Third‑party breaches doubled last year as criminal crews pivot to vendors and managed service providers, weaponizing trust at global scale

LONDON/FRANKFURT — The criminal business model behind ransomware has always rewarded leverage. In 2025, that leverage increasingly comes from somewhere off the balance sheet: the suppliers, outsourcers and software platforms that knit modern companies together. By compromising a single vendor, attackers can pry open dozens — sometimes hundreds — of downstream customers.
That “many-for-one” return on effort is a big reason why third‑party involvement in breaches doubled year over year to 30% of cases, according to Verizon’s 2025 Data Breach Investigations Report (DBIR). Security teams say the shift is reshaping incident response and board‑level risk conversations. What used to be a perimeter problem has become an ecosystem problem.
“Adversaries are going after the soft underbelly,” says a European threat‑intelligence lead at a major cybersecurity company. “If the front door is hardened, they’ll ring the doorbell from next door — a support vendor, a software integrator, a cloud data platform.”
The playbook varies, but the economics are consistent. One popular route is credential theft against third‑party environments with persistent access to customer networks or data. Another is exploiting edge devices and managed file-transfer tools that many suppliers run on behalf of clients. In 2024, the world watched as a data‑theft and extortion campaign hit customer databases hosted on a well‑known cloud data platform, leveraging stolen user credentials. Earlier waves saw mass exploitation of a managed file transfer product ripple through thousands of organizations — not because each was directly targeted, but because many entrusted the same software with sensitive workflows.
Those incidents helped push the illicit ransomware market into multibillion‑dollar territory over the past two years. Blockchain‑forensics firm Chainalysis recorded an all‑time high of more than $1 billion in extorted payments in 2023, before victims’ growing refusal to pay and law‑enforcement pressure contributed to a 35% drop in 2024. Yet even as total payments fell, median and average ransoms surged in several quarters, reflecting a pivot toward larger, better‑resourced targets — often reached via suppliers.
A crisis of connectedness
The single biggest driver behind the surge, security leaders argue, is the sheer density of connections in enterprise IT. Cloud platforms, outsourced help desks, managed security providers and software libraries expand capability — and the attack surface. Vendors frequently hold privileged access, API tokens or data mirrors that, if stolen, can be turned into leverage.
“Supplier due diligence used to be questionnaires and contracts,” says the CISO of a German industrial manufacturer. “Now my team treats third‑party identity and access like our own: enforcing multi‑factor authentication, setting up just‑in‑time privileges, and monitoring vendor sessions in real time. It’s the only way to sleep.”
But even well‑run programs struggle with the long tail of partners. Large enterprises may rely on hundreds or thousands of suppliers, many of which subcontract further. Asset owners often lack visibility into where sensitive datasets travel, or how credentials are protected across that chain. Attackers thrive in those blind spots, mixing commodity tools with professionalized operations: dedicated data‑extortion crews, initial‑access brokers, and affiliates trading intrusion playbooks in private markets.
From encryption to exfiltration
The tactics are shifting too. While encryption‑driven “big‑game hunting” remains common, data theft and pure extortion have surged. In these cases, attackers quietly copy data from a supplier environment or shared SaaS repository, then threaten to leak it. With no files to decrypt, traditional backup strategies offer limited leverage. For highly regulated sectors — finance, healthcare, utilities — the prospect of sensitive data exposure can be even more damaging than downtime.
The UK’s health system learned that lesson the hard way in 2024 when a pathology services provider was hit, disrupting patient services across multiple hospitals. In the private sector, a third‑party support breach at a household‑name retailer exposed customer information. And a campaign against customer instances at a global cloud data warehousing firm became a case study in what happens when single‑sign‑on gaps and stale credentials collide with supplier trust.
Industrial supply chains, finely tuned for “just‑in‑time” efficiency, have proved especially brittle. A single compromised logistics or IT provider can halt assembly lines for days. Security services firms tracked record‑setting ransomware activity against manufacturing in 2024, with attackers timing intrusions to peak season and maintenance windows. The cost calculus here is brutal: even companies that refuse to pay may absorb multimillion‑euro losses from production outages and expedited recovery.
Regulation: carrots, sticks and registers
Policymakers are racing to catch up. In Europe, the updated NIS2 Directive became enforceable after the October 2024 transposition deadline, broadening security obligations to thousands more “essential” and “important” entities and spelling out incident‑reporting timelines. The EU’s Digital Operational Resilience Act (DORA) for financial services took effect on 17 January 2025, imposing stringent vendor‑risk provisions — including detailed registers of third‑party ICT services and mandatory contractual clauses — with supervisors already signaling little tolerance for paper‑only compliance.
The intent is clear: force organizations to inventory who has access to what, reduce excessive privileges, and prove they can keep operating through supplier outages. But implementation is uneven. Several Member States lagged in fully embedding NIS2 into national law through 2025, leaving multinational firms to navigate a patchwork of expectations and deadlines.
Across the Atlantic, U.S. policy remains more sector‑specific. Federal procurement rules have tightened for government suppliers, and critical‑infrastructure sectors face heightened scrutiny from regulators and insurers. Yet there is no single national equivalent to DORA. In practice, boards and audit committees are moving faster than lawmakers, hardening contractual terms with vendors and insisting on continuous evidence — not point‑in‑time questionnaires — that controls work as designed.
What works (and what doesn’t)
Security leaders interviewed by this publication describe five moves that demonstrably reduce supply‑chain exposure:
1) Kill standing vendor access. Replace it with just‑in‑time access brokering through privileged‑access tools, with per‑session approval, recording and automatic expiry. Where possible, use ephemeral credentials bound to device posture and location.
2) Make MFA non‑negotiable — and phishing‑resistant. Classic one‑time codes are repeatedly bypassed by social engineering. Hardware‑bound passkeys or FIDO2 tokens for suppliers, with strict device enrollment, blunt many intrusion attempts seen in 2024–2025.
3) Continuously validate with telemetry, not questionnaires. Ingest vendor identity logs, API call patterns and EDR signals into your own SIEM/XDR. Require suppliers to stream alerts, not just email monthly summaries.
4) Segment shared platforms and edge devices. Treat managed file transfer, VPNs, load balancers and customer‑hosted data platforms as untrusted until proven otherwise. Use network isolation, egress controls and service‑to‑service authentication to prevent a supplier foothold from moving laterally into crown‑jewel systems.
5) Rehearse third‑party incident playbooks. Table‑top exercises should include pre‑negotiated crisis communications with customers, forensics data‑sharing with suppliers, and legal triggers for mandatory reporting across jurisdictions.
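As an added illustration of how the first three moves fit together in practice (this is example code written for this article, not a tool used by any of the organizations quoted), the script below runs a simple check over vendor session telemetry: every session must fall inside an approved, unexpired just‑in‑time grant, and every session must have used phishing‑resistant MFA. The vendor names, grant identifiers, target systems and session records are all constructed sample data, and the JSON layout of the session records is an assumption about what a privileged‑access or SSO tool might stream into a SIEM.

```python
"""
Added example (not from the article): evaluate streamed vendor session records
against just-in-time (JIT) access grants and an MFA policy.

Assumptions (constructed for this example):
  - each session record is one JSON line with vendor, target, ts, mfa, session_id
  - JIT grants carry a start time and a time-to-live, after which access expires
  - "fido2" and "passkey" count as phishing-resistant MFA; OTP/SMS/TOTP do not
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import json

# MFA methods the policy treats as phishing-resistant (assumption for this example).
PHISHING_RESISTANT = {"fido2", "passkey"}


@dataclass(frozen=True)
class JitGrant:
    """A time-boxed, approved access grant for one vendor to one target system."""
    grant_id: str
    vendor: str
    target: str
    start: datetime
    ttl: timedelta          # automatic expiry: no standing access
    approved_by: str

    @property
    def end(self) -> datetime:
        return self.start + self.ttl


def parse_session(line: str) -> dict:
    """Parse one JSON session record; timestamps are ISO 8601 with a UTC offset."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def evaluate_session(session: dict, grants) -> list:
    """Return a list of finding codes for one session (empty list means clean)."""
    findings = []
    # Move 1: the session must map to an approved grant that has not expired.
    matching = [g for g in grants
                if g.vendor == session["vendor"] and g.target == session["target"]]
    active = [g for g in matching if g.start <= session["ts"] <= g.end]
    if not matching:
        findings.append("NO_GRANT")
    elif not active:
        findings.append("GRANT_EXPIRED")
    # Move 2: MFA must be phishing-resistant, not a one-time code.
    if session["mfa"].lower() not in PHISHING_RESISTANT:
        findings.append("WEAK_MFA")
    return findings


def review(lines, grants) -> dict:
    """Move 3: run the checks over streamed telemetry; map session_id -> findings."""
    report = {}
    for line in lines:
        session = parse_session(line)
        findings = evaluate_session(session, grants)
        if findings:
            report[session["session_id"]] = findings
    return report


# Constructed sample grants: two vendors, short-lived windows, named approvers.
SAMPLE_GRANTS = [
    JitGrant("G-1001", "acme-support", "erp-prod",
             datetime(2025, 3, 10, 9, 0, tzinfo=timezone.utc), timedelta(hours=2), "j.doe"),
    JitGrant("G-1002", "northwind-msp", "fw-mgmt",
             datetime(2025, 3, 10, 22, 0, tzinfo=timezone.utc), timedelta(hours=1), "r.roe"),
]

# Constructed sample session records, one JSON object per line.
SAMPLE_SESSIONS = [
    '{"session_id": "s-1", "vendor": "acme-support", "target": "erp-prod", '
    '"ts": "2025-03-10T09:15:00+00:00", "mfa": "fido2"}',
    '{"session_id": "s-2", "vendor": "acme-support", "target": "erp-prod", '
    '"ts": "2025-03-10T13:40:00+00:00", "mfa": "fido2"}',
    '{"session_id": "s-3", "vendor": "acme-support", "target": "hr-db", '
    '"ts": "2025-03-10T09:30:00+00:00", "mfa": "sms"}',
    '{"session_id": "s-4", "vendor": "northwind-msp", "target": "fw-mgmt", '
    '"ts": "2025-03-10T22:05:00+00:00", "mfa": "totp"}',
]

if __name__ == "__main__":
    for session_id, findings in review(SAMPLE_SESSIONS, SAMPLE_GRANTS).items():
        print(session_id, ", ".join(findings))
```

Run against the sample data, session s‑1 is clean, s‑2 is flagged because the grant expired at 11:00, s‑3 reaches a system the vendor was never approved for and used SMS codes, and s‑4 is inside its grant but used a one‑time code. The point of the exercise is that each finding comes from the organization's own telemetry and its own grant register rather than from anything the supplier self‑reports.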
What doesn’t work? Relying on indemnities or SLAs to absorb the blast. “Contracts help after the fact,” says a partner at a leading cyber‑insurance carrier. “But when a supplier outage spirals into a week of downtime, the insured expects business‑interruption coverage to bridge the gap. Underwriters now want to see hard evidence of third‑party controls, not promises.”
The ransomware economy, still evolving
Despite headline‑grabbing takedowns of prolific groups, the ecosystem continues to adapt. Law‑enforcement operations in late 2024 and early 2025 rattled several franchises, yet new crews quickly filled the vacuum. Average and median ransom payments whipsawed quarter to quarter, reflecting a tug‑of‑war between hardened backups and more targeted extortion. Analysts also note the return of “double‑and‑delay” tactics: attackers leak a small tranche of stolen data, vanish for weeks, then re‑emerge with new threats, stretching response teams thin.
One constant is the professionalization of the supply‑chain intrusion path. Initial‑access brokers now advertise footholds specifically in managed service providers, call‑center platforms and SaaS admin consoles. Tooling has matured around token theft, API abuse and automated discovery of cross‑tenant misconfigurations. And state‑linked groups, notably from North Korea, have blended financial motives with espionage, blurring lines between criminal and geopolitical campaigns.
A new baseline
For executives, the message is stark: vendor risk is now core business risk. The era of treating supplier security as a procurement checklist is over. The organizations weathering 2025’s storm share a few traits — ruthless inventory discipline, identity‑first architecture, rehearsed crisis playbooks, and a willingness to demand (and verify) higher standards from partners. The weakest link may sit outside your org chart. But its failure can still be existential.