< ciso
brief />
Tag Banner

All news with #third party risk tag

86 articles

Improving security across Microsoft partner ecosystem

🔒 This post by Raji Dani, Microsoft Deputy CISO, explains how Microsoft secures its partner ecosystem—especially Microsoft Cloud Solution Providers (CSPs)—to reduce risk to downstream customers. It outlines vetting, mandatory security requirements for authorization, granular delegated administrative privileges (GDAP), telemetry and rapid access revocation capabilities. The article emphasizes shared responsibility between Microsoft and partners and a continual roadmap to raise security standards.
read more →

KDDI breach may expose millions of ISP email logins

📧 KDDI Corporation disclosed a breach affecting an email system shared with five Japanese ISPs after discovering unauthorized access on June 17. The company attributes the intrusion to a vulnerability in unnamed third-party software and says it immediately blocked the attacker and implemented defenses. Up to 14.22 million current, former, and inactive customer email addresses and passwords may have been exposed, though some credentials were stored hashed or encrypted. KDDI is notifying regulators and working with affected ISPs while advising customers to reset passwords and enable 2FA where possible.
read more →

CMC analysis of Canvas incident impacts education

🔍 The UK Cyber Monitoring Centre (CMC) has published its review of the Canvas incident affecting Instructure’s Learning Management System, finding ~160 UK higher education institutions impacted and around 9,000 worldwide. The analysis highlights that financial losses arose mainly from response, recovery and risk management rather than prolonged outage. The CMC reinforced best-practice recommendations for the sector, including MFA enforcement, separation of application and data layers, careful third‑party control and clearer vendor communication.
read more →

Nintendo confirms TinyPulse survey data stolen

🛡️ Nintendo of America confirmed that threat actors accessed survey data from the third-party TinyPulse service used for internal employee surveys, but its own systems were not compromised. The company said the information is limited to a small subset of employees and mostly dates back several years. Nintendo is working with the service provider while denying any access to customer or financial data.
read more →

Lessons from 22,000 Breaches for Incident Preparedness

🔍 The 2026 Verizon DBIR analyzed over 22,000 confirmed breaches across 145 countries and concludes that organizations cannot patch fast enough to prevent every incident. Exploitation of vulnerabilities became the leading initial access vector as critical flaws and their remediation windows grew, while ransomware and third-party breaches surged. The report urges realistic, technical tabletop exercises that rehearse containment, communication, and coordination under time pressure.
read more →

SoFi Hong Kong confirms third-party data breach

🔒 SoFi Hong Kong reported a third-party data breach after detecting unauthorized access to a vendor-hosted database on April 30, 2026. The company engaged a third-party cybersecurity firm and is investigating while notifying affected customers. SoFi has not disclosed the vendor identity, the number of impacted customers, or the exact data exposed. Customers were advised to monitor accounts, enable two-factor authentication, and take extra precautions.
read more →

Oxford University reports CareerConnect credential breach

🔒 Oxford University disclosed a data breach after its third-party provider, Group GTI, reported that the CareerConnect platform was compromised on May 28. The attackers accessed users' first and last names, email addresses, and encrypted passwords for accounts not using Single Sign-On; GTI has invalidated those passwords and will require resets. The university said no course materials, uploaded files, appointments, or financial data appear affected, but warned users to watch for phishing attempts.
read more →

15 Tough Cybersecurity Questions Every CISO Must Answer

🔍 Security leaders outline 15 critical questions CISOs should ask to ensure security programs adapt to evolving threats and business needs. These prompts focus on demonstrating ROI, aligning defenses with critical business processes, measuring detection and response speed, and addressing AI-driven risks like nonhuman identities and automated attacks. The guidance also stresses vendor risk, shadow AI, application security for widespread coding, and preparing security for future business growth.
read more →

Executives and CISOs Must Treat Cyber as Statecraft

🔒 Bharat Thakrar of ISACA’s London Chapter told Infosecurity Europe 2026 that cyber, AI and geopolitics are now inseparable and warned against treating security as merely an IT problem. He cited breaches like Sony Pictures (2014), Viasat (2022) and Stryker (2026) to show private firms can be legitimate geopolitical targets. Thakrar proposed the Cyber Geopolitical Preparedness and Response (CGPR) framework—assess exposure, evaluate readiness, plan response and continuous monitoring—and urged geopolitical stress‑tests, revamped HR vetting, tighter access controls and predefined executive authorities.
read more →

AWS Completes S&P Global KY3P Assessment Report

🔒 AWS has completed the S&P Global Know Your Third Party (KY3P) assessment to validate its security posture and help customers reduce supplier due diligence. The KY3P assessment is evidence-based and evaluates operation of controls across privacy, network, access, and physical security domains. Results can be mapped to frameworks such as NIST CSF v2, PCI DSS 4.0, and ISO 27001:2022 to provide customers with standardized risk data and improved visibility into supply chain risks.
read more →

Three-Quarters Admit Shipping Vulnerable Code

🛡️ New studies reveal that 75% of organizations often or sometimes deploy code they know is vulnerable, down from 81% last year but still alarmingly high. Checkmarx warns that AI-augmented attackers are dramatically shortening time-to-exploit, while Verizon’s DBIR links increased initial access to vulnerability exploitation aided by AI. A QBE survey found UK firms are worried about suppliers' AI use, yet few audit third-party AI or maintain formal AI governance.
read more →

Orphaned Applications Fuel Shadow IT and Risk Exposure

🔎 Orphaned applications silently expand shadow IT by persisting beyond team ownership, continuing to authenticate, exchange data, and consume resources without oversight. They commonly appear when departments adopt tools to meet urgent needs and those workflows, accounts, or service identities are never decommissioned. NETSCOUT Smart Data leverages packet-derived observability to reveal hidden dependencies and enrich the ServiceNow CMDB, helping teams reduce operational, security, and compliance blind spots.
read more →

Tip-line Breach and Rockstar Leak Highlight Security Risks

🔐 A tip‑line operator that handled anonymous reports for 35,000 U.S. schools suffered a major breach after an attacker exploited an XSS flaw in a LeverTip chat box and stole a staff session cookie via social engineering. The intruder exfiltrated 91 GB (≈8.3M tip records), some dating back decades, and offered the dataset for sale. Separately, Rockstar Games experienced a third‑party compromise that exposed partial data, including internal financial figures. Both incidents underscore failures in basic web hygiene, third‑party controls, and incident transparency.
read more →

Weekly Recap - Third-Party Compromises and Evasion Trends

🔒 This weekly recap highlights a recurring attack pattern: compromise of trusted third-party tools and update paths to gain internal access and persist. Incidents include a Vercel breach originating from a compromised Context.ai account that led to takeover of a Google Workspace identity, hijacked download pages serving trojanized installers, malicious Chrome extensions, and plugin abuse. The report emphasizes multi-stage, in-memory payloads and attackers leveraging legitimate workflows to evade detection. Organizations should reassess trust boundaries, monitor OAuth tokens and environment variables, and prioritize patching of actively exploited CVEs.
read more →

Bank Pixel Redirects Logged-In Users to Temu Tracker

🔍 A Taboola tracking pixel approved by a bank silently redirected authenticated users to a Temu tracking endpoint without the bank's knowledge, user consent, or any security control flagging a violation. Reflectiz discovered the chain during a February 2026 audit: an initial GET to sync.taboola.com returned a 302 to a temu.com pixel and included Access-Control-Allow-Credentials: true, enabling credentialed cross-origin requests. Conventional tools missed the behavior because they validate the declared script origin rather than runtime redirect destinations. Organizations should inspect browser runtime behavior, tighten CSPs, and consider sandboxing third-party scripts on authenticated pages.
read more →

Why Third-Party Risk Is the Biggest Gap in Client Security

🔒 The next major breaches are likely to originate from trusted vendors, SaaS tools, or subcontractors, expanding the enterprise perimeter beyond owned infrastructure. Cynomi's new guide argues that Third-Party Risk Management (TPRM) must evolve from an annual checkbox into a continuous, governance-grade security function driven by regulatory pressure and financial risk. With regulators like CMMC, NIS2, and DORA raising expectations, and research showing third parties factor in roughly 30% of breaches and average remediation costs near $4.91M, MSPs and MSSPs can monetize structured, tech-enabled TPRM as a repeatable, high-margin service.
read more →

External Forces Reshaping Cybersecurity Risk Today

🔒Over the past four years organizations have been increasingly challenged by threats that originate in third-party networks, with more than 35% of breaches tied to compromised vendors or partners. International conflict, generative AI and growing supply-chain exposure are accelerating risk and extending impact to Operational Technology (OT) and IoT environments. Leaders should elevate OT risk to the board, adopt immutable 3-2-1-1 backup strategies, and establish an AI Risk Council to enforce governance and pentesting before broad AI adoption.
read more →

Cybersecurity and Privacy Legal Risks to Watch in 2026

🔒 Escalating threats and expanding regulation have materially increased corporate exposure to cybersecurity and privacy disputes, with 2025 showing a marked rise in class actions and litigation risk. The piece identifies key drivers for 2026: sophisticated state-sponsored actors using AI, intensified federal initiatives and enforcement, proactive state regulator actions, growing third‑party/vendor risk, and inventive litigation tactics such as qui tam and False Claims Act claims. It urges organizations to revisit fundamentals — data inventories, governance, third‑party oversight, incident response and public statements — to reduce legal and operational exposure.
read more →

MSP Guide: Scaling Cybersecurity with AI Risk Management

🛡️ This contributed piece from The Hacker News (Mar 06, 2026) outlines how MSPs and MSSPs can adopt AI-powered risk management to scale cybersecurity services. It argues a risk-first model shifts providers from one-off, technical fixes to continuous, business-focused protection that drives recurring revenue. The article highlights six common barriers—manual assessments, missing remediation roadmaps, compliance complexity, lack of business context, talent shortages, and unmanaged third-party risk—and recommends sourcing platforms that deliver automated assessments, dynamic risk registers, and actionable remediation plans to accelerate onboarding, improve compliance mapping, and create upsell opportunities.
read more →

Third-Party Breaches Expand Blast Radius Across Supply

🛡️ Black Kite's seventh annual Third-Party Breach Report shows supplier breaches have a far larger downstream impact than commonly recognized. In 2025 analysis of verified public disclosures and external telemetry, 136 confirmed incidents averaged 5.28 publicly named downstream victims per vendor, totaling 719 corporate victims and 433 million affected individuals, with vendors also reporting an additional 26,000 unnamed corporate victims. The study highlights concentration among software services, prolonged detection and notification delays, and pervasive exposure to critical vulnerabilities and leaked credentials, concluding that traditional third-party risk management is not keeping pace.
read more →