venturebeat.com
192.0.66.2  Public Scan

Submitted URL: http://t.rsbn4.com/t.aspx/subid/993822770/camid/1819258/linkid/16995201/Default.aspx
Effective URL: https://venturebeat.com/security/gemini-uber-data-breaches/
Submission: On February 01 via manual from PH — Scanned from DE

Form analysis 1 forms found in the DOM

GET https://venturebeat.com/

<form method="get" action="https://venturebeat.com/" class="search-form" id="nav-search-form">
  <input id="mobile-search-input" class="" type="text" placeholder="Search" name="s" aria-label="Search" required="">
  <button type="submit" class="">
    <svg width="24" height="24" viewBox="0 0 24 24" fill="none" xmlns="http://www.w3.org/2000/svg">
      <g>
        <path fill-rule="evenodd" clip-rule="evenodd"
          d="M14.965 14.255H15.755L20.745 19.255L19.255 20.745L14.255 15.755V14.965L13.985 14.685C12.845 15.665 11.365 16.255 9.755 16.255C6.16504 16.255 3.255 13.345 3.255 9.755C3.255 6.16501 6.16504 3.255 9.755 3.255C13.345 3.255 16.255 6.16501 16.255 9.755C16.255 11.365 15.665 12.845 14.6851 13.985L14.965 14.255ZM5.255 9.755C5.255 12.245 7.26501 14.255 9.755 14.255C12.245 14.255 14.255 12.245 14.255 9.755C14.255 7.26501 12.245 5.255 9.755 5.255C7.26501 5.255 5.255 7.26501 5.255 9.755Z">
        </path>
      </g>
    </svg>
  </button>
</form>

Text Content




GEMINI, UBER DATA BREACHES SHOW THIRD-PARTY RISK CAN’T BE IGNORED 

Tim Keary (@tim_keary)
December 16, 2022 10:37 AM



Third-party risk is one of the most overlooked threats in enterprise security.
Research shows that over the past 12 months, 54% of organizations have suffered
data breaches through third parties. This week alone, both Uber and
cryptocurrency exchange Gemini have been added to that list.

Most recently, Gemini suffered a data breach after hackers breached a
third-party vendor’s systems and gained access to 5.7 million emails and
partially obfuscated phone numbers.  

In a blog post reflecting on the breach, Gemini acknowledged that while no
account information or systems were impacted as a result, some customers may
have been targeted by phishing campaigns following the breach. 



While the information exposed in the Gemini breach is limited to emails and
partial phone numbers, the hack highlights that targeting third-party vendors is
a reliable way for threat actors to gather information to use in social
engineering scams and other attacks. 


WHY THIRD PARTIES ARE AN EASY TARGET FOR DATA BREACHES

In the case of the Uber breach, hackers first gained access to Teqtivity’s
internal systems and an AWS server, before exfiltrating and leaking the account
information and Personally Identifiable Information (PII) of roughly 77,000 Uber
employees.



Although the Uber and Gemini breaches are separate incidents, the two
organizations have been left to pick up the pieces and run damage control after
a third-party vendor’s security protections failed. 



“In the grand scheme of things, lost email addresses aren’t the worst data
element to be used; however, it is a stark reminder that enterprises are still
going to take heat for breaches that (allegedly) occur with their third-party
vendors,” said Netenrich principal threat hunter John Bambenek. 

When considering these incidents amid the wider trend of third-party breaches,
it appears that threat actors are well aware that third-party vendors are a
relatively simple entry point to downstream organizations’ systems. 

After all, an organization not only has to trust their IT vendors’ security
measures and hand over control of their data, they also have to be confident
that the vendors will report cybersecurity incidents when they occur. 

Unfortunately, many organizations are working alongside third-party vendors they
don’t fully trust, with only 39% of enterprises confident that a third party
would notify them if a data breach originated in their company. 


THE RISKS OF LEAKED EMAILS: SOCIAL ENGINEERING 



Although email addresses aren’t as damaging when released as passwords or
intellectual property, they do provide cybercriminals with enough information to
start targeting users with social engineering scams and phishing emails. 

“While this specific instance [the Gemini breach] involves a cryptocurrency
exchange, the takeaway is that of a much more general problem [with] threat
actors gaining target information (emails, phone numbers) and some context on
that information (they all use a specific service) to make it relevant,” said
Mike Parkin, senior technical engineer at cyber risk remediation provider Vulcan
Cyber. 

“Random emails are fine if you are shotgunning Nigerian Prince scams, but to
deliver more focused cast-net attacks that target a specific organization or
user community, having that context is threat-actor gold,” Parkin said.

In the future, fraudsters will be able to use these email addresses to draw up
highly targeted phishing campaigns and crypto scams to try to trick users into
logging into fake exchange sites or handing over other sensitive information.


THE ANSWER: THIRD-PARTY RISK MITIGATION 



One way organizations can begin to mitigate third-party risk is to review vendor
relationships and assess the impact they have on the organization’s security
posture. 

“Organizations need to understand where they could be exposed to vendor-related
risk and put in place consistent policies for re-evaluating those
relationships,” said Bryan Murphy, senior director of consulting services and
incident response at CyberArk. 

At a fundamental level, enterprises need to start considering third-party
vendors as an extension of their business, and take ownership so that necessary
protections are in place to secure data assets. 

For Bambenek, the most practical way CISOs can do this is to embed security at
the contract level.

“CISOs need to make sure at least their contracts are papered to impose
reasonable security requirements and they use third-party risk monitoring tools
to assess compliance. The more sensitive the data, the stronger the requirements
and monitoring need to be,” said Bambenek.

While these measures won’t eliminate the risks of working with a third party
entirely, they will afford organizations additional protections and highlight
that they’ve done their due diligence in protecting customer data. 


© 2023 VentureBeat. All rights reserved.