What do the breaches of Carnival, J. Crew and T-Mobile have in common? All three involved unauthorized third parties, and in every case the attackers went after data.
These separate incidents show how companies in very different sectors are being targeted so that their data can be stolen and monetized. None of these intrusions was technically sophisticated. In fact, it is the lowest-hanging fruit that can have the biggest impact. While security teams are asked to patch vulnerabilities in a linear order of severity (critical first, then high, medium and finally low), we find that it is the simplest attacks, such as gaining access to an ordinary employee email account, that cause the most damage.
In a statement from Carnival: "In late May 2019, we identified suspicious activity on our network. Upon identifying this potential security issue, we engaged cybersecurity forensic experts and initiated an investigation to determine what happened, what data was affected, and who was impacted."
"It now appears that between April 11 and July 23, 2019, an unsanctioned third party gained unauthorized access to some employee email accounts that contained personal information regarding our guests." In a nutshell, the following data was stolen: name, address, Social Security number, government identification number (such as passport number or driver's license number) and health-related information. In addition, it is believed that credit card numbers and financial account information might have been exposed.
In its disclosure letter to customers, J. Crew stated that customers' email addresses and passwords were obtained by an unauthorized third party and that significant additional personal information could have been accessed in the April 2019 incident.
In a statement from T-Mobile: "Our Cybersecurity team recently identified and shut down a malicious attack against our email vendor that led to unauthorized access to certain T-Mobile employee email accounts, some of which contained account information for T-Mobile customers and employees." T-Mobile's exposed data included customer names and addresses, phone numbers, account numbers, rate plans and features, and billing information.
NucleausVue offers the capability to test third-party vendors' code for vulnerabilities. With both the number of vulnerabilities and the number of people seeking to exploit them on the rise, Procurement now has a platform that lets it make continual scanning and remediation of potential software vulnerabilities a condition of every sourcing RF(x) and license agreement.
With Nucleaus as your SAST partner, it is simple to mitigate the organization's third-party risk. Sign up for our procurement service and your vendors can either email us their code or connect their repositories to your Nucleaus console. See code vulnerabilities in real time and understand your security posture.