Cyren Security Blog

Exposure of car manufacturers’ data underscores risks posed by suppliers

by Duncan Mills

The ability of a single vendor to cause significant damage to multiple businesses in the wider supply chain became evident once again this week with the news that a small robotics company had exposed 157 gigabytes of highly sensitive data belonging to over 100 customers, including massive multinationals, like GM, Ford, Chrysler, and Toyota.

The exposed data included everything from customer assembly line schematics and robotic configurations to employee ID and VPN access information. In addition, the robotics vendor also exposed its own corporate and employee data, such as bank account details, contracts, and scans of passports and driver’s licenses.

This most recent fiasco underscores the vulnerabilities of today’s interconnected business world, with many small- to mid-sized businesses finding themselves at the heart of a breach affecting their customers, partners, and suppliers, some of whom may actually be larger, more high-profile companies. The cause of these breaches most often seems to be the smaller businesses failing to recognize the danger posed by insufficient or outdated security.

Famous hacks keep pointing to smaller suppliers

This isn’t the first time the supply-chain-hack scenario, with a small- and mid-size firm at the center of the uproar, has made headlines. In fact, supply chain breaches increasingly constitute the majority of global high-profile attacks.

In 2013, the US retailer Target announced a large-scale breach involving the hack and compromise of 40 million credit and debit cards, and email and mailing addresses for 70 to 110 million people. In this instance, it was an HVAC vendor in Target’s supply chain—not Target itself—that was the source of the hack, which began with a single employee opening an email attachment containing malware that captured the HVAC vendor’s system passwords, allowing the hackers to gain access to Target’s systems.

The massive 2014 hack into Home Depot (resulting in 56 million stolen credit and debit card details and 53 stolen email addresses) was attributed to a third-party vendor, as were the recent hacks into Amazon Web Services and Wendy’s, as well as the so-called “Panama Papers” breach.

And only last year, a ransomware attack focused on the shipping company A.P. Moller-Maersk had devastating effects as it spiraled outward to logistics and transportation companies, bringing activities to a halt in almost 80 ports and terminals around the globe. This attack cost the company an estimated $300 million.

In this most recent supply chain security failure, the robotics firm was notified of the problem by security researchers, enabling the company to fix the issue within a few days. And, while there is no obvious evidence that hackers gained access to the data during the exposure period, no one can be completely certain that criminals hadn’t been aware of the weakness and quietly exploiting it for some time.

Irrespective of whether or not the data from this robotics company had been leveraged by cybercriminals, this most recent example does raise the larger issue of supply chain security—and the extent to which companies (particularly the small- to mid-sized firms) are taking the issue seriously.

Can you afford to do business with unprotected vendors?

A 2017 study by the Ponemon Institute found that 56% of large breaches were the result of an initial breach into a third-party/supply-chain vendor or supplier. And the 2018 Verizon Data Breach Investigations Report showed that smaller businesses are the more likely target of cybercrime, being hit 58% of the time.

Supply chain vendors are often granted access to their customer’s corporate data and even network login credentials. With phishing and other types of cyberattacks at an all-time high (phishing was the most successful type of attack on all businesses in 2017, according to the annual Cyren-Osterman Research survey), other companies in the supply chain—particularly larger companies with their reputation at stake and considerable sums of money to lose—are beginning to question whether it makes sense for them to do business with a small- to mid-sized firm that may not have implemented sufficient security measures to protect sensitive data.

These concerns related to the security (or lack thereof) of a supply chain vendor are not without merit. For better or worse, research bears out the fact that, as far as cybercriminals are concerned, small- to mid-sized supply chain vendors are currently walking around with massive targets on their backs. And, IT decision makers are aware of this fact. In a July 2018 survey of 1,300 IT decision makers at mid-size to large firms, by the company Crowdstrike, nearly 80 percent of respondents stated that they believe supply-chain attacks have the potential to become one of the biggest cyber threats over the next three years. More notably, 87 percent said that security was a critical factor when making purchasing decisions surrounding new suppliers.

Extensive interconnectedness creates collective risk

It is the very nature of the supply chain itself that makes email and web threats particularly dangerous. Businesses operating within a supply chain are typically decentralized, interconnected, and geographically dispersed. Complex groups of large and small stakeholders, including subcontractors, materials and services suppliers, and financial entities often comprise a supply chain that extends around the world. And it is this interaction and interconnectedness between large and small companies that contributes to the overall devastating effects of a supply chain attack. For example, in the 2017 Maersk attack, it wasn’t only ports and container vessels that were affected. Trucks destined for inland facilities were held up for hours and even days at various ports waiting for the systems to come back online so they could process and receive or deliver their shipments, the effect of which spiraled and delayed product distribution for extended periods of time.

Too many businesses “undersecured”

When the news broke that retailing giant Target had been breached via their small HVAC supplier, many an IT professional shook their head in astonishment to learn that the only security solution standing between Target and the HVAC vendor was a “free” online security tool used by the HVAC vendor to protect the company and their customers.

The fact is that many small- to medium-sized businesses think they can “fly under the radar” when it comes to making even a modest investment in robust cybersecurity. The reality is that companies that rely more on “positive thinking” than real security are at extreme risk. Endpoint and appliance-based security and online “free” security tools are typically not updated in real time, so new and evolving threats are slipping through before protection is in place. And, here’s the thing. Real-time is key. Threats are evolving constantly. And, once a threat has been launched, you only have seconds to block it. If your security tools, or email client, or browser aren’t updated constantly—in real-time—then the protection simply isn’t there.

Unprotected mobile workforce complicates matters further

The complexity of a mobile workforce further adds to supply chain attack risk. With an increasingly mobile workforce, employees are no longer confined to a work environment protected by perimeter security devices. Bring-your-own-device (BYOD) policies mean that numerous different devices, each with a different operating system, are accessing company resources—and potentially downloading harmful phishing, malware, and ransomware that, in turn, gets passed to others on the same corporate network. Today, mobile devices need to be protected regardless of location, device type, operating platform, or device ownership.

The business impacts of a breach

Looking at the total cost of some of these recent large breaches—for Target $200 million, for Maersk $300 million—the impact of a breach on either a large or small business isn’t hard to ascertain. With so many businesses heavily reliant on project and production schedules, any type of interruption is going to have a detrimental effect on profits. And, the subsequent reputation loss that follows will likely only further exacerbate an already stretched financial situation.

Businesses need to acknowledge risks and be prepared

Security is only as good as the weakest link. And supply chains are only growing bigger and more complex. No firm wants to be at the center of a major data breach with national or global implications. Ultimately, any business that operates within a supply chain—which is to say, all businesses, since no business today operates in a complete vacuum—needs to view cyberattacks as a critical business risk, not unlike compliance or financial risk. As such, cybersecurity measures (real cybersecurity—not the free online downloads…) need to be a key component of a business risk plan. The first-step activities that small- to medium-sized businesses need to take include regular and frequent patching of systems, browsers, and plugins for updates or identified exploits; deploying cloud-based web and email gateway protection; protecting against evasive threats with advanced sandboxing; and the use of a password management tool and multi-factor authentication.
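The post notes that suppliers are routinely granted VPN access and network credentials, and closes with a first-step checklist (patching, MFA, credential hygiene). The script below is an added example, not Cyren's code or any tool it describes: it turns that checklist into a third-party access review that a customer could run over its own inventory of vendor accounts. The vendor names, day counts, thresholds and severity weights are all constructed for illustration.

```python
"""Third-party access review (added example; constructed data and thresholds).

Applies a checklist drawn from the post to an inventory of vendor accounts:
  - every vendor account must use multi-factor authentication
    (missing MFA on a VPN account is treated as critical);
  - the endpoint a vendor connects from must be patched within a window;
  - vendor accounts that have gone unused are flagged for review or removal.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorAccess:
    vendor: str            # hypothetical supplier name
    access_type: str       # "vpn", "portal" or "api"
    mfa_enabled: bool
    days_since_patch: int  # age of the newest patch on the vendor's endpoint
    days_since_use: int    # days since the account last authenticated


# Constructed inventory; these are not real vendors or real findings.
SAMPLE_INVENTORY = [
    VendorAccess("hvac-services", "vpn", False, 210, 3),
    VendorAccess("robotics-integrator", "portal", True, 12, 1),
    VendorAccess("logistics-partner", "api", True, 45, 120),
    VendorAccess("parts-supplier", "vpn", True, 7, 10),
]

# Thresholds and weights are assumptions for the example, not a standard.
MAX_PATCH_AGE_DAYS = 30
MAX_IDLE_DAYS = 90
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2}


def review_vendor(v, max_patch_age=MAX_PATCH_AGE_DAYS, max_idle=MAX_IDLE_DAYS):
    """Return a list of (severity, message) findings for one vendor record."""
    findings = []
    if not v.mfa_enabled:
        # Network-level access without a second factor is the worst case:
        # a single phished password is enough to reach the customer network.
        sev = "critical" if v.access_type == "vpn" else "high"
        findings.append((sev, "account has no multi-factor authentication"))
    if v.days_since_patch > max_patch_age:
        # Doubly overdue patches are weighted more heavily than slightly late ones.
        sev = "high" if v.days_since_patch > 2 * max_patch_age else "medium"
        findings.append((sev, f"endpoint last patched {v.days_since_patch} days ago"))
    if v.days_since_use > max_idle:
        findings.append(("medium", f"account unused for {v.days_since_use} days; review or revoke"))
    return findings


def review_inventory(inventory):
    """Score every vendor and return a dict ordered from riskiest to cleanest."""
    report = {}
    for v in inventory:
        findings = review_vendor(v)
        score = sum(SEVERITY_WEIGHT[sev] for sev, _ in findings)
        report[v.vendor] = {"score": score, "findings": findings}
    return dict(sorted(report.items(), key=lambda kv: kv[1]["score"], reverse=True))


def vendors_to_escalate(report, threshold=5):
    """Names of vendors whose score meets the escalation threshold."""
    return [name for name, r in report.items() if r["score"] >= threshold]


if __name__ == "__main__":
    report = review_inventory(SAMPLE_INVENTORY)
    for name, r in report.items():
        print(f"{name}: score {r['score']}")
        for sev, msg in r["findings"]:
            print(f"  [{sev}] {msg}")
    print("escalate:", vendors_to_escalate(report))
```

Run as-is, the vendor with VPN access and no MFA plus a badly overdue endpoint scores highest and is the only one escalated; the idle API account surfaces as a lower-priority cleanup item. In practice the inventory would be pulled from the VPN concentrator, identity provider and endpoint management system rather than hard-coded.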
