3rd Party Security Breaches

In September 2023 it was announced that the Greater Manchester Police had suffered a data hack exposing details used for the force’s security badges. Supply of these badges had been outsourced to another body, and it was that organisation, not the police, that had been hacked. The data lost included the names and photographs of serving police officers. It might be used to impersonate a police officer, or to track down serving officers and influence their decision making. A loss of similar data by the Police Service of Northern Ireland in August 2023 was not the result of hacker activity but a deliberate, if accidental, publication from within.

Few organisations work without needing to exchange electronic data with their suppliers and customers. In the case of Greater Manchester Police the name badge production did not need to be outsourced. Creation of identity badges requires relatively cheap and portable equipment, although the addition of security features adds to the complexity. For documents such as a passport, high standards are required to ensure the document is genuine. Few people would know the exact make-up of a police identity card. Any digital entry checks such as barcodes or RFID chips are easily cloned. It is hard to see what benefit, other than cost or convenience of supply, could come from not creating security ID badges in house. It would be hoped that only the data strictly necessary to create the badges was shared with the supplier. Even so, this is one clear case of when not to share data with suppliers.

In many cases the decisions are not so clear cut. Information needs to flow, and controls must be put in place to limit that data to a minimum and to ensure that suppliers are compliant with data security. On the other hand, the hacker will be looking for the weak link in the data chain. SecurityScorecard published a report into the extent of data sharing between organisations, their suppliers and their suppliers’ suppliers. The data comes from SecurityScorecard’s vendor detection software. They claim to have analysed 230,000 organisations with 73,000+ vendors or products, and conclude that 98% of organisations had a relationship with at least one third party that has experienced a breach in the 2 years since 2023.

One approach to sharing data is to use a common portal or repository. Rather than ‘A’ sending information to ‘B’, both ‘A’ and ‘B’ save data into a shared system. Users have different permissions and levels of access, so each can only see the data that they need. While this maintains common standards, the security is only as good as the system itself. The MOVEit hack in May 2023 led to over 600 data breaches. The system was compromised at the host side, so any organisation using its services would be unknowingly affected. Following the supply chain model of companies needing to share data with others, some organisations would have been susceptible to the MOVEit breach even though they made no direct use of the system.

Kindus’ Supply Chain Risk Assessment program will search through your supply chain and identify the risks and vulnerabilities associated with data sharing. This enables the creation of an action plan: identifying what data needs to be stored, mitigating risks and preparing for any possible incidents.
