On April 30, 2019 Motherboard reported on a combined data breach and extortion attempt against Citycomp, a network and internet infrastructure firm based in Germany. Attackers claimed to have over half a terabyte of sensitive data belonging to 100 million Citycomp accounts, including some very recognizable technology sector brand names.

When Citycomp chose not to pay the extortion demand, the attackers released an index of the breached records on the general internet with all the details and downloads available via a .onion domain on the Tor network. According to firsthand reports, the data dump includes a mix of logistics information, some finance-related data and even information relating to physical lock/combination codes of computer rooms/racks and secure storage areas used in shared hosting facilities.

Details are scant on how the attackers initially gained access to Citycomp’s core network, though the likely point of entry was via a phishing attack since that is still the most common and most successful initial breach vector. Citycomp stated they discovered evidence of the breach on Friday, April 26, 2019 but have not disclosed how long the attackers may have maintained persistence within the company’s network.

Steps you can take when responding to a third-party breach

When an organization relies on a third-party for any type of business process, they are taking on some level of risk, including cybersecurity-related risks. There are some fundamental steps you can take to help you triage the extent of your exposure and plan for response and recovery:

1. Ensure contracts with third-parties have detailed sections on breach notification and response requirements. When a third-party breach happens, you will definitely want speedy notification along with detailed requirements on what you need from the provider. This should be a required part of every contract.

2. Keep detailed records on what business processes are being supported by the third-party in question. This will help you reach out to key internal stakeholders and bring them into the triage and response processes. It will also help you provide initial estimates of scope and impact to senior management.

3. Understand potential cyber-physical crossover issues in response processes. The data exposed in the Citycomp breach included physical lock tumbler codes along with digital keypad codes for secure areas in shared hosting facilities. While digital codes can likely be changed from a central location, physical tumbler settings require manual, in-person intervention. Attackers also had access to this data for an undisclosed period of time, so it’s also important to maintain an up-to-date inventory of what has been stored in these types of areas.

4. Work with your corporate insurance firm to add third-party cyber and cyber-physical risks into your cyber risk mitigation policies. Cyberinsurance can help cover the costs your organization incurs, which can include losses related to investigation time and resources, liability for any information disclosure related to the breach at the third-party, and direct losses stemming from cyber-physical issues. Cyberinsurance may also enable you to call upon the resources of dedicated investigations teams to handle any necessary direct or remote responses.

Most modern business processes rely in some part on one or more third-parties to augment internal resources. While the steps above are a good starting point it is important that you work with your corporate risk management, legal, and finance teams to ensure you have all the tools necessary at your disposal in the unfortunate event your sensitive data is caught up in a third-party incident.