SAN FRANCISCO -- They came in through the Chinese takeout menu.
Unable to breach the computer network at a big oil firm, hackers infected with malware the online menu of a Chinese restaurant that was popular with employees. When the workers browsed the menu, they inadvertently downloaded code that gave the attackers a foothold in the business's vast computer network.
Security experts summoned to fix the problem were not allowed to disclose details of the breach, but the lesson from the incident was clear: Companies scrambling to seal up their systems from hackers and government snoops are having to look in the unlikeliest of places for vulnerabilities.
Hackers in the recent Target payment card breach gained access to the retailer's records via its heating and cooling system. In other cases, hackers have used printers, thermostats and videoconferencing equipment.
Companies have always needed to be diligent in keeping ahead of hackers -- email and leaky employee devices are an old problem -- but the situation has grown increasingly complex and urgent as countless third parties are granted remote access to corporate systems. This access comes through software controlling all kinds of services a company needs: heating, ventilation and air-conditioning; billing, expense and human-resources management systems; graphics and data analytics functions; health insurance providers; and even vending machines.
Break into one system, and you may break into them all. "We constantly run into situations where outside service providers connected remotely have the keys to the castle," said Vincent Berk, chief executive of FlowTraq, a network security firm.
Figures on the percentage of cyberattacks that can be tied to a leaky third party are difficult to come by, in large part because victims' lawyers will find any reason not to disclose a breach. But a survey of more than 3,500 global IT and cybersecurity practitioners conducted by a security research firm, the Ponemon Institute, last year found that roughly a quarter -- 23 percent -- of breaches were attributable to third-party negligence.
Security experts say that figure is low. Arabella Hallawell, vice president of strategy at Arbor Networks, a Burlington, Mass., network security firm, estimated that third-party suppliers were involved in some 70 percent of breaches her firm reviewed. "It's generally suppliers you would never suspect," she said.