Third-party vendors are critical to and business or industry – but they confirm to significant amount of cyber risk. Qanatas airline confirmed of cyber attack where nearly  six million customers data may have been compromised. The airliner issued statement that said credit card details, financial information, and passport details were not part of the breach.

Qantas said in a statement: “We are continuing to investigate the proportion of the data that has been stolen, though we expect it will be significant. An initial review has confirmed the data includes some customers’ names, email addresses, phone numbers, birth dates and frequent flyer numbers.”

The alarming aspect of a third-party data breach is the sheer scale of impact. Hackers have the potential to attack thousands of organizations in one fell swoop.

KPMG, study showed how 73% of organizations have experienced at least one significant disruption from a third-party cyber incident within the last three years. 

Qantas Group chief executive Vanessa Hudson said the company was working closely with the National Cyber Security Coordinator and the Australian Cyber Security Centre.

We sincerely apologies to our customers and we recognize the uncertainty this will cause. Our customers trust us with their personal information, and we take that responsibility seriously,” she said.

In the breach that affected Qantas airliner which is one of the oldest, did not point to any hackers group. This data breach is one of Australia’s biggest breach in years which caused major setback and reputation damage to an airliner.

Last week, FBI said Scattered Spider group  was targeting airlines and that Hawaiian Airlines (HAII.UL) and Canada’s WestJet had already reported breaches. Read more on our blogs:

Key pointer of the Qantas Breach

The Cyber hacker broke into a database containing the personal information of millions of customer.

The breach was executed by hackers who targeted a call center and gained access to a third-party customer service platform containing six million names, email addresses, phone numbers, birth dates and frequent flyer numbers.

Third party risk management is complex but neglecting can be fatal for organizations whose data volume is huge such as airliners.

The airline is emailing affected customers and has set up a dedicated support line at 1800 971 541 (or +61 2 8028 0534 from overseas).

If we observe in recent past 2020, the solar Winds attack that happened where Solar winds confirmed that its network had been penetrated by a malicious actor and a complex malware program inserted into software updates of its technology platform – SolarWinds OrionⓇ.

Such is the magnitude of the attack that the malware program comprised a multistage process, scanning downstream customer networks to detect security tools it could avoid or disable, and stealthily connecting to the attacker’s command and control servers. The malware persisted for months before initial detection.

The solar winds attack cost to the company amounted to significant loss with Incident response and forensic services cost companies 11% of their annual revenue (an average of $12 million). 

How to make sure your vendor don’t create unnecessary risk that pose challenge for organization at large

First ensure your third party vendor’s meet the required robust security posture

Vendor risk assessment must be done holistically by streamlining due diligence

Upon discovery of any vulnerabilities, it is important that customizing and updating security requirements of the newly discovered threats and patch.

As a part of better threat mitigation strategy it is important that to automate vendors onboarding this will provide agility.

Managing Third party risk with Intru360

A research with KPMG found that found 61% of businesses underestimate third party risk management and often also struggle to have a healthy operation model and scale it same time.

KPMG research further found that Third-party/nth-party risk management that covers all third-party relationships over the entire life cycle; subjects vendors that support critical activities or are heavily relied upon to more comprehensive and rigorous oversight; and considers transition, contingency, recovery, and duplicity alternatives.

With most of the technology investments fail to provide visibility into third-party risk, we at Intercept help you to expand the scope and cover third parties related risk areas by identifying.

Intru360 gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.

In vendor security and management here are some of the features we offer to make sure cyber health of each and every supplier is checked and alerts are placed to get notification.

Prebuilt playbooks and automated response capabilities.

Over 400 third-party and cloud integrations.

More than 1,100 preconfigured correlation rules.

Ready-to-use threat analytics, threat intelligence service feeds, and prioritization based on risk.

Sources: https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know

https://kpmg.com/us/en/articles/2022/ten-key-regulatory-challenges-2023-risk-governance.html

https://www.sbs.com.au/news/article/qantas-data-breach-everything-we-know-so-far-about-stolen-customer-details/49iggxre0