The grocery chain Wegmans is suing one of its suppliers (Invermar) for a supply chain breach. Though all the details aren’t yet available, Wegmans claims that Invermar was compromised and that the compromise allowed attackers to reroute payments. Wegmans’ total losses aren’t known, though the suit asks for $900,000 in damages.

When we talk about supply chain attacks, some people only think about firmware modifications. Others include software backdoors as well. But supply chain attacks are about so much more than that.

Wegmans has a legal obligation to pay for goods that it receives from its suppliers. But suppose a supplier is compromised by hackers and uses that access to email the accounting department at another organization, requesting that they update their payment information. In this scenario, it is common that attackers will request an ACH transfer to an alternate bank account. The email, although fraudulent, isn’t fake – it comes from a legitimate account in the supplier’s domain. If Wegmans updates payment information as per the supplier’s request and pays for goods, despite intending to, it isn’t actually fulfilling its contractual obligations.

Note: Although we don’t yet know that this happened in Wegmans’ case, Rendition Infosec has worked multiple breaches involving this specific scenario, so it’s at least plausible.

So who is at fault here? Wegmans made a good faith effort to pay Ivermar. Invermar suffered a breach of its cyber security. But for the Invermar breach, Wegmans’ payments would have satisfied its contractual obligations to Invermar. However, it is common practice for finance departments to confirm payment information change requests through some secondary means (not simply relying on an email, no matter the source). It would appear that both sides had some lapses in cybersecurity best practices – Invermar when their email was compromised and Wegmans when they didn’t confirm updated payment information out of band. There is no doubt however that the Invermar email system breach is a proximate cause of the loss.

Wegmans effectively suffered a supply chain breach. We don’t classify this as a supply chain breach because Invermar is a Wegmans supplier. Rather, it is because by doing business with Invermar, Wegmans assumed Invermar’s cybersecurity risk. Ideally, before entering into business with Invermar, Wegmans would have performed a cybersecurity risk assessment. Even if Invermar offered the lowest prices on raw goods, that may not have translated to the highest overall value when the cybersecurity risk was factored in.

Evaluating your own cybersecurity risk is hard. Evaluating the cybersecurity risk of another organization is much harder. To help organizations quantify the risk to their organization, Rendition Infosec introduced SCREATH – a supply chain risk assessment tool. By using this free tool, cybersecurity teams can perform apples to apples comparisons of third party risk induced by working with different organizations.