Today’s columnist, Shira Shamban of Solvo, lays out four best practices for mitigating third-party attacks in the wake of the latest breach of Teqtivity, one of Uber’s third parties. (Photo by Justin Sullivan/Getty Images)
Editor’s Note: This Perspectives column was updated to reflect that the incident centered around a breach of Teqtivity, a provider of asset management and tracking services, and one of Uber’s third parties.
The recent third-party breach of Uber data, in which an attack on its vendor Teqtivity exposed sensitive employee and customer data to the BreachForums hacking forum, was the latest in a string of security incidents Uber has had to face in the last few years.
While these are unfortunate events, the breach offers lessons that can help organizations avoid the repercussions of a serious third-party cyberattack. The Teqtivity incident shows that even the largest organizations with advanced security teams have weak links that cybercriminals are ready to exploit, and it highlights the ever-growing impact of third-party risks. The industry needs to stay hyper-vigilant about the access that third parties have to organizations and their data. Given the expanse of the corporate supply chain, third parties have become an extension of enterprise attack surfaces, and security teams must prepare accordingly or face the same potential fate as Uber. By proactively implementing these four best practices, businesses will have a leg up in shielding themselves from an attack.
As long as we are building software using APIs, we will encounter third-party risks. APIs are an integral part of building applications in the cloud, so we will always rely upon them in some way until there’s another fundamental shift in IT architecture. According to 2022 IBM research, almost half of all data breaches happened in the cloud.
The lesson here: we must build applications with a zero-trust strategy at their core so guardrails are in place to protect against third-party risk. Without a zero-trust strategy, organizations are left vulnerable to third-party risks in several ways: applications built with connectivity in mind, misconfigurations at the beginning stages of an application build, or an attack that targets a third party. The latest security incident involving Uber’s third-party data recasts the spotlight on minimizing exposed attack surfaces and vulnerable third-party touchpoints.
Jan. 1, 2023, marked the first day of enforcement of the California Privacy Rights Act (CPRA), an extension of the existing California Consumer Privacy Act (CCPA). With many employees located in California, Uber might land in the hot seat if found in violation of the new statute. In fact, the law specifies that all data owners residing in California are entitled to the rights of the CPRA, regardless of where company headquarters are located. Under these regulations, organizations must prove how they are connected to third parties and the kind of data they are letting them store. Controlling data within large organizations is already tricky. For organizations in the cloud, it’s even trickier. IT and security teams looking to maintain compliance need to figure out who has access to what data, including which cloud components have access to data. These teams must ensure they implement a least-privileged model, only granting privileges to the users and devices that absolutely need them.
The Teqtivity breach underscores the massive cybercriminal element that propels many breach events today. The Uber data compromised through the third party was published on the BreachForums cybercriminal forum, which currently has over 238,000 members. Notorious cybercriminal forums such as this one enable threat actors to quickly spread sensitive data to thousands and millions of people online. Organizations need to consider the downstream ramifications that come with data breaches beyond what the industry considers the total cost of a breach. We have seen how quickly a large forum such as RaidForums relaunched as BreachForums when it was shut down last year. The aggressive nature of cybercriminals means that once they steal data, it’s very hard to track and stop the reach of its exposure.
In this case, although it was Teqtivity’s systems that were breached, Uber still bears responsibility for the potential damage. This further amplifies the importance of a zero-trust approach to Identity and Access Management (IAM). It’s ultimately the company whose data was compromised that bears the consequences. Entities should not have access unless they absolutely need it, including partners and third parties.
Companies must implement an identity-centric security model more widely. In today’s cloud-first era, it’s necessary to have strong IAM practices throughout the IT supply chain, which starts with creating a unique identity not only for each individual employee or stakeholder but also for the specific cloud components, such as containers, serverless functions, and data resources. Maintaining a least-privileged state – at scale – is a lesson that many recent breaches have taught us.
The latest incident involving Uber’s third-party data reinforces the idea that every organization can assume it is at risk at any given moment. As more and more businesses shift to the cloud, attacks show no sign of slowing down. Increasingly proactive defense, the adoption of zero-trust strategies, and coordinated security efforts among all IT supply chain stakeholders must become part of the cloud-centric enterprise’s playbook, or the enterprise runs the risk of serious business disruption.
Shira Shamban, co-founder and CEO, Solvo
Copyright © 2023 CyberRisk Alliance, LLC All Rights Reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorization.