- A third-party data breach happens when a vendor, supplier, or partner with access to your data gets compromised.
- At least 36% of all data breaches in 2024 originated from third parties (SecurityScorecard, 2025).
- Third-party breaches cost an average of $4.91M per incident and take longer to detect than direct attacks.
- In 2025, one third-party compromise hit an average of 5.28 downstream companies. You can be a victim without being the target.
- Prevention requires continuous vendor monitoring, contractual security standards, and a clear incident response plan.
In January 2024, AT&T discovered that 109 million subscriber records had been exposed. Their systems were never directly attacked. A third-party cloud vendor had been compromised, and AT&T’s data went with it.
That is a third-party data breach: a cybersecurity incident that originates outside your organisation but reaches your data through a vendor, supplier, contractor, or partner who had legitimate access.
In 2024, at least 36% of all data breaches traced back to a third party. The real number is likely higher. Many companies never confirm the third-party connection publicly. This guide explains how these breaches work, why they are so hard to detect, and what you can do to reduce your exposure.
What Is a Third-Party Data Breach?
A third-party data breach occurs when an attacker compromises a vendor, service provider, or partner, then uses that access to reach the data of one or more of that vendor’s clients.
You did not get attacked. Your vendor did. But your customer records, employee data, or intellectual property were sitting in their systems. Now they are exposed.
It is also called a supply chain attack, a value-chain attack, or a backdoor breach. The target is often chosen specifically because it serves dozens or hundreds of organisations. One compromise, many victims.
First-Party vs. Third-Party Data Breach: What Is the Difference?
Most organisations think of data breach prevention in terms of their own perimeter. Firewalls, access controls, employee training. Third-party breaches bypass all of it.
| | First-Party Breach | Third-Party Breach |
|---|---|---|
| Where it happens | Inside your own systems | At a vendor, supplier, or partner |
| Who is attacked | Your organisation directly | A third party that holds your data |
| Detection time | Average 194 days (IBM, 2024) | Up to 73 days longer than first-party (Black Kite, 2025) |
| Average cost | $4.44M global average (IBM, 2025) | $4.91M (IBM, 2025) |
| Who controls the fix | You | The vendor, not you |
The $4.91M average cost of a third-party breach exceeds the overall average of $4.44M. Harder to detect, harder to contain, and harder to control because the fix is in someone else’s hands.
Why Third-Party Data Breaches Are Getting Worse
In 2025, third-party breach incidents reached record levels. Black Kite tracked 136 major third-party breach events that year, affecting 719 named companies and an estimated 26,000 additional downstream victims who were never publicly identified.
Vendors Hold Enormous Amounts of Sensitive Data
Cloud providers, payroll processors, IT managed service providers, and SaaS platforms all hold sensitive data on behalf of hundreds or thousands of clients. A single compromise at any one of them creates a multi-organisation breach. The attacker gets one entry point and touches thousands of datasets.
Third-Party Security Is Harder to Verify
You can audit your own systems. Auditing every vendor you work with, at the depth required to catch real vulnerabilities, is an entirely different challenge. Most organisations rely on annual questionnaires or SOC 2 reports. Neither catches the vulnerabilities attackers are actively exploiting.
Detection Takes Longer
The median disclosure delay for third-party breaches in 2025 was 73 days. That is 73 days between a vendor being compromised and your organisation being told. During that window, your data is already exposed and attackers are already using it.
How Third-Party Data Breaches Actually Happen
Software Supply Chain Attacks
Attackers compromise software updates, libraries, or build pipelines used by the target vendor. The malicious code ships to every client automatically. SolarWinds and the 3CX breach in 2023 both used this method. The client installs an update and receives malware alongside it.
File Transfer Software Exploitation
File transfer tools are high-value targets because they move sensitive data across organisations at scale. In 2024, file transfer software was the top third-party breach enabler, accounting for 14% of incidents, primarily through exploitation of Cleo software by the Cl0p ransomware group.
Compromised Vendor Credentials
Attackers steal login credentials belonging to vendor employees. They use those credentials to authenticate into client systems, pivot through networks, and exfiltrate data. This is particularly common where vendors have direct system access for support or maintenance.
Misconfigured Cloud Storage
A vendor misconfigures an S3 bucket, an Azure blob, or a database and exposes client data to the internet. No sophisticated attack required. The data is simply accessible. The organisation whose data is stored there is the victim, but they had no visibility into the vendor’s cloud configuration.
5 Recent Third-Party Data Breaches (2024 to 2025)
These are not hypotheticals. Each of these incidents happened to well-resourced organisations with established security programmes. The common thread: a trusted vendor was the entry point.
Panera
ShinyHunters stole customer data and leaked a 760 MB archive after extortion failed. Exposed data included names, email addresses, phone numbers, and physical addresses. The attackers originally advertised 14 million records, though analysis from “Have I Been Pwned” confirmed 5.1 million unique accounts. Panera reported notifying authorities while investigating the access path.
Odido
Attackers breached a customer contact system over the 7 Feb 2026 weekend. Exposed data included names, addresses, email addresses, mobile numbers, IBANs, and dates of birth. Odido said passwords, call records, billing data, and ID document scans were not impacted. The company notified the Dutch Data Protection Authority within 48 hours and began customer notifications while external responders increased monitoring.
Figure
A social engineering attack manipulated an employee into providing access to internal systems. ShinyHunters claimed responsibility and posted roughly 2.5 GB of stolen customer records online. Exposed data included names, dates of birth, email addresses, postal addresses, and phone numbers, raising significant identity theft and phishing risks for affected individuals. Figure stated it is notifying impacted users and offering credit monitoring.
PayPal
A threat actor accessed PayPal systems starting 1 Jul 2025 and remained undetected until 12 Dec 2025, a six-month dwell time. Breach letters reached impacted users on 10 Feb 2026. Some customers reported unauthorized transactions. PayPal issued refunds and forced password resets. No public aggregate dollar total for stolen funds has been disclosed.
European Commission (Europa web platform)
A cyberattack struck the cloud infrastructure hosting the Europa web platform on 24 Mar 2026. Early findings confirmed data was taken from affected websites. The Commission said the incident was contained quickly and its internal systems were not impacted. No threat actor has been named and the full scope of data taken remains under investigation.
Which Industries Are Most at Risk?
Third-party breaches affect every sector. But the exposure is not evenly distributed.
How to Reduce Your Third-Party Breach Risk
You cannot control what happens inside a vendor’s environment. You can control how much access they have, how closely you monitor them, and how fast you respond when something goes wrong.
Map Your Vendor Ecosystem
Build a complete inventory of third parties: who they are, what data they touch, and what systems they can access. Include fourth parties where your most critical vendors use their own subcontractors. You cannot manage risk you cannot see.
Tier Vendors by Risk Level
A vendor with read access to anonymised data is different from one with write access to customer payment records. Tier your vendors by the sensitivity of data they handle and the depth of their system access. Apply your heaviest scrutiny to the top tier.
Move Beyond Annual Questionnaires
A questionnaire filled out once a year tells you what a vendor’s security posture was when they filled it out. Continuous monitoring shows you what it is right now. Tools that track vendors’ external security signals, open vulnerabilities, and dark web exposure give you real-time risk signals.
Set Contractual Security Requirements
Your vendor contracts should specify minimum security standards: encryption requirements, breach notification timelines, penetration testing schedules, and your right to audit. A vendor who won’t agree to a 72-hour breach notification requirement is telling you something important.
Apply Least Privilege to Vendor Access
Vendors should only access the systems and data they need to deliver their service. Review vendor access permissions quarterly. Revoke access immediately when a contract ends. Many third-party breaches persist longer than necessary because vendor credentials were never deprovisioned.
Build a Third-Party Incident Response Plan
When a vendor calls to say they have been breached, you need to know exactly what to do in the next 24 hours. Which data was accessible? Who do you notify? GDPR requires notification within 72 hours. HIPAA requires notification within 60 days. Having the plan before the breach means you spend that time executing, not deciding.
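The six steps above (inventory, tiering, continuous monitoring, contractual terms, least privilege, response plan) can be partly automated against a vendor register. The following is an added example written for this guide, not code from the article or from any vendor-risk product: it tiers each vendor by data sensitivity times access depth, flags access that outlived its contract or its quarterly review, surfaces fourth parties behind top-tier vendors, and computes the GDPR (72 hours) and HIPAA (60 days) notification deadlines from a discovery time. The tier thresholds, sensitivity scale, vendor names and dates are constructed assumptions, not a standard.

```python
"""Vendor-risk triage over a third-party inventory (added example).

Tiers vendors, flags stale or un-deprovisioned access, lists fourth
parties behind Tier 1 vendors, and computes notification deadlines.
All vendors, dates and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta, timezone
from typing import Dict, List, Optional

# Ordinal scales (assumed policy): how sensitive the data is, how deep the access goes.
SENSITIVITY = {"anonymised": 1, "internal": 2, "personal": 3, "payment": 4}
ACCESS = {"none": 0, "read": 1, "write": 2, "admin": 3}
REVIEW_INTERVAL = timedelta(days=90)  # "review vendor access quarterly"


@dataclass
class Vendor:
    name: str
    data_class: str                  # key into SENSITIVITY
    access_level: str                # key into ACCESS
    contract_end: Optional[date]     # None = open-ended contract
    access_revoked: bool             # has deprovisioning actually happened?
    last_access_review: Optional[date]
    fourth_parties: List[str] = field(default_factory=list)


def tier(v: Vendor) -> int:
    """Tier 1 is highest risk: score = sensitivity x access depth (assumed cut-offs)."""
    score = SENSITIVITY[v.data_class] * ACCESS[v.access_level]
    if score >= 8:
        return 1
    if score >= 3:
        return 2
    return 3


def access_findings(v: Vendor, today: date) -> List[str]:
    """Least-privilege checks: expired contracts still live, reviews never done or overdue."""
    findings = []
    if v.contract_end and v.contract_end < today and not v.access_revoked:
        findings.append(f"{v.name}: contract ended {v.contract_end}, access still active")
    if v.access_level != "none":
        if v.last_access_review is None:
            findings.append(f"{v.name}: access never reviewed")
        elif today - v.last_access_review > REVIEW_INTERVAL:
            age = (today - v.last_access_review).days
            findings.append(f"{v.name}: access review overdue ({age} days since last review)")
    return findings


def notification_deadlines(discovered: datetime) -> Dict[str, datetime]:
    """Regulatory clocks start at discovery: GDPR 72 hours, HIPAA 60 days."""
    return {
        "GDPR": discovered + timedelta(hours=72),
        "HIPAA": discovered + timedelta(days=60),
    }


def triage(vendors: List[Vendor], today: date) -> dict:
    """Run the inventory through tiering, access checks and fourth-party mapping."""
    report: dict = {"tiers": {}, "findings": [], "fourth_parties": {}}
    for v in vendors:
        t = tier(v)
        report["tiers"][v.name] = t
        report["findings"].extend(access_findings(v, today))
        if t == 1 and v.fourth_parties:        # fourth parties matter most behind Tier 1
            report["fourth_parties"][v.name] = v.fourth_parties
    return report


# Constructed sample inventory and a constructed discovery timestamp.
TODAY = date(2026, 3, 1)
DISCOVERED = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
VENDORS = [
    Vendor("payroll-saas", "payment", "write", date(2027, 1, 31), False, date(2025, 10, 15), ["cloud-host-x"]),
    Vendor("analytics-co", "anonymised", "read", date(2026, 12, 31), False, date(2026, 1, 20)),
    Vendor("former-msp", "personal", "admin", date(2025, 11, 30), False, date(2025, 6, 1)),
    Vendor("it-support", "internal", "read", None, False, None),
]

if __name__ == "__main__":
    result = triage(VENDORS, TODAY)
    for name, t in sorted(result["tiers"].items(), key=lambda kv: kv[1]):
        print(f"Tier {t}: {name}")
    for f in result["findings"]:
        print("FINDING:", f)
    for vendor, subs in result["fourth_parties"].items():
        print(f"Fourth parties behind {vendor}: {', '.join(subs)}")
    for regime, deadline in notification_deadlines(DISCOVERED).items():
        print(f"{regime} notification due by {deadline.isoformat()}")
```

On the constructed inventory this produces two Tier 1 vendors, four findings (one expired contract with live access, two overdue reviews, one review never performed), one fourth-party dependency, and the two deadlines. The scoring is deliberately simple so the thresholds can be replaced with whatever your own tiering policy says; the point is that the checks run continuously against the register rather than once a year.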
Cybersecurity Skills for a World of Third-Party Risk
Third-party data breaches are now a core focus of enterprise cybersecurity. The analysts, engineers, and security architects managing vendor risk, supply chain monitoring, and incident response are in demand across every industry.
Metana’s Cybersecurity Bootcamp covers the skills that apply directly to this threat landscape: network security, risk assessment, ethical hacking, and compliance frameworks including GDPR, HIPAA, and SOC 2. If you are a beginner wondering how to start a cybersecurity career, this is a great place to begin.
The Bottom Line
A third-party data breach can expose your customers’ data, trigger regulatory penalties, and cost your organisation millions without a single attacker ever touching your systems. Your security posture is only as strong as the weakest vendor in your supply chain.
The organisations that manage this risk well treat vendor security as a continuous discipline, not a compliance checkbox. Map your vendors. Monitor them. Hold them to contractual standards. Have a response plan ready before the call comes.
Statistics & Data
- 2025 Global Third-Party Breach Report
- Manufacturing Supply Chain Cyber Risks
- Latest Data Breach Statistics
- Data Breach Facts and Figures
- Important Data Breach Statistics
- Third-Party Compromise Data Breach Statistics
- Recent Major Data Breaches
- January 2025 Data Breaches
- Updated List of Major Data Breaches