You’re only as secure as your supply chain

Hi there,

Welcome to FILED Newsletter, your round-up of the latest news and views at the intersection of data privacy, data security, and governance.

This month:

  • A former Amazon employee used its Ring doorbell camera unit to spy on female customers.
  • U.K. mental health charities handed sensitive data to Facebook for targeting ads.
  • Australia just appointed its first cybersecurity coordinator, and he is... an air commander?

But first: is your supply chain secure? If you’re not sure, time to get MOVEing.


You’re only as secure as your supply chain

This month’s essential cybersecurity term is “supply chain hack,” thanks to the MOVEit and Barracuda Networks attacks.

So far, more than 140 organizations are confirmed victims of the MOVEit supply chain hack. Only 10 of those victims have disclosed how many people were affected, yet the tally already stands at more than 15.5 million individuals.

These hacks are a reminder that an organization’s security depends not only on its own tools, team, and operational processes but also on those of every vendor in its supply chain. Organizations need to get a handle on their supply chain risk.

Australian financial regulator APRA is undertaking a large-scale assessment of the country’s financial sector and has found weaknesses in how third parties handle data and meet security standards.

What can organizations do about the issue? Let’s start by examining these breaches.

MOVEit is managed file transfer (MFT) software used by hundreds of organizations, including government agencies, healthcare providers, and educational institutions.

Over the long U.S. Memorial Day holiday weekend, the Cl0p ransomware group exploited a zero-day vulnerability in the software (CVE-2023-34362, a SQL injection flaw in MOVEit Transfer’s web application) to breach servers belonging to “hundreds of companies” and steal data.

In a change of strategy, the group did not encrypt victims’ data; it simply demanded payment not to publish it. That matters for remediation: because the data was exfiltrated before a patch existed, organizations that patched promptly are still exposed to extortion.

The list of victims includes Sony, EY, PwC, Siemens Energy, the BBC, Boots, British Airways, Shell, the U.S. Department of Energy, and Louisiana’s Office of Motor Vehicles.

Insurance giant Genworth Financial saw 2.5-2.7 million customers and agents affected after its third-party service provider, PBI Research Services, was hit in the breach. PBI also services the California Public Employees’ Retirement System, which disclosed that nearly 770,000 members had also been affected. Neither organization ran MOVEit itself; both were exposed through a vendor that did.

Meanwhile, hackers suspected of being affiliated with China began exploiting a security flaw in Barracuda Networks Email Security Gateway appliances (CVE-2023-2868), targeting hundreds of organizations worldwide, particularly in the United States. So persistent was the compromise that Barracuda, working with incident responders at Mandiant, told customers to replace affected appliances rather than attempt to patch them.

These aren’t the first significant supply chain hacks. Late last month brought an update on an earlier one, the 2020 SolarWinds attack, in which the Russia-backed group Cozy Bear used a trojanized update to SolarWinds’ network and application monitoring platform, Orion, to gain access to government and other systems, including U.S. cybersecurity firm FireEye.

In late June, the U.S. Securities and Exchange Commission informed SolarWinds executives that it intends to pursue “civil enforcement action” in connection with the breach, alleging the company broke federal securities laws in its public statements and “internal controls” related to the hack. This development should put all suppliers on notice: they need to secure their systems and be able to keep serving their customers when something goes wrong.

But what can organizations that rely on external vendors do to protect themselves?

Off the chain

The main lesson from these hacks: just as you must secure your internal processes, you have a responsibility to understand your vendors and how they manage your data. Some key steps to take:

  • Build a comprehensive inventory of your vendors and understand how each one interacts with your data. Prioritize the vendors most critical to your supply chain and those where a cyberattack would significantly impact your business.
  • Use this opportunity to review and limit which vendors can reach which systems and information: adopt a least-privilege approach, where each vendor has access only to the data it needs to deliver its service, and nothing more.
  • Assess your vendors’ preparedness for a breach: what are their encryption practices, MFA use, and password policies? Get evidence, not assurances. Read your vendor contracts and terms and conditions: what promises did they make about how they would treat your data? Talk to your vendors about their approach to data security, and don’t stop until the answers put your mind at ease.
  • Include suppliers in your incident response plan (you have one of those, right?). Establish lines of communication and the processes to follow if either party experiences a breach. You are all on the same team, so agree on the game plan in advance.
  • If, after all this research, you still have doubts about a given vendor, switch to an alternative whose data practices you are satisfied with.

Supply chain hacks are becoming more common as threat actors see significant value in attacking many targets with a single exploit. There’s no better time to secure your supply chain, but as the cybersecurity landscape evolves, this may not be the last time you repeat this process.

Enjoying this edition of FILED so far? Read the full version, and sign up to get next month's email in your inbox.
