Third-Party Attack Vectors

Growing reliance on third-party vendors for specialized services has made those vendors a frequent target for cyber attacks. The risk is compounded because many companies engage multiple vendors, and each one is a potential entry point for attackers.

Examples

  • In 2013, Target suffered a major data breach that exposed the payment and personal information of over 100 million customers. The hackers accessed Target’s systems through a third-party vendor that provided HVAC services.
  • The SolarWinds hack in December 2020 underlines the importance of third-party risk management. The vulnerability in SolarWinds’ Orion software was exploited to target US government agencies and private companies.
  • Nissan disclosed in 2023 that one of its third-party software vendors, CarGurus, had suffered a data breach that compromised the personal data of around 18,000 customers.
  • In March 2023, an attack occurred on the fast-food chain Chick-fil-A. Hackers obtained log-ins from a third party to access Chick-fil-A One, enabling them to launch an “automated attack” against the company’s website and app, ultimately resulting in the theft of customers’ sensitive information.

These incidents demonstrate the need for companies to carefully evaluate and manage their relationships with third-party vendors to mitigate potential risks and avoid cyber attacks.
