What are third-party data breaches?

Third-party data breaches occur when cyber attackers compromise an organization’s data through its external partners or vendors. Rather than attacking the primary target directly, threat actors infiltrate less secure partners, gaining access to shared systems, credentials, or sensitive information.

Recent examples of this include:

• Healthcare disruption – A cyber attack on a third-party vendor led to widespread IT outages and care disruptions across Ascension, one of the largest U.S. healthcare networks.
• Financial institutions compromised – Western Alliance Bank confirmed a data breach tied to the Cleo integration platform, affecting sensitive customer data.
• Government contractor attack – A ransomware incident affecting Conduent, a key government contractor, resulted in operational outages and possible data exposure.
• Identity theft from car rental firm – Hertz suffered a breach through a third party, compromising customer driver’s license data and exposing users to identity theft.

The Verizon 2025 Data Breach Report shows that nearly 62% of all system intrusions in the past year involved a third-party component, marking a 17% increase from the previous year. This highlights that third-party breaches are not just a potential risk but an increasingly common attack vector. Additionally, a report from Hyperproof’s IT Compliance Benchmark found that nearly 48% of organizations reported compliance violations linked to inadequate third-party oversight, further emphasizing the critical need for robust risk management strategies when working with external vendors.

Why does this happen?

1. Weaker vendor security – Many vendors do not maintain the same cyber security standards as their clients, creating exploitable gaps.
2. Shared credentials and systems – Compromising one partner often gives attackers access to multiple connected organizations.

What’s the risk?

• Sensitive data exposure –Breaches often leak sensitive information, which may include Personally Identifiable Information (PII), health data, or financial data, potentially leading to compliance violations and lawsuits.
• Operational disruption – Attacks on service providers can halt business-critical operations, such as payment processing, logistics, and patient care.
• Reputational damage – Even if the breach occurs outside the organization, customers and stakeholders may still hold the brand responsible.
• Regulatory penalties – Companies can face hefty fines if they don’t properly check their third-party vendors’ cyber security practices.

How can organizations stay safe?

1. Evaluate third-party vendors thoroughly – Often, businesses rush into agreements with third-party providers without understanding the full scope of risks. Before making a decision, conduct background checks on the vendor’s reputation, certifications, security policies, and history of incidents. Proper vetting can save significant long-term costs and prevent future breaches.
2. Limit access to critical data – Not every employee or third party needs access to all sensitive information. By applying the principle of least privilege, only those who truly need access should have it. This reduces the exposure of critical data to potential threats. Also, incorporating additional security measures like passkeys or Multi-Factor Authentication (MFA) makes it harder for attackers to exploit weaknesses.
3. Minimize shared data – It’s essential to review what data is actually needed by third parties. Over-sharing can increase the risk of exposure. Consider periodic audits of the data you’re sharing and ensure it is only what’s necessary for the third party to perform their job. Anonymizing sensitive data where possible further mitigates risks.
4. Consider using encrypted channels for all data exchanges – Encryption should be standard practice when sharing sensitive information with any third party. Ensure that all data shared, especially Personally Identifiable Information (PII), is transmitted and stored using encrypted channels. This helps protect against unauthorized access, even if a vendor’s security is compromised.
5. Review and update contracts – Periodically consider reviewing third-party contracts to ensure they include clear provisions for data protection, incident reporting, and compliance with security standards. Update the contracts as needed to make sure vendors are still responsible for protecting data and responding quickly to any breaches.

References

1. Hertz confirms customer info, drivers’ licenses stolen in data breach
2. Government IT contractor Conduent says ‘third-party compromise’ caused outages
3. Western Alliance Bank Discloses Data Breach Linked to Cleo Hack