In the aftermath of the SolarWinds hack, any update you provide to your colleagues, bosses, and even the board of directors may warrant a broader discussion of third-party compromises. Any such update on SolarWinds should certainly cover whether your organization is one of the roughly 300,000 SolarWinds customers and, if so, whether it was one of the 18,000 or so that ran the affected versions of Orion (2019.4 through 2020.2.1 HF1).
If you were running an affected version, you should certainly report on what you did to investigate whether there was further compromise, how closely you were able to follow CISA's recommendations, what the investigation found, what you did to contain the affected systems, and whether (in consultation with your legal department) you suffered a breach as a result. But you should definitely not stop there.
Different types of third-party compromises
The SolarWinds hack is just one example of a third-party supply-chain compromise. And while the scale of the SolarWinds hack is certainly novel, third-party compromises are not. Target was initially compromised through its third-party HVAC supplier in 2013, which led to a breach of over 40 million credit card numbers.
JPMorganChase, which was spending $250 million annually on security in 2014, was breached due in part to Simmco Data Systems, a third-party supplier that helped it run its non-profit, charitable marathon races. The U.S. Office of Personnel Management (OPM), from which over 20 million government employee identities were stolen in 2015, was breached in part through KeyPoint Government Solutions, a third-party supplier that helped it conduct background checks.