
MOVEit Breach Shows Risk Due to Vendors

Every week the size and scale of the MOVEit breach expands. This week, the number is somewhere above 2,200 firms and 62 million users affected. While Progress Software, which makes MOVEit, will likely be the target of a lot of lawsuits, more importantly, many of those 2,200-plus (and growing) businesses will also be targeted by affected users and their lawyers.

Assume you use software provided by a vendor — after all, you do.

Worse, assume you ARE that vendor.

What is the “blast radius” of a breach?

Just today we heard about Arietis Health, a “revenue cycle management” vendor. Fundamentally, that means they help healthcare businesses understand their money.

In this case, it appears to be a fourth- or maybe even fifth-party vendor.

Florida-based Arietis provides billing services to Texas-based NorthStar Anesthesia, which provides pain management, anesthesia services and related healthcare to medical practices in 20 states. They use MOVEit to move patient billing data around.

Arietis says they were notified by Progress of the bug on May 31st, but the hackers had already attacked on May 27th. They determined on July 26th (two months later) that they had been exploited. They notified NorthStar on August 3rd and began notifying medical providers on September 29th. It took four months for the notification to reach the end of the supply chain, and from there the patients whose information was stolen.

If this is not a warning to beef up your vendor cyber risk management program (VCRM), I don’t know what would be.

It also calls your general risk management practices into question.

If this data had been encrypted with robust encryption prior to transmission, we would not be having this conversation today. Of course, that is not convenient. Ask those 62 million victims if they care whether your data practices are convenient for you.

Reports say that the average medium-sized business shares data with 1,000 vendors. A small business might share data with a couple hundred.

Is your Vendor Cyber Risk Management Program robust enough?

Do you handle fourth party risk?

What about fifth party?

The defense department is concerned about tenth party risk!

If you are not sure if your program is adequate to the task, please contact us.

Credit: Data Breach Today