The seven largest banking data breaches of 2025

By Cybersol·March 13, 2026·5 min read

Third-Party Vendor Compromise as Systemic Banking Risk: 2025 Breach Pattern Reveals Contractual and Regulatory Governance Gaps

Why This Matters at Board and Regulatory Level

The 2025 banking sector breach landscape documents a structural shift in attack surface: financial institutions are no longer the primary targets—their vendors are. This distinction carries profound implications for board-level vendor governance, contractual liability allocation, and regulatory reporting obligations under NIS2 and DORA. When a single vendor compromise cascades across multiple regulated institutions, the governance failure is contractual and organizational, not technical. The incidents documented by American Banker reveal that institutions treat vendor risk as a compliance checkbox rather than material supply chain liability.

The Vendor-as-Attack-Vector Pattern

According to Carter Pape's analysis in American Banker, third-party vendor vulnerabilities and sophisticated social engineering campaigns defined the cybersecurity landscape for financial institutions in 2025. The scale is significant: Prosper Marketplace (13.1 million records), 700Credit API (5.8 million records), and TransUnion (4.5 million records) collectively exposed data for tens of millions of consumers. What distinguishes these incidents from traditional breaches is the attack vector. Attackers did not compromise core banking infrastructure; they exploited weaknesses in vendors holding sensitive customer data—credit bureaus, peer-to-peer lending platforms, and specialized software providers.

The 700Credit case exemplifies the contractual governance gap. Attackers first compromised an unnamed third-party partner to view communication logs containing valid credentials and decryption keys. 700Credit then failed to validate consumer reference IDs, allowing attackers to launch a "velocity attack" that scraped data from unrelated accounts. This sequence reveals two governance failures: (1) insufficient contractual controls over partner access to sensitive systems, and (2) inadequate application-level security controls (API validation) that should have been mandated in vendor security agreements.
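As an added illustration of the two application-level failures described above (this is example code, not 700Credit's code or anything from the article), the Python sketch below places a reference-ID lookup with no ownership check and no request throttle beside a hardened version that enforces both; the records, the dealer identifiers and the `VelocityLimiter` class are constructed for the example.

```python
import time
from collections import defaultdict, deque

# Constructed sample data: consumer reports keyed by a reference ID, each tied
# to the dealer (API client) that originally requested it. All values are made up.
REPORTS = {
    "REF-1001": {"dealer": "dealer-A", "consumer": "Alice Example", "score": 712},
    "REF-1002": {"dealer": "dealer-A", "consumer": "Bob Example", "score": 655},
    "REF-2001": {"dealer": "dealer-B", "consumer": "Carol Example", "score": 790},
}

class AuthorizationError(Exception):
    pass

class VelocityLimitExceeded(Exception):
    pass

def lookup_vulnerable(reference_id):
    """Before: any authenticated caller can fetch any reference ID, as often as
    it likes. Walking the ID space therefore scrapes unrelated accounts."""
    return REPORTS.get(reference_id)

class VelocityLimiter:
    """Hypothetical sliding-window counter per caller: the 'velocity' control
    that makes bulk enumeration slow and visible in the logs."""
    def __init__(self, max_requests, window_seconds):
        self.max, self.window = max_requests, window_seconds
        self.hits = defaultdict(deque)

    def check(self, caller, now=None):
        now = time.monotonic() if now is None else now
        q = self.hits[caller]
        while q and now - q[0] > self.window:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.max:
            raise VelocityLimitExceeded(caller)
        q.append(now)

def lookup_hardened(caller, reference_id, limiter, now=None):
    """After: count the request before serving it (failed probes count too),
    then return the record only if it belongs to the calling dealer."""
    limiter.check(caller, now)
    record = REPORTS.get(reference_id)
    if record is None or record["dealer"] != caller:
        # Same outcome for 'missing' and 'not yours', so IDs cannot be enumerated.
        raise AuthorizationError(reference_id)
    return record

def probe(caller, reference_id, limiter, now=None):
    """Classify one hardened call as ok / denied / throttled (handy for tests)."""
    try:
        return "ok" if lookup_hardened(caller, reference_id, limiter, now) else "denied"
    except AuthorizationError:
        return "denied"
    except VelocityLimitExceeded:
        return "throttled"
```

Note that the hardened lookup counts the request before authorizing it, so a caller probing foreign IDs is throttled just as quickly as one fetching its own.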

Cascading Liability and Regulatory Fragmentation

The Marquis Software Solutions ransomware attack exemplifies the cascading liability exposure that current governance frameworks fail to address. A single vendor serving more than 70 banks and credit unions was compromised via a SonicWall firewall vulnerability (CVE-2024-40766), affecting at least 400,000 consumers. The attack occurred on August 14; Marquis notified client institutions on October 27—a 74-day gap. During this period, affected banks faced regulatory uncertainty: when must they notify their own regulators? What is their liability if Marquis fails to disclose the full scope of compromise?

This incident reveals a contractual ambiguity that regulators will increasingly scrutinize. Most banking vendor agreements lack explicit clauses defining incident response timelines, data segregation responsibilities, or liability caps tied to breach scope. When a vendor is compromised, regulatory notification burden fragments across jurisdictions with different timelines and thresholds. The National Automobile Dealers Association had to coordinate with the Federal Trade Commission to allow 700Credit to file a consolidated breach notice on behalf of affected dealers—a workaround that should not be necessary if vendor agreements embedded clear incident response protocols.

NIS2 and DORA Compliance Gaps Exposed

From a regulatory perspective, these incidents expose a gap between NIS2's essential service operator requirements and actual vendor oversight practice. NIS2 mandates supply chain security controls and incident reporting; DORA requires operational resilience testing of critical third-party dependencies. Yet the 2025 breach pattern suggests vendor security assessments remain superficial and post-incident coordination remains ad hoc. The TransUnion breach, attributed to social engineering attacks (vishing) targeting a third-party Salesforce application, demonstrates that attackers are exploiting the human and process weaknesses in vendor environments—areas that standard security questionnaires and SOC 2 attestations do not adequately address.

Regulatory response will likely intensify scrutiny of vendor management documentation and contractual security clauses. Institutions will face questions about how they validated vendor security controls, what continuous monitoring mechanisms were in place, and whether incident response procedures were pre-negotiated and tested. The absence of binding vendor security standards embedded in master service agreements is now a material governance weakness.

Systemic Weakness: Contractual Security Standards Remain Superficial

A critical systemic weakness is the absence of binding, operationally specific vendor security standards embedded in master service agreements. Institutions rely on annual questionnaires, SOC 2 attestations, and periodic risk assessments lacking specificity around API security, encryption standards, incident notification timelines, or vulnerability disclosure procedures. Vendor security is treated as a pre-engagement due diligence exercise rather than an ongoing operational control subject to contractual enforcement and continuous monitoring.

Organizations often overlook the contractual dimension of vendor risk. Security clauses in vendor agreements should mandate: (1) real-time vulnerability disclosure with defined response timelines, (2) continuous security monitoring with audit rights, (3) pre-negotiated incident response procedures with specific notification windows, (4) data segregation and encryption standards aligned with regulatory requirements, and (5) liability allocation tied to breach scope and institutional impact. The Coinbase breach—involving insider wrongdoing at overseas support locations—further illustrates that vendor risk extends beyond technical vulnerabilities to include personnel access controls and third-party service provider vetting.

Closing Reflection

The 2025 banking breach pattern is not an anomaly; it is a governance inflection point. Institutions must treat vendor security as a material supply chain liability requiring contractual specificity, continuous monitoring, and pre-negotiated incident response coordination. Board-level vendor governance frameworks should move beyond annual risk assessments to include binding security standards, real-time vulnerability disclosure obligations, and operational resilience testing of critical third-party dependencies. Regulatory enforcement under NIS2 and DORA will increasingly focus on the contractual and organizational controls institutions have implemented to manage vendor risk.

For detailed analysis of each breach, attack vector, and institutional response, review the full article by Carter Pape in American Banker: https://www.americanbanker.com/news/the-seven-largest-banking-data-breaches-of-2025

Original Source: Carter Pape, "The seven largest banking data breaches of 2025," American Banker, December 26, 2025. https://www.americanbanker.com/news/the-seven-largest-banking-data-breaches-of-2025