Third Party Security Failure Caused 1 TB Data Breach at Saudi Aramco; Hackers Play Puzzle Games With Oil Giant
Tuesday, July 27, 2021
Though Saudi Aramco says that its normal operations were not negatively affected by the data breach, a third party security vulnerability is something they have little control over beyond terminating their arrangement with the vendor and finding a new one.
According to Ilia Kolochenko, Founder/CEO and Chief Architect of ImmuniWeb, this highlights the need for comprehensive programs that can manage the third party security risk created by dealing with potentially hundreds to thousands of contractors: “Aramco’s statement saying that the data comes from a third-party contractor highlights the importance and urgency to implement a holistic Third-Party Risk Management (TPRM) program to prevent supply chain attacks. Furthermore, a growing number of legislation including the UK and EU GDPR, state and federal laws in the US and emerging privacy laws in Brazil or South Africa now make companies liable for their breached suppliers. Given that some of the compromised data allegedly comes from 1993, it is not impossible that the data comes from several breached suppliers as well as from Aramco networks directly. Oftentimes, suppliers have privileged and virtually uncontrolled access to corporate resources on-premises and in the cloud, both of which are low-hanging fruit for shrewd cybercriminals. Many modern cyber gangs focus solely on hacking technology vendors to pivot to their customers in a simple, inexpensive and effortless manner.”