A monthly Information Security publication for the WPI community.

This month's focus is COMPROMISED VENDORS. A compromised vendor is an organization's vendor or business partner that is attacked in a way that exposes its customers' sensitive data. This may also be referred to as a third-party data breach. The graphic below shows an example of a compromised vendor.

Picture of falling dominoes. Left ones are labeled software provider. Middle ones are labeled large organization. Right ones are labeled organization's clients.

Industry experts estimate that about 60 percent of all data breaches happen via third-party vendors.

How to Prevent Third-Party Vendor Data Breaches (RiskOptics)

In this issue: 

  • Compromised Vendors
  • Business Email Compromise
  • Vendor Security at WPI
  • Massachusetts Cybersecurity Crime Statistics
  • Learning with Laughter
  • From Our CISTO: Caller ID Spoofing
  • Where to Find Information Security?  At a Webinar!
  • Meet an Information Security Student Worker!
  • Featured Videos & In the News
  • Diversity in Cybersecurity
  • Coming Next Month...

At a former workplace of mine, a scammer impersonated the email address of one of our business partners. They sent a deceptive email requesting a payment to be transferred to an out-of-state bank account. Thankfully, the recipient bank detected the unusual activity—a substantial payment being sent to a newly established account—and placed a hold on the funds. Due to the bank's proactive measures, we managed to retrieve our funds.

Compromised Vendors

Vendors who have a large number of customers are an attractive target for cybercriminals. If they can successfully impersonate a vendor, then they can persuade multiple organizations to pay them or provide sensitive information.

This infographic compares third-party breaches in 2022 and 2023.

Infographic from Black Kite showing that in 2022, 63 third-party breaches led to 298 cascading data breaches. In 2023, 81 third-party breaches led to 251 cascading data breaches. This averages about 3.1 victims per breach.

Most notable is how the 2023 breaches in the education sector led to an average of 14.1 victims per breach. This is due to a vulnerability in the MOVEit file transfer system, which compromised the National Student Clearinghouse. That single event cascaded into breaches at 890 schools.

2023 Spotlight: Cascading data breaches in the education sector. 81 third-party breaches led to 1150 cascading data breaches (including 890 schools). This averaged 14.1 victims per education sector breach.

Black Kite’s annual Third-Party Breach Report examines the impact of third-party cyber breaches.

Black Kite’s Report (blackkite.com)
What is vendor email compromise? (Cloudflare)

Business Email Compromise

Business Email Compromise (BEC) is a type of invoice scam.

Given that over $65 million was lost in Massachusetts in 2023 due to BEC, make sure you address communications from your suppliers at times when you can give them your undivided attention. Does something seem off? Compare the current communication to previous ones: the sender's address, the reply-to address, the payment details, and the tone. If you think it's a Business Email Compromise scheme, then contact phishing@wpi.edu.

Email Fraud / BEC (help.wpi.edu)
Phishing Explained (help.wpi.edu)
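The advice above to compare a supplier's current message with previous ones can be turned into a mechanical first-pass check. The following Python is an added example written for this issue, not code from WPI, from the linked help pages, or from any vendor; the vendor record on file, the two sample emails, the lookalike-domain threshold and the urgency word list are all constructed for illustration.

```python
"""Added example: a first-pass review of a supplier invoice email against the
vendor record on file, as a BEC triage aid. All vendor data, addresses and
sample messages below are constructed for illustration (hypothetical)."""
import re
from dataclasses import dataclass

# Constructed vendor record: what the organization already knows about a
# supplier from earlier, verified communications (hypothetical values).
VENDORS_ON_FILE = {
    "acme supplies": {
        "domain": "acme-supplies.example",
        "bank_account_last4": "4417",
    },
}

# Words that pressure the recipient to act before checking (constructed list).
URGENCY = re.compile(r"\b(urgent|immediately|today|asap|final notice)\b", re.I)


@dataclass
class InvoiceEmail:
    vendor_name: str
    sender: str            # From: address
    reply_to: str          # Reply-To: address (same as sender when absent)
    bank_account_last4: str  # last four digits of the account on the invoice
    body: str


def domain_of(address: str) -> str:
    """Return the lowercase domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values flag lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_invoice_email(mail: InvoiceEmail, vendors=VENDORS_ON_FILE) -> list:
    """Compare the message with the vendor record and return a list of
    findings. An empty list means nothing differed from prior communications;
    any finding means verify with the vendor through a contact already on file."""
    record = vendors.get(mail.vendor_name.lower())
    if record is None:
        return ["no prior record for this vendor; verify before paying"]
    findings = []
    sender_domain = domain_of(mail.sender)
    if sender_domain != record["domain"]:
        kind = "lookalike" if edit_distance(sender_domain, record["domain"]) <= 2 else "unrelated"
        findings.append(f"sender domain {sender_domain!r} is {kind} to on-file {record['domain']!r}")
    if domain_of(mail.reply_to) != sender_domain:
        findings.append("Reply-To domain differs from the sender domain")
    if mail.bank_account_last4 != record["bank_account_last4"]:
        findings.append("bank account differs from the one on file")
    if URGENCY.search(mail.body):
        findings.append("message pressures for immediate action")
    return findings


# Constructed sample messages (hypothetical addresses and account digits).
LEGIT = InvoiceEmail("Acme Supplies", "billing@acme-supplies.example",
                     "billing@acme-supplies.example", "4417",
                     "Attached is invoice 1042 for January services.")
SUSPICIOUS = InvoiceEmail("Acme Supplies", "billing@acme-supp1ies.example",
                          "billing@acme-supp1ies.example", "9920",
                          "Please remit payment today to our new account.")

if __name__ == "__main__":
    for label, mail in (("legit", LEGIT), ("suspicious", SUSPICIOUS)):
        print(label, review_invoice_email(mail) or ["no differences found"])
```

The check only compares against what was already on file; it cannot decide that a message is genuine. A changed bank account or a domain one character away from the real one is exactly the pattern in the anecdote at the top of this issue, and any such finding should be verified with the supplier by a phone number already on record and reported as described above.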

Vendor Security at WPI

Processes in Procurement and Information Security, together with diligence by all community members, help protect WPI!

Procurement

Procurement reviews new supplier requests and their accompanying documentation. There is a list of preferred suppliers available on the Procurement website. The details for each supplier and their relationship with WPI are updated and managed by Procurement. All new suppliers that are created in Workday automatically run through the Sanctioned Supplier Screening, which creates a Workday inbox item for the Procurement team to review potential matches, or simply approve if no matches are found. A sanctions list is a compilation of individuals, companies, or countries that are restricted or penalized by governments or international bodies. There are different types of sanctions, such as economic sanctions, international sanctions, embargoes, and diplomatic sanctions.

In addition, Workday uses an integration to screen suppliers against the Office of the Inspector General’s List of Excluded Individuals/Entities from U.S. federally funded health programs, for reasons such as Medicare or Medicaid fraud. The Workday screening results are reviewed in tandem with the Sanction screening on new suppliers.

Information Technology

Our Data Governance and Management model includes Information Security Review of any new technologies being considered for purchase or implementation at WPI. Details about the review and a link to the Project Intake Form where it all begins are at: 

Information Security Review 

Access to systems and data is vetted; vendors requiring access have their own accounts which require multi-factor authentication. 

WPI Community

Security also depends upon community members carefully inspecting invoices, reviewing PCard purchases, and handling WPI data securely. As a WPI partner to vendors and system contacts, you may be alerted if they experience a security breach. If you are notified of an external cybersecurity issue, please immediately forward details to WPI's Chief Information Security & Technology Officer at CISO@WPI.edu.

Information Security Breach Notifications (help.wpi.edu)

Cybersecurity Crimes in Massachusetts in 2023

This small excerpt from the FBI's Internet Crime Complaint Center (IC3) Annual Reports for Massachusetts shows BEC at the top of the list for both number of victims impacted and amount of money lost. 

Crime                             # of Victims   Loss Amount
Business Email Compromise (BEC)   501            $65,960,320
Confidence/Romance                262            $8,556,162
Non-payment/Non-Delivery          807            $3,783,378
Phishing/Spoofing                 147            $228,542

People over 60 accounted for about 25% of the cybercrime victims in Massachusetts, while those under 20 were about 4% of the victims. The other 71% were working-age people between ages 20 and 59. A significant number of people at WPI are in that age range.

A bar graph showing that Massachusetts residents over 60 had the highest number of complaints and lost the most money. 
2023 FBI State Report for Massachusetts
FBI Internet Crime Complaint Center (IC3) Annual Reports

Learning with Laughter  

Image: Boromir from Lord of the Rings. Text: One does not simply... choose the cheapest vendor every time.
Image: Benny the Bank Teller from South Park. Text: Let's just collect millions of social security numbers into this database here....and we've been hacked.


From Our CISTO: Caller ID Spoofing

Caller ID spoofing is when someone makes it appear that they are calling from an organization you know and trust in order to trick you into revealing valuable information about yourself or your organization.

Since many of WPI's phone numbers are publicly available, it is possible for a scammer to try caller ID spoofing with a WPI number.

Here are some signs it might be a scammer:

- The caller mispronounces Worcester or other relevant proper nouns.

- The caller's tone is aggressive.

- You're asked to push a button in order to receive a message.

Visit this page from the FCC to learn more.

Caller ID Spoofing (fcc.gov)

Where to Find Information Security? At a Webinar!

This month Information Security partners with Procurement to offer a webinar about vendor security. Join us via Zoom on Tuesday, 1/28 from 11:00 AM - 12:00 PM to learn the best security practices when interacting with vendors.

Register for Compromised Vendors Webinar

Meet an Information Security Student Worker! 

Justin Healey, Information Security Assistant

Justin Healey is a senior in the BS/MS Computer Science program with an MS in Cybersecurity. He has been part of Information Security for over a year and a half. He typically takes on triaging alerts and investigating events.

"Working with the InfoSec team has been an amazing experience. It's been awesome to see the real world applications of what I learn in school, and to be able to be part of a team with such great, smart people. So far, the most interesting thing I've learned is to ask lots of questions, even when you're not sure if anyone knows the answer. There are no wrong questions, and sometimes asking the right question can help others find a solution."

ITS is very fortunate to have Justin on our team!

Featured Videos 

In July 2024, AT&T announced they had suffered a data breach in April 2024. This was caused by a breach at their data management provider, Snowflake.

Phone breaches: The AT&T data breach - Hacker Headlines (4 min)

This news report about the Truliant credit union breach is from CBS in Greensboro, NC and ran in May 2024. Truliant's breach was caused by a breach at their vendor, Doxim.

Truliant reports customer data breach after third-party cyber attack (2 min)

Compromised Vendors in the News 

In July 2024 Washington State University students who used a campus pharmacy received an email notifying them that their personal information may have been exposed in a cyberattack against Change Healthcare, a third-party service provider that runs the pharmacy.

Third-party data breach may impact WSU students (DailyEvergreen.com)

PowerSchool is a cloud-based platform that provides products for managing the operations of K-12 schools and districts. In late December 2024, they discovered that someone used compromised credentials to log into a customer support portal and gain unauthorized access to students' and teachers' private information.

PowerSchool hack exposes student, teacher data from K-12 districts (BleepingComputer.com)

Diversity in Cybersecurity 

Keatron Evans, VP Of Portfolio And Product Strategy

Keatron is smiling at the camera and the city background is blurry.
Keatron Evans

Coming Next Month...

Best Security Practices for Financial Aid and Taxes


Is there a cybersecurity topic that you would like to know more about? Please contact WPI Information Security using Get Support below.
