Con Watch: The New Danger of Supply Chain Attacks

Cybercriminals are exploiting vulnerabilities in third-party software used by major companies to steal customer information.

Steve Weisman is a lawyer, college professor, author, and one of the country’s leading experts in cybersecurity, identity theft, and scams.

In August, the accounting firm Ernst & Young disclosed that it had suffered a data breach affecting 30,210 customers of Bank of America for whom Ernst & Young had been doing accounting. The personal information stolen was quite extensive and included names, addresses, credit card numbers, account information, and Social Security numbers, which, in the wrong hands, can readily lead to identity theft.

The data breach at Ernst & Young, however, was not the result of its own computers being hacked directly by cybercriminals. Instead, the attackers exploited a vulnerability in MOVEit software used by Ernst & Young and by 620 other organizations, including American Airlines, TD Ameritrade, and Johns Hopkins University. Other users of the software can be assumed to have suffered data breaches as well, affecting an estimated 40 million people. This brings back memories of the 2020 SolarWinds supply chain security breach. SolarWinds provides system management software to 30,000 companies and government agencies. Hackers exploited a vulnerability in its software that, in turn, led to data breaches at thousands of governmental and private entities.

More recently the electric and gas utility company Eversource disclosed that 1.8 million of its customers were affected by a data breach in which their names, addresses, contact information, and more were compromised. Even worse, 11,000 of its customers involved in Eversource’s solar incentive program also had their Social Security numbers compromised.

Supply chain attacks target the third-party suppliers or vendors who provide software to the companies and government agencies that are the hackers’ real targets. By exploiting vulnerabilities in the third-party software, hackers are able to insert malware that bypasses the security defenses of the targeted companies.

Last year, there were more than 1,800 reported data breaches (and probably many more that were not reported) affecting 422 million people. The question is not if you will become a victim of a data breach. The question is when.

We are only as safe as the security of the companies, government agencies, and websites that we interact with. Even if you are extremely diligent in protecting your personal information, you can be in danger of identity theft and scams if your data falls into the hands of hackers.

Here is what you can do to protect yourself from these data breaches.

  1. Limit the amount of personal information that you provide to companies and websites whenever possible. For example, your doctor’s office doesn’t need your Social Security number for their records.
  2. Make sure that you have a unique password for each of your online accounts so that if one of your passwords is compromised, all of your accounts will not be in danger. If you suspect your password has been compromised, you should immediately change it.
  3. Make up nonsensical answers to security questions. Determined hackers can often guess the answers to common security questions used to verify accounts. For instance, your mother’s maiden name can be “firetruck.” It’s silly enough for you to remember, and no hacker will ever be able to guess it.
  4. Set up two-factor authentication for each of your accounts where it is available.
  5. Contact your cell phone service provider to set up a PIN that must be used whenever your SIM card is switched, as legitimately happens when you get a new phone. This protects you from SIM swapping.
  6. Never provide personal information or click on a link in any communication unless you have independently confirmed that the communication is legitimate.
  7. Put a credit freeze on your credit reports at all of the major credit reporting agencies.

Taking these steps can go a long way toward protecting you from the harm that can come from a data breach.