Lessons From Another Third-Party-Vendor-Based Data Breach

How did hackers gain access to 53 million email addresses and 56 million credit cards belonging to Home Depot customers? Through one of the retailer’s third-party vendors.

Home Depot recently reported the news, saying the hackers gained entry to the retailer’s system and deployed malicious software to steal personal information from customers using self-checkout machines and standard registers at the store.

“Criminals used a third-party vendor's user name and password to enter the perimeter of Home Depot's network,” a Nov. 6 Home Depot press release stated.

Home Depot has alerted the customers who potentially had their email addresses compromised. A notification from the company read:

“The Home Depot has discovered that a file containing your email address may have been taken during the payment card breach we announced in September. The file contained email addresses, but it did not contain passwords, payment card information, or other sensitive personal information. We apologize for this incident and for the inconvenience and frustration this may cause you.”

Actively Managing Third-Party Vendors

This isn’t the first time a third-party vendor served as a point of entry for hackers to cause a massive data breach. Remember the Target data breach last year that compromised some 40 million credit cards? One of Target’s third-party vendors was the gateway for the hackers behind that attack. (We wrote about this earlier this year.)

So, what’s the lesson here? In the age of supplier portals and B2B networks, buyers need to be careful on two fronts related to their systems being compromised:

  • Ensuring that suppliers are not getting hacked by phishers posing as the buyer. They should make sure to let suppliers know what to look for in terms of communications from them or their B2B service providers.
  • Making sure that suppliers don't have access to systems behind the firewall. Integration should be done through secure web services and a controlled extranet/"DMZ" rather than granting suppliers self-service access to on-premise applications and hoping those applications' own controls provide the security.
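The second point above is something a network team can check rather than just hope for. The following script is an added example, not code from the original post or from Home Depot: it audits a firewall or ACL rule set and flags any rule that lets a third-party vendor source address reach an internal zone directly instead of going through the DMZ, or that opens the DMZ to vendors on "any" port. The zone map, the addresses (documentation ranges, not any real retailer's network) and the sample rules are constructed for the example.

```python
"""Audit firewall/ACL rules for vendor access that bypasses the extranet/DMZ.

Added example, not part of the original article. Zones, addresses and rules below
are constructed sample data using RFC 5737 documentation ranges.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # source CIDR
    dst: str      # destination CIDR
    proto: str    # "tcp", "udp" or "any"
    port: str     # e.g. "443" or "any"
    action: str   # "allow" or "deny"


# Constructed zone map (hypothetical addressing).
ZONES = {
    "vendor-extranet": ipaddress.ip_network("203.0.113.0/24"),  # third-party vendor source addresses
    "dmz":             ipaddress.ip_network("192.0.2.0/24"),    # controlled extranet / integration hosts
    "corp":            ipaddress.ip_network("10.0.0.0/16"),     # internal business systems
    "pos":             ipaddress.ip_network("10.50.0.0/16"),    # registers / self-checkout segment
}
VENDOR_ZONES = {"vendor-extranet"}
BROKERED_ZONES = {"dmz"}  # the only zones a vendor identity should ever reach directly


def zone_of(cidr: str) -> str:
    """Map a CIDR to the zone that fully contains it, or 'unknown' (e.g. 0.0.0.0/0)."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "unknown"


def audit(rules) -> list:
    """Return (rule name, problem) pairs for allow rules that violate the DMZ-only policy."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src_zone, dst_zone = zone_of(r.src), zone_of(r.dst)
        if src_zone in VENDOR_ZONES and dst_zone not in BROKERED_ZONES:
            # Vendor credentials/addresses landing behind the firewall: the Home Depot / Target pattern.
            findings.append((r.name, f"vendor source reaches {dst_zone} directly; broker it through the DMZ"))
        elif src_zone in VENDOR_ZONES and (r.port == "any" or r.proto == "any"):
            # Vendor may reach the DMZ, but only on the specific integration service.
            findings.append((r.name, "vendor access to DMZ is not limited to a specific service port"))
        if r.src == "0.0.0.0/0" and dst_zone in {"corp", "pos"}:
            findings.append((r.name, f"any-source rule exposes {dst_zone}"))
    return findings


# Constructed sample rule set.
SAMPLE_RULES = [
    Rule("vendor-api-https",    "203.0.113.0/24",  "192.0.2.10/32", "tcp", "443",  "allow"),  # fine
    Rule("vendor-legacy-vpn",   "203.0.113.0/24",  "10.0.0.0/16",   "any", "any",  "allow"),  # bypasses DMZ
    Rule("vendor-pos-support",  "203.0.113.45/32", "10.50.0.0/16",  "tcp", "3389", "allow"),  # vendor to registers
    Rule("vendor-sftp-dmz",     "203.0.113.0/24",  "192.0.2.0/24",  "any", "any",  "allow"),  # too broad
    Rule("dmz-to-corp-broker",  "192.0.2.10/32",   "10.0.5.20/32",  "tcp", "8443", "allow"),  # brokered hop, fine
    Rule("deny-all",            "0.0.0.0/0",       "0.0.0.0/0",     "any", "any",  "deny"),
]

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_RULES):
        print(f"{name}: {problem}")
```

Run against the sample set, the audit reports the three vendor rules that either land inside `corp`/`pos` or open the DMZ on every port; the vendor-to-DMZ HTTPS rule and the DMZ-to-internal broker hop pass, which is the shape the article is recommending. In a real deployment the rule list would be exported from the firewall and the zone map would come from the network inventory.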

Of course, when IT contractors are being used to manage those critical systems, the IT security and risk management processes should be firmly in place and invoked based on the criticality of the assets being accessed.

There is no way to always prevent these attacks, but with the proliferation of various cloud-based applications and integration services, IT needs to work closely with procurement and all functions that manage third parties to ensure that bad actors are not getting access to critical corporate information assets.
