Third Party, Fourth Party and More – Breaches
As companies continue to expand their use of third party providers, the issue of security also expands.
A cloud database belonging to CU Solutions Group, a service provider to credit unions, was left unsecured. More on that in a minute. That would make them a third party service provider to credit unions. Except ……..
When the researcher who discovered the unsecured database contacted CU Solutions Group, two things happened. First, the database was quickly secured, but second, they said that this was a “possible mismanagement by a third-party vendor”. Not exactly clear, but it sounds like this is a fourth-party breach. At least they mitigated the problem.
But, they are not saying if anyone else accessed that unsecured database before the researcher. After all, if the researcher could find it, so could a hacker.
The defense department says that they think their supply chain is 14 levels deep. That means that a vendor 13 levels removed from you could cause you to get sued.
If that isn’t enough reason for you to pay more attention to vendor cyber risk management, I am not sure what is. The fact that CU Solutions Group is blaming a vendor will not prevent them from getting sued and a defense of “it wasn’t us, it was a vendor we picked and managed who screwed up” is probably not a great defense strategy.
Okay, back to this case.
The leak contained over 3 million records. That includes over 1 million email conversations, internal notes, client names, physical addresses, details about thousands of credit union and unencrypted passwords. Yes, the stored passwords were NOT encrypted. The fact that this is a financial institution and the passwords were not encrypted will likely bring them some unwanted attention from regulators.
Here is a screenshot (redacted) of part of the database.
If users had multi-factor authentication turned on then simply changing your password is probably all you can do to mitigate the damage, but if you did not have MFA on, well, that is a bigger problem because hackers could have logged on as you and now, potentially, you could be sued by third parties to what is a fifth-party breach to you.
If you are not already actively working on reducing this risk, you need to. The link below has some suggestions on what to do and if you need help with this, please contact us.
Credit: Hack Read