British Petroleum (BP) released an update in July about a data breach that occurred in May of 2023 that impacted individuals who had applied for retail positions within the company. Initially, BP believed the breach was confined to approximately 10,000 applicants who had applied within the previous 18 months. However, the company now confirms that the breach extends to retail store applicants dating back to 2007. The compromised information comprises applicants’ names, email and residential addresses, birthdates, countries of residence, phone numbers, and employment details.
The incident was the result of a breach at PageUp, an online recruitment provider that BP used. PageUp is an Australian company with 2.6 million users in 190 countries. The recruitment provider first discovered the breach on May 23 and said that the attackers may also have accessed employees’ usernames and passwords. The company is conducting an extensive forensic investigation into the attack and is working with the Australian Cyber Security Centre, the Australian Federal Police and multiple independent cybersecurity firms. PageUp has assured its customers that no employment contracts, applicant resumes, or bank account information were involved in the breach. Meanwhile, BP has contacted the additional 50,000 applicants about the breach. The oil company said that there is no evidence that the data of its past applicants was exfiltrated.
Shell Oil Victimized by Ransomware
Shell Oil, along with several other major firms including Procter & Gamble, Hitachi, and Virgin, fell victim to the exploitation of a vulnerability in the MOVEit file transfer system used by some of their employees. The Russian ransomware collective known as Cl0p claimed responsibility for this breach and over 200 others related to the same flaw. In June, the group ominously listed a dozen international companies on its website, threatening to publicize the purloined data.
Shell acknowledged the security breach via a statement on their website and representatives have clarified that the company does not intend to capitulate to any ransom demands. Shell affirmed that the exposed data consisted of personal information regarding some of their employees, though the specifics of the compromised data remain unconfirmed.
Progress Software’s MOVEit, a widely utilized file transfer software application, has been implemented over 3,000 times across diverse organizations globally. In late May, Progress pinpointed a zero-day vulnerability within MOVEit, granting unauthorized users the ability to access information contained within the software. This recently uncovered vulnerability exemplifies a quintessential zero-day exploit, with malicious actors capitalizing on the flaw before MOVEit users could apply the issued patch.
This breach is not Shell’s first encounter with third-party vulnerability exploitation. In 2020, the corporation experienced a data breach impacting both corporate and personal data, perpetrated through an exploit in another file transfer service.
Protecting the sensitive data in your network means not only ensuring that your own IT infrastructure is secure, but that all third-party resources linked to your network are as well. It only takes one chink in the armor to expose your entire organization. Threat actors can infiltrate your systems through an outside partner or service provider that has access to your network. Entry points can include remote access tools, file transfer applications, software exploits or man-in-the-middle (MITM) attacks. While your internal IT teams or MSP can’t be directly responsible for the security of your vendors’ networks, you can take action to ensure that your vendors are doing their due diligence to protect themselves. Choosing a vendor or service provider is no longer just about price, quality, and service. It is about security too. Some of the measures you can take include the following:
- Properly vet your vendors before establishing any agreements or partnerships. Don’t be timid about asking them about their security profile or even request proof of their cybersecurity program. This can include copies of recent security audits or penetration tests.
- Request recurring third-party risk assessments to understand the risks associated with your vendors and service providers. These assessments should evaluate the third-party’s data security practices, compliance standards and incident response capabilities.
- Regularly monitor and control the access of all third-party vendors. Granting them full access and privilege to your network will make things convenient for them, but it will make things just as convenient for threat actors. The principle of least privilege (PoLP) should be enforced for employees, customers, and outside vendors alike.
- Implement a zero-trust security model to ensure that all data is encrypted and that access requests from any user are properly authenticated and authorized. A zero-trust mentality means that you don’t assume that your vendor’s equipment, personnel, and resources are secure.
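The last two measures (least privilege for vendor accounts and zero-trust evaluation of every access request) can be expressed as a simple policy check. The following Python is an added example written for this article, not code from HALOCK Security Labs or from any product mentioned above. It assumes a small in-house grant model (`VendorGrant`, `AccessRequest`) and constructed sample data: the vendor names, resource names, IP ranges and timestamps are invented for illustration. `evaluate()` denies by default and only allows a request that matches an explicit, unexpired grant on identity, MFA, source network, resource and action; `review_grants()` flags grants that are broader than least privilege permits.

```python
"""Deny-by-default evaluation of third-party (vendor) access requests, plus a
least-privilege review of the grants themselves. Added illustration; vendor
names, resources, IP ranges and timestamps are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class VendorGrant:
    """A narrowly scoped, time-boxed grant for one vendor account (hypothetical model)."""
    vendor_id: str
    resources: Set[str]      # exact resource names; "*" means everything (flagged in review)
    actions: Set[str]        # e.g. {"read"} or {"read", "write"}
    expires_at: datetime     # every grant has an end date
    networks: List[str]      # CIDRs the vendor may connect from
    require_mfa: bool = True


@dataclass(frozen=True)
class AccessRequest:
    vendor_id: str
    resource: str
    action: str
    source_ip: str
    mfa_verified: bool
    at: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def evaluate(req: AccessRequest, grants: Dict[str, VendorGrant]) -> Decision:
    """Zero-trust style check: nothing is assumed about the vendor. The request
    must match an explicit, unexpired grant on identity, MFA, network, resource
    and action (checked in that order) or it is denied with a reason."""
    grant = grants.get(req.vendor_id)
    if grant is None:
        return Decision(False, "no grant for vendor")
    if req.at >= grant.expires_at:
        return Decision(False, "grant expired")
    if grant.require_mfa and not req.mfa_verified:
        return Decision(False, "mfa required")
    src = ip_address(req.source_ip)
    if not any(src in ip_network(cidr) for cidr in grant.networks):
        return Decision(False, "source network not allowed")
    if "*" not in grant.resources and req.resource not in grant.resources:
        return Decision(False, "resource not in grant")
    if req.action not in grant.actions:
        return Decision(False, "action not in grant")
    return Decision(True, "explicit grant matched")


def review_grants(grants: Dict[str, VendorGrant], now: datetime,
                  max_days: int = 90) -> Dict[str, List[str]]:
    """Least-privilege review: list every grant that is broader than it needs
    to be. An empty dict means every grant passed."""
    findings: Dict[str, List[str]] = {}
    for vendor_id, g in grants.items():
        issues = []
        if "*" in g.resources:
            issues.append("wildcard resource scope")
        if "admin" in g.actions:
            issues.append("admin action granted")
        if (g.expires_at - now) > timedelta(days=max_days):
            issues.append(f"valid for more than {max_days} days")
        if not g.require_mfa:
            issues.append("mfa not required")
        if any(ip_network(c).prefixlen == 0 for c in g.networks):
            issues.append("unrestricted source network")
        if issues:
            findings[vendor_id] = issues
    return findings


# Constructed sample data: one tightly scoped recruiting vendor and one
# over-privileged file-transfer vendor of the kind the review should flag.
NOW = datetime(2023, 7, 15, 12, 0, tzinfo=timezone.utc)
GRANTS: Dict[str, VendorGrant] = {
    "recruit-saas": VendorGrant("recruit-saas", {"hr/applicants"}, {"read"},
                                NOW + timedelta(days=30), ["203.0.113.0/24"]),
    "file-xfer": VendorGrant("file-xfer", {"*"}, {"read", "write", "admin"},
                             NOW + timedelta(days=365), ["0.0.0.0/0"],
                             require_mfa=False),
}
SAMPLE_REQUESTS = [
    AccessRequest("recruit-saas", "hr/applicants", "read", "203.0.113.10", True, NOW),
    AccessRequest("recruit-saas", "hr/payroll", "read", "203.0.113.10", True, NOW),
    AccessRequest("recruit-saas", "hr/applicants", "read", "198.51.100.5", True, NOW),
    AccessRequest("recruit-saas", "hr/applicants", "read", "203.0.113.10", False, NOW),
    AccessRequest("recruit-saas", "hr/applicants", "write", "203.0.113.10", True, NOW),
    AccessRequest("recruit-saas", "hr/applicants", "read", "203.0.113.10", True,
                  NOW + timedelta(days=31)),
    AccessRequest("unknown-co", "hr/applicants", "read", "203.0.113.10", True, NOW),
]


def evaluate_samples() -> List[Tuple[str, bool, str]]:
    """Run every sample request through evaluate(); the result doubles as an audit log."""
    return [(r.vendor_id, d.allowed, d.reason)
            for r in SAMPLE_REQUESTS for d in [evaluate(r, GRANTS)]]


if __name__ == "__main__":
    for vendor, ok, why in evaluate_samples():
        print(f"{'ALLOW' if ok else 'DENY ':5} {vendor:13} {why}")
    for vendor, issues in review_grants(GRANTS, NOW).items():
        print(f"REVIEW {vendor}: {', '.join(issues)}")
```

Only the first sample request is allowed; each of the others is denied for exactly one stated reason, which is what you want logged when a vendor account behaves unexpectedly. The review of the two grants flags only the file-transfer vendor, whose wildcard scope, admin rights, year-long validity, missing MFA and open source network are the opposite of least privilege.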
Third-party risk management is an accelerating trend today and one that HALOCK Security Labs can assist with, as our security teams can assess the security risks not only of your own organization, but also your risk exposure to all of your interconnected providers and partners.
Contact us to learn how we can help you create a third-party risk management strategy to ensure that the security profile and protocols of your vendors align with yours.