Cybersecurity and Third-Party Risk. Gregory C. Rasner
Washoe County School District (2018): District teachers' emails, usernames, and passwords were exposed by an instructional tool provided by Edmodo.
MedCall Healthcare Advisers (2018): Over 150 businesses were affected by this third‐party breach, with 7 GB of medical information data being exfiltrated.
GoDaddy (2018): Sensitive records for over 30,000 servers were released by a misconfigured Amazon S3 bucket.
Air Canada (2018): An undisclosed mobile application provider caused the loss of customer data.
Fiserv (2018): This financial third‐party website provider was the reason that hundreds of banks had the records for their customers exposed.
Ticketmaster (2018): Inbeta, a provider of Ticketmaster's website application, caused a leak of customer data.
Universal Music Group (2018): Cloud‐storage provider Agilisium caused the loss of internal File Transfer Protocol (FTP) credentials, Amazon Web Services (AWS) secret keys and passwords, along with internal root passwords for structured query language (SQL) databases.
Chili's Grill & Bar (2018): Chili's POS system was breached, causing the loss of an undisclosed number of credit card data records.
Best Buy, Sears, Kmart, and Delta (2018): An online chat provider used by these firms lost over a million customer records in total.
Applebee's (2018): 160 restaurants and their customer data were released by the chain's POS system.
Western Union (2018): Private data about transactions was released by an undisclosed vendor who performed offsite cloud storage.
Ascension (2019): A misconfigured server at a third party exposed millions of bank loan and mortgage documents.
Amadeus (2019): The online booking systems for over 140 airlines worldwide had a critical flaw that allowed hackers to get access to the flight reservation systems.
Adverline (2019): A third party to online European sellers had malicious code injected, exfiltrating credit card information.
Click2Gov (2019): An online payment tool used by many U.S. and Canadian municipalities was compromised, releasing information on citizens in St. John in Canada and Hanover County in Virginia.
BankersLife (2019): Breached third party allowed the information about Humana's customers to leak.
BenefitMall (2019): A third‐party administrator for Highmark BCBS, Aetna, Humana, and United Health caused a leak of customer data.
Quest Diagnostics (2019): From August 2018 to March 2019, a hacker gained access to Quest's data at a billing collections vendor called American Medical Collection Agency (AMCA). A total of 11.9 million records were exposed.
Suprema (2019): A firm offering biometric security software exposed 27.8 million unencrypted records for over 6,000 firms, including U.K. Metro Police, Power World Gyms, and Global Village.
LensCrafters, Target, EyeMed (2020): Luxottica, a breached online appointment application provider, caused the loss of thousands of protected health information (PHI) records.
Insurance companies in Texas and Colorado (2020): Insurance carriers were impacted by a breach at Vertafore, which provides software to insurance companies.
First Federal Community Bank, Bank of Swainsboro, First Bank & Trust, Rio Bank (2020): ABS, a bank software provider, released the PII for the banks' customers.
Hotels.com and Expedia (2020): Channel manager vendor, Prestige Software, was breached, exposing names, credit card information, and reservation details.
Australian Stock Exchange (2020): An undisclosed amount of protected data was exfiltrated from the media‐monitoring vendor Insentia.
Google (2020): A law firm known as Fragomen, Del Rey, Bernsen & Loewy disclosed information that Google used for the I‐9 process (i.e., proof of ability to work in the United States).
City of Odessa (2020): Click2Gov, a frequently breached vendor, leaked details on how Odessa residents paid their utility bills.
Tribune Media and Times Media Group (2020): Marketing company, View Media, was breached, releasing information about 38 million U.S. residents.
Buffalo, NY, area hospitals; FeedMore; and Phipps Conservatory (2020): Blackbaud, a data management vendor, released the names, medical services numbers, dates of patient services, and a list of donors.
Rochester YMCA (2020): An undisclosed software vendor was breached for the names, addresses, and gift history of donors.
SEI Investments (2020): MJ Brunner, a third‐party software provider to SEI Investments, was breached, affecting customers at dozens of investment banks.
Bank of America (2020): Caused by an unnamed third‐party merchant, Paycheck Protection Plan (PPP) application business details, including Social Security numbers (SSNs), emails, addresses, and more, were released.
Citrix (2020): An undisclosed vendor disclosed Citrix's customer data, which was exposed on the Dark Web.
Marriott (2020): A Russian franchise operator was the reason for the second breach at this hotel chain in just two years. This time over 5 million records were compromised.
T‐Mobile (2020): An email vendor's breach was the reason that thousands of customer names, addresses, phone numbers, emails, rate plans, and more were exposed. This is the second public breach for T‐Mobile, with the last one occurring in 2015.
Radio.com (2020): Its cloud‐hosting provider misconfigured their instance, which resulted in its customers' PII being made public.
Chubb (2020): A third‐party service provider released internal sensitive data about Chubb.
General Electric (2020): Canon, which was used by GE for business processes, was breached, resulting in information on past and current GE employees and sensitive data being released.
Amazon, eBay, Shopify, Stripe, PayPal (2020): A third‐party application breach was the reason for the release of over 8 million records on sales information, customer names, emails, mailing addresses, and credit card information including the last four digits of account numbers.
SpaceX, Tesla, Boeing, Lockheed Martin (2020): Viser, a parts manufacturer, released partial schematics for a missile antenna and other restricted internal data.
Carson City (2020): Click2Gov caused the release of residents' names, addresses, email, debit/credit cards, card security codes (CVV), and bank account and routing numbers.
Idaho Central Credit Union (2020): A mortgage portal provider was hacked, releasing customer banking information.
Nedbank (2020): Nearly 2 million customer PII records were released by Computer Facilities (Pty) Ltd., a marketing and promotional firm.
Mitsubishi (2020): A large amount of internal restricted data was exfiltrated via an undisclosed vendor in China.
P&N Bank (2020): A third‐party customer relationship manager (CRM) hosting company caused the loss of nearly 100,000 customer records.
Ubiquiti Inc (2021): A maker of Internet of Things devices, it lost an undisclosed amount of customer names, email addresses, passwords, addresses and phone numbers due to a third‐party cloud provider.
Bonobos (2021): This men's clothing retailer had the data for over 7 million customers (addresses, phones numbers, account info, partial credit card information) stolen from its cloud data provider.
US Cellular (2021): The fourth largest wireless carrier in the U.S. exposed the private data of almost 5 million customers