Monthly Archives: June 2016

Hacker selling 655,000 patient records from 3 hacked healthcare organizations

A hacker is reportedly trying to sell more than half a million patient records, obtained from exploiting RDP, on a dark web marketplace.

A hacker going by “thedarkoverlord” is reportedly selling 655,000 patient records on a dark web marketplace; he claims to have three separate healthcare databases which include patients’ full names, Social Security numbers, dates of birth, addresses and more – data that could be used for identity theft and fraud.

The hacker claims to have exploited Remote Desktop Protocol (RDP) at three healthcare organizations in order to steal the databases. Thedarkoverlord told DeepDotWeb that “it is a very particular bug. The conditions have to be very precise for it.”

He also provided screenshots taken on June 13 as proof of the intrusions, showing the extent of sensitive patient information in the records. The databases contain Social Security numbers, patients’ full names, race and genders, addresses, dates of birth, phone numbers, insurance information and email addresses. That’s more than enough information for a thug to impersonate a victim to set up a line of credit or to take out a loan.

The databases being advertised on TheRealDeal marketplace allegedly include 48,000 patient records from a healthcare organization in Farmington, Missouri, another 210,000 records from Central/Midwest US, and 397,000 healthcare records from Georgia.

Although “thedarkoverlord” is offering “to sell a unique one-off copy of each of the three databases,” the hacker told Motherboard that he has already sold $100,000 worth of records from the Georgia organization. “Someone wanted to buy all the Blue Cross Blue Shield Insurance records specifically.”


The asking price for the full healthcare database with nearly 400,000 records from Georgia is 607.84 bitcoins, which at the time of writing is currently about $389,390. The hacker described it as “a very large database in plaintext from a healthcare organization in the state of Georgia. It was retrieved from an accessible internal network using readily available plaintext usernames and passwords.”

He wants 303.92 bitcoins, about $195,147, for 210,000 patient records from “a very large database in plaintext from a healthcare organization in the Central/Midwest United States. It was retrieved from a severely misconfigured network using readily available plaintext usernames and passwords.”

As for the 48,000 records being sold for 151.96 bitcoins, about $97,574, he claims the plaintext database came from a healthcare organization in Farmington, Missouri. “It was retrieved from a Microsoft Access database within their internal network using readily available plaintext usernames and passwords.”

If thedarkoverlord sells all three healthcare databases just once, then he would make about $682,110. If he also made $100,000 for the Blue Cross Blue Shield data, and only does that once, then he stands to make more than three-quarters of a million dollars for his criminal activities.

Hacker wants hush money, delivered ransom demand to each organization

The hacker is not revealing the names of the breached organizations yet, since he is trying to extort a ransom from them. He told Motherboard the ransom demand is “a modest amount compared to the damage that will be caused to the organizations when I decide to publicly leak the victims.”

Thedarkoverlord asked DeepDotWeb to include the following note for the breached companies:
“Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come.”

Hard Rock Las Vegas suffers a second data breach

For the second time, the card-processing network was compromised

On Monday, Hard Rock Hotel & Casino in Las Vegas disclosed data breach, after malware was discovered on their card processing system. This is the second time the casino has had to report such an incident.

In a statement, Hard Rock said that on May 13, the resort started an investigation after receiving reports of fraudulent activity on cards used at their Las Vegas location. The investigators discovered unauthorized access to the card-processing network, and later discovered malware on the systems themselves.

The malware targeted card details such as the customer’s name, card number, expiration date, and internal verification codes. In other instances, the malware only obtained card data, but no names.

The breach timeline includes cards that were used at some restaurant and retail outlets between October 27, 2015 and March 21, 2016. It’s important to note, this incident only impacts the Hard Rock Hotel & Casino in Las Vegas.

Last year, in May, Hard Rock disclosed a similar data breach that impacted payment cards.

The compromised cards were used between September 3, 2014 and April 2, 2015, at restaurant, bar and retail locations at the Hard Rock Hotel Las Vegas property, including the Culinary Dropout Restaurant.

Given that this is the second data breach under similar circumstances, it looks as if the clean-up on the first incident didn’t catch everything.

Otherwise, the situation is worse from a security standpoint. This week’s disclosure could point to the fact that criminals were able to access the payment network a second time using the previous methods, or managed to find another way in.

Either way, the incident shows that the network was clearly left vulnerable to some degree, and criminals exploited this fact in just over five months.

Zero-Day Warning! Ransomware targets Microsoft Office 365 Users

If just relying on the security tools of Microsoft Office 365 can protect you from cyber attacks, you are wrong.

Variants of Cerber Ransomware are now targeting MS Office 365 email users with a massive zero-day attack that has the ability to bypass Office 365’s built-in security tools.

According to a report published by cloud security provider Avanan, the massive zero-day Cerber ransomware attack targeted Microsoft Office 365 users with spam or phishing emails carrying malicious file attachments.

The Cerber ransomware is invoked via Macros. Yes, it’s hard to believe but even in 2016, a single MS Office document could compromise your system by enabling ‘Macros‘.

Locky and Dridex ransomware malware also made use of the malicious Macros to hijack systems. Over $22 Million were pilfered from the UK banks with the Dridex Malware that got triggered via a nasty macro virus.

You can see a screenshot of the malicious document in the latest malware campaign below, targeting Microsoft Office 365 users:


While the security firm did not specify the exact number of users possibly hit by the ransomware, Microsoft reported in its first quarter 2016 that there are almost 18.2 Million Office 365 subscribers.

“While difficult to precisely measure how many users got infected,” Avanan estimated that “roughly 57 percent of organizations using Office 365 received at least one copy of the malware into one of their corporate mailboxes during the time of the attack.”

Although Cerber originally emerged in March, the malware campaign targeting Office 365 users began on June 22. However, Microsoft started blocking the malicious file attachment on June 23.

The Cerber Ransomware not only encrypts user files and displays a ransom note, but also takes over the user’s audio system to read out its ransom note informing them that their files were encrypted.

The ransomware encrypts files with AES-256 encryption, asking victims to pay 1.24 Bitcoin (nearly US$810) for the decryption key.

How to Protect Yourself from Cerber Ransomware

In order to prevent yourself from the Cerber or any ransomware attack:

  • Always keep your system and antivirus up-to-date.
  • Regularly backup your files in an external hard-drive.
  • Disable Macros in your MS Office programs.
  • Always beware of phishing emails, spams, and clicking the malicious attachment.
  • You can also use an Intrusion detection system (IDS), to help you quickly detect malware and other threats in your network.

Dozens of Malicious Apps on Play Store can Root & Hack 90% of Android Devices

It’s not at all surprising that the Google Play Store is surrounded by a large number of malicious apps that has the ability to gain users’ attention into falling victim for one, but this time, it is even worse than most people realize.

Researchers at Trend Micro have detected a family of malicious apps, dubbed ‘Godless,’ that has the capability of secretly rooting almost 90 percent of all Android phones.

Well, that’s slightly terrifying.

The malicious apps are distributed via different methods and variety of app stores, including Google Play Store, which is usually considered as a safe option for downloading apps.

The malicious apps packed with Godless contain a collection of open-source or leaked Android rooting exploits that works on any device running Android 5.1 Lollipop or earlier.

90% Android Devices are Vulnerable to Godless Rooting Malware

Since Android ecosystem is so broken that around 90 percent of all Android devices are vulnerable to this malicious software. Godless apps have already been installed on more than 850,000 devices worldwide so far.

Rooting a device could expose a user to several security risks as it practically opens the door to unwanted access, hardware failure, data leaks and information theft, and so on if the developer has malicious intent.

Based on the source code they analyzed, Trend Micro researchers say that once an app with Godless malware is installed on a victim’s device, it uses a framework known as “android-rooting-tools” to gain root access to the victim’s device.

From there, the malware will make sure the victim’s screen is turned off before executing the malicious code.

Here’s what a Godless-Packed App can do to your Device:
Once Godless gained root privileges, it starts communicating with a command and control (C&C) server, from where it gets an apps list to be installed on the rooted device and installs them without the users knowledge, and all of this can be done remotely as well.

“With root privilege, the malware can then receive remote instructions on which app to download and silently install on mobile devices,” Trend Micro says. “This can then lead to affected users receiving unwanted apps, which may then lead to unwanted ads. Even worse, these threats can also be used to install backdoors and spy on users.”

The researchers say the malware has the ability to bypass security checks done Google Play store and other online app stores.

Although there are several apps in Google Play, including utility apps like flashlights, Wi-Fi apps, and popular game apps, that contain the malicious Godless code, Trend Micro had identified only one such Android app by name.

Dubbed Summer Flashlight, the malicious app had been installed from 1,000 to 5,000 times, and was recently removed from the Google Play store, but it’s still listed in search engine caches for the time being.

Godless is the latest Android malware to use rooting exploits in order to gain a persistent foothold on victims’ handsets. Based on the graphic, most victims are located in India, followed by Indonesia, and Thailand (9.47 percent). The US also has around 17,000 Godless downloads.

“Unknown developers with very little or no background information may be the source of these malicious apps,” Trend Micro notes.

So, in order to avoid being a victim to one such app, Android users are advised to avoid using third-party app stores and always “review the developer” when downloading apps even from Google’s official store.


AWS and Microsoft get FedRAMP approval for sensitive cloud data


Another day, another piece of good news for both Microsoft Azure and Amazon Web Services (AWS); the vendors are two of three companies which have been given authority by the US government for federal agencies to use them for sensitive cloud data.

Azure and AWS, alongside CSRA’s ARC-P IaaS, have been given the green light under the new FedRAMP High Baseline requirements. The full, mammoth spreadsheet documenting each guideline can be found on the FedRAMP website (XLS), but at a general level the requirements enable government bodies to put ‘high impact’ data – including data which involves the protection of life and financial ruin – in the cloud.

Chanelle Sirmons, communications lead for FedRAMP, explained in an official post: “While 80% of federal information is categorised at low and moderate impact levels, this only represents about 50% of federal IT spend. Now that FedRAMP has set the requirements for high impact levels, that breaks open the remaining 50% of the $80 billion a year the US government spends on IT that could potentially move to the cloud securely.”

“We are pleased to have achieved the FedRAMP high baseline, giving agencies a simplified path to moving their highly sensitive workloads to AWS so they can immediately begin taking advantage of the cloud’s agility and cost savings,” said Teresa Carlson, AWS VP worldwide public sector in a statement. A statement from Microsoft read: “Microsoft remains committed to delivering the most complete, trusted cloud platform to customers. This accreditation helps demonstrate our differentiated ability to support the unique needs of government agencies as they transition to the cloud.”

Amazon and Microsoft have had their clouds FedRAMP accredited since June and October 2013 respectively – back when the latter was still known as Windows Azure – while ARC-P was the first vendor to receive the federal stamp of approval in 2012. Three years on, this represents a major step forward for government use of cloud technologies.

Uber Hack lets anyone find Unlimited Promo Codes for Free Uber Rides


An Independent Security Researcher from Egypt has discovered a critical vulnerability in Uber app that could allow an attacker to brute force Uber promo code value and get valid codes with the high amount of up to $25,000 for more than one free rides.

Mohamed M.Fouad has discovered a “promo codes brute-force attack” vulnerability in the sign-up invitation link for Uber that allows any user to invite another user to join the service and get one or more than one free rides based on the promotion code value.

Fouad realized that the Uber app did not have any kind of protection against brute-force attacks, allowing him to generate promo codes (that start with ‘uber+code_name’) until he found valid ones.


The brute force attempt helped Fouad find several numbers of valid promo codes with high value in US dollar between $5,000 to $25,000, which would have helped him get a number of free rides between one to three.

Another flaw was also discovered in mid-June that allowed attackers to use promo code without signing up with a new user.

Uber Team Refuses to Patch the Flaw

As a responsible security researcher, Fouad also reported the critical flaw multiple times to the Uber security team, but the company did not accept his bug report and considered the vulnerability out of scope.

“I reported this vulnerability three months ago, and I am not only the one who reported it,” Fouad told The Hacker News. “They always reply with out of scope and considered as a fraud, and we have to send this bug to fraud team.”

Another security researcher, named Ali Kabeel, also reported the same flaw but in URL code customization feature. He also gets the same response from the Uber team that the flaw is out of scope.

Although the company fixed the brute force vulnerability in the payment page by applying the rate-limiting, the above two areas of the app remain still vulnerable, which could lead to many fraud incidents.

Clinton Foundation said to be breached by Russian hackers


The Bill, Hillary and Chelsea Clinton Foundation was among the organizations breached by suspected Russian hackers in a dragnet of the U.S. political apparatus ahead of the November election, according to three people familiar with the matter.

The attacks on the foundation’s network, as well as those of the Democratic Party and Hillary Clinton’s presidential campaign, compound concerns about her digital security even as the FBI continues to investigate her use of a personal e-mail server while she was secretary of state.

Clinton Foundation officials said the organization hadn’t been notified of the breach and declined to comment further. The compromise of the foundation’s computers was first identified by government investigators as recently as last week, the people familiar with the matter said. Agents monitor servers used by hackers to communicate with their targets, giving them a back channel view of attacks, often even before the victims detect them.

Before the Democratic National Committee disclosed a major computer breach last week, U.S. officials informed both political parties and the presidential campaigns of Clinton, Donald Trump and Bernie Sanders that sophisticated hackers were attempting to penetrate their computers, according to a person familiar with the government investigation into the attacks.

The hackers in fact sought data from at least 4,000 individuals associated with U.S. politics — party aides, advisers, lawyers and foundations — for about seven months through mid-May, according to another person familiar with the investigations.

Thousands of Documents

The thefts set the stage for what could be a Washington remake of the public shaming that shook Sony in 2014, when thousands of inflammatory internal e-mails filled with gossip about world leaders and Hollywood stars were made public. Donor information and opposition research on Trump purportedly stolen from the Democratic Party has surfaced online, and the culprit has threatened to publish thousands more documents.

A hacker or group of hackers calling themselves Guccifer 2.0 posted another trove of documents purportedly from the DNC on Tuesday, including what they said was a list of donors who had made large contributions to the Clinton Foundation.

The Republican Party and the Trump campaign have been mostly silent on the computer attacks. In an earlier statement, Trump said the hack was a political ploy concocted by the Democrats.

Information about the scope of the attacks and the government warnings raises new questions about how long the campaigns have known about the threats and whether they have done enough to protect their systems.

The Clinton campaign was aware as early as April that it had been targeted by hackers with links to the Russian government on at least four recent occasions, according to a person familiar with the campaign’s computer security.

U.S. Inquiries

The U.S. Secret Service, Federal Bureau of Investigation and National Security Agency are all involved in the investigation of the theft of data from the political parties and individuals over the last several months, one of the people familiar with the investigation said. The agencies have made no public statements about their inquiry.

The FBI has been careful to keep that investigation separate from the review of Clinton’s use of private e-mail, using separate investigators, according to the person briefed on the matter. The agencies didn’t immediately respond to requests for comment.

Clinton spokesman Glen Caplin said that he couldn’t comment on government briefings about cyber security and that the campaign had no evidence that its systems were compromised.

“We routinely communicate and cooperate with government agencies on security-related matters,” he said. “What appears evident is that the Russian groups responsible for the DNC hack are intent on attempting to influence the outcome of this election.”

The DNC wouldn’t directly address the attacks but said in a written statement that it believes the leaks are “part of a disinformation campaign by the Russians.”

Trump spokeswoman Hope Hicks didn’t respond to e-mails seeking comment about the government warnings. The Republican National Committee didn’t respond to e-mail messages. A Sanders spokesman, Michael Briggs, said he wasn’t aware of the warnings.

IDing the Hackers

The government’s investigation is following a similar path as the DNC’s, including trying to precisely identify the hackers and their possible motives, according to people familiar with the investigations. The hackers’ link to the Russian government was first identified by CrowdStrike Inc., working for the Democratic Party.

A law firm reviewing the DNC’s initial findings, Baker & McKenzie, has begun working with three additional security firms — FireEye Inc., Palo Alto Networks Inc. and Fidelis Cybersecurity — to confirm the link, according to two people familiar with the matter, underscoring Democrats’ concerns that the stolen information could be used to try to influence the outcome of the November election.

A spokesman for Baker & McKenzie didn’t immediately respond to requests for comment. DNC spokesman Luis Miranda said the party worked only with CrowdStrike.

If the Democrats can show the hidden hand of Russian intelligence agencies, they believe that voter outrage will probably outweigh any embarrassing revelations, a person familiar with the party’s thinking said.

So far the released documents have revealed little that is new or explosive, but that could change. Guccifer 2.0 has threatened to eventually release thousands of internal memos and other documents.

Line of Attack

Sensitive documents from the Clinton Foundation could have the most damaging potential. The Trump camp has said it plans to make the foundation’s activities a subject of attacks against Clinton; the sort of confidential data contained in e-mails, databases and other digital archives could aid that effort.

An analysis by Fidelis confirmed that groups linked to Russian intelligence agencies were behind the DNC hack, according to a published report.

The government fills a crucial gap in flagging attacks that organizations can’t detect themselves, said Tony Lawrence, a former U.S. Army cyber specialist and now chief executive officer of VOR Technology, a computer security company in Hanover, Maryland.

“These state actors spend billions of dollars on exploits to gather information on candidates, and nine times out of ten [victims] won’t be able to identify or attribute them,” he said.

Google Accounts

Bloomberg News reported Friday that the hackers who hit the DNC and Clinton’s campaign burrowed much further into the U.S. political system than initially thought, sweeping in law firms, lobbyists, consultants, foundations and policy groups in a campaign that targeted thousands of Google e-mail accounts and lasted from October through mid-May.

Data from the attacks have led some security researchers to conclude that the hackers were linked to Russian intelligence services and were broadly successful in stealing reports, policy papers, correspondence and other information. Dmitry Peskov, a spokesman for President Vladimir Putin, denied that the Russian government was involved.

Russia uses sophisticated “information operations” to advance foreign policy, and the target audience for this kind of mission wouldn’t be U.S. voters or even U.S. politicians, said Brendan Conlon, who once led a National Security Agency hacking unit.

“Why would Russia go to this trouble? Simple answer — because it met their foreign policy objectives, to weaken the U.S. in the eyes of our allies and adversaries,” said Conlon, now CEO of Vahna Inc., a cyber security firm in Washington. Publishing the DNC report on Trump “weakens both candidates — lists out all the weaknesses of Trump specifically while highlighting weaknesses of Clinton’s security issues. The end result is a weaker president once elected.”

Russia Link

Russia has an expansive cyber force that it has deployed in complex disinformation campaigns throughout Europe, according to intelligence officials.

BfV, the German intelligence agency, has concluded that Russia was responsible for a 2015 hack against the Bundestag that forced shutdown of its computer systems for several days. Germany is under “permanent threat” from Russian hackers, said BfV chief Hans-Georeg Maassen.

Security software maker Trend Micro said in May that Russian hackers had been trying for several weeks to steal data from Chancellor Angela Merkel’s Christian Democratic Union party, and that they also tried to hack the Dutch Safety Board computer systems to obtain an advance copy of a report on the downing of a Malaysian aircraft over Ukraine in July 2014. The report said the plane was brought down by a Russian-made Buk surface-to-air missile.

The cyber attacks are part of a broader pattern of state-sponsored hacking by Russia focused on political targets, with a goal of giving Russia the upper hand in dealing with other governments, said Pasi Eronen, a Helsinki-based cyber warfare researcher who has advised Finland’s Defense Ministry.

Hackers would like to join your LinkedIn network – and you’d probably accept them


BELCHATOW, POLAND - APRIL 11, 2014: Photo of Linkedin social network homepage on a monitor screen.

Is that Linked contact really who they say they are?

Research demonstrates how a willingness to connect to strangers on LinkedIn might be putting your company at risk.

For many LinkedIn is a handy way of keeping up with old colleagues and maybe even finding a new job — and many think that the bigger their network of contacts, the better.

So if a contact request comes in from a recruiter, even one they had never heard of before, many might think there would be little harm in accepting.

But what if that wasn’t a recruiter, but rather a hacker using a fake profile in order to gain access to you, your contact details, and the rest of your network? In connecting you’ve potentially put yourself and your company at risk of being hacked, breached, or otherwise targeted by cybercriminals.

Certainly people are often more than willing to accept a request from a complete stranger to join their network on LinkedIn.

In fact, according to a survey of 2,000 people by cybersecurity researchers at Intel Security, nearly one quarter (24 percent) say they’ve connected to someone they don’t know on LinkedIn, thus potentially allowing hackers to access to a wealth of information which could be used for spear-phishing, malware drops, and other nefarious means.

“We’re opening ourselves up to the world without any real consideration with regards to who we’re allowing on our network,” Raj Samani, CTO of EMEA for Intel Security.

Once provided with access to a person’s network, malicious actors are able to gather data and research potential targets for attacks, potentially even eventually connecting up to senior executives and CEOs.

If a hacker successfully gains access to the contact details of an executive, they could potentially use the trust associated with someone in a senior position to carry out fraud and other criminal activities.

The IT Checklist to Prevent Data Breach

A big part of data security is the proactive prevention of data loss, theft, and security breach, and it is always better to prevent these from happening instead of mitigating attacks.

Here is an IT checklist for organizations to go over to prevent breaches from happening. This checklist does not only cover the roles and responsibilities of IT personnel but more importantly, should be known by all employees or team members that have access to critical and confidential data of the company.

Examples of these data include intellectual property such as source codes, product design documents, internal price lists, corporate data such as financial and strategic planning documents, research for mergers and acquisitions, employee information, and customer data—social security numbers, credit card information or financial statements.

Best Practices to Prevent A Data Breach

1. Ensure strict documentation on changes.

Seventy percent of companies undermine the importance of documenting changes, putting most critical IT systems at risk of security violations and downtime according to the 2015 State of IT Changes survey.

This practice ensures that visibility across the entire IT infrastructure is kept and provides a complete audit trail of system activities and changes made.

The human factor is always the most vulnerable area in security and considering thorough documentation of user activity as a solution, reduces the risk of employees’ inadvertence or negligence.

2. Identify threats.

A part of your data security’s responsibility is to be updated with the latest threats to security. This can be done by correlating application security quality with global security intelligence.

Ensure that your users are alerted for potential breach methods along with updating your software and infrastructure accordingly.

The gateway to your data is through your applications. Attackers know these are a weak link, making them look for vulnerabilities in applications that provide access to sensitive data. Testing applications for security vulnerabilities reduces the risk of a data breach.

3. Be proactive when it comes to information protection.

The main point of data security is to protect company information while the main component of data security is knowing your data and who has access to it.

Privilege abuse is hard to detect, so restricting access to the company’s most confidential and sensitive data to those who need it and monitoring those with privileges will greatly help in ensuring that data stays protected.

Data minimization and access control is also a powerful element. Users shouldn’t collect or have information that they don’t need. IT security, as part of database management, should also reduce the number of places users can retain data in the network.

Access to sensitive data can also be on an “as needed” basis, with strict documentation of access control.

4. Implement security policies strictly and consistently.

Continuous auditing of data changes, user activities, system configurations, and security policies helps ensure critical mistakes don’t happen and areas don’t become vulnerable for breaches.

5. Audit and evaluate your environment and network security policies continuously.

Analytics that is generated from audits help detect security incidents and find the cause of each violation. It also provides proof when a company needs to pass compliance audits.

Look Beyond Your IT Security Department

To help ensure breaches are prevented, one must look beyond the IT security department by going beyond and evaluating other departments.

Evaluate employee exit strategies (HR department), remote project protocol (Operations), on and off-site data storage practices such as BYOB devices, among other things. Once you have evaluated policies, establish new or better policies and procedures and set up safeguards.

You should also hold vendors and partners to the same standards. Third-party service providers need to maintain the same level of security standards and deploy the same measures in compliance with your federal regulations.

As hackers get more and more sophisticated, the best thing that companies – no matter the size – can do is mitigate risks and set-up control measures. In a virtual world where it’s possible to be untraceable, the best protection is preparation.


Enterprises may soon get FICO-like cybersecurity scores


This could become reality:

  • Fair Isaac Corp., the company that generates consumer-credit scores, purchased Michigan-based cybersecurity startup QuadMetrics Tuesday.
  • The company said it plans to use QuadMetrics’s predictive analytics and security-risk assessment tools to develop security scores for businesses.
  • The scores would help CIOs and other tech professionals measure their company’s online risks, including better understanding third-party risks.

“Just as the FICO Score gave credit markets a single metric for understanding credit risk, this product will give the industry a common view of enterprise security risk,” Doug Clare, FICO’s vice president of cybersecurity solutions, said in a statement.

QuadMetrics uses predictive analytics and data from various sources to generate a security score.

FICO has been investigating the cybersecurity area for a while now, and recently developed their Falcon Cybersecurity Analytics service. The company says the new service could also help manage cyber risk from third party vendors, a growing problem for enterprises.

“Some large enterprises are dealing with over 10,000 external vendors, suppliers and partners, and many compliance regulations now demand they have to gauge the risk of all of them and somehow remediate that risk,” Garrett Bekker, a cybersecurity analyst at 451 Research, told the Wall Street Journal.

A repoprt released by the Ponemon Institute in early May found that the risk associated with third party data sharing is growing, but the C-Suite is not adequately prioritizing the issue. The report, sponsored by Shared Assessments, found that third party vendors and partners can significantly increase the risk of cyberattacks or data breaches. As a result of “negligent or malicious” third parties, Ponemon researchers found that organizations spent an average of $10 million responding to security incidents.

The cyber insurance market could also use the score to assist in cyber breach policy writing and portfolio management. Though cyber insurance is a fast growing market, there is not yet an industry standard to measures a company’s risk.