News is surfacing that Best Buy is the latest company to say that some customers’ payment information may have been exposed in a data breach of a third-party vendor that runs the retailer’s online chat services. This comes just days after Delta and Sears Holdings also revealed that customer data may have been compromised in a cyberattack on the same contractor, 7.ai.
Commenting on this, Sammy Migues, principal scientist at Synopsys, said: “Similar to the 2014 Home Depot and Target incidents, this cyberattack on one part of a software supply chain had direct consequences for others down the line. Even if the attackers were solely targeting 7.ai, the attack had direct consequences for their downstream clients. Incidents where the initial entry point is with a third-party supplier rather than the ultimate victim are becoming all too common.
“Vendor management programmes that include assessments of software security maturity and governance components are specifically designed for these scenarios: to identify and address potential weak links in a cyber supply chain. A good vendor management programme would have highlighted that as a possibility and got people working on robust platforms and software.
“Risk assessments by acquirers must highlight software and vendors upon which they are critically dependent, and that should drive some serious conversations about whether the vendor’s security posture can be allowed to affect the acquirer’s bottom line. Of course, if an acquirer has no software security initiative, they’ll probably not think to ask whether the vendor has one.”