Issue #27 | November, 2024

‘Save the Date’

As we get used to new things, they slowly merge into the landscape. What was once shocking could now be background noise: with familiarity comes complacence.

Needless to say, this isn’t always a good thing. As humans, we can be forgetful. When we forget, we overlook the lessons that were already learned, allowing old mistakes to emerge once more.

Third-party breaches may be more common than ever, but we shouldn’t allow them to become background noise.

We held our second Tenchi Conference 2024 - Shaping the Future of Third-Party Cyber Risk Reduction on November 6, in São Paulo. It was a day for us to share what we have learned and learn from others, together with our customers. But, perhaps most importantly, it was a day to be fully engaged with Third-Party Cyber Risk Management.

Sometimes, having the time to reflect and focus our minds on just one thing can be the key to understanding it with the care that it deserves — and to avoid having to re-learn lessons that should already be known.

As for this issue of Alice in Supply Chains, you’ll find the same sections as usual – the latest security incidents, guidance, and government regulations involving third-party risk management. That said, we’ll start with a compilation of technology stories involving service providers – we haven’t done one of those sections in a while.

Enjoy!



News: ‘.io’ domain could be shut down, Microsoft loses customers’ security logs, WordPress controversy

We have a few general news stories related to third-party infrastructure to share this month. The first one is that the “.io” domain could go extinct as a result of the British Indian Ocean Territory being handed over to Mauritius:

The decision to transfer the islands to their new owner will result in the loss of one of the tech and gaming industry’s preferred top-level domains: .io.
Whether it’s Github.io, gaming site itch.io, or even Google I/O (which arguably kicked off the trend in 2008), .io has been a constant presence in the tech lexicon. Its popularity is sometimes explained by how it represents the abbreviation for “input/output,” or the data received and processed by any system. What’s not often acknowledged is that it’s more than a quippy domain. It’s a country code top-level domain (ccTLD) related to a nation—meaning it involves politics far beyond the digital world.

Quite a few companies built their brands around “.io” domains, despite doing little to no business in the territory it represents. We’ll have to see how ICANN will deal with this situation — maybe it’s still possible they’ll keep it alive as a generic top-level domain (gTLD). One way or another, this is a risk that these brands will now have to manage, either by betting on the survival of “.io” or by starting a transition.

Moving on, we have two stories involving Microsoft cloud services. The first is about a bug in a monitoring agent that caused gaps in security logs and telemetry data. Microsoft apparently did not publish the official advisory outside of their customers’ dashboards, but the reporting by TechCrunch suggested that logs were missing from September 2 to September 19. A version of the advisory that was made public, however, states that some logs could be intermittent or missing for all of September. This is yet another black mark in Microsoft’s cloud endeavors.

Then, we have Microsoft accusing Google of conducting a “shadow campaign” in Europe. The company stated in a blog post that Google is funding an “astroturfing lobbying organization” to “discredit Microsoft with competition authorities, and policymakers and mislead the public.” It seems that Google accuses Microsoft of attempting to lock in customers through licensing, while Microsoft sees Google seeking regulatory privileges. Google responded to ITPro, saying it has been “very public about our concerns with Microsoft’s cloud licensing.” Regardless of who is right in this dispute, it’s important to remember that de facto monopolies are a problem, and moving away from Microsoft does not guarantee you’re safe.

Meanwhile, WordPress hosting providers Automattic (of WordPress.com) and WP Engine are locked in a dispute. This has been going on for a while — as TechCrunch’s reporting explains in over 2,000 words. While the issue boils down to Automattic claiming that WP Engine is misusing WordPress trademarks, the way the dispute is being handled has created some unrest in the WordPress community and even inside Automattic. The company offered a severance package, and 159 employees took it and left.

Perhaps the most controversial action was the takeover of WP Engine’s “Advanced Custom Fields” plug-in, preventing both developers and users from updating the plug-in through WordPress.org (WordPress administrators will know how important it is to keep plugins updated). Some estimates suggest that around 40% of the web uses WordPress, so it will be a problem for many if Automattic decides to change its enforcement of trademarks or if the project is shaken by these events.

Finally, X/Twitter has updated its terms of service to allow content to be used for AI training (no opt-out is available). But, before we move to the next section on regulations, we have an interesting article from the Philippines about how companies from abroad are pressuring local businesses to report cybersecurity incidents.


CISA rolls out international strategic plan to bolster cyber cooperation

There’s a lot to cover in this section, but let’s begin with news from the Cybersecurity and Infrastructure Security Agency (CISA): the release of its “first ever international strategic plan.” From the announcement:

The Cybersecurity and Infrastructure Security Agency (CISA) released its 2025–2026 International Strategic Plan, the agency’s first, which supports the agency’s first comprehensive strategic plan and aligns with the National Security Memorandum on Critical Infrastructure Security and Resilience. The International Strategic Plan focuses on how CISA will proactively engage international partners to strengthen the security and resilience of our nation’s critical infrastructure.
“In following this plan, CISA will improve coordination with our partners and strengthen international relationships to reduce risk to the globally interconnected and interdependent cyber and physical infrastructure that Americans rely on every day,” said CISA Director Jen Easterly.

Additional reporting is available at Cybersecurity Dive.

The National Institute of Standards and Technology (NIST) released a draft of the “Cybersecurity Supply Chain Risk Management Due Diligence Assessment Quick-Start Guide” for public comment. Their framework involves assessing a vendor based on five criteria: “Foreign Ownership, Control, or Influence,” “Provenance,” “Supply Chain Tier,” “Stability,” and “Foundational Cyber Practices” (PDF).

The US Federal Energy Regulatory Commission (FERC) asked the North American Electric Reliability Corporation (NERC) to “create a better supply chain security standard for power plants,” according to a report from Dark Reading. This new standard would see power plants required to “identify supply chain risks to electrical grid-related cybersecurity systems at regular intervals,” and to “assess and validate the information vendors submit during procurement” — in other words, they would be forced to maintain a third-party cyber risk management (TPCRM) program.

The Office of the Comptroller of the Currency added third-party risk to its bank supervision operating plan for fiscal year 2025, instructing examiners to “determine when third-party and other subcontracted relationships, particularly those with financial technology companies that provide consumers and businesses access to banking products and services, represent significant operational, compliance, strategic, financial, reputation or other risks.”

Anne Neuberger, the U.S. deputy national security adviser for cyber and emerging technologies, wrote an opinion piece for the Financial Times to say that insurance companies must stop funding ransomware payments. While no regulation is in the books yet, there have been several calls for these payments to stop – from insurance companies and regulators alike (here if you missed it) – as they enable the criminals and incentivize more ransomware attacks. Additional reporting is available from The Register.

Moving out of the federal sphere, we have a couple of new regulations from the state of New York. The Department of Financial Services addressed cybersecurity risks from artificial intelligence – including third-party service provider and vendor management — while the Department of Health (DOH) published a new cybersecurity regulation (10 NYCRR 405.46) for general hospitals, requiring due diligence and warranties from service providers.

In Europe, the EU announced new product liability rules in line with the digital age (PDF). Digital platforms and software now fall under the definition of “product,” giving consumers certain protections that were not available before. One of the things mentioned is the possibility of a customer being reimbursed by a “sectoral compensation scheme” if no person can be held liable for a problem with a product (if the company has ceased to exist, for example). The directive must be adopted by each country with a national law, which can take up to two years.

More around the world:

Australia: The Cyber Security Bill 2024 was introduced to the parliament. An overview is available from Lander & Rogers (the highlights are mandatory reporting for security incidents and security standards for smart devices). The bill is part of the 2023-2030 Australian Cyber Security Strategy, which we mentioned previously (here’s a link to the PDF, if you missed it).

India: The next country to restrict Chinese CCTV cameras could be India, according to reports from local outlets. This follows similar restrictions adopted by other countries (the UK recently announced it removed 50% of all Chinese cameras).

Singapore: The “Cybersecurity Labeling Scheme for Medical Devices” is a new voluntary program to rate the cybersecurity features of medical devices. While interesting, it appears that the label is valid for three years — which may be too much, given that a product may become insecure overnight. It’s a good indication of a manufacturer’s commitment to security, but a continuous process would be preferable.

China: The Chinese government announced a new data security regulation. According to their brief statement (in English), the new rules include requirements “for entities such as third-party service and product providers.”

FINES AND SETTLEMENTS

This subsection will be a quick look at the fines and settlements involving cybersecurity in October.

  • Marriott agreed to pay $52 million to resolve a multistate probe into a breach of 131.5 million hotel guest records in the US and 344 million worldwide. A separate settlement proposal with the Federal Trade Commission focused on improving Marriott’s security practices and “increas[ing] vendor and franchisee oversight.” In a blog post about the case, the FTC said “vendor oversight is more important than ever.” (CT AG / FTC / FTC blog)
  • Unisys, Avaya, Check Point, and Mimecast will pay a combined sum of almost $7 million to settle SEC claims involving “materially misleading disclosures regarding cybersecurity risks and intrusions.” The SEC alleged that the companies were more materially impacted by the SolarWinds incidents than their public statements revealed. Unisys, which lost “gigabytes of data” to the hackers according to the SEC, will pay $4 million, while the other three will pay about $1 million each. (SEC / CyberScoop)
  • T-Mobile agreed to pay $31.5 million to resolve a Federal Communications Commission (FCC) investigation into several data breaches over three years. (Reuters)
  • Albany ENT & Allergy Services (AENT), a healthcare provider, will pay $2.25 million “for failing to protect patient data,” as the company outsourced its cybersecurity efforts and suffered two ransomware attacks in succession and leaked data on 213,935 New Yorkers. “The OAG investigation concluded that AENT failed to adequately monitor the third-party vendors responsible for their cybersecurity function.” (New York State AG)
  • Pennsylvania State University will pay $1.25 million to the Department of Justice to settle the claims that it misrepresented its cybersecurity compliance to the federal government and left sensitive data unprotected. (The Register)
  • ASRC Federal Data Solutions (AFDS), a U.S. government contractor, was fined $306,722 to settle an investigation into a breach of screenshots containing personally identifiable information of Medicare beneficiaries. The images were stored at a subcontractor’s server, which the government says violated AFDS’s contractual requirements. (DoJ)

DATA CENTER FRAUD CHARGES

The Department of Justice indicted Deepak Jain for “major fraud” and “making false statements to the SEC.” According to the DoJ, Jain was the CEO of an IT company and created an entity that provided certification regarding the reliability, availability, and security of data centers. He used this entity to “certify” the data center company he managed and then struck a contract with the SEC based on those claims. The SEC then had several issues with the service, prompting an investigation. (DoJ)


U.S. wiretap systems targeted by Chinese hackers, UK post office and MoneyGram split after hack

The Wall Street Journal broke the news that U.S. wiretap systems were targeted by Chinese hackers:

A cyberattack tied to the Chinese government penetrated the networks of a swath of U.S. broadband providers, potentially accessing information from systems the federal government uses for court-authorized network wiretapping requests.
For months or longer, the hackers might have held access to network infrastructure used to cooperate with lawful U.S. requests for communications, according to people familiar with the matter.

The article and its follow-up are paywalled, but the podcast is not. Freely accessible coverage is also available from CBS News and Reuters. Wikipedia has a page dedicated to Salt Typhoon, the threat actor believed to be behind the hacks. It is unclear what data has been stolen.

AT&T, Verizon, and Lumen Technologies were allegedly hit by the hack, but they have not made any statements on the incident (AT&T and Lumen declined to comment, according to media outlets, while Verizon did not reply at all). China has denied any involvement.

By coincidence – as the incidents do not appear to be related – quite a few other leaks involving telecom operators were disclosed in October. 404 Media has a paywalled article about hackers offering push-to-talk (PTT) data from Verizon, while other attackers hit TopNet, a large provider in Tunisia – which left an open directory listing with their database – and Free, France’s second-largest ISP.

A breach at Financial Business and Consumer Solutions (FBCS), a debt collection agency, is now affecting Comcast. Over 230,000 SSNs of Comcast customers were obtained by ransomware operators. The breach is believed to have affected 4.2 million people across all FBCS customers.

Payment and money transfer company MoneyGram disclosed a breach where hackers stole customer data. The incident caused a split between MoneyGram and the UK’s Post Office, which provides MoneyGram services. It appears this is temporary until the incident is resolved and services are re-established, but the details are not yet clear. At the time of writing, the MoneyGram page on the Post Office website simply states that the service is currently unavailable. Additional coverage of the fallout is available here.

Landmark, an administrator for insurance firms, also disclosed a breach and said 800,000 people are affected. Liberty Bankers Insurance Group and Landmark are being sued over this incident.

“Rogue” employees at a vendor stole points from Qantas frequent flyers. The company said the points were returned, but the police investigation is ongoing.

Some security companies also had trouble with partners. Home and small business security provider ADT reported a data breach made possible by credentials stolen from a business partner. In Israel, hackers breached the email service of Comsecure, a partner of security company Eset, to send phishing messages with a link to a malicious archive. Eset’s systems were not compromised.

Boston Children’s Health Physicians notified patients of a data breach after being informed of an incident at an unnamed IT vendor.

Arkansas Blue Cross & Blue Shield also had to disclose a breach after Healthmine, which managed their Reward portal, suffered a cyberattack.

Brighthouse Life Insurance also disclosed a data breach stemming from an IT provider — Education Benefit Consultants (Aviben). This incident is not new, but it was reported in connection with different companies that also employed Aviben services.

BREACHES AT CRITICAL INFRASTRUCTURE AND IT PROVIDERS

To end this section, something a bit different: Levi’s missed a revenue target, and blamed a cyberattack on a customer (not a vendor) for it. Every partner – which can be customers or other players in the supply chain – may also benefit from your TPCRM program, if they are key to your business.


Guidance: collaboration is key for addressing cyber supply chain risk, and more ideas to prevent third-party data breaches

Chuan Wei Hoo, CISO at StarHub, writes about the importance of collaboration for increasing cyber resilience and addressing supply chain risk:

To build a resilient digital ecosystem, the focus should shift to proactive collaboration, where larger organizations with robust security capabilities take the lead in helping smaller counterparts and third parties enhance their defenses. This new model emphasizes inclusivity, where smaller players aren’t left out but actively supported through shared best practices, security controls, and early engagement before incidents occur.

Forbes gave us “Four Essential Tips To Prevent A Third-Party Data Breach” from Surfshark CEO Vytautas Kaziukonis, while the American Hospital Association shared “Four Keys to Manage Third-Party Cybersecurity Risk.”

Gartner published “a complete guide” for third-party risk management, though some of the content is restricted to members.

Plansponsor, a website dedicated to the retirement industry, says that “Plan Security Relies on Vetting 3rd-Party Providers.” It looks at recent incidents that affected vendors in their sphere and at the steps that can be taken to improve resilience, such as determining what can be delegated by the recordkeeper and under what circumstances, including their security policies.

“The three types of cyberattacks affecting global supply chains” at the Supply Chain Management Review describes three categories of incidents: the “fake” supply chain, cyberattacks targeting supplier-managed resources, and cyberattacks through supplier access to customer systems.

“Managing third-party risks under EU data protection, cybersecurity laws” at IAPP provides a high-level overview of the different EU regulations and how each of them – GDPR, NIS2, DORA, and the EU AI Act – apply to third parties.

Bringing this section to a close, we have the New Stack Makers podcast asking: “Are We Thinking About Supply Chain Security All Wrong?” As the episode mostly talks about open-source software security and similar software supply chain issues, its perspective will be more valuable for companies that provide software or SaaS platforms.


68% of healthcare workers experienced a supply chain attack

We have a few surveys and reports to cover in this section. Starting with the 2024 Ponemon Healthcare Cybersecurity Report:

The report, which surveyed 648 information technology and security practitioners in United States healthcare organizations, found that supply chain attacks are most likely to affect patient care. More than two-thirds (68%) of respondents said their organizations had an attack against their supply chains, of which 82% said it disrupted patient care, an increase from 77% in 2023.

The report also claims that 92% of healthcare organizations experienced a cyberattack in the past 12 months.

The Deloitte-NASCIO Cybersecurity Study surveyed representatives from the 50 U.S. states and the District of Columbia and found they are very concerned with third-party breaches. 76% of respondents believe third-party breaches pose a “very high” or “somewhat high” risk to their state, up from 44% in 2022. AI and foreign espionage came in second and third place, respectively.

In its Future Risks Report 2024, insurer AXA noted that more experts list cybersecurity as a top risk this year. The company believes this is probably due to geopolitical instability and “increasing dependency on large providers.”

Coalition, also an insurance provider, published its 2024 Cyber Claims Report Mid-Year Update, noting third-party risk as a “main driver” for increased cyber risk.

The 2024 State of Cybersecurity Survey by ISACA was released on October 1. It’s focused on work conditions (such as staffing, budget, and leadership) and has a lot of interesting data for cybersecurity professionals and managers. For us here, it’s noteworthy that third-party attacks were listed among the most common attack types, at 10% (all the values are rather low, perhaps because many don’t want to answer this part of the survey – the most common attack type was social engineering, at 19%).


Follow-ups: Delta and CrowdStrike sue each other, National Public Data files for bankruptcy

In this last section, we have some updates to stories we covered previously.

Delta Airlines moved forward with a lawsuit against CrowdStrike, but the security provider immediately sued the airline back:

CrowdStrike said it sued to make clear that CrowdStrike did not cause the harm that Delta claims, and that Delta repeatedly refused assistance from both CrowdStrike and Microsoft. […]
Delta’s lawsuit filed on Friday in Fulton County Superior Court called the faulty software update from CrowdStrike “catastrophic” and said the company “forced untested and faulty updates to its customers, causing more than 8.5 million Microsoft Windows-based computers around the world to crash.”

Delta filed their lawsuit on October 25, a Friday. CrowdStrike’s countersuit was filed on Monday, October 28. Delta is seeking $500 million in damages, while CrowdStrike alleges it has minimal liability and blames Delta’s own response and technology for the damages. Additional coverage is available from Aviation A2Z.

After eight months, Change Healthcare confirmed the number of individuals affected by the cyberattack from February: 100 million. As the HIPAA Journal notes, this would be the largest healthcare data breach in the US by official numbers, topping the 78.8 million records leaked by Anthem in 2015.

Ticketmaster is facing a class action lawsuit over its Snowflake data breach. The lawyers seek $5 million in damages.

Some developers are struggling with the new rules in Google’s Play Store for Android applications. We mentioned some of the changes in August last year. iA, the makers of “iA Writer,” announced that their Android app is now “frozen,” as they cannot update it, while Panic, makers of the Transmit FTP/S3 client, said the software is set to lose its Google Drive access.

Lastly, National Public Data, a data broker company that offered background checks and lost data on nearly 3 billion individuals to hackers, filed for bankruptcy. The company claims to have at most $75,000 in assets. Additional coverage is available from PC Magazine.

We have two more bonus links for you below. This was a long issue, but we hope to see you again next month!


Macron’s bodyguards reveal his location by sharing Strava data

An investigation by Le Monde has shown that members of the Security Group for the Presidency of the Republic (GSPR) have been openly displaying their location on the popular software during their workout sessions. Since they travel with President Emmanuel Macron, this makes it fairly easy to work out his location. A dozen of his bodyguards were leaking key information this way.

The biggest data breaches in 2024: 1 billion stolen records and rising

Travel with us to the not-so-distant past to look at how some of the biggest security incidents of 2024 went down, their impact, and, in some cases, how they could have been stopped.
