28 August 2008—If you’re the owner of a retail-store chain or a financial-services company, it is your responsibility to keep your customers’ credit card numbers or social security numbers safe. But how can you control what goes on outside your company’s doors? Your credit card machine’s vendor could overlook a software vulnerability. Or an employee at the call center handling your customer-service calls could turn sour on his employer.
Data breaches involving trusted third parties—business partners, vendors, suppliers, and contractors—are alarmingly on the rise, according to a recent investigation by the security team at Verizon Business. While studying about 500 incidents worldwide between 2004 and 2007, the RISK Team found that cases involving partner organizations, willing or unwitting, went up fivefold, reaching 44 percent in 2007. Hackers and other outsiders, meanwhile, were directly responsible for close to 80 percent of the breaches. (There was some overlap among the cases.)
The market for stolen data has exploded in recent years, says Bryan Sartin, director of the investigative response team at Verizon Business. In early August, the U.S. Federal Bureau of Investigation cracked down on one of the largest identity-theft cases to date, involving an organized international ring of criminals. This “information black market” is fueling the increase in partner breaches, Sartin says.
For example, he says, criminals can find out the make and model of the cash registers used by a restaurant chain. With this information they can hunt down the company that supports the software system for that cash register model. They could then try to hack into the software system or bribe disgruntled employees at that support company’s call centers.
The Verizon investigators found that in about 57 percent of partner breach cases, the partner organization was an unwitting accomplice. In these cases, an outsider exploited the partner’s connections or information assets. In 21 percent of the cases, the team could not identify specific culprits. A disturbing 16 percent of the cases led back to the deliberate malice of the victim company’s own IT administrators. The other 6 percent were traced to employees who worked remotely or from an off-site facility owned by the victim company.
The upward trend in partner-based breaches is worrisome for more than one reason. The victim company usually finds out about the compromise late, because a trusted party logging into its computer system with valid credentials does not set off alarms. Also, partner-side breaches can cause more damage than a random hacker because partners have higher levels of access to the victim organization’s systems and servers, which puts large amounts of data at risk. The Verizon report shows that the median partner incident compromised 187 500 records, compared with 30 000 for external breaches.
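The point above is that a partner’s login succeeds, so the authentication system itself raises nothing; any alarm has to come from comparing the login against what the partner is actually contracted to do. As an added example (not part of the article or of Verizon’s report), the following script scores each third-party login against a hypothetical access profile: the source networks the vendor is supposed to connect from, the hosts it is supposed to touch, and the agreed maintenance window. The account names, profiles, and log lines are all constructed for the example; the log format (timestamp, user, source IP, host, result) is assumed.

```python
"""Baseline check for third-party (partner/vendor) remote-access logins.

Added example, not from the article or from Verizon's report. Account
names, profiles and log lines are constructed; the log format is assumed.
"""
import ipaddress
from datetime import datetime, time

# Hypothetical third-party accounts and what each is contracted to touch.
# Source networks use RFC 5737 documentation ranges; times are UTC.
PARTNER_PROFILES = {
    "svc-posvendor": {
        "networks": [ipaddress.ip_network("203.0.113.0/24")],
        "hosts": {"pos-app-01", "pos-db-01"},
        "window": (time(1, 0), time(5, 0)),      # agreed maintenance window
    },
    "svc-callcenter": {
        "networks": [ipaddress.ip_network("198.51.100.0/24")],
        "hosts": {"crm-app-01"},
        "window": (time(22, 0), time(4, 0)),     # window wraps past midnight
    },
}

# Constructed sample log lines: every login here succeeded, so nothing
# about the authentication outcome distinguishes the suspicious ones.
SAMPLE_LOG = """\
2008-08-20T02:14:07Z svc-posvendor 203.0.113.17 pos-app-01 success
2008-08-21T14:32:51Z svc-posvendor 203.0.113.17 pos-db-01 success
2008-08-22T03:05:12Z svc-posvendor 198.51.100.9 pos-db-01 success
2008-08-22T03:06:40Z svc-posvendor 203.0.113.17 hr-fileserver success
2008-08-22T23:15:00Z svc-callcenter 198.51.100.40 crm-app-01 success
2008-08-23T02:00:00Z jsmith 10.0.4.22 hr-fileserver success
"""


def parse_line(line):
    """Split one assumed-format log line into typed fields."""
    ts, user, src, host, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user,
        "src": ipaddress.ip_address(src),
        "host": host,
        "result": result,
    }


def in_window(ts, window):
    """True if the time of day falls inside (start, end), handling windows
    that wrap past midnight such as 22:00-04:00."""
    start, end = window
    t = ts.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def check_login(entry):
    """Return the list of ways this login departs from the partner's profile.
    Accounts without a profile are not third parties and are not scored."""
    profile = PARTNER_PROFILES.get(entry["user"])
    if profile is None:
        return []
    reasons = []
    if not any(entry["src"] in net for net in profile["networks"]):
        reasons.append(f"source {entry['src']} outside partner's allowed networks")
    if not in_window(entry["ts"], profile["window"]):
        reasons.append("login outside agreed maintenance window")
    if entry["host"] not in profile["hosts"]:
        reasons.append(f"host {entry['host']} not in partner's contracted scope")
    return reasons


def audit(log_text):
    """Run every line through check_login and collect the flagged ones."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        entry = parse_line(line)
        reasons = check_login(entry)
        if reasons:
            findings.append({"line": lineno, "user": entry["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f['line']} ({f['user']}): " + "; ".join(f["reasons"]))
```

Run against the sample, the script flags lines 2, 3 and 4 (a daytime login, a login from an address outside the vendor’s network, and a login to a host the vendor has no business on) while passing the two in-profile partner logins and ignoring the internal user. The profile is the contract turned into a check: without it, all six lines look identical to the authentication system.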