DoorDash Hacker Incident Illustrates Third-Party Vendor Risks and Potential Vulnerabilities – JD Supra

Hackers have increasingly focused on third-party vendors as avenues to data held by associated businesses. On August 25, 2022, DoorDash announced that it had experienced a data breach which impacted the personal information of certain customers and drivers. After detecting unusual activity originating from one of its third-party vendors, an investigation by DoorDash revealed that the vendor was the target of a phishing campaign. This comes just a few years after DoorDash customer data was breached in a similar hack in 2019, which was also linked to a third-party vendor. Unfortunately, DoorDash is not alone in experiencing the security risks linked to many third-party vendors.

Several companies have been exposed to data breaches by their third-party vendors in recent years. These hacks have resulted in lawsuits from consumers as well as government investigations. Failing to secure consumer data and monitor the cybersecurity practices of third-party vendors may open businesses up to state and federal enforcement actions.

Third-party vendors have significant access to the systems and data used by the companies that they work with. Many enterprises also contract with more than one third-party vendor, increasing the number of ways that information could be leaked. Hackers have learned to exploit this access by targeting the third-party vendors, who may have less stringent cybersecurity measures than associated businesses. Third-party vendors may be more vulnerable to phishing attacks, like the one used to breach DoorDash, in which hackers use compromised emails to gain access to sensitive data. They have also been the targets of increased ransomware efforts and attacks against outdated hosting services that leave information open for unauthorized use.

Many companies may not discuss data security policies with their third-party vendors, which means they could inadvertently be entrusting their customers' information to others who are not prepared to prevent breaches. While companies are focused on the security of their own networks, they should be aware that the vulnerabilities of their third-party vendors may pose an even greater risk to their customer data. Failing to assess and guard against these risks leaves businesses vulnerable to lawsuits from their consumers as well as government enforcement actions.

To minimize some of these risks, companies should prioritize cyber and data security when working with third-party vendors. Companies should ensure that any third-party vendor they contract with has a cybersecurity plan that includes regular testing of its protocols, documented efforts to fix any vulnerabilities, and communication of best practices to employees. Before agreeing to work with a vendor, businesses should ask how the vendor identifies data incidents and what its plan is to address any incident that may arise. Companies should also be sure to monitor what internal data each vendor has access to and consider whether the third-party vendor's security policies are sufficient compared to their own policies. Access controls should be implemented to monitor third-party data usage and alert on any unauthorized access that might originate with a third-party vendor.

Contract language should also be drafted with data security in mind. To ensure fast and effective responses to cyber threats, third-party vendors should be obligated to report data breach incidents that they discover within a designated timeframe. Specific security requirements may also be established within a vendor contract. Companies should also consider adding an indemnity clause that, in the event that a data breach does occur, would hold third-party vendors liable for any breach caused within their organization.

Bottom Line

Businesses should be aware of the cybersecurity risks associated with third-party vendors. When working with third-party vendors, companies should consider and assess the vendors' security protocols. Both businesses and third-party vendors alike should invest in cyber insurance, and businesses should include strong indemnification language in their contracts with third-party vendors.
