Risk teams are no strangers to the nuanced threat of data breaches and system compromises. Yet an emerging peril is making breach risk management even more complicated. The rise of the third-party breach, sometimes called a supply-chain attack, is adding to the list of risks faced by public sector organizations.
Third-Party Breaches on the Rise
An analysis of U.S. data breaches in TransUnion’s 2023 Omnichannel Fraud Report showed a 145% increase in third-party breaches between 2020 and 2022. The severity of the breaches, in terms of the potential identity and fraud risks measured by TransUnion’s Breach Risk Score algorithm, also rose by 23%.
Cybercriminals favor third-party breaches mainly because of the scale they provide. Penetrating the cyber defenses of a large enterprise can take months of research and multiple attempts. Targeting smaller service providers — which often have less robust cybersecurity resources — can give attackers access to the data and systems of dozens of the organizations that vendor serves. With less effort and a higher volume of targets, bad actors realize significant financial gain.
Disproportionate Impact on the Public Sector
While third-party breaches can happen to organizations in any sector, last year’s MOVEit breach is an example that hit public institutions especially hard.
Colleges and universities took the greatest hit, but a significant number of government agencies and public health programs were also affected. Sensitive personal data was stolen from several high-profile users of the platform, including the US departments of Energy and Agriculture; New York City School District; registries of motor vehicles in Oregon and Louisiana; Colorado’s state health agency; and more than 850 colleges and universities.
Criminal access to private personal data, such as student records and driver’s license information, exposed millions of constituents to the risks of identity theft, social engineering scams and financial schemes.
Numerous Post-Breach Risks Impact Public Organizations
As risk management teams plan for potential third-party breaches, they should establish controls and mitigation strategies that not only help reduce the risk of such attacks, but also help the organization recover in the wake of an incident.
Some of the considerations to weigh when planning those strategies include:
- Ongoing disruption of services or benefits for constituents. By their nature, forensic investigations of third-party breaches take longer, often delaying restoration of critical systems and processes.
- Undue stress and hardship among employees. Whether fielding calls from upset constituents or losing access to technology, breaches can make even menial tasks a headache.
- Exposure of internal and employee data. Cybercriminals frequently seek personal data of employees to help them pull off sophisticated social engineering schemes that can provide access to the employer’s systems.
- Loss of trust that can occur among constituents, the public and funding sources.
- Long-tail exposure of sensitive data. Once stolen data is brokered on the dark web, it can cause problems for victims for years.
- Compliance with state notification rules. Regulations vary widely by state, by the size of the breach and even by sector — and they change frequently.
After rampant attacks in 2023, cybercriminals are eyeing opportunities to replicate their success in 2024, so the threat of supply-chain attacks is only expected to increase. Make sure your team has taken proactive steps to minimize the risk of being caught in a supply-chain attack — and that your organization has a response plan in place to enable a fast, effective reaction if an incident does occur.
*The views and opinions expressed in the Public Risk Management Association (PRIMA) blogs are those of each respective author. The views and opinions do not necessarily reflect the official policy or position of PRIMA.*
By: Walter Hoffman
Vice President, Public Sector, Sontiq (a TransUnion Company)
Summary of Qualifications
Walter is an accomplished strategy executive with a history of building and nurturing mutually beneficial engagements across the government sector. He is an acknowledged thought leader in personal identity protection, breach readiness, breach response, data analysis and emerging technology. A skilled communicator, Walter has a strong track record of client-centered engagement with entities across the public sector vertical, from public universities to local municipalities.
Responsibilities
Walter builds relationships with both federal and SLED government organizations, helping them develop new strategies for personal identity protection, breach readiness and breach response.
Business Experience
Walter has held senior leadership positions with Fiserv, Equifax, LendingTree, Appraisal.com, Greenwich Associates, Javelin Strategy & Research, Hoffman Advisory Group and numerous start-ups.
Professional Affiliations
Walter is a mentor with the Sellinger School of Business Mentorship Program.
Education
Walter has an MBA from Loyola University of Maryland and a BA in Economics from Williams College.