A recent breach at a commercial corporate database is putting the spotlight back on the risks posed by third-party vendors, solution providers said.
Approximately 33.7 million unique email addresses and contact information were exposed as part of a leak of a 52-GB database owned by Dun & Bradstreet, according to a report in ZDNet. The database also contains names, job titles, job functions, work email addresses and phone numbers, as well as general corporate information.
The database brings together information on corporations and their employees, to then be sold in bulk or in part to marketers or other companies for targeted sales campaigns. This leaked database, in particular, includes information on tens of thousands of employees at AT&T, Boeing, Dell, FedEx, IBM and Xerox, the report said. The database also includes extensive records on employees at a variety of government agencies, including more than 100,000 employees at the Department of Defense.
Dun & Bradstreet denies in the report that any of its own systems were breached or compromised, and it is not immediately clear how the breach occurred. The database has been sold to "thousands" of companies, the report said, any of which could have been compromised.
The breach is the latest potential example of a rising trend toward third-party breaches, where a supplier or customer is hacked as an avenue to a larger ultimate target. Tom Patterson, chief trust officer and vice president of security at Blue Bell, Pa.-based Unisys, No. 19 on the 2016 CRN Solution Provider 500, said his company's security and cyber intelligence teams are seeing these types of "ecosystem attacks" regularly now.
While initial awareness of third-party risk started with the Target breach in 2013, Patterson said he sees customers increasingly looking to invest in security solutions to solve this problem. As one example, he said he is seeing some customers require suppliers to have a certain level of security protections in their purchasing agreements, which he said is a "relatively new concept."
"Providing security across an ecosystem is becoming increasingly more critical," Patterson said.
Patterson said solution providers play a critical role in helping customers secure themselves against ecosystem attacks, adding they can "become the glue that helps solve that ecosystem risk." The challenge for customers, he said, is that third-party breach risk can't be solved with traditional security technologies and requires a more advanced security approach.
"Customers understand this risk and are responding, but they are struggling to find the right tools. It's hard to address this problem with yesterday's tools. You don't solve this problem with firewalls and anti-virus. You solve it with micro-segmentation, behavioral biometrics and advanced analytics. These are the new tools that smart companies are using to protect themselves in this highly connected world," Patterson said.
Patterson said solution providers should also be on high alert for phishing attacks stemming from the leak of this database, as the information, while not highly sensitive, could provide fodder for more targeted phishing attacks on company employees.