Fourth-Party Risk: Breach at Service Provider Exposes Google Employee Data


Google last week began notifying an undisclosed number of employees that their names, contact information and payment card data may have been exposed as a result of a security incident.

Crucially, as the company pointed out in its notification letter [PDF] to those affected, "This did not affect Google's systems. However, this incident impacted one of the travel providers used by Googlers, Carlson Wagonlit Travel (CWT)."

But CWT itself wasn't breached either -- CWT's data was exposed in a larger breach of travel technology company Sabre's SynXis Central Reservations System (CRS), which was disclosed two months ago.

Since neither Google nor CWT was breached directly, this wasn't a third-party breach but a fourth-party one -- Google was working with third-party vendor CWT, which in turn relied on Sabre's SynXis CRS.

Looking for Weak Links

In its notification letter, Google explained that Sabre had notified CWT that an unauthorized attacker had gained access to some of CWT's hotel reservations made through Sabre's SynXis CRS.

"CWT subsequently notified Google about the issue on June 16, 2017, and we have been working with CWT and Sabre to confirm which Google travelers were affected," the company stated.

Google employees who made hotel reservations between August 10, 2016 and March 9, 2017 may have been affected, potentially exposing names, contact information and payment card data. "However, because the SynXis CRS deletes reservation details 60 days after the hotel stay, we are not able to confirm the specific information associated with every affected reservation," Google noted.

CyberGRX CEO Fred Kneip told eSecurity Planet by email that the Google breach shows how difficult it is for companies to determine which vendors pose the greatest cyber risk to their organizations.

"A company the size of Google, whose reputation depends in large part on its ability to keep data secure, has thousands of third parties in its digital ecosystem," Kneip said. "Attackers are clearly focused on the weakest links within those ecosystems -- third parties like HVAC vendors and travel agencies -- in order to do real damage."

Auditing Your Vendors

Regardless of which business function you may be outsourcing, it's always advisable to audit all third-party service providers that have access to your critical business data -- including sensitive employee information.
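To make the transitive exposure concrete, here is an added example (not code from the article, Google, CWT or Sabre) that models a vendor inventory as a graph and asks which of an organisation's data classes a breach at any downstream party can reach, and which affected reservations can still be confirmed given the 60-day purge. The inventory, the data classes and the 2017-06-16 confirmation cut-off are constructed assumptions built from the chain and dates quoted above.

```python
from collections import deque
from datetime import date, timedelta

# Constructed vendor inventory modelled on the chain in the article:
# Google -> CWT (third party) -> Sabre SynXis CRS (fourth party).
# Each entry maps a party to the data classes it handles and the sub-processors it relies on.
INVENTORY = {
    "Google": ({"name", "contact_info", "payment_card", "hr_record"}, ["CWT"]),
    "CWT": ({"name", "contact_info", "payment_card", "itinerary"}, ["SynXis CRS"]),
    "SynXis CRS": ({"name", "contact_info", "payment_card"}, []),
}


def downstream_paths(inventory, root):
    """Map every vendor reachable from `root` to the path of parties the data passes through."""
    paths = {}
    queue = deque([[root]])
    while queue:
        path = queue.popleft()
        for sub in inventory.get(path[-1], (set(), []))[1]:
            if sub not in paths:
                paths[sub] = path + [sub]
                queue.append(paths[sub])
    return paths


def exposure_from_breach(inventory, root, breached):
    """Tier (1 = third party, 2 = fourth party, ...) and the data classes of `root`
    that can reach `breached`: only data every party on the path handles is forwarded."""
    path = downstream_paths(inventory, root).get(breached)
    if path is None:
        return None
    exposed = set(inventory[root][0])
    for party in path[1:]:
        exposed &= inventory[party][0]
    return {"tier": len(path) - 1, "path": path, "data_classes": sorted(exposed)}


# Exposure window from the notification: reservations made 2016-08-10 .. 2017-03-09.
# The CRS purges details 60 days after the stay; assumption: confirmation started on
# 2017-06-16 (the date CWT notified Google), so records purged before then cannot be confirmed.
WINDOW = (date(2016, 8, 10), date(2017, 3, 9))
RETENTION = timedelta(days=60)
CONFIRMATION_DATE = date(2017, 6, 16)


def classify_reservation(booked, stay_end):
    """Triage one reservation: outside the window, still confirmable, or already purged."""
    if not WINDOW[0] <= booked <= WINDOW[1]:
        return "outside_window"
    return "confirmable" if stay_end + RETENTION >= CONFIRMATION_DATE else "purged_unconfirmable"
```

The same inventory walk works for deeper chains (fifth-party and beyond) and for any data class you record against each party.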

A recent Bomgar survey of 608 IT professionals found that an average of 181 vendors are granted access to a company network. Sixty-seven percent of survey respondents have already experienced a data breach that was either definitely or possibly linked to a third-party vendor.

"Security professionals must balance the business needs of those accessing their systems -- whether insiders or third parties -- with security," Bomgar CEO Matt Dircks said in a statement.

"As the vendor ecosystem grows, the function of managing privileged access for vendors will need to be better managed through technology and processes that provide visibility into who is accessing company networks, and when, without slowing down business processes," Dircks added.

A recent eSecurity Planet article offered advice on how to mitigate fourth-party risks.