Manufacturing companies are particularly vulnerable to cyberattacks according to research released by IBM’s X-Force cybersecurity intelligence division. The data shows that last year manufacturing overtook the finance and insurance sectors as the most commonly targeted industry. Unfortunately, the situation seems to be growing worse as third party vendors expand the attack surface of manufacturing giants like Nissan and Toyota.
On January 17, Nissan North America began sending data breach notifications informing customers of a breach at a third-party service provider that exposed customer information. It is disclosed that 17,998 customers were affected by the breach. Nissan claims it received notice of a data breach from one of its software development vendors on June 21, 2022. The third party had received customer data from Nissan to use in developing and testing software solutions for the automaker, which was inadvertently exposed due to a poorly configured database.
Earlier this month, Toyota Kirloskar Motor (TKM) was notified by one of its service providers of an incident that might have exposed personal information of customers on the internet without disclosing the size of the data breach or number of customers affected. However, the extent of the intrusion is still unclear.
Toyota is no stranger to breaches. This data breach occurs in the wake of recent breaches and data leaks for the manufacturing giant. In February 2022, one of its suppliers suffered a cyberattack shutting down its production. Two weeks after Toyota Motor was forced to halt manufacturing at its plants in Japan following an attack on Kojima Industries Corp., another Toyota supplier. On September 15, 2022, Toyota Kirloskar Motor announced a data breach that may have exposed the data of up to 300,000 customers for a period of nearly five years. Toyota confirmed that a section of the source code for the T-Connect site had been posted on GitHub, a source code repository.
These incidents show us how difficult it is for organizations to protect their data assets these days. As per a recent Eureka Security study, almost 40% of survey respondents said they experienced a data breach. According to research from Ponemon Institute only 34% of organizations are confident their suppliers would notify them of a breach of their sensitive information. The report continues explaining why weak third-party security controls continue to be a chink in the armor for enterprises, as 59% of respondents confirm that their organizations have experienced a data breach caused by one of their third parties, with 54% occurring in the past 12 months.
Regardless of how developed your program is or how big the budget may be, it is always appropriate to take a step back and review the basics of cloud security and ensure your teams have the right tools to protect the data you own. This includes third-party vendors.
If you are managing a third party who is handling your organization's sensitive data, it is important for them to understand and adhere to the same guidelines as your organization to ensure the data is protected. Firstly, the third party should be aware that the data is sensitive and take appropriate measures to control access to it.
Additionally, the third party vendor should have a clear understanding of how long they are permitted to retain the data. Once the data is no longer needed, it should be securely deleted or destroyed to prevent any potential misuse. Lastly, they should have a minimum level of protection in place to ensure the data is protected.
In the event of a breach or security incident, the third party should have a clear incident response plan in place to minimize the impact of the incident and to notify the appropriate parties as soon as possible. A clearly defined data sharing agreement with the data owner that outlines the use case, security measures, data handling and data destruction is required. Overall, it is important for the third party to take responsibility for the security of the sensitive data and take all necessary steps to protect it from unauthorized access, breaches, or misuse.
If you are allowing third party access to sensitive data within your boundaries, it is important for third party vendors to understand the organization retains control and ownership of the data. This means that the organization can set and enforce access controls, monitor usage, and revoke access as necessary. The organization is still responsible for complying with any relevant laws, regulations, and industry standards that apply to the data even though the third party vendor may be utilizing it.
The manufacturing industry has become a prime target for data breaches. It is understandable that the security teams at Nissan, Toyota, and their respective third party vendors might feel a great sense of responsibility and disappointment following the data breaches at their companies. It is never easy to have to deal with the aftermath of a breach, and it can be especially difficult to handle the pressure when it is a high-profile incident. We understand that it can be overwhelming to think about the potential harm that a data breach can cause, but it's crucial to take proactive steps today to protect against third-party breaches that might happen tomorrow. We hope the tips above will help your organization on its journey to securing cloud data.