I don’t know how to say this any more clearly, but vendors represent a huge risk to every organization.
Lion Air, the Indonesian parent of Malindo Air and other subsidiaries that were breached, confirmed the breach last week.
Why did they confirm it? Perhaps they were being good corporate citizens. An alternative explanation is that the Russian security firm Kaspersky (which the United States banned from federal systems, probably for good reason) outed them and warned customers in Malaysia and Thailand.
The breach compromised 46 million people’s data.
Lion Air cheerfully said that no credit cards – which are easily replaced – were compromised.
What was compromised is passport information (which is difficult and expensive to replace), birth dates (which I have been told are very hard to replace), names, home addresses (I guess you could move) and other personal information. But no credit cards, so relax.
Oh, yeah, the data was left in an unprotected Amazon S3 bucket – NOT AMAZON’S FAULT!
This is just one of many vendor-induced breaches. In June, UpGuard reported that about a terabyte of backup data belonging to Ford, Netflix and TD Bank was found sitting unprotected in Amazon S3 buckets that belonged not to those companies but to one of their vendors, the data-management firm Attunity.
Companies need to create and implement a comprehensive vendor cyber risk management program. This differs from the traditional vendor risk management program, which worries about whether a vendor is licensed and carries insurance; a cyber risk program also asks how the data you entrust to the vendor is being protected, and by whom: the vendor, your company, or both. Many cloud providers, including Amazon, use what they call a “shared responsibility model”, meaning that both parties are responsible. In Amazon’s case, AWS secures the underlying infrastructure and gives you the controls (Block Public Access, bucket policies, ACLs, access logging) and the documentation, but configuring those controls is your job, not theirs. And you must test frequently. And test again.
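Three settings decide whether an S3 bucket is world-readable: the bucket policy, the bucket ACL, and the Block Public Access configuration. The audit below is an added example, not code from this post or from AWS; it evaluates all three offline from the same JSON and dict shapes the S3 API returns, against constructed sample inputs (the bucket name `example-backups`, the account ID and the `backup-writer` role are invented). The `assess_live_bucket` wrapper shows how the same checks would be fed from a boto3 client; it is not executed here.

```python
"""
Offline audit of S3 bucket exposure: bucket policy, bucket ACL and Block
Public Access evaluated from the structures the S3 API returns.
Added illustration, not code from the post or from AWS.
"""
import json

# Grantee URIs that make an ACL grant public (real AWS group URIs).
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def principal_is_public(principal):
    """True if a policy statement's Principal is the anyone wildcard."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def policy_public_statements(policy_json):
    """Sids of Allow statements that grant to any principal with no Condition."""
    policy = json.loads(policy_json) if policy_json else {}
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):       # a single statement may be a bare object
        stmts = [stmts]
    found = []
    for i, s in enumerate(stmts):
        if s.get("Effect") != "Allow" or not principal_is_public(s.get("Principal")):
            continue
        if s.get("Condition"):        # conditioned grants (aws:SourceVpc etc.)
            continue                  # need manual review; not flagged here
        found.append(s.get("Sid", "statement[%d]" % i))
    return found


def acl_public_grants(grants):
    """Permissions the ACL hands to AllUsers or AuthenticatedUsers."""
    return [g.get("Permission") for g in grants
            if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES]


def public_access_block_complete(config):
    """True only when all four Block Public Access flags are on."""
    return all(config.get(k) is True for k in PAB_KEYS)


def assess_bucket(policy_json, grants, pab_config):
    """Combine the checks. A public policy or ACL is only exploitable when
    Block Public Access is not fully enabled, but the BPA state is always
    reported so the owner can turn it on before the next mistake."""
    pol = policy_public_statements(policy_json)
    acl = acl_public_grants(grants)
    bpa_ok = public_access_block_complete(pab_config)
    return {
        "public_policy_statements": pol,
        "public_acl_grants": acl,
        "block_public_access_complete": bpa_ok,
        "exposed": bool(pol or acl) and not bpa_ok,
    }


def assess_live_bucket(s3, bucket):
    """Same checks against a live bucket via a boto3 S3 client (not run here).
    A missing policy or BPA config raises ClientError and counts as absent."""
    from botocore.exceptions import ClientError

    def fetch(call, key):
        try:
            return call(Bucket=bucket)[key]
        except ClientError:
            return None
    policy = fetch(s3.get_bucket_policy, "Policy")
    grants = fetch(s3.get_bucket_acl, "Grants") or []
    pab = fetch(s3.get_public_access_block, "PublicAccessBlockConfiguration") or {}
    return assess_bucket(policy, grants, pab)


# --- Constructed sample inputs (bucket name, account and role are invented) ---
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-backups",
                     "arn:aws:s3:::example-backups/*"],
    }],
})
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BackupWriterOnly", "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
        "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-backups/*",
    }],
})
LEAKY_ACL = [{"Grantee": {"Type": "Group",
                          "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
              "Permission": "READ"}]
BPA_ON = {k: True for k in PAB_KEYS}

if __name__ == "__main__":
    print("leaky:   ", assess_bucket(LEAKY_POLICY, LEAKY_ACL, {}))
    print("hardened:", assess_bucket(HARDENED_POLICY, [], BPA_ON))
```

Running the two samples shows why “test, and test again” matters: the leaky backup bucket is reported as exposed through both its policy and its ACL, and turning on all four Block Public Access flags is what neutralizes both even before the policy is fixed. Statements with a `Condition` are deliberately skipped rather than assumed safe, because a condition on `aws:SourceIp` or a VPC can still be far wider than intended and needs a human to read it.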
Costs, fines and lawsuits as a result of this breach will no doubt cost Lion Air many millions of dollars.
One more consideration if you are wondering if you need a vendor cyber risk management program.
Colorado law (for those of you based here or with customers here) requires you to ensure that vendors are protecting your data before you share it with them, so by not having a vendor cyber risk management program you are not just taking a risk, you are breaking state law.
Sources: ZDNet and Dark Reading.