No matter how securely an organization guards itself against cyberattacks, it remains vulnerable if a third party it works with hasn’t taken proper precautions. This is sometimes overlooked as companies focus instead on the risks posed directly by hackers and cybercriminals. Let’s review three high-profile cyberattacks that stemmed from third-party relationships and what can be learned from them.
Domino’s Australia
In 2017, Domino’s Australia experienced a data breach that resulted in personal customer information landing on spam email lists. Forbes reported that Domino’s “suggests that the fault may lie with a former supplier.” What’s notable is that although the pizza maker had already ended its relationship with the supplier, the risk remained. Organizations therefore need to assess third-party relationships before, during and after the engagement: even a relationship that has ended can still come back to you.
Marriott International, Inc.
In 2018, Marriott International faced public scrutiny when a cyber incident exposed the records of about 339 million guests globally. An internal investigation by Marriott traced the breach to its 2016 acquisition of the hotel chain Starwood. The UK’s Information Commissioner’s Office (ICO) found that Starwood’s reservation system had been breached in 2014, although this was not discovered until four years later. The ICO then fined Marriott £18.4 million (initially proposed at £99 million) under GDPR for failing “to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.” This case highlights the critical need to assess cybersecurity risk before, during and after a merger with another company. The threat was not detected at the time of the merger but was nonetheless present. As such, we believe cybersecurity hygiene will be a factor considered by investors moving forward.
General Electric (GE)
This year, it came to light that sensitive employee information from a Fortune 500 company, General Electric (GE), had been exposed through a third-party data breach. The attackers gained access to an unknown number of employees’ bank account details, Social Security numbers, driver’s licenses, passports, birth certificates, and a host of other personal and private documents.
GE said the cyberattack was carried out against one of its service providers, Canon Business Process Services, Inc. This case is worth highlighting to make the point that cyber incidents don’t affect just customers, but employees as well. No matter whose information you store, it should be protected from access by unauthorized parties.
Regardless of your company’s size or the industry you operate in, a cyberattack could disrupt your operations at any time. Customers and investors do not care how an attack occurred, only that it happened. To protect your organization from business disruptions, legal battles, financial consequences and reputational damage, it’s paramount that you review not only your own security measures but those of your suppliers.
Effective vendor risk management gives you intelligence that makes the risks to your business visible, allowing you to take measures to counteract them.
To learn how you can improve your cybersecurity as well as the third parties you work with, view our on-demand webinar, A Risk-Based Approach to Vendor and Supply Chain Management.