Another week, another data breach. Best Buy joins the chain of recent data breaches linked to the third-party vendor [24]7.ai. The chain of events encourages us to open up the conversation again covering the vulnerability of third-party vendor security.

Over the last week, the data breach development of Sears, Delta and Best Buy has come to light after the third-party customer service company [24]7.ai was breached between September 27 and October 12, 2017. The method of malicious attack was a piece of malware.

The data breach was not disclosed by the third-party vendor under recently in the last month. The customer service vendor suffered the breach last Fall, but seemed reluctant to disclose it’s breach to its customers.

The type of disclosed information varies across the different organizations. Overall, it’s believed that hackers accessed names, addresses, credit card numbers, CVV numbers and credit card expiration dates. Best Buy confirmed that customer payment information was accessed. Delta reports that very important information like passports and various government-related identifiers were exposed.

The number of customers affected varies across the organizations, but Sears reports fewer than 100,000 customers, and Delta and Best Buy report similar numbers in the hundred thousands breached.

All organizations can link the incident back to their affiliation with the third-party vendor [24]7.ai. Third-party awareness is necessary understanding your data’s vulnerability and creating your incident response plan.

Third-party breach access is more common than business think with a Deloitte survey finding as much as 28% of surveyed businesses facing disruption due to third-party breaches.

Mitigation Method: Monitoring

Once you’ve underwent a through analysis of the sensitive data your third-party has access to, it’s necessary to proactively plan for a breach of that data. Just as if that data was within your own servers, proactive prevention like creating awareness training is essential. Further, implementing a user-centric monitoring service will give a proactive approach to data loss prevention. Monitoring creates a profile of normal user behavior, so when that behavior deviates, administration can be alerted in real-time. These types of proactive approaches are important preventional methods for data breach mitigation. Click below to learn more about Teramind.

Insider Threat Detection