The cost of a third-party data breach can reach millions of dollars every year for large companies and could be devastating to small businesses. These breaches can also incur additional costs beyond the usual financial, regulatory, and reputational damage. In this blog we explore some of the most resonant third-party data breaches where big companies incurred huge losses.
The cost of a third-party data breach, illustrated by 5 examples
Target
In 2013, at the height of the shopping season, retail giant Target discovered their systems had been breached between November 27 and December 15.
The initial statement said approximately 40 million credit and debit card accounts may have been impacted, with customers all over the U.S. affected. The breach also affected contact information for more than 60 million Target customers.
In 2015, after a long investigation, Target agreed to pay an $18.5 million multistate settlement, the largest ever for a data breach. The fee was agreed in order to compensate MasterCard credit card issuers for the costs of canceling and creating new accounts, as well as sending out new cards to affected customers.
Target also had to provide free credit monitoring services for consumers affected by the breach, and agreed to pay up to $10,000 to consumers with evidence they suffered losses from the data breach. However, few of the victims were able to prove this sort of damage.
It is reported that Target had a 46% drop in profits in the fourth quarter of 2013, compared with the year before.
The agreement certainly set new industry standards for companies that process payment cards and store confidential information about their customers.
As for the third-party component…
The states’ investigation determined that cyberattackers gained access to Target’s system through credentials stolen from a third-party vendor in November 2013. Using the stolen credentials, the attackers gained access to a customer service database, installed malware on point-of-sale devices (mainly cash registers), and captured full names, phone numbers, email addresses, payment card numbers, credit card verification codes, and other sensitive data, according to USA Today.
Cybersecurity writer Brian Krebs wrote that the victimized vendor was a refrigeration, heating and air conditioning subcontractor.
This massive security incident affected a huge number of people, and has cost the company a great deal of money and reputational damage. A few months after the breach, Target’s executive vice president of technology services and chief information officer, Beth Jacob, resigned her position. Later, the company announced that it was parting ways with Gregg Steinhafel, its chairman, president and CEO.
Home Depot (2014)
In 2014, a new variant of the same point-of-sale malware affected nationwide home improvement store chain Home Depot.
This breach still ranks among the biggest data breaches ever. Years after the attack, Home Depot estimated the cost at about $196.5 million and it’s likely to continue growing.
According to Brian Krebs, an analysis revealed at least some of Home Depot’s store registers or self-checkout lanes had been infected with a new variant of “BlackPOS” (a.k.a. “Kaptoxa”), a malware strain designed to siphon data from cards when they are swiped at infected point-of-sale systems running Microsoft Windows.
Again, the breach was due to stolen credentials from a third-party supplier, and it affected 56 million credit and debit cards in Canada and the US. Cybercriminals used the vendor’s username and password to enter the perimeter of Home Depot’s network, then exploited a vulnerability in Microsoft Windows that was patched only after the breach occurred, and finally installed the malware, as told by The Wall Street Journal at the time.
Capital One (2019)
Capital One will pay an $80 million civil penalty for its role in a 2019 security breach that exposed the personal data of more than 100 million customers, The Wall Street Journal reported.
The breach happened in March and April of 2019, but Capital One apparently found out in mid-July.
It was due to an outside individual – a former Amazon Web Services software engineer who was allegedly able to exploit a “configuration vulnerability” to extract the Capital One customers’ information and post it to message boards on the internet.
The Office of the Comptroller of the Currency (OCC), a top banking regulator that fined Capital One, said the company failed “to establish effective risk assessment processes“ before transferring information-technology operations to the public cloud and “to correct the deficiencies in a timely manner.”
Morgan Stanley (2020)
This wasn’t exactly a data breach but a $60 million fine in October, 2020, for issues including “lack of risk assessment and due diligence around using third-party vendors or monitor vendor performance”.
Morgan Stanley agreed to pay the fine imposed by the Office of the Comptroller of the Currency for improperly disposing of personal data. A consent order stated that in 2016, the Bank failed to exercise proper oversight of the decommissioning of two Wealth Management business data centers located in the U.S. Among other things, the Bank failed to effectively assess or address the risks associated with the decommissioning of its hardware; failed to adequately assess the risk of using third party vendors, including subcontractors; and failed to maintain an appropriate inventory of customer data stored on the devices.
“The Bank failed to exercise adequate due diligence in selecting the third party vendor engaged by Morgan Stanley and failed to adequately monitor the vendor’s performance”.
American Medical Collection Agency (AMCA)
Billing services vendor AMCA suffered a breach from August 1, 2018 to March 30, 2019 —when it was discovered. It affected 20 million patients of its customers Quest Diagnostics, LabCorp, and BioReference, exposing personal, financial, and health data.
As a result, AMCA spent $3.8 million to mail over 7 million individual notices to individual breach victims. Another $400,000 was spent on IT professionals and consultants hired to assist with the breach response, according to Health IT Security.
The CEO of Retrieval-Masters Creditors Bureau, the parent company of AMCA, wrote that the company has incurred “enormous expenses that were beyond the ability of the debtor to bear.” It has filed for Chapter 11 protection and is seeking to liquidate their assets for $10 million.
If there’s any silver lining…
It’s that other companies might have seen the horrible mess and the costs incurred after these sorts of incidentes, and will be taking measures to ensure that they are not the next corporation to make the headlines for the wrong reasons.
Third-parties are key to any organizations’ business — providing crucial services like billing, outsourced software development or data storage. This global, connected business landscape needs us to work together with our partners, so the ultimate goal is not to avoid developing third-party relationships, but to engage with vendors who show a robust security posture.
We’re gonna state the obvious: you need a streamlined third-party risk management (TPRM) program to monitor and mitigate the risk that arises from third-party and subcontractor relationships on a continuous basis.
In a nutshell, TPRM involves collecting critical third-party information, assessing their security posture, tracking what systems or data they have access to, understanding what internal policies apply to them, and more.
The good news? ThirdPartyTrust is a TPRM workflow management, document repository and process automation platform that allows to reduce redundancies and inefficiencies in third-party risk assessments.
What do all these breaches have in common? They could have been avoided, or at least have a smaller impact, if those third-party relationships would have been better monitored.
Apart from implementing and scaling a TPRM program, we suggest that members of an organization at all levels take steps to reduce the chances of an attack being successful. This could include:
- Establishing a compliance committee
- Developing, implementing and maintaining a comprehensive information security program
- Employing an executive or officer responsible for executing the program
- Conducting continuous security assessments
- Implementing security software on the company’s network
- Taking steps to control network access, including password rotation policies and multi-factor authentication
To learn more about how ThirdPartyTrust can help you streamline your TPRM program, request your free trial now:
