Late last week, the Associated Press reported that nearly 30,000 Department of Defense workers may have had Personally Identifying Information (PII) exposed due to a data breach from a third-party vendor. The information was reportedly associated with travel records.
The breach was discovered on Oct. 4th, but there seems to be uncertainty regarding how long hackers had access to the information.
To be clear, this breach is not due to a direct lapse in security on the part of the DoD. The vendor in question (which has not been named) was breached.
How does an organization like the DoD deal with this type of risk? The main way is through a third-party risk management program. We discuss some of the basic tenets in two articles (see our third-party risk series: part I and part II).
The U.S. Department of Defense is known for having mature vendor risk processes. Tasks such as certifying each vendor, tracking it, and understanding the risk it carries are typically performed quite well. So it is no surprise that the DoD rapidly identified the vendor involved in this breach.
The gap appears to be in rapidly identifying that a breach had occurred at all. The breach was discovered and reported on Oct. 4th, but it is unknown how long the attackers had access, whether they exfiltrated other data, or whether the information has already been sold in the criminal hacker community.
Answering these questions is why third-party risk management needs to be augmented with its own threat intelligence to be complete. Mature vendor risk management processes are necessary, and they help an organization understand the vulnerabilities associated with a vendor, but they are only part of the picture. Knowing which types of attackers target that vendor, whether its data has been exfiltrated and sold in the past, and what hackers are saying about that vendor's brand and software is key to understanding how threat actors view the vendor and to determining the full third-party risk picture.