Hackers stole the personally identifiable information of 5,678 customers of the Corporation Service Company (CSC), according to a notice the company sent to the California attorney general's office.
During routine security monitoring, the company, which provides services, including domain registration and agent for service of process for clients, some of which are Fortune 500 firms, discovered that “an unauthorized third party accessed its network and certain systems.” CSC said it “took immediate steps” to thwart the activity, contacted law enforcement and brought in two outside cybersecurity firms to investigate. It also began notifying affected customers.
The outside actor “exfiltrated a database table from its network that contained certain personally identifiable information provided by CSC's clients,” the company told the AG's office.
CSC is adopting a stronger security posture, implementing two-factor authentication for some services and requiring 16-character passwords for employees in addition to extending its firewalls.
“The Corporation Service Company breach is another in a long line of examples of hackers accessing sensitive data through vulnerable third party. CSC collects personal information on behalf its clients, including some of the biggest companies in the world, and it's those clients' reputations that are on the line when CSC gets hacked,” Scott Schneider, chief revenue officer at CyberGRX. “Large enterprises that interact with thousands of third parties need to start paying closer attention to the security controls of the vendors, contractors, suppliers and customers in their digital ecosystem.”