UK police cyberattack stark reminder of vendor vulnerability

Cyber criminals use back-door suppliers cyberattack to spread alarm through Britain's biggest police force

News that the UK’s largest regional police force, the Metropolitan Police, has been the subject of a supply chain cyber attack is yet another reminder to organisations that third-party vendors remain a huge area of cyber vulnerability.

Know as ‘The Met’, the force employees 35,000 police and civilian staff, and remains on high alert following a security breach involving the IT system of one of its suppliers.

The vendor in question has access to names, ranks, photos, vetting levels and pay numbers for officers and staff, but not personal information such as addresses, phone numbers and financial details, a Met spokesperson said.

The spokesperson was unable to say when the breach occurred or how many personnel could be affected.

Rick Prior, Vice Chair of the Metropolitan Police Federation, which represents staff, said: “Officers are out on the streets of London undertaking some of the most difficult and dangerous roles imaginable to catch criminals and keep the public safe.

“To have their personal details potentially leaked into the public domain will cause incredible concern and anger. This is a staggering security breach that should never have happened."

Staggering, but all too common.

Back door cyber attacks all too common

Another notable recent back-door incident was the MOVEit cyberattack, which saw a ransomware gang hack into multiple company networks and steal data. The vulnerability was first flagged by MOVEit on May 31. The company deployed a patch to fix the vulnerability on the same day.

MOVEit is a managed file transfer software service that encrypts files and uses secure File Transfer Protocols to transfer data. It also provides automation services, analytics and failover options.

Organisations to have suffered data breaches as a result of the hack include accounting firm PwC, professional services company Aon, the BBC, British Airways, Aer Lingus, Boots, Shell, Siemens Energy, Schneider Electric, UCLA, Sony, EY, PwC, Conizant and AbbVie.MOVEit was used by most of these companies to transfer payroll information, which means data taken by the Russian hackers has the potential to impact millions of people.

Supply chains provide a huge surface area for cyber criminals to target, because they often comprise thousands of vendors, many of which might be vulnerable to cyber attacks. 

As with The Met and MOVEIT, hackers often target such vendors as a means of gaining access into a larger company – the so-called back-door attack.

Suppliers often entry point for malware & ransomeware

Supply vendors are often the entry point for malware, ransomware or denial of service attacks, which then work their way upstream or downstream to the larger organisation itself.

In the event that a supplier or third party is subject to a cyberattack that means they are unable to deliver key products or services, this can become a big problem very quickly and may impact business continuity. 

Internally, the biggest cyber threats come from suppliers or other third parties who have access to an organisation's IT networks. 

Externally, the biggest threat is from third-party organisations who perform a critical business process or deliver a key product to the first party. 

Share

Featured Articles

The Global P&SC Awards: One Month Until Submissions Close

Just one more month until submissions close for The Global Procurement & Supply Chain Awards in 2024

Top 100 Women 2024: Susan Johnson, AT&T – No. 6

Supply Chain Digital’s Top 100 Women in Supply Chain honours AT&T’s Susan Johnson at Number 6 for 2024

WATCH: Ivalua and PwC Navigate the Future of Procurement

In this on-demand webinar, leaders from PwC and Ivalua examine key findings from the consulting giant’s Global Digital Procurement Survey 2024

Top 100 Women 2024: Karen Jordan, PepsiCo – No. 5

Digital Supply Chain

P&SC LIVE New York: Patricia Mendoza Rodriguez – VP

Procurement

One More Month to Go: Procurement & Supply Chain LIVE Dubai

Digital Supply Chain