Before we broadly discuss who is getting caught in ripple events, how much ripples are costing organizations, how long they take to unfold, and what’s potentially causing them, it’s important to zoom in on a few individual examples first.
While a stable number for multi-party breaches in 2020 is not likely, our analysis has already dug up 37 ripple events that swept up victims across a range of industries and scenarios last year. We’ve encapsulated an assortment of these latest breaches to provide a feel for how varied ripple events can really be.
The triggering events are often different, the business relationships vary, the scope of impact can vary wildly, and the depth of downstream reach is changeable. The one unifying factor is the technical integration or data sharing—direct and indirect—that spiderwebs across the generating organization and the recipients of downstream loss events.
ACCELLION USA LLC
The mass exploitation of vulnerabilities in the company’s file transfer appliance has allowed criminal gangs to target the sensitive information of thousands of Accellion clients—and subsequently the victims’ customers and clients—including the personally identifiable information (PII) handled by the Washington State Auditor’s Office, New Zealand’s central bank, and the high-profile law firm Jones Day.1
ADVANCED COMPUTER SOFTWARE
This software developer for the legal industry exposed data held by more than 190 law firms when a cloud-based database for legal forms was left publicly accessible on the Internet. The open database in Advanced’s Laserform platform left more than 10,000 legal documents exposed online, including “extensive details of transactions, payment terms, and client agreements,” according to security researchers.2
BLACKBAUD
A cloud computing provider for non-profit organizations, foundations, education firms, and healthcare entities, Blackbaud experienced a double extortion ransomware attack that not only encrypted the systems running its clients’ environments but also exfiltrated millions of sensitive records held by 550 different organizations. Rough estimates show that some 10 million individuals had their PII exposed by this ripple event. The downstream organization impacted the most was Inova Health Systems, which had 1 million of its patients exposed. Due to the number of organizations affected and records involved, this ripple event is the biggest healthcare breach on record for 2020.3
This US-based hosting provider left a database containing monitoring and system logs open to the Internet with no password protection. This lapse exposed the credentials of numerous organizations’ Magento eCommerce and WordPress accounts, along with the PII from 63.7 million records of shoppers and other individuals.4
GODADDY
One of the most prolific hosting providers on the web, GoDaddy was first informed of its 2020 ripple event via an email from the State of California Department of Justice, which stated that someone had gained unauthorized access to the login information for SSH accounts. An investigation into the matter showed that the attackers had access to the firm’s hosting environment for six months—the kind of access that could have been used to launch a range of chained attacks—compromising the hosting accounts of 28,000 different GoDaddy customers in the process.5
BRUNNER
This marketing company developed and supports the investment dashboard and online enrollment portal for SEI Investments Co., which provides platforms and services to dozens of wealth management funds. When Brunner was hit by a Maze ransomware attack and refused to pay the extortion demand, the attackers publicly posted the data they’d exfiltrated during the attack. This exposed SEI and, in turn, the clients of 100 different financial funds doing business with SEI, including PIMCO.6
This cloud hosting provider specializes in providing services to healthcare companies. When it was struck by a ransomware attack, the impacts rippled across numerous third-party relationships and were felt by many smaller health providers and service companies. A notable example was Crystal Practice Management, a software company that provides solutions to optometrists and vision therapy professionals. Its clients were unable to access patient data or the software required to serve their patients for days as a result of the attack.7
SOLARWINDS
The crop of 2020 ripples was punctuated by the big exclamation point that was the SolarWinds breach. A major provider of IT management tools, SolarWinds was compromised via a vulnerability in its Orion suite of tools, which are used by thousands of organizations to manage their IT networks. This flaw allowed the attackers to insert a backdoor in the tool that could then be leveraged to compromise the SolarWinds customer environments. Some 18,000 organizations were potentially exposed to the backdoor, with confirmed compromises including the U.S. Department of Homeland Security, Microsoft, and FireEye. The latter two compromises kicked off further Nth-party attacks, and many in the security industry say that it will take years to understand the widespread ripples that this single incident will broadcast across the globe.8
This platform provider for Git analytics had a database breach in which the hackers stole GitHub and GitLab OAuth tokens and used these to compromise the company’s customers and its customers’ customers. Associated ripple impacts included a breach of the fintech firm Dave, which compromised 7.5 million banking users, and a breach of the software testing firm Flood.io, which eventually exposed the hosted cloud credentials of its entire customer base.9