Tag

Third-Party Risk

Covers the cybersecurity risks introduced by vendors, contractors, and partner organizations that access your systems or data. Provides guidance on third-party risk assessments, monitoring frameworks, and contractual security requirements.

posts

Supply Chain Attack Examples

Supply Chain Attack Examples That Changed Cybersecurity

A Trusted Software Update Became the Biggest Backdoor in History In December 2020, FireEye disclosed that threat actors had compromised SolarWinds Orion — a network monitoring platform used by 33,000 organizations, including multiple U.S. federal agencies. The attackers embedded malicious code into a routine software update. Every organization that

Carl B. Johnson Apr 05, 2026 5 min read
Supply Chain Attacks

Supply Chain Attack Examples That Reshaped Cybersecurity

In December 2020, cybersecurity firm FireEye disclosed that a threat actor had compromised SolarWinds' Orion software update mechanism, distributing malware to roughly 18,000 organizations — including the U.S. Treasury, the Department of Homeland Security, and Fortune 500 companies. The attackers didn't break down the front door.

Carl B. Johnson Mar 05, 2025 7 min read
Vendor Risk Management

Vendor Risk Management Cybersecurity: A Practical Guide

The Breach That Didn't Start With You In February 2024, Change Healthcare — a subsidiary of UnitedHealth Group — suffered a ransomware attack that disrupted healthcare payment processing across the entire United States for weeks. The threat actor didn't breach UnitedHealth directly. They compromised a vendor system that

Carl B. Johnson Feb 28, 2025 8 min read
Cybersecurity Due Diligence

Cybersecurity Due Diligence: What Most Companies Skip

The $350 Million Acquisition That Fell Apart Over a Data Breach When Verizon moved to acquire Yahoo in 2017, the deal was nearly complete. Then Yahoo disclosed two massive data breaches affecting all three billion user accounts. Verizon knocked $350 million off the purchase price. That single failure in cybersecurity

Carl B. Johnson Feb 28, 2025 8 min read
Supply Chain Attack Examples

Supply Chain Attack Examples: 7 Breaches That Changed Security

In December 2020, security firm FireEye discovered that SolarWinds — a company most people had never heard of — had been compromised by a threat actor who injected malicious code into a routine software update. That single update shipped to roughly 18,000 organizations, including the U.S. Treasury, the Department of

Carl B. Johnson Jun 08, 2023 7 min read
Vendor Risk Management

Vendor Risk Management Cybersecurity: A Practical Guide

The Breach That Didn't Start With You In January 2023, Mailchimp disclosed its second breach in under a year — this time through a social engineering attack on an employee. But the real damage radiated outward. Every company using Mailchimp as a vendor suddenly had a problem they didn't

Carl B. Johnson Jun 08, 2023 7 min read
Cybersecurity Due Diligence

Cybersecurity Due Diligence: What It Really Takes

The $350 Million Lesson Marriott Learned After Closing the Deal When Marriott acquired Starwood Hotels in 2016, the deal looked like a hospitality industry win. What nobody caught during cybersecurity due diligence was that Starwood's reservation system had been compromised since 2014. The breach wasn't discovered

Carl B. Johnson Jun 06, 2023 7 min read
Supply Chain Attack Examples

Supply Chain Attack Examples That Changed Cybersecurity

The Attack That Hit 18,000 Organizations at Once In December 2020, security firm FireEye disclosed that it had been breached — and that the attack vector traced back to a routine software update from SolarWinds, a trusted IT management vendor. Within days, the scope became staggering: up to 18,000

Carl B. Johnson Oct 01, 2021 7 min read
Cybersecurity Due Diligence

Cybersecurity Due Diligence: What Most Companies Skip

When Marriott acquired Starwood Hotels in 2016, the deal looked solid on paper. Two years later, Marriott disclosed that hackers had been inside Starwood's reservation system since 2014 — exposing the personal data of up to 500 million guests. The breach predated the acquisition. The liability didn't.

Carl B. Johnson Sep 23, 2021 7 min read
Supply Chain Attacks

Supply Chain Attack Examples That Changed Cybersecurity

In December 2020, security firm FireEye discovered that a routine software update from SolarWinds had been weaponized to infiltrate roughly 18,000 organizations — including the U.S. Treasury, the Department of Homeland Security, and multiple Fortune 500 companies. The attackers didn't kick down the front door. They walked

Carl B. Johnson Sep 07, 2020 7 min read