You’re only as secure as your supply chain

A guide to improving supply chain security, plus the latest news and views at the intersection of data privacy, security, and governance.

Anthony Woodward

Founder/CEO


Welcome to FILED Newsletter, your round-up of the latest news and views at the intersection of data privacy, data security, and governance.  

This month:

  • A former Amazon employee used its Ring doorbell camera unit to spy on female customers.
  • U.K. mental health charities handed sensitive data to Facebook for targeting ads.
  • Australia just appointed its first cybersecurity coordinator, and he is... an air commander?

But first: is your supply chain secure? If you’re not sure, time to get MOVEing.

If you only read one thing:  

You’re only as secure as your supply chain

This month’s essential cybersecurity terminology is “supply chain hack,” thanks to the MOVEit and Barracuda Networks ransomware attacks.

So far, more than 140 organizations are confirmed victims of the MOVEit supply chain hack. While only 10 of these victims have disclosed the number of people affected, the tally stands at more than 15.5 million individuals.  

These hacks serve as a reminder that an organization’s security depends not only on its internal tools, team, and operational processes but also on those used by its entire supply chain. Organizations need to get a handle on their supply chain risk.

Australian financial regulator APRA is undertaking a large-scale assessment of the country’s financial sector and has found weaknesses in the way third parties handle data and meet security standards.

What can organizations do about the issue? Let’s start by examining these breaches.

MOVEit is a managed file transfer (MFT) software used by hundreds of companies, including government agencies, healthcare organizations, and educational institutions.

During the long U.S. Memorial Day holiday weekend, the Cl0p ransomware group exploited a zero-day vulnerability in the software to breach servers belonging to “hundreds of companies” and steal data.

In a change of strategy, the group has avoided immediately encrypting victims’ data, instead simply demanding payment not to release data. Organizations that may have acted quickly to patch their systems are still at risk.

The list of victims includes Sony, EY, PwC, Siemens Energy, the BBC, Boots, British Airways, Shell, the U.S. Department of Energy, and Louisiana’s Office of Motor Vehicles.

Insurance giant Genworth Financial saw 2.5-2.7 million customers/agents affected after its third-party service provider PBI Research Services was hit in the breach. PBI also services the California Public Employees’ Retirement System, which disclosed that nearly 770,000 members had also been affected.

Meanwhile, hackers suspected of being affiliated with China began exploiting a security flaw in Barracuda Networks Email Security Gateway devices, targeting hundreds of organizations worldwide, particularly in the United States. So insidious was the hack that a report by Mandiant told customers to rip out the devices and replace them rather than attempting to patch them.

These aren’t the first significant supply chain hacks. We had an update on one, the 2020 SolarWinds attack, late last month. This attack saw Russia-backed hacking group Cozy Bear using a compromised update to SolarWinds’ networking and applications monitoring platform Orion to gain access to government and other systems, including U.S. cybersecurity firm FireEye.

In late June, the U.S. Securities and Exchange Commission informed executives at SolarWinds that it intends to pursue “civil enforcement action” in connection with the breach, alleging the company broke federal securities laws in its public statements and “internal controls” related to the hack. This development should put all suppliers on notice. They need to secure their systems and ensure they can service their customers.

But what can organizations leveraging external vendors do to ensure their safety?

Off the chain

The main lesson from these hacks: in the same way you must secure your internal processes, you have a responsibility to understand your vendors and how they manage data. Some key steps to take:

  • Gather a comprehensive list of your vendors and understand how they interact with your data. Focus on vendors most important to your supply chain and on which a cyberattack would significantly impact your business.
  • Also, take this opportunity to review and limit which vendors have access to which systems/information: adopt a least-privilege approach, where vendors can access as little information as they need to provide their service.
  • Assess your vendors’ preparedness for a breach: what are their encryption practices, MFA use, and password policies? Get evidence. Read your vendor contracts and terms and conditions: what promises did they make about how they would treat your data? Talk to your vendors to understand their data security approach, and ensure you get answers that will put your mind at ease.
  • Include suppliers in your incident response plan (you have one of those, right?). Establish lines of communication and processes to follow if either of you experiences a breach. You are all on the same team, so agree to the game plan.
  • Following all this research, if you have any lingering doubts about a given vendor, switch to an alternative whose data practices you are satisfied with.

Supply chain hacks are becoming more common as threat actors see significant value in attacking many targets with a single exploit. There’s no better time to secure your supply chain, but as the cybersecurity landscape evolves, this may not be the last time you repeat this process.

Privacy & governance  

Maybe existing data privacy laws already regulate data-related aspects of A.I.?

Thanks to careless use of the Meta pixel, U.K. mental health charities handed sensitive data to Facebook for targeting ads.

According to the Federal Trade Commission, a former employee of Amazon’s Ring doorbell camera unit spied on female customers for months in 2017 with cameras placed in bedrooms and bathrooms. The FTC made the statement as part of a U.S. $5.8 million settlement with Amazon over privacy violations.

Google says any “right to be forgotten” provision potentially introduced as part of a revision to Australia’s Privacy Act should target websites, not search engines. Here’s an idea: why not both?

Searches for “Netflix terms and conditions” increased by 1,524 percent after the streaming platform debuted the new season of the dystopian drama Black Mirror. The first episode of the award-winning show’s sixth season offered a dystopian view of what happens when you accept terms and conditions without reading them.

JP Morgan was fined U.S. $4 million for accidentally deleting records it was legally required to retain for business purposes. Repeat it with me: records management matters.

Security  

Australia appointed its first cybersecurity coordinator: the Royal Australian Air Force’s (RAAF) Air Commander Australia, Darren Goldie.

Latitude Financial faces a $1 million lawsuit concerning its March data breach, which we covered here in May.

Medibank needs to set aside A.U. $250 million in extra capital due to its weak information security, according to the Australian Prudential Regulation Authority (APRA).

UPS disclosed a data breach for Canadian customers, saying personal information might have been abused in phishing attacks. The disclosure was slipped into a general warning about the dangers of phishing.

📣The latest from RecordPoint  

Read: We often misdiagnose data privacy issues as data security problems by focusing on data breaches. But poor data management is arguably a bigger culprit. Records and information managers are well-positioned to fill a significant gap for organizations in this era, as they operate as custodians of company data, with a natural affinity with compliance and concepts like retention. Read our guide to data privacy, produced with a records management lens.

Listen: Last month, we launched our podcast, FILED, featuring me and RecordPoint’s V.P. of product, Kris Brown, in discussion with experts in data privacy, data security, and information governance. Listen to the first three episodes and subscribe in your podcast platform of choice to ensure you get episode four when it drops this week.
