SecurityScorecard Third-Party Breach Report 2025
By Cybersol · March 30, 2026 · 7 min read
Source: Originally from “SecurityScorecard Third-Party Breach Report 2025” by Hendryadrian
# Third-Party Breach Risk Is Now the Primary Attack Vector—Not a Secondary Concern

## Why This Structural Shift Matters for Governance, Liability, and Regulatory Exposure

Third-party compromise has ceased to be a peripheral risk category. According to SecurityScorecard's 2025 Global Third-Party Breach Report, 35.5% of all breaches in 2024 originated through third-party infrastructure—a 6.5 percentage point increase from 2023. This is not a marginal trend; it represents a fundamental reordering of the attack surface. For boards, general counsel, chief information security officers, and procurement leaders, this escalation demands immediate recalibration of vendor governance frameworks, contractual liability allocation, incident response protocols, and regulatory notification strategies. Organizations that continue to treat third-party risk as a compliance checkbox rather than a primary threat vector face compounded exposure under NIS2, DORA, sectoral regulations, and cyber liability insurance contestation.

## The Ransomware-as-Supply-Chain-Access Model

Ransomware operators have weaponized third-party relationships as a deliberate scalability mechanism. The report identifies that 41.4% of ransomware and extortion incidents began via third-party access—substantially higher than the overall 35.5% third-party breach rate. This reveals attacker methodology: rather than conducting expensive, noisy direct intrusions against hardened primary targets, adversaries identify weaker supply chain nodes, establish persistence, and then pivot laterally to higher-value organizations. Cl0p, the most prolific attributable threat actor in the dataset (~17% of attributable breaches), exemplifies this approach through campaigns targeting file transfer software and VPN infrastructure used across multiple customer bases.

The governance implication is severe. When a primary organization is breached via a compromised vendor, contractual indemnification clauses, cyber liability insurance coverage terms, and regulatory notification obligations all become contested. Vendors often disclaim liability for downstream compromise; insurers may deny coverage if the primary organization failed to enforce contractual security requirements; regulators may impose penalties regardless of contractual allocation. Organizations must now demand explicit third-party breach scenarios in vendor contracts, including mandatory notification timelines, forensic cooperation clauses, and liability carve-outs that account for supply chain compromise.

## File Transfer Software: The Overlooked High-Leverage Attack Surface

File transfer software accounts for 14% of third-party breaches—the single highest-leverage attack vector in the dataset. This finding exposes a critical governance blind spot. Most organizations conduct rigorous assessments of vendors' primary applications and cloud platforms, yet treat file transfer tools (SFTP servers, managed file transfer solutions, legacy FTP infrastructure) as peripheral, low-risk infrastructure. In practice, these tools are frequently deployed with elevated privileges, minimal monitoring, infrequent patching, and weak access controls. Adversaries recognize this asymmetry and exploit it systematically.

Cloud services rank second at 8.25% of third-party breaches, with UNC5537's Snowflake campaign demonstrating how a single compromised cloud platform can propagate across dozens of downstream organizations. The report also highlights that third-party software vulnerabilities (notably Ivanti VPN flaws and the Cleo file transfer campaign) contributed to 8.5% of breaches. Organizations should conduct immediate inventory assessments of all file transfer, VPN, and cloud service dependencies, prioritize hardening and continuous monitoring of these tools, and establish vendor-specific security requirements that reflect their actual risk profile rather than their assumed peripheral status.

## Sector-Specific and Geographic Concentration of Third-Party Risk

Third-party breach exposure is not evenly distributed. Healthcare leads in absolute breach volume (24.2% of all third-party breaches), but retail and hospitality show the highest within-industry third-party rate at 52.4%—meaning more than half of breaches in that sector involve third-party compromise. Energy (46.7%) and transportation (45.3%) also show alarming third-party rates, with documented targeting by state-sponsored campaigns. Technology and telecommunications sectors face 47.3% third-party involvement, reflecting their complex vendor ecosystems.

Geographically, Northeast Asia exhibits the highest regional third-party share (54.3%), with Singapore (71.4%), the Netherlands (70.4%), and Japan (60%) showing peak concentrations. The report identifies a "wealth-risk paradox": wealthier, highly interconnected economies with extensive outsourcing and complex supply chains face higher third-party breach frequency because their trusted relationships are more numerous and exploitable. This finding has direct implications for organizations with global supply chains. A European organization sourcing from Asian vendors, or a U.S. financial services firm with subsidiaries in high-exposure geographies, faces compounded third-party risk that standard vendor risk management frameworks often fail to capture.

## Fourth-Party Cascades and the Hidden Subsidiary Risk Layer

While fourth-party compromises (breaches of vendors' vendors) represent a smaller percentage of incidents (4.5%), they demonstrate how a single vendor breach can propagate across multiple organizations and amplify impact. More concerning is the report's finding that subsidiaries and acquisitions account for 11.75% of third-party breaches and are overrepresented relative to domestic entities. This reveals a governance failure in post-acquisition integration and foreign subsidiary oversight. Many organizations conduct rigorous vendor assessments of external suppliers but treat internal corporate structures—foreign subsidiaries, recently acquired entities, joint ventures—as lower-risk because they are "internal." In practice, these entities often operate with legacy security postures, weaker governance integration, and independent vendor ecosystems that create exploitable gaps.

Organizations should extend third-party risk management frameworks to internal corporate structures, particularly foreign subsidiaries and recent acquisitions. This includes continuous monitoring, vendor inventory alignment across the group, and contractual security requirements that apply uniformly regardless of corporate structure.

## Operational Implications: Periodic Assessment Is Obsolete

The report's operational findings directly challenge traditional vendor risk management practices. Quarterly or annual vendor security assessments—the standard cadence in most organizations—are inadequate against fast-moving supply chain attacks. Cl0p's campaigns, the Snowflake compromise, and file transfer software exploits all demonstrate that adversaries move from initial access to lateral movement within weeks or days. By the time a periodic assessment occurs, compromise may already be established and propagating.

The prescriptive response is continuous monitoring and intelligence integration. Organizations should implement real-time vendor security monitoring (for example, by incorporating findings from SecurityScorecard's STRIKE unit), integrate threat intelligence specific to their vendor ecosystem, and establish alert thresholds that trigger immediate investigation rather than waiting for scheduled assessments. This requires contractual amendments that permit continuous monitoring, incident response playbooks that account for vendor-origin incidents, and cross-functional coordination between procurement, security, and legal teams.

## Cybersol's Perspective: The Contractual and Regulatory Liability Gap

This report exposes a systemic weakness that organizations and their legal counsel consistently overlook: the mismatch between contractual vendor risk frameworks and the actual mechanics of third-party breach liability. Most vendor contracts contain generic security requirements ("maintain reasonable security," "comply with applicable standards") but lack explicit provisions for third-party breach scenarios. When a vendor is compromised and that compromise cascades into the primary organization, disputes arise over:

- **Notification obligations**: Does the vendor's breach notification clause apply only to data the vendor directly holds, or does it include data accessed through lateral movement?
- **Liability caps**: Are liability caps enforceable when the vendor's compromise enables ransomware extortion of the primary organization?
- **Insurance requirements**: Do cyber liability policies cover losses arising from vendor compromise, or are they excluded as "third-party" incidents?
- **Regulatory notification**: Under NIS2 and sectoral frameworks, who bears the cost and reputational damage of mandatory breach notification—the vendor or the primary organization?

Organizations often discover these gaps only after a breach occurs, at which point contractual renegotiation is impossible. Cybersol recommends that organizations conduct immediate contract audits of all critical vendors, explicitly addressing third-party breach scenarios, continuous monitoring rights, incident response cooperation, and liability allocation. This is not a compliance exercise; it is a liability mitigation imperative.

## Conclusion

SecurityScorecard's 2025 Third-Party Breach Report provides quantitative validation of a structural shift in the threat landscape. Third-party compromise is now the dominant breach pathway, with sector-specific and geographic concentrations that demand differentiated governance responses. Organizations should review the full report to understand threat actor behaviors, attack vector concentrations, and industry-specific exposure patterns. The original analysis is available at https://www.hendryadrian.com/securityscore