Hackers look to suppliers for access to corporate systems and data

Out-Law News | 01 Dec 2021 | 11:27 am | 2 min. read

The need to obtain contractual commitments from suppliers on reporting cybersecurity incidents has been highlighted by new analysis carried out by international professional services firm Pinsent Masons.

An annual review of incidents worked on by the cyber team at Pinsent Masons (20-page / 4.89MB PDF) has identified a marked increase in the number of cyber incidents in which an intrusion into corporate systems had originated with a cybersecurity breach at a supplier, compared to the previous year.

Julia Varley, a member of the cyber team at Pinsent Masons, said that requiring suppliers to notify the cybersecurity incidents they experience is important because of the incident and data breach reporting obligations businesses face. Those obligations arise in heavily regulated industries such as financial services and energy, but also under more general legislation such as the General Data Protection Regulation (GDPR), which sets out strict timeframes for reporting breaches to regulators.

“We have seen a number of ransomware incidents affecting clients’ data processors,” Varley said. “We advised several clients whose data was impacted in the ransomware attack on Blackbaud, a technology provider that operates and supports the online donation technology platforms and databases for a large number of organisations worldwide. As part of the attack a backup file containing data relating to Blackbaud's clients was exfiltrated by the attacker. We advised several clients on the impact on their obligations as data controllers and consequent reporting obligations under the GDPR as well as other regulatory regimes.”

“In supply chain-based cyber incidents, data controllers are heavily reliant upon the data processor or managed service provider to provide information and support during the course of a cyber event. However, many controllers will also – at an early stage – want to consider the potential legal recourse against such a third party, particularly in circumstances where there is clear evidence of a vulnerability the third party should have protected against,” she said.

Varley said that Pinsent Masons had also been engaged in work in relation to the SolarWinds and Kaseya cyber attacks, which targeted software supplied to a large number of organisations.

Varley said: “In the SolarWinds incident, attackers inserted malware into software updates. When customers downloaded these updates, they inadvertently downloaded malware onto their systems, which created a backdoor for the attackers to access the customers’ systems and deploy further malware. Similarly, the Kaseya attack involved the leveraging of a vulnerability in Kaseya’s virtual system administrator software, which was used by a number of managed service providers to administer their customers’ networks. Through this vulnerability, attackers were able to access and encrypt the providers’ end-customer systems.”

According to Pinsent Masons, most cyber incidents are identified internally by the organisation. However, over the last year there has been a jump in the proportion of incidents reported to an organisation by suppliers or other third parties. This happened in 39% of the cases Pinsent Masons’ cyber team worked on in the last year, up from 22% in the previous 12 months.

Pinsent Masons’ cyber team’s annual report for 2021 also identified the heightened cyber risk for businesses that has arisen from the growth in home working.

Varley said: “The Covid-19 pandemic which resulted in enforced home working around the globe provided greater opportunity for attackers as an increasing number of functions were moved online at very short notice, resulting in overloaded IT teams, stretched security monitoring protocols / software and slower incident detection. We have seen a number of serious incidents arising because of a lack of security being applied by organisations when employees are working outside of the normal office environment. Vulnerabilities in VPNs or remote desktop protocols appear to have been more readily exploited when employees are working remotely.”

Growth in compensation claims raised by or on behalf of data subjects, and a rise in the use of malware attacks, in particular ransomware, were also identified by Pinsent Masons’ cyber team over the past 12 months. The report also identified the use of increasingly sophisticated phishing emails by cyber criminals.

“Some phishing emails are very realistic and authentic,” Varley said. “We have seen attackers use more sophisticated methods of phishing campaigns, through the sending of phishing emails from genuine accounts of organisations in a client’s supply chain. These can make the threat very difficult to identify. However, we continue to see intrusions arising out of phishing emails which should be much easier to spot, particularly by individuals who have received phishing awareness training.”

“The key to guarding against these types of attack remains largely down to educating employees through methods such as conducting simulated phishing campaigns to raise awareness. In addition, we recommend the use of multi-factor authentication across systems, maintaining robust back-ups, and adopting principles of least-privilege and network segregation to protect against an attacker moving laterally through the IT estate,” she said.