When Ticketmaster U.K. disclosed it had suffered a data breach, the company also revealed the cause of the cybersecurity incident: a third-party vendor.
As the latest breach to hit a major global conglomerate, the attack on Ticketmaster highlights the growing threat of cyber weaknesses down a company’s supply chain.
Ticketmaster revealed this week that Inbenta Technologies, which provides Ticketmaster with a customer support software solution, had malicious software in its product. That software, discovered on June 23, enabled an “unknown third-party” to access some of Ticketmaster’s customer personal or payment information, the company said.
The incident is a reminder to businesses that safeguarding their own, internal enterprise systems may not be enough to stave off a cyberattack.
Earlier this month, analysis from Citrix and OnePoll found that large U.K. enterprises are overlooking their supplier relationships when developing cybersecurity strategies. In a survey of 50 IT security decision makers, the report found that only about a third have cyber insurance that covers their supply chain providers. A fifth said they don’t communicate with vendors at all when cybersecurity recovery processes are being tested.
“Recent cyberattacks demonstrate that the supply chain can be the weakest link for a significant number of organizations,” said Citrix chief security architect Chris Mayers in a statement. “It is therefore vital that businesses conduct the necessary due diligence when integrating a new provider into their supply chain.”
A 2017 survey by Protiviti found that nearly half (47 percent) of companies surveyed said they are somewhat or not at all likely to de-risk third-party relationships, or don’t know if they will do so. But researchers also found that the practice of de-risking, which involves either exiting a third-party relationship or altering it, is on the rise.
The report also warned of an “engagement gap” among corporate boards.
“Boards remain more engaged with the organization’s internal cybersecurity risks than cybersecurity risks to the organization’s vendors,” the report concluded. “And organizations with less engaged boards report significantly lower levels of third-party risk management practice maturity.”