Education, a leading provider of student-tracking software, resulted in data breaches at the nation’s two largest school systems – New York City Public Schools and Los Angeles Unified School District – and countless more. The same year, 495,000 student records at Chicago Public Schools were exposed as a result of an attack on a third-party provider.

How to Prevent a Third-Party Data Breach: VRM Best Practices

Third-party vendors are key to any business in today’s interconnected economy, providing critical services like billing, software development, or data storage. So how do you make sure your vendors do not create unnecessary risk? 

The answer is not to avoid third-party relationships, but to engage only with vendors who demonstrate a robust security posture. This can be accomplished through thorough vendor risk assessments and continuous monitoring, as part of vendor risk management (VRM) and holistic third-party risk management (TPRM) programs. Here are some ways in which a third-party risk management program can help secure your supply chain and prevent a third-party data breach:

  • Streamlining due diligence and vendor risk assessments to assess vendors before onboarding
  • Automating the onboarding and reassessment process for more agile risk mitigation
  • Facilitating continuous monitoring based on real-time data feeds and analytics
  • Increasing visibility over risk from third party and fourth party relationships
  • Customizing and updating security requirements upon newly discovered threats and vulnerabilities
  • Identifying vendors who no longer meet security standards and facilitating their offboarding without causing business continuity issues

Managing Third-Party Risk: TPRM 

These and other third-party data breaches demonstrate the importance of managing third-party risks. Yet, the KPMG study found that 61% of businesses underestimate the importance of TPRM. They also struggle to maintain a fit-for-purpose operating model, citing two key reasons:

  1. Technology investments fail to provide visibility into third-party risk. 
  2. The challenge of limited resources makes it hard to understand and mitigate third-party risk at scale – across hundreds, if not thousands, of vendors.

Indeed, most businesses accept that it was luck, not their TPRM programs, that helped them avoid a major third-party data breach in the past few years.

As your vendor portfolio grows (most businesses work with an average of 1,000 suppliers), you need a way to scale your TPRM program while reducing the burden on security and risk management teams. Below are some must-haves that can help you do this, regardless of the maturity of your TPRM program:

1. Tier vendors or suppliers

It is not necessary to analyze each vendor in the same depth. Given limited time and resources, pay attention to those third parties that a) provide the most critical services, and b) have access to systems and sensitive data. Our tier recommender service can aid in grouping your vendors based on their risk and criticality to your business. As your TPRM program matures, you can expand its scope to cover a broader range of third parties and additional risk areas.

2. Set vendor risk tolerance thresholds

Bitsight’s data insights make it easy to establish an acceptable risk threshold a supplier must achieve to be considered a potential partner – and then measure them against it.

3. Continuously and automatically monitor the security postures of third parties

With Bitsight for TPRM, you’ll get dashboard views into the cyber health of each supplier (during due diligence and over the lifetime of the contract) and automatic alerts the moment risk is discovered.

4. Collaborate with partners to reduce risk and exposure

To ensure rapid triage, share Bitsight’s findings with your vendors so they can view hidden risk in their networks.

5. Extend cyber risk insights to fourth parties

Because risk can quickly cascade across the supply chain, use Bitsight for Fourth-Party Risk Management for an unprecedented view into security vulnerabilities across your entire vendor ecosystem.

6. Unify vendor data and assessments

Organize vendor security and risk management data in a unified tool. For instance, Bitsight Vendor Risk Management (VRM) spans all aspects of VRM with one fully integrated solution. You can make informed decisions about where to prioritize resources without needing to jump between disparate tools.

These best practices don't have to be standalone. You can automate third-party assessment, validation, vulnerability detection, and reporting at scale with an end-to-end TPRM solution that integrates with your existing vendor risk management tools, so you always stay on top of threats.


Know what it takes to create a VRM program that’s ready and able to stand up to the current state of affairs and find a step-by-step guide for creating a sustainable and scalable vendor risk management program from the ground up.