Third party, fire and (data) theft

The recent Typeform data breach has thrown into sharp relief the dependence of larger organizations on third-party suppliers.

This dependency creates a reliance on external parties to keep customer data secure. This reliance is a trust that’s sometimes broken, but even so it’s difficult (if not impossible) to break the dependency, according to experts.

Few had heard of Typeform – an online form and survey building service – until last week when it revealed details of a June breach that allowed as-yet unidentified hackers to download data from a backup server.

This breach affected clients of the firm including start-up bank Monzo, hotel chain Travelodge, luxury retailer Fortnum & Mason, and political party the Liberal Democrats, in the UK alone.

The compromised data included names, email addresses, and other pieces of information entered by users via Typeform forms.

Neither financial information nor passwords were exposed by the breach, but it was left up to Typeform’s clients – the companies that used it as a survey form supplier – to notify affected individuals.

Travelodge warned that first name, date of birth, mobile number, and email address of customers had been exposed by the breach.

Monzo reckoned the purloined data was limited to customers’ email addresses for most of its 20,000 affected customers. Some gave their Twitter handle and postcode in the course of completing forms, so this information has also been exposed.

Picking up the pieces

In all cases, the biggest effect of the Typeform breach is in placing consumers at greater risk of phishing or other scam emails.

Under the recently introduced General Data Protection Regulation (GDPR), organizations are obliged to disclose breaches of their customer data even if they weren't directly to blame.

GDPR carries the threat of much heavier fines in the event of data breaches, along with tighter deadlines for publicly disclosed data spills, which are nearly always accompanied by adverse publicity.

“Controllers have an obligation to report data security breaches to the ICO unless there is unlikely to be a risk to individuals,” an ICO statement on the Typeform breach stated. GDPR applies to both “controllers” and “processors”, the latter potentially being third-party data processing firms or service suppliers.

The issue of bigger companies being obliged to apologize for the spill of customer data entrusted to third-party tech contractors is far from restricted to the Typeform case.

The breach of cloud-based human resources firm PageUp, for example, affected Telstra, National Australia Bank and supermarket chain Coles. Third-party risk doesn’t stop at data breaches.

A malicious alteration to the BrowseAloud JavaScript library back in February resulted in cryptomining JavaScript malware appearing on the websites of UK government agencies and many others, as previously reported.

Alteryx, a California-based data analytics firm, left data sets belonging to Alteryx partner Experian, the consumer credit reporting agency, as well as the US Census Bureau, on a publicly exposed Amazon S3 cloud storage bucket, researchers discovered late last year.

So should enterprises be relying less on third-party technology providers as a strategy?

Brian Honan, infosec consultant and founder of Ireland’s CSIRT, told The Daily Swig that enterprises should be assessing the security and privacy controls of their third-party suppliers.

“Enterprises will always rely on third-party solution providers,” Honan explained. “The key thing enterprises need to remember is they should not blindly trust these third parties.

“Enterprises should assess the security and privacy controls of these third parties, particularly with regards to data protection and GDPR, as ultimately the enterprise is responsible for the data gathered by the third party/parties on their behalf.”

Due diligence procedures should be part of the process of taking on third-party suppliers, Honan added.

“A simple questionnaire as part of their due diligence when engaging with a third-party vendor should cover most areas regarding security,” he explained. “For larger providers enterprises should seek assurances by seeing if those providers adhere to industry standards such as ISO 27001.

“Alternatively the provider should be asked to present independent validation of their security by a trusted security firm, such as security assessments and penetration test reports.”

Proactive security measures

Ultimately, Honan said service providers need to get their own house in order.

“Third party providers should be more proactive with regards to their security,” he stated. “This should include publishing details of how they secure data of their customers, adhering to industry standards, and providing documentation to clients on how to securely integrate their systems.”

Professor Alan Woodward, a computer scientist from the University of Surrey in England, also emphasized the need to audit third-party software or services suppliers.

“I’m not sure it’s practical to avoid using third-party software,” Professor Woodward told The Daily Swig. “It does mean you have to remember you have liability, as you are providing the end solution so you need to do due diligence on that software.

“That can include making sure that the software is regularly audited. It should also mean that you ensure that you are using the third-party software only as they intended, i.e. if their threat model makes assumptions you need to stick to those.”

“Most of all you need to make sure that the third parties stand behind their software with appropriate guarantees: commercial agreements matter and give a good indication of just how confident the authors are in the integrity of their code,” he added.