Many organizations focus their security efforts on protecting their own assets but neglect to consider the risks introduced by their supply chain and third-party partners. GroupSense researchers’ latest findings shed a spotlight on this very issue.
Researchers detected a data dump of 1,128,031 records associated with an online blood bank that matches hospitals and donors with donation facilities. Compromised personal information in the dump includes donor names, addresses, dates of birth, gender, telephone numbers, name of the donation center visited, blood type and donor source.
Third-Party Risk Can No Longer Be Ignored
Third-party risk is usually thought of in the context of adversaries attacking a company through its third-party partners, for example, hacking a parts supplier to gain access to the manufacturer’s supply chain systems. In this case, the damage is two-fold. First, donors are going to be less likely to contribute blood in the future if they cannot trust the security of the blood bank, which threatens an ample blood supply. Second, the information of millions was exposed, and the possibilities for threat actors to use that information for malicious purposes are endless. Essentially, even though the attack did not extend beyond the blood bank, it has a potentially profound impact on the blood bank’s hospital partners and individual donors.
Further research revealed the blood bank left donor information unencrypted – making it far too easy for cybercriminals to steal and post on the dark web. Still, hospitals have a responsibility to protect patient data. Even if hospitals do a perfect job protecting their own data, they need to ensure the security practices of their partners are at a high level. If not, it can damage the reputation and productivity of their entire supply chain. This makes it incumbent on hospitals to conduct due diligence of their supply partners, to ensure supply chain resilience.
Figure 1: Threat actor posting the online blood bank records for sale on the dark web.
What Can Be Done?
What should we take away from this incident? The big takeaway is that third-party risk needs to be a standard component of cyber security programs. Conducting reconnaissance on supply chain members and other third parties is the only way to ensure there are no vulnerabilities that could affect your own organization.
Here are some best practices to help get you started:
- Perform a third-party risk assessment of any vendors, suppliers or partners that manage your organization’s or your customers’ personal information to identify areas of weakness or vulnerability.
- Implement security guidelines third-party vendors must follow when managing your organizational or customer information. For example, mandate that any website handling your data present a valid security (TLS) certificate, so that information is encrypted in transit and unwanted access is prevented.
- Actively monitor for breaches or vulnerabilities from supply chain partners, in addition to your organization’s internal systems, to minimize the impact of a breach.
- Ensure employees, vendors and partners are aware of the various ways threat actors can steal information or compromise corporate systems. A well-informed and trained workforce and supply chain can be the first line of defense against cyberattacks.
Relying on other organizations to protect your valuable assets (or those of the entire supply chain) without sufficiently understanding their security practices can be dangerous. Identifying supply chain vulnerabilities and putting security guardrails in place to mitigate risk can be an effective and proactive cyber security practice to ensure data protection and data breach prevention.
GroupSense has helped hundreds of organizations assess third-party risk, strengthen supply chain security and actively monitor the dark web for information stolen in a third-party breach. Contact us to learn how we can help you assess not only your own digital risk, but the digital risk of your partners, to ensure your valuable assets and customer data remain secure.