The recent GoDaddy cyber attack, which affected 1.2 million customers, is yet another reason for IT and risk managers, CISOs and anyone else responsible for cyber security to convince their C-suite that resources are needed to identify the suppliers the business relies on and to assess the information and cyber security controls those vendors have in place to protect it.
Weak supply chain information security can result in major damage and disruption. A series of high-profile, potentially devastating attacks on companies in recent years has shown that attackers have both the desire and the ability to exploit supply chain security weaknesses. This is a real and growing trend, and the need to act is clear.
Vendors typically need access to at least some of your critical data in order to add value to your business. You are entrusting sensitive data, from customer information to API keys, to third parties, and by handing that data to a vendor you are also accepting the risk that the vendor suffers a data breach. Many kinds of sensitive data can be exposed, each with its own ways of being abused and its own consequences.
In October 2021, BlueVoyant, a cyber security firm, released the results of a survey of 1,200 executives at large corporations in North America, Europe and Asia. Almost every company surveyed had been negatively affected by a supply chain breach; 93% reported having directly experienced a cyber security breach as a result of a security weakness at one of their suppliers. The techniques used to compromise a supply chain are largely the same as those used in direct attacks: malware, brute force attacks, social engineering and exploitation of software vulnerabilities. The attackers’ end goals are also the same as in a direct attack, such as extortion, theft of personal data or ransom.
These breaches can be disastrous for businesses, resulting in large regulatory fines, legal proceedings, long-term damage to the brand and loss of customer trust. They can also be very profitable for cyber criminals, so it is no surprise that third-party cyber crime is on the rise.
Some recent examples of large-scale cyber attacks
To get an appreciation of the wide-ranging impact of supply chain cyber breaches and the damage they can cause, let’s look at some of the more recent large-scale attacks.
SolarWinds
The 2020 SolarWinds attack was carried out by attackers believed to be working for the Russian government. How they first got into the SolarWinds network has not been confirmed; SolarWinds has said the initial entry was most likely a zero-day vulnerability in a third-party application or device, a brute force attack, or social engineering. FireEye, a cyber security firm with US government contracts, was one of the victims and was the first to detect and publicly report the compromise. It is worth noting that attackers of this kind take a long-term view: the SolarWinds compromise was a means of collecting information from organisations at least two levels downstream of the initial breach.
Once inside, the attackers lingered for some time, gathering information before injecting malicious code into the build of SolarWinds’ Orion IT monitoring platform. The trojanised software was distributed to customers through legitimate, signed software updates, and was then used to steal information from selected victims. Victims of the SolarWinds attack included the US Departments of Defense, Energy, Homeland Security, Treasury, State, Commerce, and Health and Human Services. Major technology companies including Microsoft, Intel and Cisco also found the compromised software on their networks. SolarWinds estimated that up to 18,000 organisations may have installed the malicious update.
Accellion
The Accellion cyber breach began with vulnerabilities in a single product and evolved into a global breach of sensitive personal and corporate data. Attackers exploited vulnerabilities in Accellion’s legacy File Transfer Appliance (FTA), a product organisations used to exchange large and sensitive files, to steal the files it held. The stolen data included personal information such as Social Security numbers, banking and financial data, medical information and credit card details.
The attack was motivated by criminal profit, and the many victims came to light throughout 2021. They include the Reserve Bank of New Zealand, the state of Washington, the grocery chain Kroger, the University of Colorado and the cyber security firm Qualys, among many others.
Audi/Volkswagen
Audi and Volkswagen suffered a data breach affecting 3.3 million customers as a result of a vendor leaving customer data exposed on the internet between August 2019 and May 2021. Over 97% of those affected were Audi customers or prospective buyers.
For most of those affected, the exposed personal data consisted of first and last name, personal or business mailing address, email address and phone number. For a smaller group, more sensitive data was exposed: more than 95% of it was driver’s licence numbers, with a very small number of dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers. The firms brought in cyber security experts to investigate, stating: “Audi and Volkswagen are working with third-party cybersecurity experts to assess and respond to this situation and have taken steps to address the matter with the vendor involved.”
GoDaddy
In November 2021 the web hosting giant GoDaddy reported a data breach, warning that up to 1.2 million active and inactive Managed WordPress customers may have had their email addresses and customer numbers exposed. GoDaddy said this exposure could put those customers at greater risk of phishing attacks.
Demetrius Comes, GoDaddy’s Chief Information Security Officer, stated in a filing with the US Securities and Exchange Commission that the company had discovered unauthorised access to the systems on which it hosts and manages its customers’ WordPress servers. According to GoDaddy, the unauthorised party gained access to those systems around 6 September using a compromised password, and the breach was not discovered until 17 November. Roughly ten weeks of undetected access is clearly a worrying delay.
Understanding the cyber risk is key
If you have outsourced services to suppliers, you need to understand the vulnerabilities and threats that working with them introduces to your business’s information security. As part of your firm’s Governance, Risk Management and Compliance (GRC) programme, you must ensure that your vendors are as concerned about information and cyber security as you are. Since almost all organisations depend on vendors that in turn rely on electronic supply chains, it is important to perform regular cyber security due diligence on vendors, and to monitor them continuously to confirm they keep following good cyber security practice. Contracts only go so far and are of little use in the short term once a cyber security incident has happened: Accellion and SolarWinds are both being sued over alleged negligence in their security practices. Even if your organisation has the most comprehensive and effective internal security management programme, if any of your vendors falls short, you are exposed.
How can we help?
There are a number of tools available to understand and convey your exposure to suppliers and vendors. To find out how we can help you secure your supply chain, get in touch.