The Magecart group was named one of the most dangerous ‘people’ on the internet in 2018. It wasted little time defending its title in 2019.
Trend Micro researchers discovered that Adverline, a digital advertising network, had been the victim of a Magecart attack in November 2018. The announcement was made in January 2019.
The data breach serves as a powerful reminder that even the most secure companies can fall victim to another business’ mistakes. Magecart is ushering in the era of third-party vendor and supply chain risk and the Adverline data breach is a perfect example of how the group is doing so.
The Adverline breach: What we know
On 16 January 2019 it was revealed that Adverline’s Content Delivery Network (CDN) had been compromised by the Magecart threat group. Trend Micro researchers initially made the discovery and noted that the incident took place two months earlier in 2018.
Initial reports have the incident affecting 277 companies through Magecart’s infamous card-skimming technique, though Trend Micro believes this number could rise to the thousands, according to ZDNet.
The compromise rested on a small piece of JavaScript being inserted into an Adverline ad tag script, RiskIQ reported. The CDN did the rest of the work, delivering the skimmer to the websites of its customers and loading the code once a visitor landed on the page.
Researchers noted that the Adverline cyber-attack followed the same techniques used by Group 5 of Magecart, which was responsible for the Ticketmaster data breach, among others. But analysts believe that a new group, Group 12, was actually responsible for the attack. It was just a stroke of luck that they were able to compromise Adverline’s CDN, as they normally carry out targeted cyber-attacks that focus on a single business.
The investigation is still in the early stages and the company has yet to make a statement on the breach as of this post being published, which means details are few and far between. The incident does serve as an excellent reminder as to why companies can’t become complacent with their third-party vendor or digital supply chain relationships in 2019.
Third-party vendor cyber risk is steadily rising
The Adverline data breach is just one in a long line of security incidents over the past year that have plagued the third-party ecosystem and the companies who procure services from them. Attackers understand these relationships aren’t a priority in organisations’ cyber security strategies and they’re now taking advantage of it.
In fact, PricewaterhouseCoopers found that just over half of all companies have security controls in place to govern the cyber risks of working with third-party vendors, according to its Global State of Information Security Survey 2018. Unsurprisingly, 66 percent of enterprises surveyed have suffered a security incident in their digital supply chain over the last year, a CrowdStrike report found.
Third-party risk isn’t anything new, but in the digital era it has brought on a host of new concerns – primarily data security. Companies are outsourcing everything from chatbots to payment processing to other providers. It’s an economical way of scaling and staying current in the current marketplace, but there’s an inherent danger in doing so.
Large amounts of customer information and intellectual property pass through these services daily. The vendors that are processing that information often prioritise scalability, agility and general functionality over security. Despite the fact that the data may be stored in their databases, the enterprises that enlist the services of third-party vendors are still considered controllers under GDPR and are therefore responsible for its security.
It’s one of the reasons why data breaches are most costly when they involve a third-party vendor. In these instances, the cost an organisation incurs with each stolen record rises $13, from $148 per file to $161, according to Ponemon’s 2018 Cost of a Data Breach study.
Most troubling is the fact that there are certain hacking groups now specialising in exploiting vulnerabilities in third-party vendors’ digital infrastructures. Ticketmaster UK, British Airways and Newegg were all victims of the Magecart attacks. Certain groups, like Group 5, within Magecart specialise in compromising companies at key points in the supply chain to extend their reach to a larger set of businesses.
Relationships with third-party vendors should be treated as importantly – depending on the data being fed to them – as a company’s own digital infrastructure. Spending the time and resources on shoring up that defence now could save a business from having to report a breach to a data protection authority down the line.
How to reduce cyber risk with third-party vendors
Effective incident response services can have a significant impact on the cost of a data breach and save an enterprise roughly $14 per record, according to Ponemon. Being able to quickly intervene and remediate the situation is beneficial to the business’ reputation and allows it to disrupt the hacking attempt as soon as it’s detected, no matter where it sits in the supply chain.
Organisations should also regularly review their internal processes regarding third-party vendor and digital supply chain cyber risk to ensure it aligns with best practices dictated by a cyber security framework like NIST or the CIS Top 20. Doing so won’t completely erase the chance that a data breach occurs, but it will reduce its likelihood and ensure a company is prepared for when one takes place.
Companies should actively manage their third-party vendor relationships and figure out the value of the data they’re processing, as well as what the impact of a data breach would be. Follow up on service level agreements to confirm that providers and partners are doing their part in terms of implementing and supervising security controls.
Enterprises that function as third-party vendors should take similar steps to prove to clients – both current and prospective – that they’re investing in their cyber security infrastructure. Adopting certified security frameworks can turn into a competitive edge as the industry begins to suffer from data breaches.
Take ISO 27001, for example. The certification process involves an external audit that provides a widely recognised and respected security certification. This showcases the commitment a company gives to protecting its data and implementing the latest cyber security best practices and reassures its customers that the company is taking every precautionary measure possible.
In an era where there’s a new vulnerability or exploit seemingly every day, it’s critical that organisations are staying up to date on threat intelligence in their industry. Threat intelligence feeds can shed light on what tactics hackers are favouring at the moment, which could help dictate decision-making as to which third-party vendors a company wants to work with.
Interested in learning about how you can protect your business from cyber risk with third-party vendors? Contact an Integrity360 representative today to learn more.