3 Third-Party Risk Lessons from the Lapsus$ Hacks

3 Third-Party Risk Lessons from the Lapsus$ Hacks

Proactively mitigate third-party risks with vendor engagement and issue response strategies 

Lapsus$, a criminal hacking group, has breached multiple third-party software services over the past few months. The first identified attack occurred in January 2022 at Okta, followed by a subsequent attack at Globant. These large-scale providers of IT applications serve the likes of Cloudflare, Peloton and Chipotle. In the aftermath of these breaches, customers scramble to understand the consequences for their security and bolster resiliency.  

Lapsus$ leveraged pictures of Okta’s internal systems to access this data. The group openly claimed that they weren’t interested in Okta itself but in using it as a hallway to target bigger fishes – those high-profile, harder-to-breach organizations that used Okta. 366 of Okta’s corporate customers were affected, about 2.5% of their customer base. Lapsus$ stole a spreadsheet of passwords and other sensitive data. To make matters worse, Okta failed to notify these organizations until March 2022, leaving companies unprepared to answer their customers.  

Next, Lapsus$ moved on to Globant, an IT software and development firm. Lapsus$ leaked Globant’s source code, stealing credentials and intellectual property from the firm. Globant claims that client data was not affected – but the ripple effects throughout Globant’s IT ecosystem cannot be understated.   

These breaches and their aftermath show how much of a cybersecurity blind spot an organization’s third parties can be. Not to mention, these events are likely to draw the attention of regulators: The SEC already proposed cybersecurity disclosure rules, which would mandate breach reporting within four business days.  

This blog looks at what organizations can do to prepare for and minimize the impacts of a third-party data breach. We’ll take lessons from the Okta and Globant breaches to provide guidance on protecting your sensitive data before a breach occurs.  

Foster Open Communication with Vendors

How frequently do you communicate with your high-risk vendors?  

Critical third-party service providers are intimate business partners; you must treat your third-party risk as diligently as your first-party risk. In other words, you are entitled to an in-depth look at your vendors’ security postures. You should understand and have evidence of your vendors’:   

  • Cybersecurity policies, procedures and controls  
  • Third-party risk management program (your fourth-party risk)  
  • Breach disclosure policies  

One of the ways Okta mishandled the breach was by failing to notify their customers. This decision left the affected companies unprepared to address the breach with their own customers, who had trusted them with their data. Though reporting mandates are likely to take effect in the coming years, consider working disclosure clauses into your third-party contracts.  

Develop a Breach Response Plan  

How will your organization respond to a breach at one of your critical vendors?  

Largely due to being unaware of the breach, victims of the Okta hack had little time to mount a response. This situation forced those affected to quickly measure the impact on their organization, develop a remediation strategy and communicate with their customer base.  

Proactively consider what steps you’ll need to take with your vendors to reconcile losses after a breach. This process goes beyond risk mitigation – assume that a breach will occur, then envision how your organization can quickly pivot to reduce impacts. Discuss internally and with your vendors:   

  • What data do you trust your third parties with?   
  • Can this data be mapped to the appropriate controls internally and externally?  
  • What consequences are anticipated should the data be breached?  
  • Who needs to be notified should the data be breached?  

Understand Breach Remediation Objectives 

What steps will the vendor take to ensure that a similar breach doesn’t happen again?  

Depending on the severity of the breach, you may or may not terminate the relationship with your third-party vendor. Your team should weigh the pros and cons of continuing to work with the vendor. If they are hard to replace or essential to your organization, you might have no choice but to continue the relationship. In this case, the vendor should clearly outline what controls, policies and procedures they will implement to course correct. You might even present certain stipulations for continuing to work with them.  

If you terminate the relationship, you’ll need to verify that your data is appropriately transitioned from the vendor. The vendor’s access to your data and internal systems should be cut off at the cessation of the relationship. Ensure that your team securely executes the following steps during vendor offboarding: 

  • Remove access to IT infrastructure 
  • Update information in the vendor database 
  • Review compliance requirements and data privacy 

Whether you continue to work with the vendor or not, you’ll still want to understand the long-term consequences of the breach and communicate these to the affected parties. Transparency with both your vendors and customers is key to reducing the impact of a third-party data breach. 

How ProcessUnity Vendor Risk Management Can Help  

Third-party risk visibility and vendor engagement are the keys to minimizing the impact of data breaches.  

With ProcessUnity Vendor Risk Management, organizations stay ahead of risks to protect their high-value assets, sensitive data and business continuity. Automated tools for due diligence and ongoing monitoring enable a proactive approach to risk mitigation – allowing organizations to streamline every stage of the third-party risk lifecycle.  

To request a ProcessUnity Vendor Risk Management demo, visit https://www.processunity.com/request-vendor-risk-management-demo/