As organizations increasingly rely on external vendors, the unseen risks lurking in third-party relationships have become a prime target for cybercriminals. Recent breaches at major firms like Marks & Spencer and Qantas reveal just how devastating these risks can be.
Third-party risk refers to the potential threats and vulnerabilities that arise from engaging with external entities, such as vendors, suppliers, contractors, or service providers within their supply chain who may not have the same security standards. These third parties often have access to an organization’s sensitive data, systems, or infrastructure, making them potential targets for cybercriminals.
Third-party risk often arises from operational mistakes, developer mistakes, or security vulnerabilities. These issues can significantly increase the potential for financial loss, operational disruption, data breaches, reputational damage, cyber-attacks, and legal consequences. As businesses become more interconnected, managing these risks is more important than ever.
Recent Cyber Attacks on Third-Party Entities and Impacts
Recently, multiple global companies including Marks & Spencer, Qantas, Chanel and Pandora have suffered data breaches caused by social engineering attacks targeting their corresponding third-party service providers.
M&S Suffers “Double Extortion”
In the case of M&S, the breach led to a ransomware attack. Attackers impersonated an M&S employee using detailed personal information and tricked a third-party help desk into resetting the employee’s password. With the stolen credentials, the attackers accessed M&S’s internal systems and deployed the DragonForce ransomware.
As a result, M&S shut down all systems to prevent the attack from spreading. However, by that time, many VMware ESXi servers had already been encrypted, and about 150GB of data had been stolen. The attackers used a double-extortion tactic, encrypting files and threatening to leak the stolen data unless a ransom was paid. It is reported that M&S's share price plunged 7% and that a $300 million loss in profit has been estimated after the cyberattack. Online services are not expected to be fully functional until August.
Qantas, Australia’s Largest Airline, Suffers Customer Data Breach
On 1st July, Qantas, Australia’s largest airline, suffered a customer data breach that originated from a social engineering attack on its third-party customer service platform. While Qantas detected suspicious activity on its third-party platform early, attackers still managed to steal some customer data. Qantas has confirmed that the data breach impacted 5.7 million of its customers; for 4 million of the breached records, the exposed data is limited to name, email address, and Qantas Frequent Flyer details. The remaining records contain a combination of address, date of birth, phone number, gender, and meal preferences. This breach was also described as Australia’s most high-profile cyber-attack since 2022.
Chanel’s Data Breach Incident
The breach involving Chanel was first detected on 25th July, after cybercriminals gained access to a database hosted by the third-party service provider. The incident affected only customers in the United States, specifically those who had contacted Chanel’s client care center before. Affected clients were notified that their names, email addresses, mailing addresses, and phone numbers had been compromised.
Pandora Suffers Similar Attack
On 5th August, Pandora notified the affected customers that an unauthorized party had accessed their names, birthdates, and email addresses through a third-party service. Pandora reassured customers that no passwords, government IDs, or financial information were involved in the incident. Still, many customers shared their concerns about data privacy and their disappointment at the lack of security.
All the mentioned incidents were caused by hackers employing carefully planned social engineering techniques to successfully infiltrate third-party providers’ systems and subsequently steal large amounts of sensitive data. The events have once again brought third-party service providers’ security risk into the spotlight, as although the problems did not originate from the companies themselves, such incidents can easily lead to a loss of public trust in the brand. This highlights that in order to become a trusted corporate brand, a company must not only have strong cybersecurity defenses of its own, but also effectively manage third-party risks to comprehensively protect customer trust and brand reputation.
Preventing Third-Party Cyber Risk

These incidents highlight the importance of managing third-party risk. Given the scale and potential threat of the incidents, HKCERT recommends that users and organisations take the following measures:
- Training Help Desk Personnel for Effective Identity Verification
Ensure that help desk personnel receive comprehensive training to accurately verify the identity of employees before making any changes to accounts or providing security information, including during initial enrollment. This training is particularly important for handling privileged accounts and should cover methods such as on-camera or in-person verification, ID verification, or challenge/response questions.
- Beware of Phishing Attacks
Always verify email senders and avoid clicking any suspicious links. Be cautious of urgent or unusual requests and report suspicious messages to your IT or security team immediately. For more details, please visit https://www.hkcert.org/publications/all-out-anti-phishing
- Enable multi-factor authentication to enhance account security
Implement multi-factor authentication requiring users to enter verification codes or additional authorization to log in, and educate users not to share verification codes with others. This prevents account takeover if users accidentally disclose their password.
- Appropriate Incident Response
Develop and maintain incident response plans. Work with third parties who have access to your systems to establish clear, pre-agreed protocols for responding to cyber incidents, including communication and reporting procedures. Following the Qantas incident, the damage caused by the breach was minimized due to the rapid response of its security team. Organizations should deploy comprehensive monitoring, such as Endpoint Detection and Response (EDR) and SOAR/SIEM platforms, to quickly identify and address suspicious activity.
- Conduct thorough risk assessments and vendor evaluations
Carry out comprehensive cybersecurity assessments on vendors both before onboarding and on an ongoing basis. This should include technical audits, policy reviews, and compliance checks against relevant regulations.
- Limit and manage third-party access
Apply the principle of least privilege by granting vendors only the minimum access necessary. Use solutions such as privileged access management, MFA and time-bound permissions to secure sensitive data and systems.
- Be cautious when using freeware and open-source projects
While freeware and open-source tools can be cost-effective, they may introduce vulnerabilities if not properly vetted. Only use trusted software from reputable sources and conduct security reviews before deployment.
- Regular security updates
Keep all systems, applications, and devices updated with the latest security patches. Regular updates help close vulnerabilities before attackers can exploit them.
- Raise social engineering awareness
Social engineering remains a common attack vector. Provide frequent training to employees on recognizing and resisting phishing attempts, suspicious phone calls, and other manipulation tactics. This can significantly reduce the likelihood of human error leading to a breach.
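The help desk verification and monitoring recommendations above describe the pattern seen in the M&S case: a third-party help desk resets an account, and the credentials are then used from somewhere the account has never logged in from. The following detection rule, an added example written for this advisory and not code from HKCERT or any named vendor, correlates help-desk reset events with follow-on logins from a previously unseen source; the log format, account names, ticket ids, addresses and the time windows are all constructed assumptions.

```python
"""Flag logins that follow a help-desk credential reset from a new source.

Constructed example for this advisory. Audit lines use the assumed format
"timestamp|event|account|actor|source"; a SIEM would supply real events.
"""
from datetime import datetime, timedelta

# Constructed sample audit events (not real data).
SAMPLE_LOG = """\
2025-07-01T09:00:00|login|alice|alice|10.0.1.15
2025-07-01T09:05:00|helpdesk_reset|alice|vendor_helpdesk_42|ticket-1187
2025-07-01T09:09:00|login|alice|alice|203.0.113.9
2025-07-01T10:00:00|login|bob|bob|10.0.1.20
2025-07-01T10:30:00|helpdesk_reset|bob|vendor_helpdesk_42|ticket-1190
2025-07-01T11:00:00|login|bob|bob|10.0.1.20
"""

PRIVILEGED = {"alice"}            # accounts held to the wider review window
WINDOW_PRIVILEGED = timedelta(hours=2)
WINDOW_STANDARD = timedelta(hours=1)


def parse(log_text):
    """Parse audit lines into (timestamp, event, account, actor, source), sorted by time."""
    events = []
    for line in log_text.strip().splitlines():
        ts, event, account, actor, source = line.split("|")
        events.append((datetime.fromisoformat(ts), event, account, actor, source))
    return sorted(events)


def find_reset_then_new_source(log_text):
    """Return (account, reset_ticket, login_source) for every login that occurs
    within the window after a help-desk reset and comes from a source the
    account had not used before that reset."""
    known = {}      # account -> sources seen so far
    pending = {}    # account -> (reset_time, ticket) awaiting a follow-on login
    alerts = []
    for ts, event, account, actor, source in parse(log_text):
        if event == "helpdesk_reset":
            pending[account] = (ts, source)          # source field carries the ticket id
        elif event == "login":
            seen = known.setdefault(account, set())
            if account in pending:
                reset_ts, ticket = pending[account]
                window = WINDOW_PRIVILEGED if account in PRIVILEGED else WINDOW_STANDARD
                if ts - reset_ts > window:
                    del pending[account]             # reset is stale, stop correlating
                elif source not in seen:
                    alerts.append((account, ticket, source))
            seen.add(source)
    return alerts


if __name__ == "__main__":
    for account, ticket, source in find_reset_then_new_source(SAMPLE_LOG):
        print(f"ALERT: {account} reset via {ticket} then logged in from new source {source}")
```

In the sample data only alice is flagged: her post-reset login comes from an address never seen for that account, whereas bob logs in from his usual address.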
