The Yahoo Breach & Vendor Access Reviews

Yahoo confirmed yesterday that personal information belonging to 500 million of its users was stolen in a 2014 breach of historic proportions.

The stolen data may have included email addresses, phone numbers, dates of birth, passwords (hashed, according to Yahoo) and security questions and answers. Yahoo said it is notifying users who may have been affected and prompting them to reset their passwords and secure their accounts.

The question vendor risk management teams should ask themselves today is: how many vendors have active access to corporate resources tied to a Yahoo account, whether as the login itself, as the mailbox that receives password-reset links, or as a place where the same password was reused? A stolen security question and answer is enough to take over a webmail account, and from there any corporate or vendor portal whose resets route through it. Granting vendors network access is a common necessity for most organizations, but as breaches grow in number and scope, that practice makes a proper, regularly scheduled vendor access review program a necessity rather than a nicety.

The Target breach, which exposed tens of millions of payment card records, is believed to have happened by this very route. It was reported that attackers entered Target's network using credentials stolen from an HVAC vendor that provided services to Target; the reported lesson was as much about what that vendor account could reach once inside as about how its password was stolen. The Target intrusion in late 2013 and the Yahoo theft in 2014 happened within a year of each other.

Access review is an important element of network security, but if you leave vendors out of it you will have big gaps. Securing a network is harder when you rely on outsourced suppliers: it is difficult to control how much access third parties have, how they deliver their service, and when that access is no longer needed. Often these users are not held to the same security standard as internal users. Outside parties sometimes get access to internal corporate resources without the scrutiny, password policy, and multi-factor requirements applied to employees, leaving the organization at risk.

To confirm that security procedures are in place and working, perform periodic access reviews whose specific goal is to find errors in provisioned access. For each vendor account, establish the who (which identity, and which person behind it, holds the account), the what (which resources it can reach, compared with what the contract actually justifies), and the when (when access was granted, when it was last used, and when the engagement ends). Running those checks on a schedule for your vendors could prevent their breach from becoming your breach.
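As an added example (not code from the original post), the who/what/when criteria above can be turned into a repeatable check over an export of vendor accounts. The roster, field names, domains and dates below are all constructed for illustration; in practice the records would come from your identity provider or vendor-management system.

```python
"""Vendor access review: flag accounts that fail the who/what/when criteria.

Added example, not from the original post. The roster, vendor names, resource
names and dates are constructed sample data, not real accounts.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# "Who": consumer webmail providers. A vendor logging in with one of these has
# an identity whose password resets and recovery questions live outside both
# your controls and the vendor's. (Hypothetical, non-exhaustive list.)
CONSUMER_MAIL_DOMAINS = {"yahoo.com", "gmail.com", "hotmail.com", "outlook.com", "aol.com"}


@dataclass
class VendorAccount:
    login: str                 # identity the vendor authenticates with
    vendor: str                # company the account belongs to
    granted: Set[str]          # resources currently provisioned ("what")
    entitled: Set[str]         # resources the contract or SOW justifies
    last_login: Optional[date]  # None means the account has never been used
    contract_end: date         # engagement end date ("when")


def review_account(acct: VendorAccount, today: date, stale_days: int = 90) -> List[str]:
    """Return the list of findings for one account (empty list means it passes)."""
    findings = []

    # Who: is the identity anchored in a consumer mailbox rather than the vendor's domain?
    domain = acct.login.rpartition("@")[2].lower()
    if domain in CONSUMER_MAIL_DOMAINS:
        findings.append(f"consumer webmail identity ({domain})")

    # What: does provisioned access exceed what the contract justifies?
    excess = acct.granted - acct.entitled
    if excess:
        findings.append(f"access beyond entitlement: {sorted(excess)}")

    # When: has the engagement ended, or has the account simply gone unused?
    if acct.contract_end < today:
        findings.append(f"contract ended {acct.contract_end.isoformat()}")
    if acct.last_login is None or (today - acct.last_login).days > stale_days:
        findings.append(f"no login in the last {stale_days} days")

    return findings


def review_roster(roster: List[VendorAccount], today: date, stale_days: int = 90) -> Dict[str, List[str]]:
    """Map each failing login to its findings; accounts with no findings are omitted."""
    report = {}
    for acct in roster:
        findings = review_account(acct, today, stale_days)
        if findings:
            report[acct.login] = findings
    return report


# Constructed sample data: four vendor accounts as of the day after the Yahoo announcement.
TODAY = date(2016, 9, 23)
SAMPLE_ROSTER = [
    # Yahoo-anchored identity, and holds VPN access the contract never called for.
    VendorAccount("hvac-tech@yahoo.com", "Acme HVAC", {"vpn", "bms-console"}, {"bms-console"},
                  date(2016, 9, 20), date(2017, 6, 30)),
    # Clean: vendor-domain identity, access matches entitlement, recently used, contract current.
    VendorAccount("ops@coolair-services.example", "CoolAir", {"bms-console"}, {"bms-console"},
                  date(2016, 9, 1), date(2017, 6, 30)),
    # Engagement ended months ago but the account was never deprovisioned.
    VendorAccount("auditor@ledger-partners.example", "Ledger Partners", {"erp-read"}, {"erp-read"},
                  date(2016, 3, 1), date(2016, 4, 30)),
    # Consumer identity, production SSH beyond the SOW, and never logged in at all.
    VendorAccount("contractor@gmail.com", "Solo Dev", {"git", "prod-ssh"}, {"git"},
                  None, date(2016, 12, 31)),
]


def run_sample() -> Dict[str, List[str]]:
    """Run the review over the constructed roster."""
    return review_roster(SAMPLE_ROSTER, TODAY)


if __name__ == "__main__":
    for login, findings in run_sample().items():
        print(login)
        for finding in findings:
            print("  -", finding)
```

Each finding maps to an action in the review: a consumer-webmail identity gets re-issued on the vendor's own domain (or behind your federation with MFA), excess access gets revoked down to the entitlement, an ended contract gets the account disabled, and a stale account gets the vendor asked whether it is still needed before it is removed.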