3rd Party Security Breaches

In September 2023 it was announced that the Greater Manchester Police had suffered a data hack exposing details used by the force’s security badges.  Supply of these badges had been outsourced to another body, and it was that organisation, not the police, that had been hacked.  The data lost included the names and photographs of serving police officers.  It might be used to impersonate a police officer or to track down serving officers and influence their decision making.  A loss of similar data by the Police Service of Northern Ireland in August 2023 was not the result of hacker activity but of a deliberate, if accidental, publication from within.

Few organisations work without needing to exchange electronic data with their suppliers and customers.  In the case of Greater Manchester Police the name badge production did not need to be outsourced.  Creation of identity badges requires relatively cheap and portable equipment, although the addition of security features will add to the complexity.  For documents such as a passport, high standards are required to ensure the document is genuine.  Few people would know the exact make-up of a police identity card.  Any digital entry checks such as barcodes or RFID chips are easily cloned.  It is hard to see what good, outside of cost or convenience in supply, could come from not creating security ID badges in-house.  It would be hoped that only data strictly necessary to create the badges was shared with the supplier.  Even so, this is one clear case of when not to share data with suppliers.

In many cases the decisions are not so clear-cut.  Information needs to flow, and controls need to be put in place to limit that data to a minimum and ensure that suppliers are compliant with data security.  On the other hand, the hacker will be looking for the weak link in the data chain.  SecurityScorecard published a report into the extent of data sharing between suppliers and suppliers of suppliers.  The data comes from SecurityScorecard’s vendor detection software.  They claim to have analysed 230,000 organisations with 73,000+ vendors or products and conclude that 98% of organisations had a relationship with at least one third party that has experienced a breach in the 2 years since 2023.

One approach to sharing data is to use a common portal or repository.  Rather than ‘A’ sending information to ‘B’, both ‘A’ and ‘B’ save data into a shared system.  Users will have different permissions and levels of access so each will only be able to see the data that they need.  While this maintains common standards, the security is only as good as the system itself.  The MOVEit hack in May 2023 led to over 600 data breaches.  The system was compromised at the host side, so any organisation using its services would be unknowingly affected.  Following the supply chain model, in which companies need to share data with others, some organisations would have been susceptible to the MOVEit breach although they make no direct use of the system.
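The indirect exposure described above can be checked mechanically once the data-sharing relationships are written down. The following is an added example, not part of the original article or any vendor's tooling; the organisation names and the graph are constructed for illustration.

```python
from collections import deque

# Constructed sample data: each organisation maps to the suppliers it shares data with.
SHARES_DATA_WITH = {
    "police-force": ["badge-supplier", "payroll-bureau"],
    "badge-supplier": ["print-shop"],
    "payroll-bureau": ["file-transfer-host"],
    "retailer": ["payroll-bureau", "courier"],
    "courier": ["retailer"],  # cycles do occur in real supply chains
    "print-shop": [],
    "file-transfer-host": [],
    "law-firm": ["print-shop"],
}

def exposure_path(org, breached, graph=SHARES_DATA_WITH):
    """Shortest chain of data-sharing links from org to a breached supplier, or None."""
    queue = deque([[org]])
    seen = {org}  # guards against looping forever on cyclic relationships
    while queue:
        path = queue.popleft()
        for supplier in graph.get(path[-1], []):
            if supplier in seen:
                continue
            seen.add(supplier)
            if supplier in breached:
                return path + [supplier]
            queue.append(path + [supplier])
    return None

def exposure_report(breached, graph=SHARES_DATA_WITH):
    """Map each exposed organisation to (depth, path); depth 1 is a direct supplier."""
    report = {}
    for org in graph:
        if org in breached:
            continue
        path = exposure_path(org, breached, graph)
        if path:
            report[org] = (len(path) - 1, path)
    return report

if __name__ == "__main__":
    for org, (depth, path) in sorted(exposure_report({"file-transfer-host"}).items()):
        kind = "direct" if depth == 1 else "indirect"
        print(f"{org}: {kind} exposure, depth {depth}: {' -> '.join(path)}")
```

Organisations reported at depth 2 or more are the ones that make no direct use of the compromised system yet still have data flowing towards it.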

Kindus’ Supply Chain Risk Assessment program will search through your supply chain and identify risks and vulnerabilities associated with data sharing.  This enables the creation of an action plan, identifying what data needs to be stored, mitigating risks and preparing for any possible incidents.
