
January 2025 Vendor Management News


Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.

Recently Added Articles as of January 30

A total of 190 million people were impacted in the Change Healthcare breach in 2024, a healthcare third-party data breach compromised almost 294,000 patients, and Progressive paid $3.25 million to settle a third-party data breach. Check out this week’s news below.

Progressive settles class action lawsuit over third-party data breach: Progressive settled a $3.25 million class action lawsuit over a third-party data breach. The lawsuit alleged Progressive failed to protect customer information at a third-party call center. Although the data breach didn’t originate with the insurance company, organizations can still face expensive lawsuits due to a third-party breach.  

UK company investigating third-party data breach claims: A UK telecommunications company is investigating a third-party data breach after alleged customer data was posted for sale on a hacking forum. The company, TalkTalk, discovered a third-party supplier’s system was breached, but no billing or financial information was stored on it. Data posted for sale included subscriber names, emails, and last-used IP addresses. The third party said an external party only gained access to a single provider’s data.  

190 million impacted by the 2024 Change Healthcare data breach: The number of those impacted in the 2024 Change Healthcare data breach has almost doubled to 190 million people. Change Healthcare is one of the largest third-party payment processing companies. The breach impacted healthcare providers, health insurance plans, and other organizations. Costs tied to the breach reached $3.1 billion. Security experts partially blamed the lack of security controls like multi-factor authentication.  

Third-party healthcare data breach impacts 294,000 patients: A Pittsburgh-based hospital system, Allegheny Health Network, announced a third-party data breach impacting 294,000 patients. The third-party firm hosts, manages, and secures computer systems used by the hospital system. Systems were taken offline immediately after the breach was discovered. Data stolen includes names, addresses, Social Security numbers, and health insurance information.  

Third-party risk management lessons from the Capital One outage: As we recently saw with the Capital One outage, third-party risk isn’t going anywhere. Although the third party caused the outage, customers look at the bank for accountability. To manage third-party risks, review contracts for service level agreements and the vendor’s uptime guarantee. Conduct regular risk assessments to review the vendor’s operational resilience. These steps help protect your organization from third-party incidents.  

U.S. federal contractors targeted in third-party data breaches: Most breaches (58%) at top U.S. federal contractors involve third-party attack vectors, according to new research. The federal supply chain is often under attack as threat actors seek to access sensitive and confidential government information. Experts recommended that federal contractors strengthen third-party risk management programs, while federal agencies should strengthen fourth-party risk management. Contractors should prioritize vendor vetting and agencies should review contractors’ third-party risk management programs.  

Recently Added Articles as of January 23

A third-party data breach impacted almost half a million hotel guests, a power outage at a third party disrupted dozens of banks (and millions of their customers), and third-party artificial intelligence usage is increasingly common among Canadian organizations. Catch up on this week’s news and headlines below!

Third-party data breach impacts hotel guests’ information: Almost half a million hotel customers’ personal information was compromised in a third-party data breach. Hotel management software provider Otelier was breached, according to a data breach notification site. The third party confirmed the data breach and has hired investigators. The hotels allegedly impacted include Hilton, Hyatt, and Marriott. Researchers said the incident likely stemmed from malware.  

Banking deposits disrupted after third-party power outage: Dozens of banks, including Capital One, faced disruptions over the weekend after a power outage at a financial services vendor. The outages started Wednesday and caused delays with deposits, payments, and transfers. The third-party vendor, Fidelity Information Services, said a local power loss and hardware failure caused the outage. Many customers were upset when their paychecks and deposits were delayed.

Best practices for fintechs to manage third-party risks: Fintech companies offer innovative products with the help of third-party relationships – cloud services, payment processors, etc. These relationships need to be managed to prevent risks. Review third parties carefully before entering a relationship. Check their financial stability, security and compliance policies, and compliance record. Set expectations in the third-party contract to protect your fintech. Monitor the relationship through regular check-ins, audits, and compliance reviews. Remember to use a risk-based strategy, where third parties with the highest risk receive the most attention.  

Most Canadian organizations relying on third-party artificial intelligence: Many Canadian organizations are expanding artificial intelligence (AI) usage and relying on third parties to provide data, training, or expertise. A recent study from IBM showed a minority of Canadian companies are experimenting with AI in-house. Experts say organizations should use caution with third-party AI. Third-party AI increases risks for cybersecurity, data governance, and compliance. Ask third parties about the AI system, where the data comes from, and its explainability.  

Protecting from supply chain attacks: Supply chain attacks continue to emerge as a top threat for organizations. They target the web of suppliers, vendors, and service providers organizations rely on. Incident response planning ensures organizations are prepared to respond to supply chain attacks. Thorough third-party due diligence and continuous monitoring allow organizations to catch potential threats early. Cyber insurance is also an important tool to mitigate damage from a supply chain attack.

How to build strong third-party partnerships: Building strong supplier relationships is critical for the success and growth of your organization. It involves high trust levels, communication, and a commitment to each other. The third-party contract is foundational to a strong partnership. It should legally protect all parties involved and minimize future disputes. Setting clear expectations on performance, availability, and quality also ensures a smooth partnership. Communicate regularly to minimize misunderstandings. Remember to share positive feedback and talk honestly about challenging situations.  

Recently Added Articles as of January 16

A third-party data breach impacted school districts across the U.S. and other countries, proposed HIPAA changes would strengthen cybersecurity mandates, and the Digital Operational Resilience Act takes effect tomorrow. Check out this week's news below. 

Evolving third-party risk management for cloud and SaaS technologies: Be prepared to manage rapidly evolving cloud and software as a service (SaaS) third parties, according to a recent report. Third-party programs often rely on static assessments, which don’t capture the complexities of digital vendors. Integration with identity and access management processes addresses the gaps in traditional third-party risk management. This includes enforcing multi-factor authentication (MFA) for third-party access and monitoring compliance with policies.

Proposed HIPAA changes would strengthen cybersecurity mandates: The Department of Health and Human Services (HHS) proposed major changes to the Health Insurance Portability and Accountability Act (HIPAA) to address growing cybersecurity attacks. The healthcare industry has faced many attacks, including high-profile third-party breaches. The proposed change combines “required” rules and “addressable” rules and makes all cybersecurity rules mandatory for healthcare organizations. The change would also impact vendor management and require better onboarding practices.  

Third-party data breach impacts U.S. school districts: A third-party data breach impacted school districts across the U.S. and other countries. PowerSchool, a third-party software that stores student and staff information, was breached in December. Hackers were able to obtain names, addresses, and Social Security numbers after using a user’s credentials to log in. The third party holds the information of more than 60 million students, although it’s unclear how many were impacted. PowerSchool is working with the FBI and CrowdStrike to investigate.

Improving vendor risk management practices after U.S. Treasury breach: The third-party breach of the U.S. Treasury Department was just one incident where cybercriminals targeted the government through a third-party vendor. Third-party risk management is a critical activity for government agencies. Third parties often don’t have stringent security practices in place, especially if they’re a smaller company. Providing cybersecurity training creates awareness, and incident reporting ensures your organization is prepared to respond.  

Zero-day vulnerability likely the cause of Fortinet attacks: A zero-day vulnerability is likely to blame for recent attacks on Fortinet FortiGate firewall devices, although it hasn’t been definitively confirmed. The attacks are still ongoing. Organizations should never expose Fortinet device management interfaces to the public and instead limit access to trusted internal users. Regularly update firmware to patch vulnerabilities and other security issues.  

Second BeyondTrust vulnerability added to CISA catalog: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a second BeyondTrust vulnerability to the Known Exploited Vulnerabilities (KEV) catalog. The flaw could allow an attacker to upload malicious files. BeyondTrust discovered the vulnerabilities after the December 2024 incident that impacted the U.S. Treasury. Organizations should apply necessary patches as soon as possible.

Preparing for DORA compliance: At the end of the week, the EU’s Digital Operational Resilience Act (DORA) takes effect. It’s designed to ensure the financial sector is operationally resilient. DORA implements strict requirements for third-party risk management – it's critical your organization is prepared. Reviewing best practices like regular software updates, critical vendor identification, and security training helps ensure compliance. Conduct a gap analysis to identify weaknesses and understand where your organization needs to improve.  

Recently Added Articles as of January 9

Several third-party data breaches occurred over the holiday break, the United Kingdom's recent third-party guidance for financial institutions became effective, and a new study showed the rising risk of third-party data breaches in the European Union. Catch up on all the important news and headlines below. 

Third-party data breach compromises U.S. Treasury Department: A third-party data breach allowed Chinese state-sponsored hackers to compromise the U.S. Treasury Department. Cybercriminals targeted third-party provider BeyondTrust and accessed a stolen key. This allowed the hackers to override security and get remote access. The third party alerted the Treasury Department to the major incident. 

OCC urges banks to manage supply chain cybersecurity risks: The Office of the Comptroller of the Currency (OCC) highlighted third-party data breaches in its Semiannual Risk Perspective. Threat actors are increasingly targeting third-party vulnerabilities and poor security practices. The regulator said banks need to stay on top of supply chains, particularly the information technology supply chain. 

Third-party system compromised in Exotar breach: Exotar was the recent victim of a breach after information stored on a third-party system was compromised. It’s unclear what types of information were compromised, but victims were alerted to the breach. Exotar provides identity and access management systems, and the third party wasn’t identified.

White House introduces Cyber Trust Mark for consumer smart products: The White House launched the U.S. Cyber Trust Mark, a cybersecurity safety label for internet-connected consumer devices. The label will be on smart products to help consumers choose a safe product. A QR code will provide consumers with security information like how to change the default password. For vendors to receive the Trust Mark, they must meet the National Institute of Standards and Technology (NIST) cybersecurity criteria. 

CISA warns of actively exploited vulnerabilities: The Cybersecurity and Infrastructure Security Agency (CISA) alerted organizations to critical vulnerabilities that are actively exploited in Oracle WebLogic Server and Mitel MiCollab systems. The bugs let attackers perform unauthorized administrative actions and access user information. Organizations should patch these flaws as soon as possible.

United Kingdom financial regulators push for resiliency from third-party attacks: Financial institutions in the United Kingdom need to strengthen operational resilience and oversight of critical third parties. The Bank of England, Prudential Regulation Authority, and the Financial Conduct Authority released a policy effective on January 1. Criteria for critical third parties aren’t clear, but regulators expect them to have incident management procedures and transparent reporting. Financial institutions need clear accountability to manage third-party risks, identify dependencies on third parties, and develop protocols to manage third-party disruptions. These practices will help institutions remain compliant with new expectations.

Third-party cybersecurity a major risk in the European Union: Third-party data breaches are a top risk in the European Union, a recent study showed. According to the study, 98% of European organizations had a third-party data breach in the last year. This leads to operational disruptions, reputational damage, and regulatory scrutiny. Among industries, the energy sector performed the worst. Prioritize third-party risk management to avoid these consequences and mitigate the damage in the case of an event. 

Third-party data breach exposes customer credit card information: A third-party data breach exposed credit card data of ZAGG Inc. customers. The cybercriminal breached an app provided by the third party and injected malicious code that stole the card details. The app was immediately uninstalled from the third party’s stores, which removed compromised code. It’s not clear how many customers were impacted in the breach. 
