Hackers have increasingly focused on third-party vendors as avenues to data held by associated businesses. On August 25, 2022, DoorDash announced that it had experienced a data breach which impacted the personal information of certain customers and drivers. After detecting unusual activity originating from one of its third-party vendors, an investigation by DoorDash revealed that the vendor was the target of a phishing campaign. This comes just a few years after DoorDash customer data was breached in a similar hack in 2019, which was also linked to a third-party vendor. Unfortunately, DoorDash is not alone in experiencing the security risks linked to many third-party vendors.
Several companies have been exposed to data breaches by their third-party vendors in recent years. These hacks have resulted in lawsuits from consumers as well as government investigations. Failing to secure consumer data and monitor the cybersecurity practices of third-party vendors may open businesses up to state and federal enforcement actions.
- In 2013, Target admitted to being the victim of a data breach that resulted in the exposure of names, addresses, contact details, and payment information for millions of customers. The breach was the result of a phishing email that compromised one of Target’s vendors. As a result of the breach, Target became the subject of investigations in nearly every state in the country, which it then paid approximately $18.5 million to settle in 2017.
- In 2014, hackers were able to install malware on Home Depot’s internal system by gaining access through a third-party vendor. This allowed the unauthorized users to collect payment information from customers using Home Depot’s self-checkout machines. Following investigations by the Attorneys General of 45 states, including the District of Columbia, Home Depot settled with the states for $17.5 million. In total, Home Depot estimates that this breach has cost the company $179 million, including payments to customers, credit card companies, banks, and government entities.
- In 2019, 100 million Capital One customers had their sensitive data accessed by a hacker who exploited weaknesses in Amazon Web Services’ cloud server, which Capital One used to store customer information. The Office of the Comptroller of the Currency (OCC), a bureau within the U.S. Department of the Treasury, fined Capital One $80 million in connection with this breach. OCC found that Capital One failed in its responsibility to create risk assessment processes before utilizing a third-party cloud server. Capital One paid a further $190 million to settle a class-action lawsuit brought by impacted customers.
- In 2020, the Federal Trade Commission (“FTC”) brought a complaint against Ascension Data & Analytics LLC (“Ascension”) alleging that it had violated the Gramm-Leach-Bliley Act by failing to oversee the cybersecurity practices of its third-party vendor, OpticsML. As part of its work for Ascension, OpticsML conducted text recognition on documents that contained mortgage holders’ sensitive information. OpticsML stored these documents on a cloud-based system without any protection, and they were then accessed by unauthorized users dozens of times. In December 2021, Ascension and the FTC reached a settlement. The settlement requires Ascension to implement and maintain a data security program and submit to biannual review by an independent entity, but it did not impose financial penalties. One FTC Commissioner voted against the settlement, finding that it did not go far enough and that charges should have been laid against Ascension as well as its parent company.
Targeting Third-Party Vendors
Third-party vendors have significant access to the systems and data used by the companies that they work with. Many enterprises also contract with more than one third-party vendor, increasing the number of ways that information could be leaked. Hackers have learned to exploit this access by targeting the third-party vendors, who may have less stringent cybersecurity measures than associated businesses. Third-party vendors may be more vulnerable to phishing attacks, like the one used to breach DoorDash, in which hackers use compromised emails to gain access to sensitive data. They have also been the targets of increased ransomware efforts and attacks against outdated hosting services that leave information open for unauthorized use.
Many companies may not discuss data security policies with their third-party vendors, which means they could inadvertently be entrusting their customers’ information to others who are not prepared to prevent breaches. While companies are focused on the security of their own networks, they should be aware that the vulnerabilities of their third-party vendors may pose an even greater risk to their customer data. Failing to assess and guard against these risks leaves businesses vulnerable to lawsuits from their consumers as well as government enforcement actions.
To minimize some of these risks, companies should prioritize cyber and data security when working with third-party vendors. Companies should ensure that any third-party vendor they contract with has a cybersecurity plan that includes regular testing of its protocols, documented efforts to fix any vulnerabilities, and communication of best practices to employees. Before agreeing to work with a vendor, businesses should ask how the vendor identifies data incidents and what its plan is to address any incident that may arise. Companies should also monitor which internal data each vendor has access to and consider whether the third-party vendor’s security policies are sufficient compared to their own. Access controls should be implemented to monitor third-party data usage and to alert on any unauthorized access that might originate with a third-party vendor.
Contract language should also be drafted with data security in mind. To ensure fast and effective responses to cyber threats, third-party vendors should be obligated to report data breach incidents that they discover within a designated timeframe. Specific security requirements may also be established within a vendor contract. In the event that a data breach does occur, companies should consider adding an indemnity clause that would hold third-party vendors liable for any breach caused within their organization.
Businesses should be aware of the cybersecurity risks associated with third-party vendors. When working with third-party vendors, companies should consider and assess the vendors’ security protocols. Both businesses and third-party vendors alike should invest in cyber insurance, and businesses should include strong indemnification language in their contracts with third-party vendors.
For more information and guidance to deal with cybersecurity issues and related matters, please contact Privacy & Cybersecurity Practice Chair Harris S. Freier, Esq. via email here or call 973.535.2079.
Tags: Genova Burns LLC • Data Breach • Privacy & Cybersecurity • Federal Trade Commission • DoorDash • Hacker • Third Party Vendor • FTC • Class Action • Data Security • Cybersecurity