Hey everyone,
I want to share something that’s been coming up a lot lately—whether it’s from cyber insurance applications, security forms, or compliance requirements from big clients. One question keeps popping up: Have you had a third-party audit done?
If you’re working with any large organization—ones that follow ISO, SOC, or HIPAA compliance—they’re going to ask you this. And it’s not just small businesses that need to worry. I’m talking about companies like Microsoft, Adobe—huge names. We assume they’re doing the right thing when it comes to security. And they probably are. But someone still needs to verify that. That’s where third-party audits come in.
Let me give you a real-world example that really drives this home.
The Target HVAC Breach: A Costly Oversight
Remember the massive Target data breach in 2013? Hackers didn’t break in through Target’s main systems. They got in through a third-party HVAC vendor.
That vendor had remote access to Target’s network for billing and contract submissions. Unfortunately, their systems weren’t properly secured. The attackers stole the vendor’s credentials and used them to access Target’s network. From there, they moved laterally, eventually installing malware on Target’s point-of-sale systems.
The result? Over 40 million credit and debit card numbers were stolen, along with personal information from 70 million customers. The breach cost Target hundreds of millions of dollars in damages, lawsuits, and lost trust.
All because of one vendor. One weak link.
LabCorp and the AMCA Breach: When Your Vendor Becomes Your Vulnerability
Here’s another one that really stuck with me—LabCorp and the AMCA breach back in 2019.
LabCorp was using a third-party billing collections vendor called AMCA. Everything seemed fine—until it wasn’t. Turns out, AMCA’s web payment page had been compromised. And because of that one weak spot, hackers got access to sensitive data from about 7.7 million LabCorp patients. We’re talking medical info, financial data—the works.
And LabCorp wasn’t alone. Quest Diagnostics and Opko Health were also hit. In total, over 20 million patients were affected. That’s not a typo—20 million.
The fallout? Massive. State attorneys general got involved. U.S. senators started asking questions. Suddenly, everyone wanted to know: how are healthcare companies vetting their vendors? And the answer, clearly, was “not well enough.”
But it didn’t stop there. LabCorp also had a separate incident where they had to shut down parts of their own network due to a security breach. That one wasn’t tied to a vendor, but it showed just how fragile things can get when your cybersecurity posture isn’t rock solid.
The lesson? You can’t just assume your vendors have things under control. You’ve got to verify. You’ve got to audit. Because when they go down, you go down with them.
The Petya Ransomware Attack: One Update, Global Fallout
Remember the Petya ransomware attack? When Russia went after Ukraine, they didn’t just target the government—they hit every company in the country. Why? Because they could. And they did it by compromising a piece of accounting software that’s basically the QuickBooks of Ukraine. Over 90% of Ukrainian businesses used it.
This software had an auto-update feature. Russia managed to inject malicious code into one of those updates. So when companies downloaded what they thought was a routine update, they actually installed ransomware. Boom—infected.
And it didn’t stop with Ukrainian businesses. Global companies with offices in Ukraine got hit too. Take Maersk, the shipping giant. They had a server in Ukraine that was just sitting there for reference—outdated, unpatched, but still connected to their network. That was all it took. The malware spread across their entire infrastructure, deleting boot files and rendering every machine unbootable.
The only reason Maersk survived? One domain controller happened to be offline because of a power supply failure. That one fluke saved them. They rebuilt everything from that single server. But the damage? Nearly a billion dollars.
Now think about that. One outdated server. One missed patch. That’s all it took.
Why This Matters
This is why I keep stressing the importance of doing your due diligence with third-party vendors. You can’t afford to have unsupported systems hanging around—even if they’re “just for reference.” And you absolutely need to know whether your vendors are doing everything they can to protect your data.
So when you get those security forms asking about audits and controls, take them seriously. They’re not just paperwork. They’re a reflection of whether your business is ready to work with serious clients—clients who care about protecting their data and yours.
That’s why we built the B SEC service—to help companies put the right controls in place. Because if you don’t have them, you’re not just risking your own business. You’re risking your clients’ trust, their data, and your future opportunities.
Bottom line: know your third parties. Audit them. Patch your systems. And never assume that “just one server” can’t bring everything down. Because it can.
—Guy Baroan
CEO, Baroan Technologies
Baroan is a complete IT services & IT support company working with organizations in Elmwood Park and across the United States of America.

When it comes to IT services and solutions, you need someone who not only comprehends the IT industry but is also passionate about helping clients achieve long-term growth using proven IT solutions. Guy, in leading our company, is committed to helping clients improve their technology in order to develop a competitive edge in their industries.
At Baroan Technologies, Guy Baroan leads a team of dedicated professionals who are committed to delivering exceptional IT services and solutions. With his extensive expertise and hands-on experience, Guy ensures that clients receive the utmost support and guidance in their IT endeavors. Trust in Baroan Technologies to elevate your business systems and stay ahead in today’s competitive landscape.