As we enter 2024, let’s reflect on some significant third-party cyber breaches from 2023. Sling has diligently tracked these breaches, revealing consistent findings that underscore the urgency of third-party risk management. First, T-Mobile, a leading mobile telecommunications company, grappled with two major incidents in January and April, unveiling vulnerabilities in Application Programming Interface (API) security. Second, a zero-day vulnerability in MOVEit Transfer, a file transfer software product, impacted over 1,000 organizations globally. Most recently, in October, Okta, an IT service management company, fell victim to a breach that compromised personal information for thousands of Okta employees, stemming from unauthorized access to a third-party network. These incidents emphasize the need for collaborative efforts to enhance defenses in the cybersecurity domain in 2024.
T-Mobile Data Breach:
T-Mobile faced a series of data breaches in 2023, exposing millions of customers and employees to potential risks. The January breach, where a hacker exploited an API vulnerability, affected up to 37 million accounts. The breach originated from malicious activity in November 2022, but T-Mobile contained it within 24 hours. In April, a second breach affected 836 customers, exposing highly sensitive data, such as Social Security numbers and government ID details. Later in September, 89 gigabytes of T-Mobile employee data, linked to a breach of Connectivity Source, surfaced on hacker forums. Additionally, a system error in September led to the exposure of customer and payment data for fewer than 100 customers, which was quickly fixed by T-Mobile.
The T-Mobile breaches highlight the importance of proactive security measures and the need for continuous monitoring of APIs. T-Mobile’s swift containment of the vulnerability demonstrated the value of quick incident response. However, the recurrence of breaches within 2023 alone suggests the necessity of a thorough security overhaul. Additionally, as seen in T-Mobile’s case with Connectivity Source, enhancing third-party management could help to mitigate potential risks. Strengthening cybersecurity infrastructure and fostering an environment of security awareness can help organizations preemptively address vulnerabilities and enhance overall resilience when facing threats.
MOVEit Data Breach:
The MOVEit Transfer software breach stands out as one of the largest and most impactful hacks of 2023, affecting over 1,000 known victim organizations. Progress disclosed a critical zero-day vulnerability in MOVEit Transfer in May, enabling the notorious Clop ransomware gang to exploit the service and steal sensitive data. The fallout included continuous threats to publish stolen data unless ransoms were paid. The breach had global repercussions, with U.S.-based organizations accounting for a large majority of the victims.
The MOVEit breach underlines the critical need for ongoing software vulnerability management and underscores the surging impact on interconnected organizations. The financial sector, healthcare, information technology, and government entities were particularly vulnerable, emphasizing the importance of sector-specific cybersecurity measures. Businesses should prioritize timely patching, threat intelligence sharing, and cybersecurity training to reduce the risk of zero-day vulnerabilities. As organizations grapple with the aftermath, it is very important to safeguard against the increasing sophistication of cyber threats.
Okta Data Breach:
In the latest security incident, Okta, a leading identity and authentication management provider, suffered a breach through a third-party vendor, Rightway Healthcare, affecting approximately 5,000 Okta employees. The compromise, discovered in late September but disclosed in October, involved unauthorized access to Rightway’s network, allowing threat actors to steal an eligibility census file containing sensitive personal information. The stolen data included names, Social Security numbers, and health or medical insurance plan numbers for Okta employees and their dependents from 2019 and 2020. Okta learned of the incident on October 12, and an investigation revealed that the hacker initially gained access to a Rightway employee’s cell phone, altering credentials to access and exfiltrate the files.
The Okta breach highlights the inherent risks associated with third-party vendors and the need for vendor risk management strategies. Organizations must not only secure their internal systems but also assess the security practices of their third-party partners. Organizations should implement multi-layered security measures, such as regular vendor risk assessments, continuous monitoring, and employee training on cybersecurity best practices.
The third-party breaches of 2023 demonstrate the critical necessity for a reorganization of security. Strengthening third-party management is imperative to minimize risks and protect businesses. By securing internal systems and assessing the security practices of third-party partners effectively, businesses can strengthen their defense against potential threats and establish a resilient security framework.