< ciso
brief />
Tag Banner

All news with #third party risk tag

86 articles · page 4 of 5

US Cuts Federal Funding for MS-ISAC Cyber Program Impact

🛡️ CISA has ended its cooperative agreement with the Center for Internet Security, terminating federal funding for the MS-ISAC on September 30 and placing the program's future in doubt. The MS-ISAC supports more than 18,000 state, local, territorial and tribal members with services such as advisories, secure information sharing, tabletop exercises and the Albert intrusion detection system. CIS has been temporarily subsidizing operations at over $1m per month but plans to phase out that support and is pushing members toward a paid membership model. CISA says it will move to a "new model" to support SLTT partners with tools, grant access and regional advisors.
read more →

CSA launches SaaS Security Capability Framework (SSCF)

🔒 The Cloud Security Alliance has published the SaaS Security Capability Framework (SSCF), a standardized set of customer-facing security controls designed to reduce long-standing gaps in third-party risk management. SSCF defines minimum technical capabilities across six domains — including identity and access, data lifecycle, logging, and incident management — that vendors should expose under the Shared Responsibility Model. The framework is intended to add transparency and consistency to SaaS security, complementing business-focused standards such as ISO 27001, and aims to evolve into practical implementation guidance, auditing criteria, and a certification scheme.
read more →

Report: Many Indian Suppliers Pose Global Supply Risks

🔍 SecurityScorecard's assessment found that 53% of selected Indian vendors experienced at least one third-party breach in the past year, with outsourced IT operations and managed service providers representing 63% of those incidents. The study evaluated 15 prominent Indian suppliers across 10 industries using security ratings based on patching cadence, DNS health, IP reputation, and endpoint, network and app security, and concluded that 27% of vendors received an F while 25% earned an A. It recommends continuous monitoring of third- and fourth-party ecosystems, prioritizing certificate management and patching, and using cybersecurity ratings to inform procurement and ongoing vendor oversight.
read more →

Stellantis Confirms Third-Party Cybersecurity Breach

🔒 Stellantis has confirmed unauthorized access to a third‑party service provider platform that supports its North American customer service operations. The group said affected customer information was potentially exposed but limited to contact details and did not include stored financial or other sensitive data. Stellantis activated incident response protocols, notified authorities and began informing impacted customers while warning them to expect phishing attempts. Security researchers and outlets linked the incident to claims by ShinyHunters and a recent series of Salesforce-related data breaches.
read more →

CSO Awards: Security Innovation and Transformative Work

🔒 CSO highlights seven award-winning security initiatives that showcase practical innovation across vulnerability management, third-party risk, multicloud security, secure coding, threat detection, and AI-driven hunting. Profiles include BMHCC’s risk-based remediation delivering a 70% risk reduction, FSU’s tighter vendor assessments, Marvell’s unified cloud vulnerability platform, and Mastercard’s developer-focused security conference. The pieces emphasize automation, AI, and cross-team collaboration as key drivers of measurable security impact.
read more →

Surveying the Global Spyware Market: 2024 Investment Shifts

🔍 The Atlantic Council’s second annual report, Mythical Beasts, maps the global spyware market and documents a substantial uptick in US-based investors in 2024, which made the United States the largest investor in this sampled dataset despite ongoing policy actions. The authors also emphasize the opaque, central role of resellers and brokers, whose intermediary activity obscures vendor–buyer ties and complicates oversight. Overall, the report highlights a clear enforcement and transparency gap and urges targeted research and coordinated policy responses.
read more →

LNER Customer Data Exposed in Supplier Security Breach

🔒 LNER has alerted customers after a security breach at a third-party supplier exposed traveller contact details and some historical journey information. The operator says no banking, payment or password data were accessed and that ticketing and timetable systems were not impacted. LNER is urging passengers to be cautious of unsolicited communications and potential phishing attempts. The company has engaged the supplier and cybersecurity experts to investigate and strengthen safeguards.
read more →

Beaches and Breaches: Shifts in Supply Chain and Identity

🌊 Returning from vacation, the author notes headlines shifted away from AI and ransomware toward breaches tied to compromised OAuth tokens and integrations like Salesloft/Drift. The piece emphasizes two converging trends: supply chain risk that now includes datapaths where information is processed, and identity attacks that increasingly target interconnected applications. It highlights Cisco Talos’ CTI-CMM as a practical maturity framework to assess gaps, prioritize investments, and build a roadmap for continuous improvement.
read more →

LNER Supply-Chain Breach Exposes Customer Contact Data

🔒 LNER has disclosed that an unauthorized third party accessed customer contact details and historical journey information via a compromised third-party supplier. No bank, payment card or password information was affected, the operator said, but warned that the data could be used in follow-on attacks. Security professionals advised customers to be cautious of unsolicited communications and recommended organisations strengthen third‑party data controls and identity protections.
read more →

SalesLoft Drift Breaches Expose Fourth-Party OAuth Risk

🔐 The SalesLoft acquisition of Drift exposed a hidden fourth‑party attack surface when legacy OAuth tokens—some dormant for 18 months—were abused to access customer Salesforce instances and a limited number of Google Workspace accounts. Attackers leveraged inherited tokens to enumerate and exfiltrate data, revealing how M&A can transfer persistent permissions outside visibility. The author calls for continuous, behavior‑based monitoring of every OAuth token and API call and recommends practical "OAuth archaeology" to inventory, rotate, or revoke legacy access.
read more →

Majority of Organizations Hit by Third‑Party Incidents

🔒 A recent survey by SecurityScorecard found 71% of organizations experienced at least one material third‑party cybersecurity incident in the past year, with 5% reporting ten or more. Rising third‑party involvement — echoed in the 2025 Verizon Data Breach Investigations Report — and sprawling supplier ecosystems expand attackers’ avenues. Experts warn SaaS platforms, open‑source packages, and CI/CD pipelines are increasingly exploited, often via abused OAuth, stolen credentials, or over‑permissioned integrations.
read more →

Wealthsimple Confirms Supply-Chain Breach Affecting 30,000

🔒 Wealthsimple has confirmed a supply-chain related data breach that exposed information for roughly 30,000 customers after software from a third-party vendor was compromised on August 30. The leaked data reportedly included contact details, government-issued IDs, Social Insurance Numbers, dates of birth, IP addresses and account numbers. Wealthsimple says passwords were not accessed, no client accounts were compromised and no funds were stolen. The firm says it contained the intrusion within hours, notified regulators and is offering affected customers two years of free credit monitoring, dark-web monitoring, identity theft protection and a dedicated support team.
read more →

Czech Agency Warns Against Chinese Tech in Critical Sectors

⚠️ The Czech National Cyber and Information Security Agency (NUKIB) is urging operators of critical infrastructure to avoid using Chinese technology or transferring user data to servers in China, citing a reassessed High risk of significant disruption. NUKIB confirmed malicious activity by Chinese cyber-actors, including an APT31 campaign against the Ministry of Foreign Affairs, and warned that Chinese law can permit state access to data held by domestic providers. The guidance is not an outright legal ban, but entities covered by the Czech Cybersecurity Act must include the threat in their risk analyses and adopt appropriate mitigations.
read more →

Wealthsimple Reports Customer Data Breach Linked to Salesloft

🔒 Wealthsimple disclosed a data breach detected on August 30 after attackers accessed a trusted third-party software package. The company said less than 1% of customers had personal information exposed, including contact details, government IDs, account numbers, IP addresses, Social Insurance Numbers, and dates of birth. Wealthsimple stated no funds or passwords were taken; impacted customers are being offered two years of complimentary credit and identity protection and were advised to enable two-factor authentication and remain alert for phishing.
read more →

Chess.com: Third-Party File Transfer App Breach Disclosed

🔒 Chess.com disclosed a data breach after threat actors gained unauthorized access to a third-party file transfer application used by the platform. The intrusion persisted from June 5 to June 18, 2025, and was discovered on June 19, prompting an investigation and engagement of outside experts. Chess.com says its own infrastructure and member accounts were not affected; just over 4,500 users may have had names and other PII accessed. No financial information appears exposed, and affected members are being offered 1–2 years of free identity theft and credit monitoring.
read more →

How Bribery at a Vendor Led to Coinbase Extortion Incident

🔒 In early May 2025 Coinbase disclosed that attackers had extorted the company after bribing employees at an outsourced support provider in India to acquire customer and internal data. The theft affected roughly 1% of monthly active users — about 70,000 people — and exposed information useful for social engineering, though no private keys or wallet credentials were taken. Coinbase refused a $20 million ransom, posted a matching bounty, pledged customer reimbursement, flagged suspect blockchain addresses, dismissed implicated vendor staff, and ended the vendor relationship.
read more →

Gainesville Regional Utilities Tightens Vendor Risk Controls

🔒 Gainesville Regional Utilities (GRU) launched a Vendor Security Risk Assessment (VSRA) program in August 2023 to vet third-party suppliers that access its smart-grid, metering, and fiber-optic systems. The intake, triage, detailed questionnaire, technical review, and centralized recordkeeping ensure vendors meet rigorous security standards before onboarding. Automation and a vendor scoring system reduced manual work by 50% and accelerated decision-making while improving compliance.
read more →

Supply-chain Dependencies and the Resilience Blind Spot

🔐A DEF CON 33 panel argued that while digital tactics like misinformation and cyberattacks can disrupt systems, they rarely win wars on their own. Panelists emphasised that cyber effects tend to be temporary, whereas kinetic attacks inflict longer-lasting physical damage. Using a Taco Bell supply-chain analogy and real incidents such as Change Healthcare, the discussion urged organisations to map dependencies and build resilience to mitigate third-party risk.
read more →

Black Hat USA 2025: Insurers Limit Vendor Exposure

🛡️ At Black Hat USA 2025 speakers warned that high cyber-insurance premiums can reflect insurers capping exposure to specific third-party vendors rather than a direct finding of poor security in a customer’s environment. Insurers may respond to exceeded vendor thresholds by issuing prohibitively high quotes instead of declining coverage, effectively pricing some customers out. Claims data presented showed 45% of new claims in H1 2025 involved an SSL VPN lacking MFA, and Coalition reported 55% of ransomware begins at perimeter devices.
read more →

AggregateIQ Exposure Reveals Canadian Campaign Assets

🔒 The UpGuard Cyber Risk Team discovered an unsecured AggregateIQ (AIQ) code repository containing site backups, API keys, SSL private keys, and other sensitive assets tied to multiple Canadian campaigns and parties. Exposed files included WordPress backups, donation processor keys (Stripe), NationBuilder tokens, and PEM private keys that could enable impersonation or account takeover. The findings illustrate significant third‑party vendor risk and raise regulatory and public‑interest concerns about how AggregateIQ managed client credentials and campaign tooling.
read more →