It’s happened again…
Following reports that the Target breach was carried out by way of a compromised third-party (HVAC) supplier, now comes news that the Home Depot breach – which compromised more than 56 million consumer credit and debit cards – was accomplished by criminals using a third-party vendor’s user name and password to get inside the perimeter of the company’s network. This marks the second such vendor-originated, high-profile, high-volume cybersecurity breach in the last twelve months, with a resulting unlawful disclosure of a combined two hundred million customers’ personal and confidential information.
In both cases, credentials or data compromised or stolen from the vendor were used to get past the retailer’s outward-facing cybersecurity defenses. Once inside, the criminals were able to move through the network, locate and capture personal information, and exfiltrate it.
“The attacker is just going after access vectors that for whatever reason remain weak,” said TK Keanini, CTO at Lancope, in an email. “[…] Supply chain is ripe and attractive because 1) it often has more access than it really should to the firm; and 2) the firm grinds down these suppliers’ margins so low that suppliers then cut costs by cutting security spending: It is going to get a lot worse before it gets better.”
Unfortunately, these are certainly not the last vendor-originated breaches we will see. They do, however, fully illustrate the need for organizations to carefully and thoroughly vet their suppliers, including, and perhaps especially, those who provide products and services seemingly unrelated to technology or networking, and to limit what each supplier’s credentials can reach once inside. Procurement, legal and IT should all be part of the vendor selection and on-boarding process to help best protect the organization, its assets, its reputation and its customers.