In October 2023, the RansomedVC cybercriminal group allegedly gained access to the District of Columbia Board of Elections voter database via DataNet Systems, a third-party supplier. RansomedVC claimed it obtained 600,000 lines of voter registration information, and the DC Board of Elections confirmed that DataNet Systems stored a copy of the voter registration database, including partial Social Security numbers, driver’s license numbers, dates of birth and other personally identifiable information.
Earlier the same month, identity and access management vendor Okta’s customer support case management system, run by a third party, suffered a breach via social engineering attack. The attackers viewed HTTP Archive (HAR) files used to replicate user issues. HAR files contain sensitive information, including cookies and session tokens, that can be used to impersonate a valid user. The attackers then used the session cookies in an attempt to log in and create new administrative users.
In 2022, password manager application LastPass experienced two interrelated data breaches. First, attackers compromised a developer account to access “portions of source code” and proprietary LastPass technical information. Four months later, the attackers used the knowledge gained from their first attack to socially engineer another employee to obtain valid credentials and encryption keys. These were used to exfiltrate backup copies of the customer database and customer password vaults stored by a third party.
What’s the common theme in these attacks? In each case, the attackers took advantage of the security weaknesses of a third-party partner. Attacking third parties isn’t a new tactic. One of the most infamous third-party breaches occurred in 2013 when attackers went after Target’s third-party vendor for refrigeration. The attackers phished an employee and installed malware on the employee’s computer. Using that malware, the attackers found credentials to access Target’s internal systems, including the point-of-sale (POS) system. The attackers were able to hack the POS system to exfiltrate the credit and debit card information of 70 million to 110 million customers.
While it isn’t yet known how RansomedVC compromised DataNet Systems, it’s probable that the DC Board of Elections breach played out exactly like these other breaches: Attackers compromised identities to access poorly protected sensitive data.
Organizations have overconfidence in cybersecurity implementation
We’ve long known that attackers target employees with phishing, smishing, vishing and other social engineering attacks because people are easily manipulated and conned. Once attackers have compromised an identity, they either get direct access to the data or a foothold into the environment from which they can move laterally to obtain additional credentials and eventually gain access to the data.
Yet, according to TechTarget’s Enterprise Strategy Group research on passwordless authentication, despite knowing how well multifactor authentication (MFA) defends against social engineering attacks, 38% of organizations still don’t make MFA mandatory for their entire workforce. It appears to me that many CISOs and security teams are overconfident in password security, relying on outdated heuristics, such as password complexity and rotation, while deprioritizing newer initiatives, such as phishing-resistant MFA and passwordless authentication.
Similarly, many organizations are overconfident in their data security capabilities. ESG research on cloud data security found 93% of organizations are mostly or completely confident in their ability to discover all their public cloud resident data. Yet 19% of organizations lost unknown shadow data. Likewise, 92% said they are mostly or completely confident in their ability to classify that data. However, 33% lost data due to misclassification.
How to protect against third-party data breaches
Organizational overconfidence extends from authentication to data security to overall cybersecurity — both for the organization and its partners. Many organizations believe because they’ve made the effort to put in place the best defenses, their partners have made the same level of effort. They also believe because they treat data as sensitive and worthy of the highest levels of protection that their partners have the same understanding and apply the same rigor to their data.
Partners are just that — partners. And they have partners of their own. Organizations need to partner with their partners when it comes to cybersecurity.
Cybersecurity is not a static endeavor. Attackers don’t rest on their laurels; they’re always developing new techniques and testing an organization’s and its partners’ defenses to identify weaknesses. Just as organizations continuously assess and improve their cybersecurity strategy and capabilities, they too must work with partners to continuously assess and improve their cybersecurity strategy and capabilities.
The key lesson is that if organizations make the effort to store data, it has continued value to them. If it has value to them, it has value to an attacker. It is incumbent on organizations to know where that data is stored at all times and to ensure the appropriate levels of protection are applied to that data. This is true regardless of which organization owns or controls the storage.
Focus first on identity security (authentication and authorization) and data security (discovery and classification) as these are prime attack targets.
Key cybersecurity actions to take include the following:
- Deploy strong authentication, including phishing-resistant MFA or passwordless.
- Apply the principle of least privilege access, ensuring every account has only the access necessary to do the job, no more.
- Continuously scan the IT environment to identify all data and how it’s stored.
- Continuously classify the data.
- Encrypt all sensitive data at rest and in motion.
- Develop an understanding of the types of data used and the risks to the organization if that data gets stolen.
Finally, organizations must ensure that their partners’ cybersecurity strategy and implementation are just as good or better.
Senior Analyst Jack Poller covers identity and data security at TechTarget’s Enterprise Strategy Group.