In May 2021, Canada Post suffered a data breach that affected over 950,000 customers. The cause of the breach has been traced to a malware attack on Commport Communications, a supplier that provides Electronic Data Interchange (EDI) solutions for Canada Post to manage its customers’ parcel shipping data.
In some ways, this cyber attack echoes the SolarWinds attack. In December 2020, malicious hackers compromised SolarWinds’ Orion IT monitoring software with malware to gain illegal access to hundreds of private and public organizations worldwide. The list of enterprises affected includes Fortune 500 companies, universities, and even the U.S. military.
Although the Canada Post data breach was not as serious as SolarWinds, it still raises two very important questions: Are Canadian organizations prepared for, and safeguarded against, supply chain attacks? If not, how can they address these gaps?
Canada Post Data Breach Explained
The Canada Post malware attack affected the data of almost a million receiving customers from July 2016 to March 2019. Following a detailed digital forensics investigation, Canada Post found that the breached data consisted mostly of customers’ names and addresses (97%), with the rest being email addresses and/or phone numbers (3%). It did not affect any financial information.
As soon as the breach was discovered, the Crown corporation informed all affected parties so they could take the necessary action to mitigate its impact. It is also carrying out further investigations to understand the attack’s root cause and take further action.
How Supply Chain Attacks Violate the Chain of Trust
Like the SolarWinds attack, the Canada Post attack and data breach also involved compromising a third party’s infrastructure. As more organizations turn to third-party suppliers and vendors to save costs, improve resilience and achieve economies of scale, they’re also at risk of becoming the target of a supply chain attack.
Hackers find such attacks particularly attractive because compromising one supplier’s software can potentially compromise all the organizations that use it. In this way, they can violate the entire “chain of trust” to increase the scale and scope of their attack.
Another problem is that such attacks are often not detected for months. Information about the Canada Post attack was only made public in May 2021. However, some evidence shows that the actual attack started in December 2020, almost half a year earlier. This means that the attackers had a lot of time to launch a truly devastating attack. They also had the advanced tools to move laterally across the network and gain control of the servers that managed and stored user credentials. They could have discovered and stolen sensitive files and even deployed ransomware to extort Canada Post and/or its customers for huge sums of money. They didn’t, and in this sense Canada Post and its customers were very lucky.
Nonetheless, all these facts show that supply chain attacks are a huge risk, and modern organizations must take steps to protect themselves.
How to Guard Your Organization Against Supply Chain Attacks
Following the SolarWinds attack, the estimated insured losses were almost $90 million. Another well-known supply chain attack, NotPetya, disrupted operations for several multinational corporations and caused damages worth a whopping $10 billion in 2017. The costs of the Canada Post attack are not yet available. Nonetheless, how can you protect your organization from a Canada Post, SolarWinds or NotPetya-type supply chain attack?
One way is to proactively understand the risk of such attacks with threat modeling. Very few organizations think about detecting these attacks or how they would respond to data breaches. Don’t be one of them!
It’s also important to evaluate the security profile of your web and mobile applications with application security testing, especially if you use open source components or configuration management frameworks like PowerShell.
Testing the resilience of your entire IT infrastructure is also essential, but not with an automated vulnerability assessment alone. Such scans only look for known vulnerabilities and do not uncover all the security gaps that hackers can exploit to access your data. A manual penetration test is vital to truly understand your exposure to supply chain attacks and data breaches. The expertly trained pen testers at Packetlabs perform comprehensive tests that mimic the actions of bad actors and create detailed reports to show you how to strengthen your security framework against supply chain attacks.
The risk of supply chain attacks is on the rise, and all kinds of organizations are vulnerable. The Consortium for Information and Software Quality (CISQ) is working on standards and frameworks, so enterprises will know if their software components have known security problems that leave them vulnerable to such attacks and data breaches.
At Packetlabs, we tell our clients to conduct a thorough background check and practice proper security risk management protocols with every vendor and supplier, particularly those with privileged access to your company assets. Implement a cybersecurity program to manage third-party risks, and make penetration testing a part of it. For further guidance on how to stay safe from supply chain attacks, contact Packetlabs.