All news with #third party risk tag

🔒 In August 2025 Volvo Group North America disclosed a breach that originated in its third‑party HR provider, Miljödata, and a slow timeline of detection and notification has raised questions about forensic readiness. Reported exposed records included Social Security numbers and sensitive employee identifiers, and Volvo offered 18 months of identity‑protection services. The author provides five practical recommendations to preserve evidentiary integrity: embed forensics from day zero, align IR and forensic priorities, automate collection and triage, contractually manage vendor response, and coordinate legal messaging to reduce litigation and regulatory risk.

🔍 As organizations outsource more critical systems and security functions to managed service providers, the complexity and frequency of third-party incidents are rising — 47% of organizations reported a third-party breach in the 12 months to mid-2025. Security leaders must balance rigorous, standards-based assurance (for example ISO 27001 or SOC 2) with relationship-driven vetting that fosters transparency and shared responsibility. Experts from media company Advance, the University of Queensland and vendor advisors argue that questionnaires alone are insufficient: meaningful dialogue, selective disclosure (summaries of pen tests rather than full reports), contractual clarity, and AI-aware controls are all needed to assess and manage evolving risks.

🛡️ At Dreamforce, Salesforce emphasized shared responsibility for securing customer environments and introduced new AI agents for security and privacy. The conference largely avoided discussion of recent OAuth-based supply-chain breaches that exposed data from hundreds of companies and led to extensive litigation. Analysts warn the incidents — driven by compromised tokens from third-party apps like Salesloft Drift and spoofed tools such as malicious Data Loader instances — underscore systemic risks as AI integrations demand broader data access. Recommended mitigations include IP whitelisting, DPoP or mTLS, and tighter vendor governance.

🔒 MANGO has notified customers that an external marketing service suffered unauthorized access, resulting in exposure of certain personal contact information. The retailer said the compromised fields included first name, country, postal code, email address, and telephone number, while last names, payment card details, IDs and account credentials were not affected. MANGO confirmed its corporate systems remain secure, authorities have been informed, and a dedicated email and hotline are available for concerned customers.

🔒 Spanish fashion retailer MANGO has alerted customers to a data breach that originated at an external marketing service, not within the company's own systems. The exposed fields include first names, countries, postal codes, email addresses and phone numbers. The company is notifying affected individuals and appears to be reviewing the vendor relationship and communications. Some recipients report receiving the notice in Spanish despite not being customers.

🛡️ Discord says it will not pay extortionists who claim to have stolen data from a third‑party customer support service and disputes claims that 2.1 million ID photos were exposed. Attackers allege they obtained 1.6 TB of data from the company's Zendesk instance, impacting 5.5 million users and including partial payment and MFA‑related information. Discord says roughly 70,000 ID photos may have been exposed and characterizes the larger figures as part of an extortion attempt.

🔍 A U.S. District Court complaint alleges that Norfolk, Virginia’s 176 Flock Safety automated license-plate readers tracked plaintiffs repeatedly as they drove — one retired veteran was logged 526 times and another resident 849 times between mid-February and early July. The September lawsuit contends that this pervasive, warrantless tracking raises serious Fourth Amendment and privacy issues. The ACLU and a 2024 ruling by Judge Jamilah LeCruise, which excluded warrantless plate-reader data in a robbery prosecution, underscore growing legal scrutiny.

🔒 Discord has disclosed a data breach after a third-party customer support provider was compromised, allowing a ransomware actor to access limited customer information. Potentially exposed data includes names, Discord usernames, contact details, last four digits of payment cards, IP addresses, messages with support agents and a small number of government ID images submitted for age appeals. Discord says no passwords, full card numbers or CVVs were accessed and is contacting affected users and authorities.

🔒Discord has confirmed that attackers accessed data belonging to users who contacted its customer support after a breach at a third-party provider, reportedly Zendesk. Exposed information includes names, Discord usernames, emails, IP addresses, messages with support agents, limited billing details (payment type and last four card digits), and a small number of government ID images. Discord says full card numbers, CCV codes and account passwords were not accessed, and is contacting affected users while warning of potential phishing attempts.

🔒 Hackers accessed a third-party customer service system used by Discord on September 20, stealing partial payment details and personally identifying information for a limited number of users who contacted support or Trust and Safety. The attackers appear financially motivated and demanded a ransom. Discord revoked the provider's access, engaged a computer forensics firm, launched an internal investigation, and notified law enforcement. Exposed data included real names, usernames, emails, IP addresses, support messages and attachments, photos of government IDs for a small subset, and partial billing details such as payment type and the last four card digits.

🔒 Renault and Dacia UK have informed customers that personal information was exposed following a cyberattack on an unnamed third‑party provider. The compromised data includes full name, gender, phone number, email and postal address, as well as Vehicle Identification Numbers (VINs) and vehicle registration numbers; banking data was not affected. Renault says the supplier isolated the incident and removed the threat, and the Information Commissioner’s Office (ICO) has been notified. Recipients are urged to remain vigilant against unsolicited calls and emails and to avoid sharing passwords.

🛡️ CISA has ended its cooperative agreement with the Center for Internet Security, terminating federal funding for the MS-ISAC on September 30 and placing the program's future in doubt. The MS-ISAC supports more than 18,000 state, local, territorial and tribal members with services such as advisories, secure information sharing, tabletop exercises and the Albert intrusion detection system. CIS has been temporarily subsidizing operations at over $1m per month but plans to phase out that support and is pushing members toward a paid membership model. CISA says it will move to a "new model" to support SLTT partners with tools, grant access and regional advisors.

🔒 The Cloud Security Alliance has published the SaaS Security Capability Framework (SSCF), a standardized set of customer-facing security controls designed to reduce long-standing gaps in third-party risk management. SSCF defines minimum technical capabilities across six domains — including identity and access, data lifecycle, logging, and incident management — that vendors should expose under the Shared Responsibility Model. The framework is intended to add transparency and consistency to SaaS security, complementing business-focused standards such as ISO 27001, and aims to evolve into practical implementation guidance, auditing criteria, and a certification scheme.

🔍 SecurityScorecard's assessment found that 53% of selected Indian vendors experienced at least one third-party breach in the past year, with outsourced IT operations and managed service providers representing 63% of those incidents. The study evaluated 15 prominent Indian suppliers across 10 industries using security ratings based on patching cadence, DNS health, IP reputation, and endpoint, network and app security, and concluded that 27% of vendors received an F while 25% earned an A. It recommends continuous monitoring of third- and fourth-party ecosystems, prioritizing certificate management and patching, and using cybersecurity ratings to inform procurement and ongoing vendor oversight.

🔒 Stellantis has confirmed unauthorized access to a third‑party service provider platform that supports its North American customer service operations. The group said affected customer information was potentially exposed but limited to contact details and did not include stored financial or other sensitive data. Stellantis activated incident response protocols, notified authorities and began informing impacted customers while warning them to expect phishing attempts. Security researchers and outlets linked the incident to claims by ShinyHunters and a recent series of Salesforce-related data breaches.

🔒 CSO highlights seven award-winning security initiatives that showcase practical innovation across vulnerability management, third-party risk, multicloud security, secure coding, threat detection, and AI-driven hunting. Profiles include BMHCC’s risk-based remediation delivering a 70% risk reduction, FSU’s tighter vendor assessments, Marvell’s unified cloud vulnerability platform, and Mastercard’s developer-focused security conference. The pieces emphasize automation, AI, and cross-team collaboration as key drivers of measurable security impact.

🔍 The Atlantic Council’s second annual report, Mythical Beasts, maps the global spyware market and documents a substantial uptick in US-based investors in 2024, which made the United States the largest investor in this sampled dataset despite ongoing policy actions. The authors also emphasize the opaque, central role of resellers and brokers, whose intermediary activity obscures vendor–buyer ties and complicates oversight. Overall, the report highlights a clear enforcement and transparency gap and urges targeted research and coordinated policy responses.

🔒 LNER has alerted customers after a security breach at a third-party supplier exposed traveller contact details and some historical journey information. The operator says no banking, payment or password data were accessed and that ticketing and timetable systems were not impacted. LNER is urging passengers to be cautious of unsolicited communications and potential phishing attempts. The company has engaged the supplier and cybersecurity experts to investigate and strengthen safeguards.

🌊 Returning from vacation, the author notes headlines shifted away from AI and ransomware toward breaches tied to compromised OAuth tokens and integrations like Salesloft/Drift. The piece emphasizes two converging trends: supply chain risk that now includes datapaths where information is processed, and identity attacks that increasingly target interconnected applications. It highlights Cisco Talos’ CTI-CMM as a practical maturity framework to assess gaps, prioritize investments, and build a roadmap for continuous improvement.

🔒 LNER has disclosed that an unauthorized third party accessed customer contact details and historical journey information via a compromised third-party supplier. No bank, payment card or password information was affected, the operator said, but warned that the data could be used in follow-on attacks. Security professionals advised customers to be cautious of unsolicited communications and recommended organisations strengthen third‑party data controls and identity protections.