
3rd Party? 4th Party? 5th Party Breach – Oh My!

Just a few years ago all we worried about was hackers breaking into our servers in the computer room in the office. We expanded that footprint to include servers located in a data center space that we rented (also called a colo). Those were still servers that we owned. And patched – hopefully.

Then we moved to the cloud. In many cases, those servers (now virtual) at Amazon and Microsoft, were still our responsibility to protect.

But then we moved to outsourcing. Whether the computers were bought with our capital or someone else’s, if we had to maintain them, it was a problem.

But now we were dependent on someone else’s security practices. Many someones because we didn’t just outsource one process, we outsourced many of them. To different companies. With different practices.

But then it got even worse. Because the people we outsourced to also outsourced. And so did they.

Third party risk is the risk we take on when we get someone else to run our systems.

Fourth party risk is when they outsource some of their tech stack to someone else.

And so on and so forth.

Which brings us to today.

MOVEit is a high-end file transfer software package from Progress Software.

The Russian ransomware gang Cl0p is claiming credit for exploiting a bug in the software and exposing the data of hundreds of thousands of people.

They are threatening to start publishing it next week if people don’t pay the ransom.

The details:

British Airways, the BBC and UK pharmacy chain Boots are among the companies whose data has been stolen.

But it wasn’t them that got hacked.

Instead it was third party payroll services provider Zellis that was compromised. Zellis claims to be the UK’s largest payroll and human services provider with customers like Jaguar, Dyson and Credit Suisse, among many others.

So to the employee, their employer is a third party. The outsourced HR provider is a fourth party, and MOVEit is potentially a fifth party if Progress is hosting the software. It gets murky really quickly.

The company did not answer questions about the bug or the attack, but it became very public last week.

SECURITY RESEARCHERS SAID THAT HACKERS HAD BEEN EXPLOITING THE BUG ON A LARGE SCALE FOR AT LEAST A MONTH. This is why we are sure the breach footprint will continue to expand.

Progress Software has patched the bug and also would not comment. Likely there will be a lot of lawsuits, so not commenting is understandable.

The BBC posted a good article on what you should be watching out for, what you should not do and what is okay to do.

The reason hackers go after these outside providers is because by compromising this one bug they hacked hundreds if not thousands of companies. All at once. Some are likely to pay the ransom. Probably many someones.

And Zellis is only one of the companies that got compromised.

Non-UK organizations compromised include the Irish airline Aer Lingus, the government of Nova Scotia in Canada and the University of Rochester (NY).

Others will join them.

June 14th is the current “magic date” – the deadline for companies to pay the ransom. We will likely find out the details next week. According to sources, the compromise was relatively easy to execute. Maybe a hundred lines of script.

This breach is global already and will get larger before it is done. Watch out if any of the providers that your company uses notifies you that they have been swept up in this hack.

Credit: The Register, BBC, TechHQ and Dark Reading
