Atrium Health has revealed a data breach which exposed information belonging to roughly 2.65 million patients. “One record accessed is one too many,” Atrium Health told us in relation to the breach, which was caused by the organization’s billing vendor, a third-party known as AccuDoc Solutions.
Between September 22 and September 29, an unauthorized threat actor was able to gain access to databases containing the records, which included names, home addresses, dates of birth, insurance policy information, service dates, medical record numbers, and account balances. In addition, roughly 700,000 Social Security numbers were exposed. Financial information such as credit card numbers is not thought to be at risk.
Read more about the Atrium Health data breach on ZDNet.
The Ponemon Institute surveyed more than 1,000 CISOs and other security and risk professionals across the US and UK to understand the challenges companies face in protecting sensitive and confidential information shared with third-party vendors and partners.
According to the findings, 59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties. In the U.S., that percentage is even higher at 61 percent — up 5 percent over last year’s study and a 12 percent increase since 2016.
If data breaches were a film genre, third-party cyber-risk would be the talk of producers and casting agents; it’s where the money is. Third-party breach scenarios dominate the headlines. The scares are all different — compromised health records, weapons designs, or automakers’ trade secrets — but the plot is the same: leaked and stolen files via compromised contractors, supply chains, or business partners.
The ephemeral specter of third-party cyber-risk haunts the C-suite. Leaders complain they can spend untold sums and time ratcheting down their company’s internal security measures only to see their data and reputation suffer the consequences of errors and carelessness at other companies.
Read about how to confront third-party risks on DarkReading.
Is your security approach exposing your organization to risk? The answer is “yes” if your security strategy focuses exclusively on external threats. If the breaches of the last 24 months have taught us anything, it’s that insider threats are a cause for equal if not greater concern.
The problem with traditional implementations is a security-with-blinders focus on files, infrastructure, and data as the means of securing systems. They block access by unauthorized users, but do not account for the risk posed by negligent or malicious users who have already been granted access to the system. This is the real risk of insider threat.
Google announced it is shutting down the Google+ social network after the company’s engineers found an API bug that might have exposed some private profile data for more than 500,000 Google+ users. The company said the bug was located in the Google+ People API.
By default, Google+ users can grant access to their profile data to third-party apps. Google+ users can also allow a third-party app to access the public profile information of a user’s friends. In a blog post, Ben Smith, Google fellow and vice president of engineering, said the bug allowed third-party apps to also gain access to users’ data that was marked private.
Read more about the potential data leak and the end of Google+ on ZDNet.
The retail industry’s cybersecurity preparedness continues to lag behind almost every other sector despite efforts by the major credit card associations to bolster retail security via the Payment Card Industry Data Security Standard (PCI DSS).
Third-party risk management firm SecurityScorecard recently analyzed a total of 1,444 domains in the retail industry with an IP footprint of at least 100 and compared the average SecurityScorecard grade of the retail industry to other vertical markets. The exercise showed the retail industry had the second-lowest application security performance among major sectors.
Read more about the findings of the new report on DarkReading.
It isn’t just seedy websites putting browsers at risk anymore: A new report out today shows how the state of the Web today has been rocked by the increasingly toxic combination of dynamic content and the use of third-party data sources to serve up that active content.
Last year Menlo Security found that 42% of the Alexa Top 100,000 were serving up risky content or were vulnerable to compromise. Researchers from the firm have now followed up on that with their State of the Web First Half 2018 report, in which they examined Web risk based on the top 50 sites for six major countries worldwide.
Read more about the findings of the new report on DarkReading.
According to data released earlier this year, the most expensive data breaches start with third parties. Whether it is from poor configuration of online resources managed by a service provider, insecure third-party software, or insecure communication channels with partners, working with third parties can expose organizations to a ton of risks if they don’t pay close enough attention.
This year has offered up some crucial examples of the consequences of lax partner and vendor management.
Read about 6 recent examples of third-party breaches on DarkReading.
We all know that an insider threat is often the biggest challenge an organization needs to be equipped to deal with. Some of the most infamous breaches in recent history have been the result of “trusted” insiders who have turned to the dark side. The other, rather obvious threat is from the unknown attackers who are probing our environment looking for weaknesses and exploiting them for fame, money, or just because.
So, is that it? There are only people inside our networks and bad actors outside? Well, according to Joe Campbell, Principal Security Advisor at One Identity, there’s a middle ground that we need to remember and that is the 3rd party partner.
Read why Joe Campbell believes that 3rd party partners, who are neither trusted insiders nor external threats, may be your biggest challenge yet, on CSO.
When NIST recently updated its Cybersecurity Framework, it added only one new core category: Supply Chain Risk Management (SCRM). Placed within the Framework’s “Identify” function, SCRM encompasses, but typically extends beyond, traditional vendor management approaches. That’s because the supply chain typically extends beyond suppliers to include other external parties, such as integrators and even third-party communications providers.
It is difficult to grasp the full extent of it all, let alone manage it, especially with the rise of cloud-based services, where most organizations lack any visibility into, understanding of, or control over the development, integration or deployment of the underlying technology.
Read how organizations can approach supply chain risk management by recalling the four pillars of cyber SCRM: security, integrity, resilience and quality, and by considering NIST’s five-step approach, on Security Magazine.