In December of 2021, a cyber-attack on FlexBooker compromised the personal data of Bunning’s clients. Anthill featured an article by our CEO, Ajay Unni, where he dissected the attack and commented on the increase in supply chain attacks and provided advice on how companies can reduce and manage their third party risk.
Read the full article below as featured in Anthill:
In December of 2021, the third-party software firm suffered a cyber-security breach that led to the information of 3.7M clients being exposed, Bunnings was forced to warn its customers of the incident.
Although Bunnings is adamant that no sensitive information was lost in the recent cyber attack, incidents like these can lead to significant reputational damage.
Known as ‘Supply Chain Attacks’, malicious actors go after third-party vendors like FlexBooker to infiltrate their large organisations like Bunnings, the main target.
Lately, there has been a steady increase in these types of attacks as it is difficult for both vendors and their customers to protect their networks against well-resourced actors with the ability to compromise widely used software products.
Many companies including Bunnings rely on vendors like FlexBooker for a variety of services and given the value of these third-party providers, simply avoiding these partnerships to remove the risk of a cyber-attack is not a solution.
There are things that organisations can do to reduce third party risk largely:
Firstly, businesses should acknowledge third-party risk and work on their exposure – defining their tolerance to risk goes a long way in combating supply chain attacks.
Secondly, ensure the key stakeholders you work with understand your supply chain process and that third-party risk processes are established.
Thirdly, when your organisation identifies possible vendors to partner with, ensure that cyber-security is covered in the contract.
Once your organisation partners with a vendor, it is important that a process is in place to continually assess and monitor risk, for example, utilising vendor risk assessment questionnaires can help you make sure that a vendor’s internal data handling practises and procedures are secure and can help you identify any possible risks.
Understanding where your most critical assets are and who has access to them is a vital component of any cyber-security strategy.
Lastly, even with all these measures in place, due to the increase in sophistication of hackers, it is important to be always prepared and have an incident response plan in place to mitigate the impact a security incident can have on your organisation.
Bunnings and FlexBooker is another unfortunate addition to the rapidly growing list of victims of cyber-attacks in Australia and globally.
It is important that organisations, large or small, prioritise the uplift of all facets of their cyber-security policies as well as ensuring their vendors do the same.
Adopting a proactive approach when it comes to fighting back against cybercrime is the best way to protect your business from becoming the next cautionary tale.