What is a third-party attack? Also known as a supply chain attack, it is when someone infiltrates your system(s) through an outside partner that has access to your systems and data.
This has dramatically changed the attack surface of the typical enterprise in the past few years, with more suppliers and service providers having access to sensitive data than ever before.
Early signs of this sort of attack appeared back in 2013, when Target's gateway server was breached through a third-party vendor's credentials, resulting in the exposure of 40 million credit/debit cardholders' information.
The problem deepens when you consider that the risks don't end when the supplier relationship is terminated. This was the case with Dave, when one of its third-party vendors, a former business partner, had its GitHub and GitLab OAuth tokens compromised, tokens Dave was still using despite no longer having a relationship with the third party. The vulnerability exploited was a blind SQL injection vulnerability, which would have been identified if regular penetration tests had been conducted.
In true hacker fashion, some money was made at auction for their efforts, but in the end, the compromised databases were leaked for free in forums.
When dealing with third parties who have access to sensitive company and customer data, always remember to:
- Maintain and implement policies and procedures to manage service providers;
- Establish a process when engaging service providers which includes proper due diligence before engagement;
- Maintain a list of approved service providers including a description of the service provided;
- Maintain a program to monitor your third parties' cybersecurity and PCI DSS compliance (if you have a cardholder data environment and they have the ability to affect the security of cardholder data).
Overdraft protection and cash advance service Dave suffered a data breach that appeared to involve the practices of a former third-party vendor, resulting in its database containing 7.5 million user records being sold at auction and later released for free on hacker forums.