SecurityScorecard Third-Party Breach Report 2025

The 2025 SecurityScorecard Global Third-Party Breach Report analyzes 1,000 breaches and finds that 35.5% of 2024 incidents originated via third parties, a 6.5% rise from 2023, underscoring growing supply‑chain exposure and attacker emphasis on vendor access. The report highlights file transfer software, cloud services, state‑sponsored supply‑chain campaigns (notably linked to Chinese groups), prolific ransomware actors such as Cl0p, and concrete TPRM actions organizations should adopt now.

Keypoints

  • Typical report structure: title and executive summary, table of contents, methodology/data sources, top takeaways, industry and region breakdowns, threat actor and vector analysis, vulnerability case studies, and prescriptive risk management recommendations.
  • Methodology and data: integrates OSINT, threat intelligence, underground research, and SecurityScorecard STRIKE unit findings; sample includes 1,000 breaches across industries and geographies to compare third‑party vs general breach patterns.
  • Definition of third‑party breach: includes lateral movement from compromised vendor accounts and vendor custody data exposures, with an expanded lens to capture fourth‑party cascades.
  • Headline statistic: 35.5% of all breaches in 2024 involved a third‑party compromise, up 6.5% versus 2023, with fourth‑party spillovers in 4.5% of incidents.
  • Ransomware nexus: 41.4% of ransomware/extortion incidents began via third‑party access, showing how third‑party vectors amplify scalability for extortion campaigns.
  • Threat actor landscape: ransomware groups account for 64.8% of breaches, non‑ransom criminal groups 21.9%, and state‑sponsored actors 13.3%; Cl0p is the most prolific attributable group (~17% of attributable breaches), with RansomHub emerging strongly.
  • Key attack vectors: file transfer software is the top single source (14% of third‑party breaches), followed by cloud products & services (8.25%); third‑party software vulnerabilities contributed to 8.5% of breaches (notable drivers: the Cl0p Cleo campaign and the Ivanti VPN flaws).
  • Technology vs non‑technology split: 46.75% of third‑party relationships involved technology products and services, while 53.25% arose from non‑technology sources (processes, subsidiaries, services).
  • Industry exposure — counts vs rates: Healthcare leads total breach volume (24.2%) and third‑party breach count (22%); Retail & Hospitality has the highest within‑industry third‑party rate (52.4%); Technology & Telecommunications also show elevated third‑party exposure (47.3%).
  • Critical infrastructure risk: Energy, utilities, and transportation show alarming third‑party rates (energy 46.7%; travel/transport 45.3%), with targeted campaigns (e.g., Cl0p) contributing to sector concentration.
  • Geographic hotspots: Northeast Asia has the highest regional third‑party share (54.3%); country‑level peaks include Singapore (71.4%), the Netherlands (70.4%), and Japan (60%); the U.S. has the largest absolute number of third‑party breaches due to overall breach volume.
  • The wealth‑risk paradox: wealthier, highly interconnected economies face higher third‑party breach frequency because extensive outsourcing and complex supply chains create more exploitable trusted relationships.
  • Subsidiaries and acquisitions: internal corporate structures pose hidden third‑party risk—foreign subsidiaries and acquisitions account for 11.75% of third‑party breaches and are overrepresented versus domestic entities.
  • Cascading failures: fourth‑party compromises, while a smaller percentage, demonstrate how a single vendor breach can propagate across multiple organizations and amplify impact.
  • Notable campaigns and victims: UNC5537’s Snowflake campaign pushed cloud platforms to become the second most common third‑party attack vector; Cl0p’s Cleo campaign and file transfer targeting illustrate the supply‑chain focus.
  • Recurring attacker approach: adversaries prefer compromising a single trusted vendor to gain lateral access to many victims, prioritizing scalability and stealth over noisy direct intrusions.
  • Operational implications: traditional periodic vendor assessments (quarterly/annual) are inadequate against fast‑moving supply‑chain attacks; continuous monitoring and intelligence integration are required.
  • Top prescriptive actions: align TPRM to industry/geography/tech stack, require “secure by design” procurement, prioritize hardening of file transfer tools, cloud services, and VPNs, enforce vendor TPRM and fourth‑party controls, and avoid ransomware payments where possible.
  • Measurement and KPIs recommended: track third‑party breach rate, time‑to‑detection for vendor‑origin incidents, percentage of critical vendors with continuous monitoring, and fourth‑party exposure metrics to inform remediation prioritization.
  • Strategic takeaway: security programs must shift from inward perimeter defense to extended‑perimeter resilience—see vendors and supply‑chain partners as active attack surfaces that require continuous, intelligence‑driven risk management.
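The KPIs listed in the measurement bullet above, worked through as an added example over constructed incident records and a constructed vendor inventory (this is not code from the report or from SecurityScorecard; the origin labels, vendor names, dates and the "critical vendor" flag are assumptions):

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

@dataclass
class Incident:
    id: str
    origin: str            # "internal", "third_party" or "fourth_party" (assumed labels)
    vendor: Optional[str]  # vendor through which access was gained, if any
    compromised: date      # estimated date the vendor-side compromise began
    detected: date         # date the organisation detected the incident
    ransomware: bool       # ransomware/extortion outcome

@dataclass
class Vendor:
    name: str
    critical: bool
    continuous_monitoring: bool

def pct(part: int, whole: int) -> float:
    """Percentage rounded to one decimal; 0.0 when the denominator is empty."""
    return round(100.0 * part / whole, 1) if whole else 0.0

def vendor_origin(inc: Incident) -> bool:
    """Third- and fourth-party incidents both count as vendor-origin."""
    return inc.origin in ("third_party", "fourth_party")

def kpi_report(incidents: list, vendors: list) -> dict:
    """Compute the TPRM KPIs the report recommends tracking."""
    vendor_incs = [i for i in incidents if vendor_origin(i)]
    ransom = [i for i in incidents if i.ransomware]
    critical = [v for v in vendors if v.critical]
    ttd = [(i.detected - i.compromised).days for i in vendor_incs]  # time-to-detection
    return {
        "third_party_breach_rate_pct": pct(len(vendor_incs), len(incidents)),
        "fourth_party_share_pct": pct(sum(i.origin == "fourth_party" for i in incidents), len(incidents)),
        "ransomware_via_third_party_pct": pct(sum(vendor_origin(i) for i in ransom), len(ransom)),
        "median_ttd_days_vendor_origin": float(median(ttd)) if ttd else None,
        "critical_vendors_monitored_pct": pct(sum(v.continuous_monitoring for v in critical), len(critical)),
        "unmonitored_critical_vendors": sorted(v.name for v in critical if not v.continuous_monitoring),
    }

# Constructed sample data (not taken from the report).
INCIDENTS = [
    Incident("INC-1", "internal", None, date(2024, 1, 3), date(2024, 1, 5), False),
    Incident("INC-2", "third_party", "file-transfer-vendor", date(2024, 2, 1), date(2024, 2, 15), True),
    Incident("INC-3", "third_party", "cloud-dw-vendor", date(2024, 3, 10), date(2024, 3, 12), False),
    Incident("INC-4", "internal", None, date(2024, 4, 1), date(2024, 4, 2), True),
    Incident("INC-5", "fourth_party", "payroll-vendor", date(2024, 5, 5), date(2024, 5, 25), True),
    Incident("INC-6", "internal", None, date(2024, 6, 1), date(2024, 6, 1), False),
    Incident("INC-7", "third_party", "vpn-vendor", date(2024, 7, 7), date(2024, 7, 9), False),
    Incident("INC-8", "internal", None, date(2024, 8, 8), date(2024, 8, 10), True),
]
VENDORS = [
    Vendor("file-transfer-vendor", True, True), Vendor("cloud-dw-vendor", True, False),
    Vendor("vpn-vendor", True, True), Vendor("payroll-vendor", False, False),
]

if __name__ == "__main__":
    print(kpi_report(INCIDENTS, VENDORS))
```

The unmonitored-critical-vendor list is the remediation queue the report's "continuous monitoring" recommendation implies; the median time-to-detection is computed only over vendor-origin incidents so that it can be trended separately from internal ones.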
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)