The year 2020 saw many more businesses embracing remote networking solutions to power their work from home. Cybercriminals, recognizing the opportunity, sought out unauthorized access. In January, Ubiquiti emailed its customers informing them of a data breach at its third party cloud provider host.
Regrettably, third party cloud provider breaches are not uncommon. As digital transformation changes the way we do business, companies are more likely to integrate their technology and networks with third party cloud providers. These third parties require privileged access to the business network. Then, in a breach, their access credentials can provide a path into their partner’s data and IP.
Third-party data breaches can bring major damage to enterprises and devastate small businesses. A Ponemon Institute study revealed,“53% of organizations have experienced one or more data breaches caused by a third party, costing an average of $7.5 million to remediate.”
Third-parties include companies offering data management, web hosting, e-mail services as well as law firms, subsidiaries, vendors, service providers, and subcontractors. Several well-known brands suffered third-party breaches in 2020 including:
- General Electric experiencing a data-leak through unauthorized access to an employee email account at third-party service provider Canon Business Process Services
- T-Mobile informing a million customers of a targeted attack on its email provider
- Amazon, Ebay, Shopify, Stripe and Paypal all impacted by a security vulnerability at a third-party app used by small European Union retailers to calculate value-added taxes
What Happened at Ubiquiti
Ubiquiti announced a data breach that could affect its cloud integration. Ubiquiti Cloud service, when enabled, allows a user to remotely connect and manage Ubiquiti controllers worldwide. The networking equipment and IoT device vendors UI.com site is used to manage devices from a remote location and as a help and support portal. “We recently became aware of unauthorized access to certain of our information technology systems hosted by a third party cloud provider,” Ubiquiti said in a January 11 email. Users then contacted the company to determine whether the email was legitimate or a phishing attempt. Ubiquiti in user forums confirmed the legitimacy of the communication.
The company stated it hadn’t found any evidence user data was accessed, yet it conceded it couldn’t say with certainty “that user data has not been exposed.” The potential at-risk data includes: names, emails, phone numbers, addresses, and passwords. Ubiquiti described the passwords as “one-way encrypted…(in technical terms, the passwords are hashed and salted).”
Ubiquiti encouraged its users to:
- Change their passwords
- Enable two-factor authentication
- Reset passwords on sites where the user employed the same access credentials
The company has not said how many Ubiquiti users are impacted or how the breach occurred.
Reducing Your Third Party Cloud Provider Risk
Research indicates companies are uncertain whether their third party vendors:
- Would inform them of a breach
- Are adequately addressing the ever-changing landscape of third-party risk
- Provide sufficient information for the company to determine level of risk
- Develop a list of high-impact vendors
- Identify assets exposed to vendors and vendor assets that store your data
- Manage the relationship with your vendors
- Refine the vendor list for ongoing monitoring
- Develop initial “threat scenarios”
- Perform ongoing risk mitigation
A better practice is to avoid working with a third-party vendors you don’t need, or at least minimize your exposure. In the newest iteration of our AccessEnforcer, the evolution of Gatekeeper protects against the kind of breach Ubiquiti suffered. With AccessEnforcer 5.0.2 customers can enjoy secure remote access to Internet of Things devices, like wireless controllers, with multi-factor authentication, without relying on a third-party service. Access Enforcer 5.0.2 is available now in beta by request.
Find out more about the ways in which Gatekeeper and our other new AccessEnforcer feature, GeoFence, help reduce your business’s third party cloud provider risks. Zero Trust Security is within reach of the small business too.