Please investigate third-party vendors with any computer or network access
Over the last five years there have been many, many corporate data breaches, published and republished numerous times. The targets of late have been hospitals, law firms, and businesses holding large amounts of customer data. At hospitals and doctor's offices the targeted data is the electronic health and medical records (EHR/EMR), including the patient's name, address, medical information, insurance information, and other relevant data. Law firms' files contain evidence, intellectual property, lawsuit strategy, their clients' private data, and other relevant information.
One sector not yet specifically or significantly targeted has been third-party recruiters. Their becoming targets appears to be a natural progression, as these firms likewise hold and manage a person's personally identifiable information (PII).
Whitbread is a multinational hotel and coffee shop business headquartered in the UK. The organization's employee and applicant data was compromised, and a portion of it (the exact number is unknown) was accessed by unauthorized parties. The breach occurred in June 2018. In this instance, the targeted data belonged to current and prospective employees. It included, but was not limited to, the employee's or applicant's name, email address, telephone number, gender, date of birth, and employment details. This list covers most of what an attacker would need to "borrow" the person's identity and run a rather in-depth phishing campaign, which would probably be at least moderately more successful than the generic version. After Whitbread was notified of the issue, the organization sent an email to the potentially affected parties.
The attack vector in this compromise was Whitbread's third-party vendor PageUp, which provided Whitbread's online recruitment platform. Unfortunately, the details regarding the specific method, any outdated configuration, and other information the industry could have learned from have not been released.
Due to the issue, Whitbread is not using the service and platform at this time.
The GDPR was passed into law a few years ago, and the organizations managing, processing, or holding EU citizens' information and data have been on notice and given the opportunity to prepare to comply, as the law came into full force and effect a few months ago. In short, the compromise affected up to 50K employees and applicants in the UK working under Costa Coffee and Premier Inn. If the issue were to be adequately addressed under the GDPR, the fines could in theory be rather impressive.
Lessons to be Learned/To Still be Learned
The numerous compromises have had various causes: loose network controls, a lack of proper cybersecurity controls, and other issues. In this case, the issue revolves around the third-party vetting process. The situation indicates that a thorough vetting of the third-party vendor did not occur. For other organizations in the past, this gap has created rather significant issues and repeatedly led to massive national breaches.
Although we have not learned from history, there are still actions to follow in an effort to resolve the issue. At times the third-party vendor may balk at the scrutiny of a review. The organization may always remind the third party that there are many other vendors who would be willing to do the work. This may also be an occasion for the business to review its own cybersecurity processes and posture. Looking forward, the organization could include a clause in the contract mandating an annual vetting process.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.