APRIL 23, 2026
Your perimeter is hardened. Your internal systems are patched. Your SOC monitors every endpoint. And then a company you have never heard of, an HR software vendor used by one of your procurement partners, gets breached. Days later, your employee records are on a dark web forum.
This is not a hypothetical. It is a pattern that defined 2025. The year in which third-party involvement in breaches doubled, reaching 30 percent of all confirmed incidents globally. The year in which a single vendor compromise produced an average of 5.28 downstream victims. The year in which the blast radius of a single supplier’s security failure was measured not in thousands of records, but in hundreds of millions of dollars in operational losses.
Third-party risk is no longer a compliance category. It is the primary attack surface for the most impactful cyber incidents of the current era. And the majority of organizations are still trying to manage it with annual questionnaires.
This blog explains what third-party risk is and how it actually propagates; the attack vectors most commonly exploited in 2025; two major 2025 cases that illustrate how supplier vulnerabilities cascade; and what a continuous third-party risk program looks like in practice.
| Figure | What it means | Source |
| --- | --- | --- |
| 30% | of all 2025 breaches involved a third party; double the previous year | Verizon DBIR 2025 |
| 5.28x | average downstream victims per vendor breach; highest level ever recorded | Black Kite 2025 |
| $4.9M | average cost of a third-party breach; second costliest breach category after insider threats | IBM 2025 |
| 73 days | median vendor breach disclosure delay; most downstream victims learn about it weeks after the fact | |

Third-party risk refers to the cyber exposure that an organization inherits through its relationships with vendors, suppliers, partners, and service providers. Every business relationship that involves access to your data, systems, or infrastructure, however indirect, represents a pathway through which an attacker can reach you without ever directly targeting you.
What makes this structural problem so difficult to manage is scale and depth. Most large organizations maintain direct relationships with hundreds of vendors. Those vendors maintain their own vendor ecosystems. Fourth-party and fifth-party dependencies extend the risk surface far beyond what any questionnaire-based program can map. SecurityScorecard research from 2025 found that 12.7 percent of third-party breaches cascaded into fourth-party incidents: a single compromise propagating through multiple organizational layers simultaneously.
The cascade mechanics are straightforward. A threat actor does not need to breach your network. They breach a vendor that has privileged access to your systems, handles your data, or operates infrastructure you depend on. From that position, they reach you through the trusted relationship that your organization itself established.
| | Direct Attack | Third-Party Breach |
| --- | --- | --- |
| Target | The organization itself | A trusted vendor or supplier |
| Attacker entry point | Your perimeter, employees, systems | Vendor’s systems, software, or infrastructure |
| Your visibility | High — it’s your own environment | Low — often zero until vendor discloses |
| Detection speed | Faster — your tools monitor your environment | Slower — breach occurs outside your visibility |
| Scale of impact | One organization | One vendor compromise can affect 400+ downstream orgs |
| Your defensive control | Direct — you can patch, monitor, respond | Indirect — you rely on vendor security posture |
| Cost | Average $4.88M (IBM 2025) | Average $4.8M + reputational and regulatory exposure |
The economics are simple: attacking one organization directly requires significant effort and investment for a single target. Compromising one vendor that serves 400 organizations achieves 400 times the return on the same investment. The asymmetry is structural. Defenders must secure every connection across their entire vendor ecosystem. Attackers need only find one gap in one vendor.
This is exactly why third-party breach rates have doubled in a single year. Attackers have rationally calculated that vendor ecosystems are the highest-yield attack surface available to them, and 2025 case data confirms their calculation is correct.
💡 The Trust Paradox: The same trusted access that makes a vendor relationship operationally valuable makes it dangerous when the vendor is compromised. You granted that access deliberately, and the attacker inherits it without needing to defeat any of your own security controls. Your perimeter never saw the attack coming because it never touched your perimeter.
Not all third-party relationships carry equal risk, and not all attack vectors are equally common. The 2025 breach data reveals four dominant entry points that security and risk teams should prioritize.
When a vendor operates as a shared service platform, providing centralized infrastructure to multiple clients simultaneously, a single ransomware attack against that vendor cascades automatically. Clients do not need to be individually targeted. They inherit the disruption, the data exposure, and the extortion pressure through their service dependency.
This attack pattern is particularly acute in sectors where shared platforms handle operationally critical functions: HR systems, payroll, logistics management, and compliance reporting. A ransomware group that compromises one such platform immediately holds leverage over every organization dependent on it.
Modern enterprise environments are densely connected through application integrations. When organization A grants application B access to its systems via OAuth tokens, and application B is subsequently compromised, the attacker inherits those tokens without requiring any credentials from organization A’s own infrastructure.
In 2025, this attack vector was responsible for some of the highest-volume third-party breach events: single compromised integrations producing access to hundreds of downstream organizations simultaneously. The attacker’s leverage scales with the number of organizations that had granted the compromised application access.
When a vulnerability is discovered in enterprise software deployed across thousands of organizations, attackers can exploit it systematically: each vulnerable installation is a separate breach with minimal additional effort per target. The exploitation scales with deployment breadth, not with attack sophistication.
The most impactful third-party breaches of 2025 followed this pattern: zero-day or n-day vulnerabilities in enterprise platforms with broad deployment footprints, exploited before patches could be deployed at scale. The vendor’s responsibility was to patch; the downstream organization’s exposure was determined by how quickly they could apply that patch, or whether the vendor had disclosed the vulnerability before exploitation began.
Not every third-party breach originates from a technology supplier. Procurement partners, facilities management vendors, consulting firms, and professional services providers all maintain some form of access to organizational systems or data. When these non-technology vendors are compromised, attackers use that access to reach the primary target.
This category is the most frequently overlooked in formal vendor risk programs, precisely because the relationship does not appear to carry technical access. But a procurement vendor that handles supplier contracts has access to financial terms, counterparty identities, and operational details that are highly valuable to threat actors. A facilities vendor with building management system access may have network adjacency that creates pivot opportunities.
⚠️ The 73-Day Disclosure Gap: Black Kite’s 2025 analysis found a median of 73 days between vendor breach occurrence and downstream notification. Organizations waiting for their vendors to inform them of a compromise are operating with a two-and-a-half-month blind spot. Most of the damage (lateral movement, data exfiltration, and access establishment) occurs within that window.

CASE STUDY 1 | April 2025 // Retail Sector // Third-Party Contractor Exploitation
Marks & Spencer: A Third-Party Contractor Entry Point and a £300M Operating Loss
Source: Silobreaker 2025 Supply Chain Review; Int-Comp Cybersecurity Breach Analysis; publicly disclosed incident reporting
On April 19, 2025, Marks & Spencer disclosed a cyberattack that had begun disrupting contactless payments and click-and-collect services across more than 1,000 UK stores. What became clear in the subsequent investigation was that the initial compromise did not date from April: the domain-level breach had been established as early as February 2025, giving attackers a two-month dwell period before the disruptive payload was deployed.
The attackers, operating under the DragonForce ransomware group, had exploited vulnerabilities in third-party contractor access to reach M&S’s internal environment. The specific entry point was third-party software used in their supply chain and logistics operations: the same software that had already been flagged in broader vulnerability advisories, but which had not been patched within the window that attackers exploited. The impact extended far beyond a typical data breach. Logistics disruptions cascaded into stock availability failures across stores. Waste increased as perishable goods could not be routed efficiently. E-commerce operations were partially suspended. The final financial assessment placed the estimated operating profit impact for 2025 and 2026 at approximately £300 million, equivalent to roughly $400 million USD.
| Figure | Detail |
| --- | --- |
| £300M | estimated operating profit loss across 2025 and 2026 fiscal periods |
| 2 months | attacker dwell time before destructive payload deployed; breach began in February |
| 1,000+ | UK stores disrupted; contactless payments and click-and-collect taken offline |
The M&S case illustrates two structural failures that appear repeatedly in high-impact third-party breaches. First, the entry point was a third-party contractor relationship, not a direct attack on M&S’s own infrastructure. Second, the breach was not detected during the two months of dwell time, meaning all standard internal monitoring failed to surface the compromise until the attacker chose to make it visible by deploying the ransomware payload.
💡 Key Lesson: Contractor Access Is the Perimeter. The M&S breach entered through trusted third-party contractor access. The attacker did not need to defeat M&S’s perimeter security directly. They used a vendor’s credentials and access to walk through a door that M&S had opened legitimately. Until organizations treat contractor and vendor access with the same rigor as employee access, this entry point will remain available.
CASE STUDY 2 | June 2025 // Financial Sector // Procurement Vendor Cascade
Chain IQ Group: One Procurement Vendor, 19 Financial Clients, 130,000 Employee Records
Source: FortifyData Third-Party Breach Analysis 2025; publicly disclosed breach notification filings
On June 12, 2025, Chain IQ Group AG, a Switzerland-based procurement services provider, suffered a sophisticated cyberattack. Chain IQ operated as a shared procurement platform for a number of major financial institutions, providing centralized procurement infrastructure and associated data management across its client base.
The attackers accessed data from Chain IQ and at least 19 of its clients, uploading the exfiltrated files to the dark web within hours of the initial compromise. The breach used previously unseen tools and tactics, suggesting a threat group with significant operational sophistication and preparation. The exfiltrated data covered more than 130,000 employee records from client organizations, including names, email addresses, phone numbers, and workplace location codes.
Among the confirmed victims were employees of two of Europe’s largest financial institutions. The sensitivity of the exposed data extended beyond employee contact information: workplace location codes and organizational metadata provide intelligence about internal structure that threat actors use to craft targeted spear-phishing campaigns against high-value individuals. The incident also exposed what appeared to be direct contact information for C-level individuals at client firms, information that was subsequently verified by independent journalists examining the leaked dataset.
| Figure | Detail |
| --- | --- |
| 19 | financial sector client organizations breached through a single shared procurement vendor |
| 130K+ | employee records exposed and uploaded to dark web within hours of initial access |
| 0 | technology vulnerabilities required by the attackers; the access was through the vendor relationship itself |
The Chain IQ incident is a particularly instructive example of the non-technology third-party risk category. Chain IQ was not a cybersecurity vendor, not a cloud services provider, and not a software company. It was a procurement services firm. Its clients’ primary exposure came not from any software vulnerability or technical misconfiguration, but from the access and data they had entrusted to a service provider as part of a normal business relationship.
🔴 Key Lesson: Procurement Vendors Are Not Low-Risk. Organizations routinely apply lower security scrutiny to non-technology vendors than to software or cloud providers. Chain IQ demonstrates why this assumption is wrong. A procurement vendor handles supplier contracts, organizational data, employee information, and financial terms. When that vendor is compromised, everything it handles becomes available to the attacker. The risk level of a vendor relationship is determined by the sensitivity of the data and access it holds, not by the technology category of its services.
Most organizations have some form of third-party risk management program. The majority of those programs were designed for a threat environment that operated at a different speed and scale. Annual questionnaires, periodic assessments, and compliance checklists were adequate controls when supply chain attacks were occasional and their impact was contained. They are structurally inadequate when third-party breach rates are doubling year-over-year and a single vendor compromise can cascade to hundreds of downstream organizations within hours.
Vendor security questionnaires are self-reported assessments completed by the vendor and reviewed by the organization’s risk team. They are periodic rather than continuous, self-reported rather than independently verified, and they do not detect vulnerabilities or active compromises that occur between assessment cycles. A vendor that returned a clean questionnaire in January is not necessarily less compromised in August. The questionnaire cannot tell you that.
The 73-day median disclosure delay identified in Black Kite’s 2025 data is not a vendor communication failure. It is a reflection of how long breaches go undetected internally before vendors can disclose them to downstream customers. An organization waiting for breach notification has no visibility into its vendors’ security posture between assessment cycles. It will learn about the breach when the vendor chooses to disclose, or when its own data appears somewhere it should not.
A mature enterprise maintains relationships with hundreds of direct vendors. Each of those vendors maintains its own vendor ecosystem. The total vendor surface that an organization needs to monitor, including fourth-party and fifth-party dependencies, is orders of magnitude larger than any questionnaire-based program can practically cover. Continuous automated monitoring is the only operationally viable approach to this scale.
🔍 From Periodic Assessment to Continuous Intelligence: The organizations that avoided becoming downstream victims in the highest-impact 2025 third-party breaches were not those with more thorough questionnaires. They were those with continuous external monitoring: real-time visibility into vendor security posture changes, dark web signals indicating vendor credential exposure, and threat intelligence surfacing when vendors were being actively targeted. Static assessment cannot compete with dynamic attack.

Effective third-party risk management in the current environment is not a questionnaire process. It is a continuous intelligence program that operates across three layers: vendor inventory and tiering, continuous external monitoring, and contractual controls with tested incident response.
| LAYER 1: VENDOR INVENTORY AND RISK TIERING |
| --- |
| Maintain a complete, current inventory of all third-party relationships: technology and non-technology vendors, subsidiaries, acquired entities, and fourth-party dependencies for high-tier relationships. |
| Tier vendors by risk level based on data access, system integration depth, and operational criticality. Apply different monitoring rigor and assessment frequency to each tier. A procurement vendor with access to employee data requires the same scrutiny as a cloud infrastructure provider. |
| Extend vendor inventory to fourth-party relationships for critical vendors: map your most important vendors’ own critical vendor dependencies. 12.7 percent of 2025 third-party breaches cascaded into fourth-party incidents. |

| LAYER 2: CONTINUOUS EXTERNAL MONITORING |
| --- |
| Monitor vendor external attack surfaces continuously: exposed assets, unpatched services, certificate anomalies, and misconfigured cloud resources. Security posture can degrade significantly between annual assessments without any internal indicator. |
| Monitor dark web sources for vendor credential exposure: when vendor employee credentials appear in stealer logs or combolist distributions, your organization is at risk before any technical breach has occurred at your systems. |
| Track vulnerability disclosures for software products in your vendor ecosystem, particularly enterprise platforms with broad deployment footprints. Early awareness of exploitation campaigns provides a response window that periodic assessments cannot offer. |
| Monitor ransomware group activity for targeting signals relevant to your vendor ecosystem and the sectors your critical vendors operate in. The 73-day disclosure gap means the signal often appears on dark web forums long before official notification. |

| LAYER 3: CONTRACTUAL CONTROLS AND INCIDENT RESPONSE |
| --- |
| Include mandatory breach notification timelines in vendor contracts: require vendors to notify you within 24 to 72 hours of discovering a security incident, rather than waiting for their own disclosure timeline. The 73-day median gap is partly a contractual failure. |
| Require vendors to maintain minimum security controls as a condition of contract: MFA enforcement, vulnerability management cadence, and incident response capability. Make security a buying criterion that vendors must demonstrate, not merely attest to. |
| Develop vendor-specific incident response playbooks for critical vendors: pre-defined steps to take when a critical vendor is breached, including data isolation, alternative sourcing, and regulatory notification procedures. |
| Conduct tabletop exercises that simulate third-party breach scenarios, including scenarios where you learn of a vendor breach through a dark web monitoring alert rather than official vendor notification. The M&S and Chain IQ cases both demonstrate that the signal often arrives through external channels before the vendor discloses. |
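As an added illustration of the cascade mechanics described earlier and of the tiering and fourth-party mapping in Layer 1 (example code written for this post, not a Brandefense product feature; the vendor names, the 0 to 3 scoring scale and the inventory are constructed), the following models the ecosystem as a dependency graph and computes who is hit, and through which contract, when one supplier is compromised:

```python
"""Vendor ecosystem as a dependency graph: risk tiering and the blast radius
of one supplier compromise, including fourth- and fifth-party hops.
Hypothetical model written for this post; all data below is constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Relationship:
    client: str
    supplier: str
    data_access: int        # 0 none .. 3 employee/customer PII or financial terms
    integration_depth: int  # 0 none .. 3 privileged access (SSO, OAuth grants, VPN)
    criticality: int        # 0 none .. 3 operations stop without the supplier


def tier_of(rel: Relationship) -> int:
    """Tier 1 is the highest. The tier follows the most sensitive dimension,
    so a procurement firm holding employee data tiers like a cloud provider."""
    return 4 - max(rel.data_access, rel.integration_depth, rel.criticality)


def blast_radius(rels, compromised: str) -> dict:
    """Map every entity whose supply chain contains `compromised` to its hop
    distance: 1 = direct (third party), 2 = fourth party, 3 = fifth party."""
    clients_of = defaultdict(list)
    for r in rels:
        clients_of[r.supplier].append(r.client)
    hops, queue = {}, deque([(compromised, 0)])
    while queue:
        node, dist = queue.popleft()
        for client in clients_of[node]:
            if client not in hops:          # BFS: first visit is the shortest path
                hops[client] = dist + 1
                queue.append((client, dist + 1))
    return hops


def exposure_paths(rels, org: str, compromised: str) -> list:
    """All supplier chains from `org` down to `compromised`; the second element
    of each path is the direct vendor whose contract and access you control."""
    suppliers_of = defaultdict(list)
    for r in rels:
        suppliers_of[r.client].append(r.supplier)
    paths, stack = [], [(org, [org])]
    while stack:
        node, path = stack.pop()
        for sup in suppliers_of[node]:
            if sup in path:                  # ignore cycles in the inventory
                continue
            if sup == compromised:
                paths.append(path + [sup])
            else:
                stack.append((sup, path + [sup]))
    return paths


# Constructed inventory. HRSaaS is a fourth party to OurBank via ProcureCo.
INVENTORY = [
    Relationship("OurBank", "ProcureCo", 3, 1, 2),   # procurement vendor holding employee data
    Relationship("OurBank", "CloudHost", 3, 3, 3),
    Relationship("OurBank", "FacilitiesCo", 1, 1, 1),
    Relationship("PeerBank", "ProcureCo", 3, 1, 2),
    Relationship("ProcureCo", "HRSaaS", 3, 2, 2),
    Relationship("RetailCo", "HRSaaS", 3, 2, 3),
]

if __name__ == "__main__":
    print(blast_radius(INVENTORY, "HRSaaS"))            # four entities across two hops
    print(exposure_paths(INVENTORY, "OurBank", "HRSaaS"))
```

Note that the procurement relationship tiers at 1 on data access alone, which is the Layer 1 point: the tier is set by the most sensitive dimension, not by whether the vendor sells technology.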
Brandefense’s External Attack Surface Management and Digital Risk Protection platform extends your security visibility beyond your own perimeter, providing continuous monitoring of your vendor ecosystem and the threat intelligence signals that precede third-party breach events.
| Brandefense Capability | What It Detects in Third-Party Risk Scenarios |
| --- | --- |
| Vendor External Attack Surface Monitoring | Continuous discovery and assessment of your critical vendors’ externally exposed assets: open ports, unpatched services, misconfigured cloud resources, and certificate anomalies indicating security posture degradation between formal assessments |
| Dark Web Vendor Credential Monitoring | Real-time scanning of stealer logs and credential markets for your vendors’ employee credentials; when a vendor’s staff credentials are compromised, your organization’s data and access are at risk before any technical breach occurs at your systems |
| Ransomware Group Targeting Intelligence | Monitoring of ransomware group dark web activity and sector-specific targeting patterns relevant to your vendor ecosystem; early warning when groups are focusing on suppliers or software platforms in your supply chain |
| Vulnerability Exploitation Intelligence | Early warning when vulnerabilities in software deployed by your vendors are being actively exploited by threat actors; provides a response window before mass exploitation reaches your specific vendor relationships |
| Leak Site Monitoring | Continuous monitoring of active ransomware data leak sites for your vendors’ names; detects vendor breach disclosures before official notification, often while the incident is still in progress or within hours of data publication |
| Supply Chain Risk Alerting | Automated alerts when any monitored vendor shows signals of active compromise, targeted attack, or significant security posture degradation; enables proactive response rather than reactive notification processing |
| 24/7 Analyst Coverage | All third-party risk intelligence is supported by continuous analyst review; escalation protocols for high-severity vendor incidents that require immediate organizational response before formal disclosure arrives |
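As an added example of the vendor credential monitoring described in Layer 2 and in the capability table (illustrative code, not Brandefense’s own implementation; the vendor inventory, the simplified `url|login|password` record layout and every credential below are constructed), this triages stealer-log records against a vendor list, distinguishes a vendor’s staff credential from a vendor credential used against your own systems, and ranks the findings for response without ever surfacing the secret:

```python
"""Triage constructed stealer-log records against a monitored vendor inventory.
Hypothetical detection logic written for this post. The record layout
"url|login|password" is a simplification chosen for the example."""
import re
from urllib.parse import urlsplit

# Constructed inventory: vendor domain -> (vendor name, risk tier; 1 = highest).
MONITORED_VENDORS = {
    "procureco.example": ("ProcureCo", 1),
    "cloudhost.example": ("CloudHost", 1),
    "facilities.example": ("FacilitiesCo", 3),
}
OUR_DOMAINS = {"ourbank.example"}

# Constructed sample records; none of these are real credentials.
SAMPLE_LOG = """\
https://sso.procureco.example/login|j.doe@procureco.example|Winter2025!
https://mail.example.net/|someone@gmail.example|hunter2
https://vpn.cloudhost.example/|ops.admin@cloudhost.example|P@ssw0rd
https://portal.ourbank.example/|contractor@facilities.example|badpass
https://portal.procureco.example/|alice@ourbank.example|Spring2025
this line is not a record
"""

RECORD_RE = re.compile(r"^(?P<url>\S+)\|(?P<login>[^|]+)\|(?P<secret>.*)$")


def owner_of(host: str, domains):
    """Return the inventory domain that equals or is a parent of `host`."""
    host = host.lower().rstrip(".")
    for domain in domains:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def redact(login: str) -> str:
    """Keep enough to route the alert (first char + domain), never the secret."""
    local, _, domain = login.partition("@")
    return f"{local[:1]}***@{domain}" if domain else f"{local[:1]}***"


def classify(line: str):
    """One finding per record, or None when it does not concern a vendor."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    login = m["login"].strip().lower()
    site_host = urlsplit(m["url"]).hostname or ""
    login_domain = login.rpartition("@")[2]
    staff_vendor = owner_of(login_domain, MONITORED_VENDORS)
    site_vendor = owner_of(site_host, MONITORED_VENDORS)
    if staff_vendor and owner_of(site_host, OUR_DOMAINS):
        kind, vendor = "vendor_credential_to_our_systems", staff_vendor
    elif staff_vendor:
        kind, vendor = "vendor_staff_credential", staff_vendor
    elif site_vendor:
        kind, vendor = "credential_for_vendor_service", site_vendor
    else:
        return None
    name, tier = MONITORED_VENDORS[vendor]
    return {"vendor": name, "tier": tier, "kind": kind,
            "login": redact(login), "site": site_host}


def triage(log_text: str) -> list:
    """Findings ordered for response: access to our systems first, then by tier."""
    findings = [f for f in map(classify, log_text.splitlines()) if f]
    urgent = {"vendor_credential_to_our_systems": 0}
    return sorted(findings, key=lambda f: (urgent.get(f["kind"], 1), f["tier"], f["vendor"]))
```

Run `triage(SAMPLE_LOG)`: the tier 3 facilities vendor sorts first because its credential was being used against a system of ours, which is the situation the capability table describes as risk before any technical breach at your own systems.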
The organizations that avoided becoming downstream victims in 2025’s highest-impact supply chain incidents were not those with the most thorough annual assessments. They were those with the earliest warning: continuous external monitoring that surfaced vendor credential exposure, attack targeting signals, and vulnerability exploitation activity before the breach notification arrived, or before the breach was even disclosed.
Third-party risk is not a compliance problem. It is a visibility problem. And the 73-day gap between breach and disclosure is not a timeline your security program can afford to wait through.
