Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.
Recently Added Articles as of November 14
This week’s headlines highlighted several third-party data breaches, including more fallout from last year’s MOVEit breach and two healthcare data breaches. Check out this week’s news below.
Medical records compromised in a third-party data breach: Protected health information belonging to over 300,000 patients was compromised after a third-party data breach at Presbyterian Healthcare Services. The healthcare organization’s third party was a law firm that stored information including Social Security numbers, medical record and patient account numbers, and health insurance information.
Stolen data from third-party MOVEit breach posted on the dark web: The 2023 MOVEit breach is still causing ripple effects for several organizations. A threat actor posted at least 25 datasets, containing millions of records, on a hacking site. The stolen data comes from organizations including Amazon, MetLife, and US Bank, and consists of employee information such as names, email addresses, and phone numbers. About 2.8 million Amazon records were allegedly exposed in the dataset, the largest number of any company so far.
Adopting a proactive strategy for third-party risk management: Third-party risk management is a critical activity for organizations to perform as the reliance on third parties grows. It’s becoming more of a necessity to combat third-party risks proactively, with continuous monitoring of their activities and risks. Risk intelligence can be a useful tool to monitor third-party risks and prevent problems before they become a larger issue.
The threat of third-party data breaches at financial institutions: Cybercriminals are turning to third parties that have weaker defense practices in place in order to gain access to financial institutions. Experts at a recent summit said financial institutions are now requiring risk management frameworks for their third parties. As the use of third parties increases, the attack surface expands, which forces financial institutions to consider their third parties’ security practices.
CISA alerts to patched vulnerability: A now-patched critical security flaw in Palo Alto Networks’ Expedition was added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalog. The vulnerability allows attackers to take over administrative Expedition accounts. CISA said the vulnerability has been actively exploited, which Palo Alto said it’s looking into. Organizations should apply the patch as soon as possible.
Third-party data breach impacts a healthcare organization: A third-party data breach impacted healthcare organization TriHealth. The records are from an OB/GYN group that joined the healthcare organization in 2020. The information includes names, addresses, Social Security numbers, and claims and clinical information.
Recently Added Articles as of November 7
In this week’s news, Nokia investigates claims of a third-party data breach, a UK regulator urges financial institutions to be prepared for third-party operational resilience, and a majority of critical security flaws are due to third parties. Check out all of this week’s news below.
Third-party risk is becoming a top concern for financial institutions: Third-party risk and resilience are crucial elements for financial institutions to consider and review, according to a recent report. The report said third-party risk became one of the top risks in the financial industry, which is likely due to several high-profile third-party incidents and breaches. Regulators also require the financial industry to manage third-party risks. Financial institutions should perform risk assessments, particularly with high-risk third parties, and ensure third parties have strong security practices in place. Reviewing third-party contracts and including provisions around security, business continuity, and performance can also help mitigate the risks.
Nokia investigates a possible third-party breach: Nokia is investigating a potential third-party data breach after a hacker claimed to have stolen source code. The hacker said they gained access to the data through a third-party contractor that helped Nokia develop internal tools. There’s no evidence at this time that the hacker has the data, but Nokia is still investigating the claims.
UK financial regulator urges operational resilience after CrowdStrike incident: New guidance from the UK Financial Conduct Authority (FCA) is warning financial institutions to be prepared for third-party tech outages. The guidance comes after the CrowdStrike incident over the summer, which caused massive outages after a faulty update. The FCA said financial firms that already need to comply with operational resilience were better positioned to recover after the CrowdStrike incident. The regulator emphasized that financial firms need to focus on operational resilience and have well-defined and tested strategies.
New malware imitates phone calls from financial institutions: A new version of an Android malware uses voice phishing to trick people into handing over sensitive information. The malware can take complete control of a mobile device, and victims are tricked into calling fraudulent phone numbers. The malware can imitate financial institutions with a new, lower-interest loan offer. The malware is extremely sophisticated, so people should use extreme caution when giving out any personal information over the phone.
DocuSign exploited to send fake invoices: Cybercriminals are creating and mass-distributing fake invoices that appear genuine and bypass email security protections because they are sent through DocuSign. When victims sign the fake documents, threat actors are able to authorize payments. This type of abuse has happened frequently at DocuSign and should always be reported when spotted. Use caution when signing any documents you didn’t expect, and always verify the email and its sender before clicking links.
Third-party privacy risk can lead to an increased risk of data breaches: Privacy is becoming a greater expectation for organizations to meet, including ensuring third parties adhere to privacy regulations and expectations. Organizations often share sensitive data with third parties or outsource tasks, like database management, to them. Experts said this can often lead to third-party data breaches, which is why it’s important for organizations to review their data practices and how much data they share with third parties.
Third-party cybersecurity risk poses a threat to organizations: Cybersecurity is an increasingly important focus for organizations as more data breaches occur and impact sensitive information. Third-party cybersecurity risks in particular can pose a danger to organizations that don’t assess and monitor their third parties. Organizations should seek to hire employees who can help mitigate these risks and use technology to aid their processes.
More than 78% of critical security debt is due to third-party vulnerabilities: A new study said 50% of financial institutions have high-severity security flaws in their apps. These vulnerabilities can be exploited and lead to costly data breaches for financial institutions. This includes third-party code vulnerabilities, which account for 78.6% of critical security debt. If a third-party breach occurs due to a vulnerability, financial institutions may be held accountable for noncompliance with regulatory requirements.