[BreachExchange] How data breaches affect technology vendors

Destry Winant destry at riskbasedsecurity.com
Wed Nov 11 10:51:50 EST 2020


https://securityboulevard.com/2020/11/how-data-breaches-affect-technology-vendors/

Data breaches that involve third parties, vendors, and contractors
have continued to make headlines throughout the past 10 years. We
keep seeing the headlines and the articles on social media, and we’ve
all become numb to getting the letters in the mail about yet another
data breach. More often than not, you hear about the doctor’s office
that was breached (or the retailer, the government agency, or pretty
much any type of enterprise in between), but you don’t always hear
about the third party or vendor access that caused that breach, or
any other form of cyberattack.

Let’s take a common example, one that we still talk about even 7
years later: the Target data breach. When we talk about it, we call
it just that: the Target breach. We don’t always associate it with
the HVAC vendor whose unprotected network led to the breach that
still haunts us today.

But that was 7 years ago, and the conversation is beginning to shift
its focus from just the enterprise that was affected by a third-party
data breach to the technology vendor that was associated with the
cyberattack. A good example of exactly this scenario is the
well-known software platform used by many cities, Click2Gov.

What is Click2Gov?

No matter where you live, you most likely have to enter some sort of
payment portal in order to pay your utilities. That’s exactly what
Click2Gov is. According to them, their platform is a payment portal
that empowers citizens through interactive self-service bill-pay
options for utilities, community development, and finance.

A necessary platform, yes, but the news about this software points to
some clear shortcomings. Many cities that use the platform say their
networks have been breached, and Click2Gov is under fire from those
cities and from those in the cybersecurity field. The scariest thing
about the whole Click2Gov situation is that nothing has changed since
their first breach in 2018.

Who was affected and what happened?

In 2018, at least 10 different US cities that use Click2Gov’s software
on their websites had to warn citizens of a data breach that could
have compromised their payment card information. In 2020, Click2Gov
had another breach, attributed to the infamous Magecart-style
attacks, which have also hit other websites like British Airways,
Ticketmaster, and about 2 million more.

In each scenario, the city or town discovers that something is wrong
with its utility payment system, shuts it down, and the city’s name
takes the fall. Fingers have been pointed at Click2Gov for almost 2
years, however, and nothing seems to have changed for them. They
continue to appear in the headlines for different breaches throughout
the past couple of years.

So, who can we blame?

Here’s where things get even trickier: fingers can point in either
direction. Do we blame the different cities that continue not to
check which vendors they’re using, and skip the due diligence of
ensuring that a vendor’s cybersecurity posture matches what they
expect internally? Or do we blame the vendor who continues to have
issues and doesn’t seem to take the necessary steps to avoid data
breaches, ransomware, or other attacks? Whichever side you pick,
you’re both right and wrong, because both parties are at fault.

No matter which “side” you’re on, enterprise or vendor, cybersecurity
for external access should always be a top priority because, as you
can see, when it isn’t prioritized it leads to breaches, ransomware
attacks, and bad press for your company.

What can we do?

You really are only as strong as your weakest link when it comes to
network security. For a technology vendor, the impact of a data breach
attached to your name can be deadly: not only to your budget, in terms
of fees and fines, but to your reputation, which can be ruined with
just one headline. At the end of the day, a data breach can lead to
fines, fees, reputational damage, and unlimited liability.

Moving forward, external vendors, contractors, and third parties need
to be aware that there are ways to limit their liability while
balancing efficiency with awareness of potential security risks.
Look for the remote support platform that best fits your needs, and
consider what you want or need out of a platform, such as the ability
to:

Improve productivity by streamlining support processes on a single platform
Regulate the access methods that can be used
Decrease the time to resolution with email alerts
Scale to meet demand
Reduce liability by being able to prove you weren’t in the system
