Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label third-party risk. Show all posts
Vendor
Cybersecurity Strategy Data Breach Data Breach Cost Extended Enterprise Security IT Risk Management ransomware protection Regulatory Compliance supply chain security third-party risk Vendor

Vendor Data Breaches and Their Business Impact


 

It is evident in the world of digital trust that the financial and reputational costs of a data breach are reaching staggering new heights as the backbone of global commerce becomes increasingly digitally trusted. There is a recent study, Cost of a Data Breach 2025, which shows that the average cost of a single breach has increased by $4.76 million globally, with figures for the US and UK soaring over $9.5 million. 

Finance and healthcare, among other highly targeted sectors where a great deal of sensitive information is at risk, often incur massive losses which often exceed $10 million in damages. However, the monetary settlements and ransomware payouts that usually dominate headlines are only scratching the surface of the crisis. 

Behind the numbers lies a web of hidden expenditures—legal counsel, forensic investigations, regulatory compliance, and extensive recovery efforts—that drain corporate resources years after the initial incident. 

As corrosive as they are, indirect repercussions of a breach are equally as damaging: prolonged downtime that reduces productivity, the cost of fortifying systems against future threats, and the uphill battle it takes to rebuild consumer trust once it has been compromised. 

All these losses are visible and invisible, which illustrates that a security breach is not merely an isolated incident that causes financial losses, but rather is a profound disruption that has a profound impact on the entire organisation. 

Today, third-party data breaches are becoming an increasingly urgent issue for enterprises due to the increasingly interconnected business ecosystems and the increasing complexity of global supply chains, which make them one of the most pressing challenges they face. Research by the industry suggests that nearly one-third of all breaches occur as a result of external vendors, a figure that has nearly doubled over the last year. 

It is not just a matter that these incidents have become more prevalent, but also that they are the most costly ones. According to IBM's latest Cost of a Data Breach Report, third parties are the most reliable predictors of increased breach costs, adding on average 5 per cent more to the already staggering financial burden. There are several reasons behind the rise of this rate. 

The large companies of the world have invested heavily in advanced cybersecurity frameworks over the past decade, which makes direct compromise more difficult for attackers. Because of this, cybercriminals are increasingly turning to smaller subcontractors, suppliers, and service providers whose defences are often weaker. 

Threat actors are able to gain access to larger organizations' systems through trusted connections by infiltrating these weaker links, such as small IT vendors, logistics providers, and even HVAC contractors, by exploiting trusted connections. In particular, for industries that heavily rely on vendor networks that are extremely intricate, indirect infiltration has proven particularly devastating. 

Although small businesses are prime targets for hackers—with 43 per cent of attacks being directed at them—they continue to face significant challenges in adopting comprehensive security practices despite being prime targets. 

There are many consequences associated with such breaches that are much greater than just direct financial losses. They often result in costly regulatory penalties, litigation, and long-term reputational damage that can undermine trust across entire supply chains, resulting in long-term consequences. 

Over the past few years, it has been observed with stark clarity that even the most established businesses remain vulnerable to vendor failures and cyberattacks, including those caused by vendor failures. One of the four data centres operated by the French cloud service provider OVHcloud was destroyed by fire in 2021. The disruption unfolded in a major way. 

A temporary outage of millions of websites, including bank websites, government websites, and major e-commerce platforms across Europe, resulted in a temporary suspension of service. While backups were present, the event revealed critical shortcomings in disaster recovery planning, which led to the loss of millions of dollars of business and data exposure. 

Similar vulnerabilities have been exposed in other high-profile cases as well. There were several breaches in recent months, including Orange Belgium compromising the personal information of 850,000 customers, Allianz Life exposing the data of more than one million policyholders, and Qantas exposing the personal information of more than six million customers, which affected more than six million customers in total. 

Ransomware attacks, targeting the technology providers of the National Health Service, Advanced Computer Systems, disrupted essential hospital services, including blood testing, in the United Kingdom and are associated with at least one patient's tragic death. As a result of this breach, the company was fined £3 million, a penalty which underscored its responsibility but did not come until irreversible harm had been done to the company. 

There is a recurring pattern in the cases: vulnerabilities are not generally caused by a lack of investment on the part of the primary organisation but rather by vulnerabilities in their vendors' infrastructures. It is well known that weak backup systems, inadequate disaster recovery frameworks, and reliance on manual responses can exacerbate the consequences of any breach or outage. 

However, even when basic safeguards are in place, such as data integrity checks, a lack of rigour in implementation leaves critical systems vulnerable. This is the result of NVIDIA's cascading effect—where failures on the virtualisation platform cause widespread operational disruptions, financial losses, regulatory penalties, and, in the case of most NVIDIAs, the loss of lives.

In order to effectively mitigate third-party risks, companies need to go beyond superficial oversight and take a structured, proactive approach throughout the entire lifecycle of their vendors. The experts at the Institute for Information Technology and Innovation emphasise that organisations must begin by integrating security considerations into their vendor selection and sourcing processes. 

Companies that handle sensitive data or operate in highly regulated industries are advised to prioritise partners who demonstrate that their security maturity is in order, have a proven record of compliance with frameworks such as HIPAA, GDPR, or CMMC, and have a track record of no repeated breaches. It is possible to gain deeper insights into potential partners by utilising vendors' risk intelligence platforms or third-party monitoring tools before potential vulnerabilities become systemic threats. 

The contract should be clear about how sensitive data will be stored, accessed, and transferred, including relationships with third parties and even fourth parties. Once the contract is signed, the expectations must be clearly stated. Unless these issues are addressed, organisations run the risk of losing control of confidential information as it travels across vast digital ecosystems. 

Continuous monitoring is equally critical. In order to ensure that vendors that have access to proprietary information or proprietary systems are regularly examined, not only for malicious intent, but also for inadvertent lapses that could allow malware or unauthorised entry, it is crucial to routinely analyse vendors who have access. 

By monitoring external channels, including the dark web, organisations can take measures to get early warnings when credentials have been stolen or data has been compromised. With more and more regulatory frameworks like GDPR, CCPA, and the NY Shield Act coming into effect, compliance obligations have become increasingly demanding, and non-compliance has serious financial and reputational consequences. 

It has been argued that in some industries, third-party certifications, such as the SOC 2, NIST CSF, or the Department of Defence Cybersecurity Maturity Model Certification, can strengthen accountability by ensuring that vendors independently verify their security postures. The issue of vendor offboarding, often overlooked by organisations, is a challenging one that organisations need to address, as well as onboarding and oversight. 

A failure to properly revoke departmental access once a contract is completed can result in lingering vulnerabilities that could be exploited even years after the partnership has ended. As a result, regular audits of the offboarding process are necessary for the protection of assets and compliance with government regulations. Finally, it is becoming increasingly important to have a clear view of the extended supply chain. 

A number of high-profile attacks on software companies, such as SolarWinds and Kaseya, have demonstrated the potential for a cascading effect at the fourth-party level, causing widespread damage across industries. Defining vendor networks and demanding greater transparency will allow organisations to minimise blind spots and minimise the ripple effects of breaches originating far beyond their immediate control, thereby preventing the spread of these breaches. 

Increasingly, organisations have recognised that cybersecurity is no longer purely an internal responsibility, but a shared responsibility for everyone in their supply chain, as breaches related to vendors continue to rise. By taking an integrated approach to vendor risk management, not only will companies be able to mitigate financial and operational damage, but they will also strengthen their resilience to evolving cyber threats in the future. 

A company that invests in comprehensive risk assessments, maintains continuous monitoring, and enforces rigorous contractual obligations with its vendors has a better chance of detecting vulnerabilities before they escalate. In addition, implementing structured offboarding procedures, requiring third-party certifications, and maintaining visibility into extended vendor networks can also lead to a significant reduction in the risk of both direct and cascading attacks. 

Beyond compliance, these measures foster trust with customers, partners, and stakeholders, reinforcing a brand's credibility in a digitally dominated market by consumers, partners, and stakeholders. As long as organisations integrate cybersecurity into each step of the vendor lifecycle—from selection and onboarding to monitoring and offboarding—they safeguard sensitive information, ensure continuity and operational efficiency, and maintain the reputation of the organisation. 

When a single weak link in the electronic system can compromise millions of records, adopting a future-oriented, proactive strategy can transform cybersecurity from a reactive necessity to a competitive advantage that offers both long-term business value and protects against long-term threats.
Read more »
TransUnion
Consumer Protection Cybersecurity Data Breach Identity Theft Social Engineering third-party risk TransUnion

Credit Bureau TransUnion Confirms Breach Impacting Millions


 

In the apparent wake of growing threats to consumers' personal information, credit reporting giant TransUnion has recently announced a cybersecurity incident that exposed personal information from more than 4.4 million Americans. Several regulators and state attorneys general have confirmed that the breach took place on July 28, 2025, and was discovered just two days later by investigators. 

Among the data exposed was sensitive information such as names, Social Security numbers, and dates of birth, which were linked to a third-party application that was used by TransUnion in its U.S. consumer operations. In its statement, TransUnion clarified that the breach was limited in scope, clarifying that its internal systems and core credit reporting databases were not impacted by the breach. 

The company also stated that no credit reports or core financial records - information that could be highly valuable to fraudsters - were accessed by anyone. TransUnion filed notifications in Maine and Texas indicating that the incident was related to a third-party platform that was reportedly linked to Salesforce, rather than TransUnion's own infrastructure. 

Despite the company’s description of the exposure, which was limited to “some limited personal data”, the magnitude of the breach underscores the ongoing risks associated with external service providers in the financial services industry. 

Recent years have seen a growing concern for credit bureaus as consumer information has become increasingly attractive to cybercriminals as a target. This latest security incident is another in a long string of security incidents that have impacted major financial institutions in recent years, highlighting the difficulty of safeguarding sensitive information across a complex digital ecosystem. 

In addition to Experian and Equifax, TransUnion is one of the nation's "big three" credit reporting agencies, and together with them, they play an important role in shaping our nation's financial system by compiling detailed credit histories on nearly every consumer who has an active credit history. These files are used to create credit reports that lenders, landlords, and employers use in order to gauge a person's financial security, and they are also used to build widely known scoring models like FICO. 

This is the method by which lenders, landlords, and employers use to calculate a credit score that is composed of three digits. It is therefore natural for breaches involving such institutions to have such a significant impact on consumers and the economy as a whole. Taking a step in response to the latest incident, TransUnion has begun to send out letters to affected individuals directly and has urged consumers to contact the fraud helpline at 1-800-516-4700, which is open on weekdays, to find out if they are in good standing. 

In addition, experts suggest that consumers periodically review their credit reports across the three credit bureaus—which can be accessed for free once a week by visiting AnnualCreditReport.com.com—to see if there are any inaccuracies or if there are signs that something is amiss. As a measure of further security, paid services, like MyFico, can track FICO scores in real time and monitor fraud, while platforms like Credit Karma and WalletHub offer free VantageScore reports to subscribers who enrol in them. 

The TransUnion company initially stated that there had been no compromise of credit files; however, subsequent disclosures told a much more troubling story. According to regulatory filings filed with the Texas Attorney General’s office, among the exposed data set were names, dates of birth, and Social Security numbers, which are some of the most sensitive identifiers in the world today. 

There is no way to monitor or reset Social Security numbers, unlike credit information, which can be monitored or reset, and it may serve as a gateway to long-term identity theft and fraud. Several financial security experts warn that such information can be used for a number of purposes, including opening unauthorised credit lines, applying for loans or government benefits under stolen identities, submitting false tax returns, and other financial crimes. 

Considering that TransUnion is among the largest credit bureaus in the nation and holds records on over 260 million Americans, this breach raises serious concerns about the resilience of institutions that safeguard some of the country’s most critical consumer information. As a consequence of the breach, which was detected on July 28  and contained within hours, affected individuals have now been notified about it. 

There has been no compromise of TransUnion's core credit database or consumer credit reports, a company that is among the nation's three primary credit bureaus, along with Equifax and Experian. Rather, the intrusion was traced back to a third-party application supporting U.S. consumer operations, where unauthorised access allowed for the publication of limited personal information. According to court filings in Maine and Texas, however, names, birthdates, and Social Security numbers were among the data that had been compromised. 

In order to assess the full scope of this incident, TransUnion has engaged an independent cybersecurity expert to conduct a forensic analysis. The incident occurred in the midst of a large wave of cyberattacks targeting Salesforce-connected software. In June, Google revealed that hackers were using modified versions of Salesforce-related tools for infiltration and stealing large amounts of sensitive data from cloud systems. ShinyHunters, a cybercriminal organisation suspected of being involved in such campaigns, has been accused of using extortion tactics against employees of victim companies.

Security researchers have noted that some of the biggest corporations in the world have been breached in similar ways in recent months, including Google, Farmers Insurance, Allianz Life, Workday, Pandora, Cisco, Chanel, and Qantas. This highlights the importance of supply-chain vulnerabilities in a wide range of popular platforms as well as the dangers they pose. 

According to Salesforce, social engineering attacks against users, and not flaws in Salesforce's platform, were at fault, as it has maintained. A comparison is inevitably drawn with Equifax's 2017 data breach, one of the biggest in U.S. history, in which 147 million Americans' personal data was exposed, costing the company nearly $700 million in settlements and fines, and ultimately causing the company to lose millions of dollars. 

In the wake of this incident, congressional hearings were held and scrutiny of the credit reporting industry heightened, which led to state and federal government reforms aimed at strengthening consumer data protection. As a result of the TransUnion breach, security experts are once again urging the affected to be vigilant, reviewing their credit reports, setting up fraud alerts, and monitoring their accounts to ensure that unusual activity does not occur. 

As of right now, AnnualCreditReport.com is providing free weekly credit reports from all three major credit bureaus. Additional monitoring services may also provide a means of detecting signs of fraud, while in the meantime, Schubert Jonckheer & Kolbe has announced an investigation into the TransUnion incident, signalling the possibility of further litigation. 

TransUnion has yet to provide any details regarding the new safeguards that TransUnion intends to implement, nor has it specified whether financial restitution will be provided to victims. There have been a growing number of high-profile breaches involving third-party providers, which have been attributed to vulnerabilities in those third parties during the last few years.

For example, in June 2025, a cyberattack against chains IQ chain exposed proprietary data and banking information of the banking giant UBS. The following month, Allianz Life announced that a compromised cloud-based customer relationship management system had been used to obtain personal information regarding the majority of the company's 1.4 million American customers. That same month, Qantas confirmed that approximately six million customer records were exposed after hackers breached a third-party customer service platform on which Qantas had relied. 

Researchers have identified many of these incidents as related to cybercriminal groups such as ShinyHunters and Scattered Spider, both of which specialise in exploiting third-party information technology and cloud providers, and both of which specialise in using advanced social engineering tactics to do so. A number of these groups are thought to be associated with "The Com," a sprawling, loosely organised, cybercriminal community comprised of thousands of English-speaking actors who have collaborated on data theft, extortion, and fraud campaigns across a wide range of industries. 

A number of recent incidents have highlighted the persistent vulnerability of third-party platforms, as well as the increasing sophistication of cybercriminal groups attacking the financial services industry. As consumers are reminded by the breach, even when core systems remain intact, the theft of identifying information like Social Security numbers can result in long-term impacts that go beyond the initial intrusion, even if the original intrusion is not detected. 

It is highly recommended that individuals do more than simply review their credit reports—by freezing their credit with all three credit bureaus, a person is preventing the opening of a new account in their name by criminals, while a fraud alert can assist in making it more difficult for the criminals to take advantage of stolen information. 

Moreover, consumers should also consider employing identity monitoring tools that can provide them with the ability to scan the dark web for compromised information before potential misuse turns into financial damage. 

There is also a clear lesson to be learned from reliance on third-party applications: organisations need not only contractual protection but also continuous monitoring, rigorous vetting, and layers of defence to prevent unauthorised access to their systems. Increasingly, supply chain attacks will be a growing problem, and resilience will be dependent upon proactive investment in security as well as consumer awareness of the threats.
Read more »
third-party risk
business disruption Cyber Attacks Cyber Insurance Cybersecurity Data Breach Ransomware third-party risk

Cyberattacks on Key Vendors Trigger Widespread Disruptions Across Industries

Cybercriminals are increasingly targeting a single point of failure within companies to create large-scale disruption, according to a recent report by Resilience. The analysis highlights how such attacks can have a ripple effect across entire industries.

In 2024, the global average cost of a data breach was estimated at nearly $4.9 million, based on IBM research. However, certain incidents proved to be significantly more damaging.

One of the most costly breaches occurred when UnitedHealth reported a staggering $3.1 billion expenditure in response to a cyberattack on its Change Healthcare subsidiary. This division processes billions of medical claims annually, and the ransomware attack led to prolonged disruptions in the healthcare sector.

“It was the most significant and consequential cyberattack in the history of U.S. health care,” said John Riggi, national advisor for cybersecurity and risk at the American Hospital Association, in a blog post.

Another major incident targeted CDK Global, a software provider for car dealerships across the U.S. The ransomware attack caused financial damages exceeding $1 billion collectively, as estimated by Anderson Economic Group.

The cyberattacks on Change Healthcare and CDK Global exemplify how disruptions in interconnected organizations can have widespread industry consequences, Resilience noted in its report.

According to Resilience’s analysis, third-party risks have become a leading factor in cyber insurance claims, representing 31% of claims filed by its clients in 2024. While a slightly higher percentage (37%) of third-party claims was recorded in 2023, none resulted in material financial losses.

The study also revealed that ransomware attacks targeting vendors have become a “new and significant” contributor to insurance claims, accounting for 18% of such cases.

Although ransomware remained the primary cause of cyber losses in 2024—responsible for 62% of claims—its overall occurrence may be declining. Resilience attributes this trend to cybercriminals shifting focus toward larger, high-profile organizations that offer bigger financial payouts, moving away from the traditional “spray and prey” strategy.
Read more »
Subscribe to: Comments (Atom)