Jeff Weeks
Sr. Vice President and Chief Information Security Officer
Jan 24 2025
Author: Jeff Weeks, Senior Vice President and Chief Information Security Officer
The major breach the U.S. Department of Treasury suffered in late December 2024 rocked the government and cybersecurity communities. Let's look at what we can learn from the breach. The attack was attributed to a Chinese government-sponsored group and enabled by a compromised API key from BeyondTrust, a third-party cybersecurity provider. The attackers gained access to unclassified documents and remotely controlled several workstations, affecting multiple offices within the department.
The Effect of Data Breaches
We all know the possible results of a data breach: reputation damage, financial losses, and in some cases, national security concerns. The Treasury Department breach highlights the growing use of third parties in the government sector and in most businesses. As a result, our focus needs to include not just the overall strength of security measures, policies, and defenses of our own networks — but also the strength of our third-party partners.
Importance of Third-Party Cyber Risk Reviews
The Treasury Department breach emphasizes the need for comprehensive third-party cyber risk assessments. Although organizations often depend on outside service providers for different purposes, these linkages can cause weaknesses in a company's overall security posture.
Of note, 98% of companies have at least one third-party provider that has experienced a data breach.[1] Establishing and maintaining a third-party risk management program to routinely evaluate the security posture of third parties helps to identify problems early and potentially avoid future high-visibility and high-impact incidents.
Continuous Monitoring
There are multiple vendors available to provide continuous monitoring of your critical partners. In some industries, this is a requirement, but it is something all businesses should strive toward. Third-party risk reviews tend to happen once a year, but continuous monitoring is, well, continuous. For example, a penetration test is a snapshot of a moment in time, and other audits of security controls, such as the Statement on Standards for Attestation Engagements (or SSAE report), focus on a period of six months to a year. Using a continuous monitoring tool will provide nearly real-time issue alerts. In addition, there are negative news services available, but this information may come too late. Many breaches happen months before discovery and reporting by news outlets. Using a combination of these tools will provide a good indicator of the effectiveness of the third party’s security controls.
Contracts
Contracts with your third parties should require notification of breaches within hours (not days) to help mitigate risks. Be sure to check with your legal counsel to include basic security requirements in your contracts.
Incidents Happen – Planning is Key
Reducing the effects of cyberattacks is critically dependent on a well-planned incident response strategy. Containment of this breach was greatly aided by the Treasury Department's quick response of taking the compromised service offline and the early inclusion of the FBI and the Cybersecurity and Infrastructure Security Agency.
Creating, testing, and routinely updating your company's incident response strategy will help ensure your ability to effectively and quickly handle security events, resulting in reduced damages and recovery time.
Frequent Testing with Critical Stakeholders
Including law enforcement, critical third parties, and key personnel in tabletop scenarios to test preparedness should become the norm when possible. Although it may be difficult for some entities to include law enforcement or critical vendors, at a minimum, test key personnel and update your incident program with lessons learned.
At the very least, establish relationships with your vendors and law enforcement so you aren’t meeting them for the first time during a critical incident.
Forward Movement
This event reminds us sharply of the always-changing cybersecurity terrain and the importance of strong security policies and practices. Companies must stay alert, always evaluating their security posture, and be ready to react decisively and swiftly to events.
About the Author
Jeff has been with First National Bank of Omaha for more than 26 years and is currently the Senior Vice President and Chief Information Security Officer. The executive leadership and oversight Jeff provides in the development, management, and execution of information security for FNBO enable the company to protect the private, personal information and assets of its clients, employees, and business partners.
[1] 110 of the Updated 2024 Latest Data Breach Statistics