DoorDash, a $4 Billion company which enables small businesses to provide their customers with local delivery services, announced on Sep 26 a breach of financial and other private data of almost five million customers. According to DoorDash, the customers whose data was stolen were limited to those who created accounts prior to April 5, 2018, though not every consumer who joined prior to April 5 was affected. Those who were had their name, email, delivery addresses, order history, and phone numbers stolen. Further, over 100,000 delivery workers had their driver’s license information stolen, and both delivery workers and merchants had the last four digits of their bank account numbers stolen.
This article’s purpose is not to take shots at DoorDash. Many organizations today struggle to keep sensitive data secure despite rigorous attention and extensive effort. DoorDash is merely a high profile company that recently announced a breach, and there are a number of items reported in the TechCrunch article about the breach that should grab your attention if your organization handles sensitive data and depends on services and products provided by vendors.
Surprises and Mistakes
There are three things that might surprise you about the incident, even though they really shouldn’t. Other details that surface after analyzing the incident point to six common mistakes made in managing vendor risk.
Surprise #1 – DoorDash unaware for five months
DoorDash claims this most recent breach occurred on May 5, 2019, which means they were unaware for nearly five months. If that sounds like a long time, you will be surprised to learn that five months is actually less than the average. A study by the Ponemon Institute on behalf of IBM found the average time required to identify a data breach is currently 197 days — almost six and a half months!
It gets worse. The study also found that the average time required to contain a data breach after it’s discovered is another sixty-nine days. That’s 266 days — almost nine months — from the occurrence of the breach to its containment. Serious damage can be done in nine days — or even nine hours. It’s obvious that the industry average of nearly nine months for detection and containment needs to shrink dramatically!
In this enormous time gap, hackers and thieves are able to take their data loot to the black market and make their deals with no one the wiser. That data is disseminated and combined with other sources, and then used against the ultimate victims – the individual customers, patients, or employees. Some of these individual victims eventually notice, and each begins to sound their alarm bell. Too often it is only when enough small alarm bells join to form a persistent and loud enough noise to alert the original breached company that enough dots are connected to draw a line to the source. Too many customers, patients, and employees will continue to suffer from these breaches until organizations are able to dramatically improve the average time to detect an incident or breach. Since organizations exist because of these customers, patients, and employees, you might think that most organizations are focusing their resources on incident detection. But, as you will see in the common mistakes section in this article, you will be surprised!
Surprise #2 – Vendor responsible for the breach
DoorDash is pinning the blame on one of its vendors. DoorDash spokesperson Mattie Magdovitz blamed the breach on “a third-party service provider,” but the third-party was not named. According to Crunchbase, DoorDash employs eighty-nine other technology products and services in its company technology stack, and forty-nine active technologies on its website. This is not an unusual number, as Grubhub – a competitor for DoorDash – uses sixty-three in its company technology stack and eighty-eight technologies on its website.
Due to increasing specialization in the information technology industry, and the efficiency and effectiveness it brings to technology solutions, it shouldn’t be a surprise that vendors are also increasingly the cause of breaches. According to Yahoo! Finance, in a recent survey by Ponemon of over 1,000 information security professionals in the United States and United Kingdom, fifty-nine percent of respondents confirm that their organizations experienced a data breach caused by a third party or vendor. And while vendor dependence is growing rapidly, confidence among IT security professionals is decidedly not. According to the same survey, only 16 percent say their organizations are highly effective in mitigating third party risks.
Surprise #3 – Another DoorDash incident twelve months prior
It’s ironic that DoorDash experienced a security incident a year earlier, almost to the day. Below is more information about the earlier incident.
A number of DoorDash customers complained that their accounts were hacked on September 25, 2018. At the time, TechCrunch interviewed a dozen or so affected customers from that incident. Some of their responses conflicted with DoorDash’s official explanation that the incident was wholly due to hackers getting access to some users’ commonly used passwords by hacking another site, and then in turn using them on the DoorDash site (credential stuffing). This explanation dealing with the September 2018 incident, according to DoorDash, was verified by a third-party forensic firm.
The TechCrunch interviews, however, seem to rule out credential stuffing as the sole explanation, at least for some of the users interviewed. The TechCrunch reporter from the earlier incident in September 2018 states: “But six people we spoke to said that their password was unique to DoorDash, and three confirmed they used a complicated password generated by a password manager…when asked, DoorDash could not explain how six accounts with unique passwords were breached.”
The information TechCrunch elicited from a few of DoorDash’s customers should have been viewed as a favor that might have helped DoorDash understand the incident and the possible risk more fully. It’s unclear from the September 2018 article whether it caused DoorDash to do any further investigation, or whether they dismissed the idea that the incident was caused by something other than their official explanation. DoorDash probably has not yet finished its investigation into the more recent breach. The two may never prove to be related. But if we learn that they were related, will you be surprised?
Six Common Mistakes
DoorDash is probably still analyzing and responding to the breach they just announced in late September. We don’t know what mistakes were made in either incident. A good dose of humility is in order, because incidents and breaches can happen even to companies that have very aggressive and comprehensive risk management programs and tools in place. Nevertheless, certain aspects about what we do know about these incidents highlight six common vendor risk management mistakes organizations often make, and a few more surprises.
Mistake #1 – Not maintaining a comprehensive list of your vendors
This may strike you as so obvious that it seems silly to note at all, much less cite as mistake number one. However, you will be surprised to learn that “nearly two-thirds of IT security professionals surveyed stated that their organizations do not maintain a comprehensive list of third-party vendors and dependencies.” (Yahoo! Finance, November 21, 2018)
If you estimate that your organization only depends on a few vendors, you may not believe it is too difficult to establish and maintain an accurate and comprehensive list. Until you do a thorough inventory, though, you may be setting yourself up for an unwelcome surprise at just how many vendor dependencies you really have. In fact, some organizations discover that they depend on many hundreds of vendors, with new ones being added and others dropping off routinely.
When your vendor dependencies reach any kind of scale, merely maintaining a current, accurate, and comprehensive list of which vendors handle what sensitive data, or introduce technology which might compromise certain sensitive data, and which do not, represents a herculean task. It’s especially daunting if your organization is like most and does not have a comprehensive list of vendor dependencies: just getting one established seems very labor and time intensive when you estimate that you may be starting from an existing accounts payable report of fifty, 500, or even 5,000 current active vendors to comb through and classify.
Mistake #2 – Not evaluating risks from vulnerabilities introduced by your vendors
It’s natural when evaluating a vendor to focus on the capabilities and resulting improved performance or bottom-line impact its product or service brings to your organization. On average, relatively less energy is expended in evaluating risks from vulnerabilities introduced by vendors. This is critical, because a vendor during the sales process will rarely bring up the vulnerabilities it introduces to your organization — that’s your responsibility.
Yet the majority of organizations are not systematically shouldering that responsibility. According to an August 2017 Ponemon study sponsored by F5, only twenty-seven percent of IT executives who play the senior information security role for their company “have established a direct communication channel between the organizations’ security program and management responsible for contracts and procurement.” Security, whether intentional or not, is effectively an afterthought. This results in a huge business process gap — and a fundamental mistake — that is very common: seventy-three percent of the time.
In the context of information technology, software developers and IT professionals naturally focus on finding a tool, a piece of equipment, an application, or a code library that solves a problem or helps simplify adding a new feature. Your organization must also adopt the discipline that the discovery of the solution is merely the first step in determining whether to incorporate the new dependency. Your organization must maintain a culture where a new vendor dependency is thoroughly researched, learned, and discussed as to what vulnerabilities it may bring once incorporated. Preferably this happens prior to the contract or the service adoption, so those vulnerabilities can be more easily mitigated and baked into any agreement. But even post adoption, vulnerabilities need to be systematically searched for and discovered, and persistently tracked and tested.
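Mistake #1 (no comprehensive vendor list) and Mistake #2 (no security evaluation of the vendors you do have) are usually discovered the same way: by reconciling the registers different departments already keep. The script below is an added example, not code from this article, DoorDash, or ConfidentVMS. It merges three constructed sample registers (an accounts payable export, an engineering data-flow register, and a security-review register; all vendor names, IDs, dates and data classes are made up) and reports the gap categories the two sections describe: paid vendors nobody has classified, vendors engineering uses that finance has never seen, and vendors receiving sensitive data with no review, a stale review, or no security clause in the contract. The review age limit of 365 days is an assumed policy value, not one the article states.

```python
import csv
import io
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# --- Constructed sample inputs (hypothetical, not real vendor data) -------
# 1. Accounts payable export: every vendor finance pays.
AP_EXPORT_CSV = """vendor_id,vendor_name,category
V001,CloudMail Inc,email delivery
V002,MapTiles Co,geocoding
V003,PayProc LLC,payment processing
V004,OfficeSnacks,catering
V005,Analytix,analytics SDK
"""

# 2. Engineering data-flow register: which vendor receives which data classes.
#    V006 runs on a free tier, so finance never sees an invoice for it.
DATA_FLOWS_CSV = """vendor_id,vendor_name,data_classes
V001,CloudMail Inc,email;name
V002,MapTiles Co,delivery_address
V003,PayProc LLC,bank_account_last4;name
V005,Analytix,order_history;device_id
V006,FreeCrashReporter,device_id;email
"""

# 3. Security-review register: last review date and whether the contract
#    carries a security / breach-notification clause.
REVIEWS_CSV = """vendor_id,review_date,security_clause
V001,2018-03-10,yes
V003,2019-02-01,yes
V005,2019-06-15,no
"""

# Data classes the article lists as stolen, treated here as "sensitive".
SENSITIVE_CLASSES = {
    "name", "email", "phone", "delivery_address", "order_history",
    "drivers_license", "bank_account_last4",
}


@dataclass
class Vendor:
    vendor_id: str
    name: str
    in_ap_export: bool = False
    in_flow_register: bool = False
    data_classes: set = field(default_factory=set)
    review_date: Optional[date] = None
    security_clause: Optional[bool] = None

    @property
    def handles_sensitive(self) -> bool:
        return bool(self.data_classes & SENSITIVE_CLASSES)


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def build_inventory(ap_csv, flows_csv, reviews_csv):
    """Merge the three registers into one Vendor record per vendor_id."""
    vendors = {}
    for row in _rows(ap_csv):
        v = vendors.setdefault(row["vendor_id"], Vendor(row["vendor_id"], row["vendor_name"]))
        v.in_ap_export = True
    for row in _rows(flows_csv):
        v = vendors.setdefault(row["vendor_id"], Vendor(row["vendor_id"], row["vendor_name"]))
        v.in_flow_register = True
        v.data_classes |= {c for c in row["data_classes"].split(";") if c}
    for row in _rows(reviews_csv):
        v = vendors.get(row["vendor_id"])
        if v is None:
            continue  # review for a vendor no register lists any more
        v.review_date = date.fromisoformat(row["review_date"])
        v.security_clause = row["security_clause"].strip().lower() == "yes"
    return vendors


def find_gaps(vendors, today, max_review_age_days=365):
    """Sort vendors into the gap categories; each value is a sorted id list."""
    gaps = {
        "unclassified": [],           # paid, but no record of what data it gets
        "shadow": [],                 # used by engineering, unknown to finance
        "sensitive_unreviewed": [],   # gets sensitive data, never reviewed
        "sensitive_stale_review": [], # reviewed longer ago than policy allows
        "sensitive_no_clause": [],    # sensitive data, contract lacks clause
    }
    for v in sorted(vendors.values(), key=lambda x: x.vendor_id):
        if v.in_ap_export and not v.in_flow_register:
            gaps["unclassified"].append(v.vendor_id)
        if v.in_flow_register and not v.in_ap_export:
            gaps["shadow"].append(v.vendor_id)
        if not v.handles_sensitive:
            continue
        if v.review_date is None:
            gaps["sensitive_unreviewed"].append(v.vendor_id)
        elif (today - v.review_date).days > max_review_age_days:
            gaps["sensitive_stale_review"].append(v.vendor_id)
        if v.security_clause is not True:
            gaps["sensitive_no_clause"].append(v.vendor_id)
    return gaps


def gap_report(today_iso, max_review_age_days=365):
    """Run the merge and gap check over the sample registers for a given date."""
    inv = build_inventory(AP_EXPORT_CSV, DATA_FLOWS_CSV, REVIEWS_CSV)
    return find_gaps(inv, date.fromisoformat(today_iso), max_review_age_days)


if __name__ == "__main__":
    for category, ids in gap_report("2019-09-26").items():
        print(f"{category:24s} {ids}")
```

The point of keeping three inputs rather than one master spreadsheet is that each register is owned by the team that actually knows its column: finance knows who is paid, engineering knows what data leaves the building, security knows what was reviewed. The reconciliation, not any single list, is what exposes the vendor that is paid but never classified, or the one that handles customer email but has no contract clause. In a real deployment the three CSVs would be exported from the respective systems and the job run on a schedule, so new and dropped vendors surface within days instead of at the next audit.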
Wait. Where are mistakes 3-6?
We will send you the full article with all six mistakes as a link, and as a downloadable PDF, if you will kindly send us your email address using the form below. (Your contact information will not be sold nor shared with anyone else).
Written by: Curtis Jones (LinkedIn)
With over 25 years of experience leading healthcare information technology companies, Curtis helps leaders at healthcare organizations and their vendors manage their shared risk effectively, efficiently, and cooperatively.
About us: ConfidentVMS helps healthcare organizations reduce the resources required to lower vendor security risk, increase compliance, and achieve and maintain vendor HIPAA OCR audit readiness. Contact us for more information or to request a demo.