UK police cyberattack stark reminder of vendor vulnerability

News that the UK’s largest regional police force, the Metropolitan Police, has been the subject of a supply chain cyber attack is yet another reminder to organisations that third-party vendors remain a huge area of cyber vulnerability.

Know as ‘The Met’, the force employees 35,000 police and civilian staff, and remains on high alert following a security breach involving the IT system of one of its suppliers.

The vendor in question has access to names, ranks, photos, vetting levels and pay numbers for officers and staff, but not personal information such as addresses, phone numbers and financial details, a Met spokesperson said.

The spokesperson was unable to say when the breach occurred or how many personnel could be affected.

Rick Prior, Vice Chair of the Metropolitan Police Federation, which represents staff, said: “Officers are out on the streets of London undertaking some of the most difficult and dangerous roles imaginable to catch criminals and keep the public safe.

“To have their personal details potentially leaked into the public domain will cause incredible concern and anger. This is a staggering security breach that should never have happened."

Staggering, but all too common.

Back door cyber attacks all too common

Another notable recent back-door incident was the MOVEit cyberattack, which saw a ransomware gang hack into multiple company networks and steal data. The vulnerability was first flagged by MOVEit on May 31. The company deployed a patch to fix the vulnerability on the same day.

MOVEit is a managed file transfer software service that encrypts files and uses secure File Transfer Protocols to transfer data. It also provides automation services, analytics and failover options.

Organisations to have suffered data breaches as a result of the hack include accounting firm PwC, professional services company Aon, the BBC, British Airways, Aer Lingus, Boots, Shell, Siemens Energy, Schneider Electric, UCLA, Sony, EY, PwC, Conizant and AbbVie.MOVEit was used by most of these companies to transfer payroll information, which means data taken by the Russian hackers has the potential to impact millions of people.

Supply chains provide a huge surface area for cyber criminals to target, because they often comprise thousands of vendors, many of which might be vulnerable to cyber attacks. 

As with The Met and MOVEIT, hackers often target such vendors as a means of gaining access into a larger company – the so-called back-door attack.

Suppliers often entry point for malware & ransomeware

Supply vendors are often the entry point for malware, ransomware or denial of service attacks, which then work their way upstream or downstream to the larger organisation itself.

In the event that a supplier or third party is subject to a cyberattack that means they are unable to deliver key products or services, this can become a big problem very quickly and may impact business continuity. 

Internally, the biggest cyber threats come from suppliers or other third parties who have access to an organisation's IT networks. 

Externally, the biggest threat is from third-party organisations who perform a critical business process or deliver a key product to the first party.