Gemini, Uber data breaches show third-party risk can’t be ignored 

Third-party risk is one of the most overlooked threats in enterprise security. Research shows that over the past 12 months, 54% of organizations have suffered data breaches through third parties. This week alone, both Uber and cryptocurrency exchange Gemini have been added to that list.

Most recently, Gemini suffered a data breach after hackers breached a third-party vendor’s systems and gained access to 5.7 million emails and partially obfuscated phone numbers.  

In a blog post reflecting on the breach, Gemini acknowledged that while no account information or systems were impacted as a result, some customers may have been targeted by phishing campaigns following the breach. 

While the information exposed in the Gemini breach is limited to emails and partial phone numbers, the hack highlights that targeting third-party vendors is a reliable way for threat actors to gather information to use in social engineering scams and other attacks. 

Why third parties are an easy target for data breaches

In the case of the Uber breach, hackers first gained access to Teqtivity’s internal systems and an AWS server, before exfiltrating and leaking the account information and Personally Identifiable Information (PII) of roughly 77,000 Uber employees.

Although the Uber and Gemini breaches are separate incidents, the two organizations have been left to pick up the pieces and run damage control after a third-party vendor’s security protections failed. 

“In the grand scheme of things, lost email addresses aren’t the worst data element to be used; however, it is a stark reminder that enterprises are still going to take heat for breaches that (allegedly) occur with their third-party vendors,” said Netenrich principal threat hunter John Bambenek. 

When considering these incidents amid the wider trend of third-party breaches, it appears that threat actors are well aware that third-party vendors are a relatively simple entry point to downstream organizations’ systems. 

After all, an organization not only has to trust their IT vendors’ security measures and hand over control of their data, they also have to be confident that the vendors will report cybersecurity incidents when they occur. 

Unfortunately, many organizations are working alongside third-party vendors they don’t fully trust, with only 39% of enterprises confident that a third party would notify them if a data breach originated in their company. 

The risks of leaked emails: Social engineering 

Although email addresses aren’t as damaging when released as passwords or intellectual property, they do provide cybercriminals with enough information to start targeting users with social engineering scams and phishing emails. 

“While this specific instance [the Gemini breach] involves a cryptocurrency exchange, the takeaway is that of a much more general problem [with] threat actors gaining target information (emails, phone numbers) and some context on that information (they all use a specific service) to make it relevant,” said Mike Parkin, senior technical engineer at cyber risk remediation provider Vulcan Cyber. 

“Random emails are fine if you are shotgunning Nigerian Prince scams, but to deliver more focused cast-net attacks that target a specific organization or user community, having that context is threat-actor gold,” Parkin said.

In the future, fraudsters will be able to use these email addresses to draw up highly-targeted phishing campaigns and crypto scams to try to trick users into logging into fake exchange sites or handing over other sensitive information. 

The answer: Third-party risk mitigation 

One way organizations can begin to mitigate third-party risk is to review vendor relationships and assess the impact they have on the organization’s security posture. 

“Organizations need to understand where they could be exposed to vendor-related risk and put in place consistent policies for re-evaluating those relationships,” said Bryan Murphy, senior director of consulting services and incident response at CyberArk. 

At a fundamental level, enterprises need to start considering third-party vendors as an extension of their business, and take ownership so that necessary protections are in place to secure data assets. 

For Bambenek, the most practical way CISOs can do this is to embed security at the contract level.

“CISOs need to make sure at least their contracts are papered to impose reasonable security requirements and they used third-party risk monitoring tools to assess compliance. The more sensitive the data, the stronger the requirements and monitoring need to be,” said Bambenek. 

While these measures won’t eliminate the risks of working with a third party entirely, they will afford organizations additional protections and highlight that they’ve done their due diligence in protecting customer data.