Why managing cyber risks along the supply chain is critical for large organisations - Recent breaches
On 3 June 2019, Quest Diagnostics and LabCorp, two US stock-exchange-listed companies that offer the public diagnostic testing services for cancer, cardiovascular disease, infectious disease and neurological disorders, as well as employment and court-ordered drug testing, announced to the Securities and Exchange Commission (SEC) that a breach at a third-party collections vendor had compromised the details of approximately 12 million and 8 million of their customers respectively.
The third-party collections vendor, American Medical Collection Agency (AMCA), is a debt collection agency that helps healthcare organisations collect payment from patients. Hackers gained access to AMCA's online payment systems, which stored customers' first and last names, credit card and bank account numbers, birth dates, addresses, phone numbers, dates of service, healthcare provider information and the amounts customers owed.
According to Quest Diagnostics' announcement to the SEC, AMCA notified Quest of the breach and said that it began on August 1, 2018 and continued until March 30, 2019 - a period of 8 months during which the intrusion operated undetected.
We have, in several previous posts (Link 1) (Link 2), highlighted the risks that parties in the supply chain pose to large organisations' management of their own cyber risks. In the breach above, hackers were inside the third-party vendor's systems 'stealing' data for 8 months before they were detected, and the clients, Quest Diagnostics and LabCorp, were not even aware that their systems were compromised as a result of the breach at the third-party vendor.
Breaches like this are happening with such alarming frequency that we would not be surprised if a day comes when governments and regulators across the world start introducing legislation and regulations that impose more stringent requirements, including punitive damages, on organisations that 'expose' their customers' details, whether intentionally or unintentionally.