TPCRM
December 10, 2024

Looking back at third-party breaches and vendor cybersecurity incidents in 2024

As 2024 draws to a close, we wanted to revisit some of the noteworthy third-party incidents of the year, which meant looking back at basically every incident covered in our newsletter. While at it, we took the opportunity to add up the data exposure numbers reported in the press to get a better idea of the overall landscape.

The result? Records of 1.36 billion people were exposed this year in third-party or vendor breaches. Since this is based on the numbers reported in the press, there are some caveats.

But before we get into that, let's review some of the most relevant incidents of the year.

Noteworthy vendor and third-party incidents in 2024

Change Healthcare

Owned by UnitedHealth, Change Healthcare was hit by a ransomware attack in February 2024. Because of Change Healthcare's position in the United States healthcare ecosystem, the incident disrupted payment flows and data access for every other organization that relied on its infrastructure. Several news outlets reported on the struggle of smaller practices caused by the payment delays.

It took until October for the company to confirm that 100 million people had their data accessed by the attackers. We now know that a ransom was paid — likely an attempt to protect user data from leaking to other criminals. In a strange turn of events, the attackers, known as the ALPHV/BlackCat ransomware group, imploded soon after due to internal disagreements, and the whereabouts of the data became uncertain.

In November, UnitedHealth reported its clearinghouse services were finally restored — a full 9 months after the incident.

Covered in our newsletter in March

Evolve Bank

In June, the LockBit ransomware group made headlines after stating it had obtained data from the Federal Reserve. This was inaccurate, however, as the data belonged to Evolve Bank & Trust, a key partner for several fintech startups.

The bank confirmed that 7,640,112 people – many of whom had their data stored at the bank because of these partnerships – had their data stolen by the attackers.

Covered in our newsletter in July

The Snowflake incidents

AT&T, Santander, Ticketmaster, and others were hit by a series of cyberattacks targeted at their data stored with Snowflake, a cloud storage provider. From what is known, the attacks were made possible by leaked credentials and started in April.

Although the breaches didn't target Snowflake infrastructure, the announcement of a feature that allowed customers to enforce MFA made it clear that this was not an option at the time of the attacks (and was probably a contributing factor).

Incidents like these show that even when vectors of attack don’t necessarily meet the formal definition of “vulnerability,” they can be a common weakness that allows attackers to employ the same attack formulae against multiple customers.

Covered in-depth in our newsletter in July

Cencora or MediSecure

Both Cencora and MediSecure are healthcare companies, and each deserves a spot on this list. In May, Cencora disclosed it was notifying individuals about a breach that had taken place in February.

The HIPAA Journal reported that data from at least 27 companies had been breached in the incident. By August, Cencora had to tell the SEC that more data had been exfiltrated than initially believed. Unofficial counts put the number of affected individuals at 1 million.

In the case of MediSecure, an Australian provider of electronic prescriptions, the number of victims is much larger, at 12.9 million. However, none of the reports on the incident said much about how other companies were affected.

Either of these incidents could be noteworthy from a third-party risk or systemic risk perspective, so it's difficult to pick just one. Both were covered in the same issue of our newsletter.

Covered in our newsletter in June

Microsoft / Midnight Blizzard

In January, Microsoft revealed it had been hacked by a Russian state actor tracked as Midnight Blizzard. The intruders used a password spray attack to gain access to an account for a test tenant app which, due to a blunder on Microsoft's part, could be used to grant OAuth access permissions to Microsoft 365 mailboxes. As expected, the compromised account had no MFA.

In March, Microsoft stated they had seen evidence of the attackers attempting to use information exfiltrated from Microsoft to gain further access. They also started notifying customers after finding that emails exchanged with Microsoft employees had been obtained by the attackers.

While the initial Midnight Blizzard campaign against Microsoft took place in late 2023, this was an ongoing story in early 2024. The only Microsoft hack we knew of by the end of 2023 was the one in which Chinese hackers accessed U.S. government mailboxes, prompting an investigation from the Cyber Safety Review Board (CSRB).

Covered in our newsletter in February

CSRB report was covered in May
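Both the Snowflake intrusions (leaked credentials used against accounts where MFA could not be enforced) and the Midnight Blizzard intrusion (a password spray against an account with no MFA) leave a recognizable pattern in identity-provider sign-in logs. The Python below is an added example, not code from this newsletter or from any vendor: it runs a password-spray detector and an MFA-gap check over a handful of constructed sign-in events. The JSON field names, the sample events, and the thresholds are assumptions, not any product's real schema.

```python
"""Detect two credential-abuse patterns in sign-in logs: password spraying
(one source trying a few passwords against many accounts) and successful
sign-ins that were not protected by a second factor.
Added example; the log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample sign-in events (not real data). The fields mirror what
# most identity providers log: time, source IP, account, outcome, MFA method.
SAMPLE_LOG = """\
{"ts": "2024-01-12T02:00:01Z", "src_ip": "203.0.113.7", "user": "alice", "result": "failure", "mfa": "none"}
{"ts": "2024-01-12T02:00:04Z", "src_ip": "203.0.113.7", "user": "bob", "result": "failure", "mfa": "none"}
{"ts": "2024-01-12T02:00:09Z", "src_ip": "203.0.113.7", "user": "carol", "result": "failure", "mfa": "none"}
{"ts": "2024-01-12T02:00:15Z", "src_ip": "203.0.113.7", "user": "dave", "result": "failure", "mfa": "none"}
{"ts": "2024-01-12T02:00:22Z", "src_ip": "203.0.113.7", "user": "erin", "result": "failure", "mfa": "none"}
{"ts": "2024-01-12T02:00:30Z", "src_ip": "203.0.113.7", "user": "legacy-test-tenant", "result": "success", "mfa": "none"}
{"ts": "2024-01-12T08:15:00Z", "src_ip": "198.51.100.20", "user": "alice", "result": "failure", "mfa": "none"}
{"ts": "2024-01-12T08:15:20Z", "src_ip": "198.51.100.20", "user": "alice", "result": "success", "mfa": "totp"}
{"ts": "2024-01-12T09:00:00Z", "src_ip": "198.51.100.21", "user": "bob", "result": "success", "mfa": "push"}
"""


def parse_events(text):
    """Parse one JSON object per line into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Return {src_ip: set(users)} for sources whose failures hit at least
    min_users distinct accounts inside a sliding time window. One user
    mistyping a password several times never trips this; a spray does."""
    failures = defaultdict(list)  # src_ip -> [(ts, user)] in time order
    for event in events:
        if event["result"] == "failure":
            failures[event["src_ip"]].append((event["ts"], event["user"]))
    hits = {}
    for src, attempts in failures.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {user for _, user in attempts[start:end + 1]}
            if len(users) >= min_users:
                hits[src] = users
                break
    return hits


def find_mfa_gaps(events):
    """Accounts that completed a sign-in with no second factor. A leaked or
    sprayed password alone is enough to take these over."""
    return sorted({e["user"] for e in events
                   if e["result"] == "success" and e["mfa"] == "none"})


def spray_then_success(events, sprays):
    """Successful sign-ins from a spraying source: the signal that a spray
    landed rather than only generating noise."""
    return [(e["src_ip"], e["user"]) for e in events
            if e["result"] == "success" and e["src_ip"] in sprays]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    sprays = detect_password_spray(evs)
    for src, users in sprays.items():
        print(f"password spray from {src}: {len(users)} accounts tried")
    print("accounts signed in without MFA:", find_mfa_gaps(evs))
    print("spray followed by success:", spray_then_success(evs, sprays))
```

On the constructed sample, the source 203.0.113.7 fails against five accounts within half a minute and then succeeds against an account that has no MFA, which is the combination worth paging on; the single failure from 198.51.100.20 followed by a TOTP-protected success is ordinary user behaviour and is not flagged. In production, the MFA-gap list is the more durable control: it is the inventory of accounts for which a leaked credential is sufficient, regardless of whether anyone is spraying today.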

CrowdStrike

On July 19th, a Friday, cybersecurity vendor CrowdStrike pushed a malformed update to its Falcon sensor. The update crashed the kernel-level sensor, taking down 8.5 million Windows systems with it.

The systems became stuck in a reboot loop until the update was manually deleted, since Windows would not disable a critical security service even if it crashed at boot. Without a successful boot, the sensor couldn't download a fixed update.

It arguably became the most well-known incident of the year after thousands of travelers faced delays and cancellations at airports, as airlines were among the most affected. At the time of writing, Delta Air Lines and CrowdStrike are suing each other, and Microsoft is working on changing how security software is integrated into Windows.

Covered in our newsletter in August

U.S. Wiretap Hack

The Wall Street Journal reported in October that Chinese hackers known as "Salt Typhoon" infiltrated at least three broadband and communications providers to access systems provisioned to comply with wiretapping orders.

According to the newspaper, the targets of the hacks were Verizon, AT&T, and Lumen Technologies.

Despite near-silence from the companies themselves, the incident was officially confirmed a month later by a joint statement from the FBI and CISA, which reads: "PRC-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity."

The statement doesn't confirm the targets of the hack, but 150 victims are reportedly being notified by the FBI as being the final targets of the hackers — the attack on the telecommunications providers was just a means to get to the people they were aiming for, casting this as a quintessential third-party breach scenario.

Covered in our newsletter in November

Other remarkable incidents

Each of these three incidents is noteworthy for a different reason, but they're also distinctly different from the others we have already covered.

XZ Backdoor — The XZ backdoor was a very impressive (and successful) years-long attempt at backdooring OpenSSH through the XZ Utils project in some Linux distributions. Fortunately, the backdoor was discovered (thanks to a server that made more noise than expected) while the package was still mostly restricted to bleeding-edge distributions, which have fewer users. Covered in April.

Exploding Walkie-talkies — Thanks to a physical supply chain compromise, intelligence agents managed to sell sabotaged pagers and walkie-talkies to members of Hezbollah. Covered in October.

Polyfill — After a change in ownership, a CDN for the polyfill.js file suddenly started serving a modified version of the script to redirect visitors of over 100,000 websites to malicious pages. Major internet companies like Cloudflare and Google acted to redirect the script or block ads on affected pages and to warn website administrators about the need to implement a fix by changing the CDN or self-hosting the file. The CDN denied any wrongdoing. Covered in July.
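The Polyfill case is the textbook reason to pin what a third-party CDN serves rather than trust the URL. Subresource Integrity (SRI) is the standard browser mechanism for that: the page carries a hash of the script it expects, and the browser refuses to run anything else. The post does not mention SRI, so the following Python is an added example (not the newsletter's or any project's code) showing how the integrity value is generated and checked; the two script bodies are constructed stand-ins, not the real polyfill.js.

```python
"""Generate and check a Subresource Integrity (SRI) value for a script that a
site loads from a third party. Added example; the script contents are
constructed and the URL is a placeholder."""
import base64
import hashlib

# Constructed stand-in for the script as originally published (not polyfill.js).
ORIGINAL_SCRIPT = b"window.__polyfill_ok = true;\n"
# Constructed stand-in for a modified copy later served from the same URL.
TAMPERED_SCRIPT = b"window.__polyfill_ok = true;\nlocation.href = 'https://example.invalid/';\n"

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")  # the only digests browsers accept for SRI


def sri_hash(content, algo="sha384"):
    """Return the integrity value a browser expects: '<algo>-<base64 of raw digest>'."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"SRI supports {SRI_ALGORITHMS}, not {algo!r}")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src, content):
    """Build the <script> element to ship in the page. 'crossorigin' is needed
    so the browser can actually verify a cross-origin fetch."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


def matches_integrity(content, integrity):
    """The same check the browser performs before executing the script:
    recompute the digest of what was fetched and compare it to the pinned value."""
    algo, _, _ = integrity.partition("-")
    if algo not in SRI_ALGORITHMS:
        return False
    return sri_hash(content, algo) == integrity


if __name__ == "__main__":
    pinned = sri_hash(ORIGINAL_SCRIPT)
    # Placeholder URL; substitute the real CDN path when generating a tag.
    print(script_tag("https://cdn.example.invalid/polyfill.min.js", ORIGINAL_SCRIPT))
    print("original copy loads:", matches_integrity(ORIGINAL_SCRIPT, pinned))
    print("tampered copy loads:", matches_integrity(TAMPERED_SCRIPT, pinned))
```

The caveat that matters for this particular incident: SRI only works when every visitor receives byte-identical content. A service that generates the script per request (for instance, tailoring it to the requesting browser) cannot be pinned, and in that situation self-hosting a fixed copy, as the post describes, is the remaining fix.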

Putting it all together

Once we added all the numbers reported in the press for breaches that involved a vendor or a critical provider, we found that 1.36 billion individuals were affected by third-party and vendor incidents in 2024.

Some caveats regarding this number:

  • It's not possible to know how many of these records are unique. It's almost certain the same data leaked more than once. Some records are also far more sensitive than others, but we’ve counted them all equally.
  • We tried to count only records that related to people. For example, National Public Data alone leaked 2.9 billion records, but these had data on 170 million individuals. We used the lower number, since we want to examine the number of impacted people, not an arbitrary data point about the quantity of records.
  • Some of the numbers come from posts made by the attackers on leak sites or forums where they offer this data for sale, which may make their accuracy suspect.

Unfortunately, most reports on stolen data will have to deal with these limitations. As an industry, we do not have a standard to track different types of data, or to know how many unique individuals were affected by breaches.

In any case, TechCrunch also made a count and reached a similar number. The largest breaches are Ticketmaster (believed to be 560 million), Synnovis (reported as 300 million people), National Public Data (170 million), AT&T (110 million), Change Healthcare (100 million), and Viamedis/Almerys (33 million).

What's next?

Some companies are still reporting breaches related to MOVEit Transfer from May 2023. Similarly, the breach at Financial Business and Consumer Solutions (FBCS) was first reported as affecting 2 million individuals, but the latest count is 4.2 million. It takes time to investigate third-party incidents.

Even though we will not know the full picture of 2024 until some point in the future, we must make decisions with the best data we can gather today.

It's clear that vendors, critical infrastructure providers, and large organizations that are deeply linked to their industries present risks that must be mitigated by businesses and, potentially, regulators. Those of us who work to protect businesses from disruptions and security incidents have much to gain by understanding what is at stake and planning a third-party cyber risk management program that is up to the task.