4 Unexpected Industries That Can Be Targets of Third-Party Breaches
Financial. Healthcare. Insurance. Government.
Industries like these, well known for dealing with valuable information such as Social Security numbers, medical records and other personal information, are what most would consider likely security breach targets. However, as organizations increasingly depend on technology, data and vendor supply chains to conduct business, there’s no sector that’s immune and no organization that is safe from a cyber breach.
Here are 4 surprising industries that may be targets and why:
At first glance, a construction company might not seem like an obvious target for a cyber breach. In reality, the industry's growing dependency on technology to help with project planning and operating heavy equipment also carries potential risk to the organization.
In addition, construction companies routinely work with many subcontractors to assist with various projects, expanding their external attack surface for potential breaches. In fact, in 2020, Bouygues, Bam Construct and Interserve, all major construction companies, became victims of cyberattacks in a span of just four months.
Furthermore, construction companies work with various institutions, from famous hospitals to secure government buildings, iconic landmarks to sprawling offices. Essentially, a hacker may attempt to gain access to such a facility by hacking into its construction vendor.
Cybercriminals seem to have found a new group to target: educational institutions. Access to financial documents and sensitive data about students, parents and educators spells opportunity for hackers.
Once the pandemic hit and schools needed to adjust to remote learning, they were faced with unprecedented decisions about how to address this new reality. For some schools and universities, it meant investing in ed-tech tools and devices to accommodate their students’ needs. On the flip side, adding tools also comes with added risk, which can actually be detrimental if unaddressed.
Stanford University was one of a long list of higher education institutions to have student and faculty data stolen and published online as a result of a vulnerability affecting its third-party file-transfer application, Accellion.
There has definitely been a surge of attacks on educational organizations since COVID-19 began. In fact, researchers at Check Point found that there was an increased hacker interest in topics related to education, research and back to school, leading up to the 2020-21 school year.
The aviation industry is going through some turbulent times, and not just because of the pandemic. While airlines were focused on improving the safety and comfort of passengers both during the pandemic and in a post-COVID-19 world, highly sophisticated hackers were making plans of their own.
In one case, an attack on a single vendor had huge repercussions for many. Rather than targeting individual airlines, cybercriminals took the more efficient route by attacking SITA, an organization that provides IT services for nearly 90% of the world’s airlines. With a single data breach, the private information of millions of travelers was compromised. In another attack, airplane manufacturer Bombardier suffered a data breach, also as a result of the Accellion vulnerability.
The aviation industry depends on a range of technologies that enable travel and transport operations. If critical software is left unpatched and vulnerable, it presents a real threat to the airline industry, and exposing traveler data is a top concern.
It’s not just fun and games anymore—certainly not when playing your favorite online game means becoming a target for a cyberattack.
The personal data of up to 400 gamers was compromised by an attack on Capcom, the game developer behind Resident Evil, Street Fighter and DarkStalkers. Minecraft, Roblox and Animal Jam also reported breaches, as gaming becomes an increasingly popular target for cyberattacks.
Cybercriminals are attracted to gaming companies because selling leaked insider credentials is a lucrative business. By accessing gaming developers’ backend, hackers stole more than 500,000 credentials and put them up for sale on criminal marketplaces.
What we’ve learned
The moral of the story is that a third-party breach can really happen to anyone. While companies erroneously thought that vendor breaches only happened to larger corporations, time has taught us that was far from the truth. Sometimes, in fact, the opposite is true. Smaller organizations may not have the means to create robust third-party security programs and cybercriminals take advantage of that.
Similarly, thinking that attackers are targeting only specific industries is also inaccurate. Their job is to engage in malicious activities on networks or systems with the intent of stealing and profiting from sensitive company information and/or personal data. And they are happy to attack any company, any time, in any industry, so long as their efforts yield worthwhile benefits.
How Panorays Helps
If you’re concerned about whether your organization will be the next one affected by a third-party breach, Panorays can help! Our platform quickly and easily automates third-party security risk evaluation and management, handling the whole process from inherent to residual risk, remediation and ongoing monitoring.
Want to learn more about how you can prevent third-party cyber breaches? Contact Panorays today to schedule a demo.