
Your vendor may be the weakest link: Percentage of third-party breaches doubled in a year

(2025/04/24)


The percentage of confirmed data breaches involving third-party relationships doubled last year as cybercriminals increasingly exploited weak links in supply chains and partner ecosystems.

That's according to Verizon's Data Breach Investigations Report (DBIR), one of the industry's most-watched autopsies on what actually goes wrong in infosec. This year's edition, released Wednesday, covers incidents that occurred between November 1, 2023, and October 31, 2024.

It found that the proportion of breaches involving third parties rose from 15 percent in last year's dataset to 30 percent in this year's report. This figure includes those breaches (incidents in which data loss was confirmed) caused by exploited software vulnerabilities and supply chain compromises.


Ilia Kolochenko, CEO at ImmuniWeb and fellow at the British Computer Society, said during a [2]launch event for the [3]report that cybercriminals are increasingly looking at organizations such as accountants and law firms as ways to reach their intended targets.


"Criminals are smart and pragmatic; they count every cent and are cost-conscious," he said, explaining why more vulnerable companies can act as reliable gateways into much bigger target environments.

Verizon said that vendors and other business partners are expanding the attack surface by failing to enforce proper access controls, including preventing credential misuse. In particular, weak third-party practices continue to expose organizations to downstream risks.


One example: in third-party environments, the median time to remediate leaked secrets, such as API keys or tokens discovered in public GitHub repositories, was 94 days, giving attackers ample opportunity to exploit them.

Leaked secrets weren't the only problem. The report also highlights how credential reuse played a key role in several high-profile incidents, including a major Snowflake-related breach, where attackers used previously exposed credentials to access customer accounts due to the lack of mandatory multi-factor authentication (MFA).

Other key takeaways:

There are other juicy tidbits in the 117-page report — here are some of the highlights:

Exploiting vulnerabilities for initial access is up 34 percent year over year, now accounting for one in five breaches.

Only 54 percent of perimeter device vulnerabilities were fully remediated, and it took organizations 32 days to do so on average.

44 percent of breaches involved ransomware, a yearly increase of 37 percent.

However, the median ransom payment was down to $115,000, and 64 percent refused to pay up at all.

The human element was a factor in 60 percent of breaches – a figure that's statistically unchanged from the previous year.

State-sponsored attacks with a clear financial focus comprised 28 percent of all those carried out by those with state backing. Espionage-focused operations accounted for only 17 percent overall.

The percentage of malicious emails featuring AI-generated content doubled over the past two years, rising from around 5 percent to roughly 10 percent.

15 percent of employees routinely accessed generative AI platforms on work devices which Verizon claimed increased the risk of corporate data leaks.

Major organizations such as Santander and [7]Ticketmaster got hit after threat actors from the [8]ShinyHunters group used stolen credentials to access Snowflake customer accounts last summer, affecting hundreds of millions of records.

Verizon noted that it wasn't solely Snowflake's fault - roughly 80 percent of the affected customer accounts had previously exposed credentials, which amplified the fallout.

However, the lack of mandatory MFA across Snowflake accounts made the campaign particularly effective. This gap was one of the first things Snowflake [9]moved to address after the incident.


"Only in a perfect world with no conflict of responsibilities would the challenge of securing infrastructure (or platform) as a service providers be the same as that of securing on-premise assets for areas they don't explicitly cover," the report reads.

"That means managing credentials will likely be harder in an environment you don't control. Secure-by-default standards on those platforms make a significant difference in the security bottom line, as the quick post-incident policy updates from Snowflake would suggest."

Other major incidents involving software providers over the past year include [11]CDK Global, [12]Blue Yonder, and [13]Change Healthcare. Verizon classified these as ransomware breaches that not only compromised millions of personal records, but also triggered widespread business interruption for customers - particularly across the healthcare, retail, and food service sectors.

Securing the source

Organizations looking to mitigate the risk of third-party breaches should be ensuring cybersecurity is treated as a priority during the procurement process, Verizon recommends.

That's not always possible for organizations with existing contracts, especially when there are no viable alternatives on the market. Even then, removing a deeply entrenched provider from an environment is an arduous task.


But during your next sales call, it may be worth asking vendors how they handle cyber hygiene and how they ensure access to data is limited. Then, during the contract-drafting phase, ensure the third party's responsibilities toward security are clearly codified. This will make it easier to hold vendors accountable when things go sideways.

That's all in addition to ensuring the basics are covered: MFA by default, network segmentation, strict authentication policies, and API key aging.
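Two of those basics, API key aging and the time it takes to pull a leaked secret, are easy to measure once an inventory exists. The script below is an added illustration, not code from Verizon or The Register; the key inventory, the 90-day rotation window and the reference date are constructed assumptions.

```python
from datetime import date
from statistics import median

# Constructed sample inventory (not real keys): when each key was issued and,
# for keys found in a public repo, when they were seen exposed and revoked.
TODAY = date(2025, 4, 24)          # assumed reference date for the audit
MAX_KEY_AGE_DAYS = 90              # assumed rotation policy

KEYS = [
    {"id": "svc-billing",   "issued": date(2024, 11, 1),  "exposed": None,              "revoked": None},
    {"id": "svc-reports",   "issued": date(2025, 3, 1),   "exposed": None,              "revoked": None},
    {"id": "ci-deploy",     "issued": date(2024, 6, 1),   "exposed": date(2025, 1, 10), "revoked": date(2025, 4, 14)},
    {"id": "partner-ftp",   "issued": date(2024, 9, 15),  "exposed": date(2025, 2, 1),  "revoked": date(2025, 2, 3)},
    {"id": "mobile-push",   "issued": date(2024, 8, 1),   "exposed": date(2025, 3, 1),  "revoked": date(2025, 3, 11)},
    {"id": "legacy-export", "issued": date(2024, 12, 1),  "exposed": date(2025, 3, 20), "revoked": None},
]


def stale_keys(keys, today=TODAY, max_age=MAX_KEY_AGE_DAYS):
    """Ids of live keys older than the rotation window (the 'API key aging' check)."""
    return [k["id"] for k in keys
            if k["revoked"] is None and (today - k["issued"]).days > max_age]


def unremediated_leaks(keys, today=TODAY):
    """Keys known to be exposed but still not revoked, with days exposed so far."""
    return {k["id"]: (today - k["exposed"]).days
            for k in keys if k["exposed"] is not None and k["revoked"] is None}


def median_time_to_remediate(keys):
    """Median days from exposure to revocation: the metric the DBIR reports as 94 days."""
    spans = [(k["revoked"] - k["exposed"]).days
             for k in keys if k["exposed"] is not None and k["revoked"] is not None]
    return median(spans) if spans else None


if __name__ == "__main__":
    print("stale keys:", stale_keys(KEYS))
    print("still-exposed keys (days):", unremediated_leaks(KEYS))
    print("median days to remediate:", median_time_to_remediate(KEYS))
```

Feeding the same functions a real inventory (from a secrets manager export, for example) gives a per-organization number to compare against the report's 94-day median.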

In the end, some threats are impossible to avoid, but collaboration can help mitigate the risks. "At the end of the day, there is no simple or infallible method of avoiding some of the threats we discuss in this report," Verizon said.

"Holding vendors accountable is certainly part of the equation. However, it is only through collaborating with transparency and increased information sharing that organizations can build good, structured frameworks for threat modeling, and as a result, make better and more sustainable decisions for safeguarding their data and the customers they serve." ®





[2] https://www.linkedin.com/feed/update/urn:li:activity:7320829262784073729/

[3] https://www.verizon.com/dbir


[7] https://www.theregister.com/2024/05/29/breachforums_ticketmaster_data/

[8] https://www.theregister.com/2024/06/24/snowflake_breach_accelerating_into_snowball/

[9] https://www.theregister.com/2024/09/16/snowflake_mfa_default/


[11] https://www.theregister.com/2024/07/12/cdk_ransom_payout/

[12] https://www.theregister.com/2024/11/26/blue_yonder_ransomware/

[13] https://www.theregister.com/2024/11/20/change_healthcares_clearinghouse_services/
