Techie Tonic: Third-party risk and its role in recent cybersecurity breaches

In today’s hyper-connected business environment, organisations rarely operate in isolation

Anoop Paudval, Head of Information Security Governance, Risk, and Compliance (GRC) for Gulf News
As recent breaches demonstrate, cybercriminals are increasingly exploiting these weaker links to gain access to sensitive information.

Background

The fact: no organisation can operate its business alone; business success, failure and risk all depend on connected third-party services.

In today’s hyper-connected business environment, organisations rarely operate in isolation. Almost every company relies on a network of third parties, whether for cloud hosting, customer service platforms, payment systems, or specialist software integrations. While this interconnectedness brings efficiency and innovation, it also introduces a growing threat: “third-party risk”. As recent breaches demonstrate, cybercriminals are increasingly exploiting these weaker links to gain access to sensitive information.

Third-party risk refers to the cybersecurity threats an organisation faces through its vendors, partners and supply chain. It plays a significant role in recent breaches because of increased reliance on these external entities, limited visibility into their security practices, and vulnerabilities in shared software and systems. By targeting a third party, attackers gain a foothold into a larger network and more sensitive data, leading to financial losses and reputational damage for the victim organisation.

Third-party risk is multifaceted. It stems not only from technical weaknesses, such as unpatched systems or weak access controls, but also from insufficient oversight, poor incident response, and a lack of transparency in vendor operations. In some cases even fourth- or fifth-party suppliers, the companies that an organisation’s own vendors depend on, can introduce risk. The challenge is that while an organisation can tightly manage its own security practices, it has far less direct control over its partners. This imbalance creates opportunities for attackers to infiltrate networks indirectly, often with devastating consequences.

Several recent cybersecurity incidents illustrate the seriousness of third-party risk. For example, an airline disclosed a breach in which up to six million customers’ personal data was exposed through a third-party customer service platform. While financial data remained intact, sensitive personal information such as names, phone numbers and loyalty account details was accessed. This case highlights how data handled by vendors, even when it is not financial, can still lead to privacy violations and reputational harm. Similarly, users of a leading CRM platform were affected when attackers exploited weaknesses in its integrations with other platforms. By abusing OAuth tokens and poorly secured connections, the attackers exfiltrated records containing valuable corporate information. These incidents show that the problem is not limited to core systems but extends to the ecosystem of applications and services that businesses routinely rely on.

The fashion industry was affected too: the parent company of several luxury brands reported a breach tied to the hacker group ShinyHunters, in which customer information including names, emails and phone numbers was exposed. Though financial records were not compromised, the event once again underscored the dangers of third-party involvement in handling sensitive data. Importantly, these examples are not isolated. Most research indicates that over 35% of all breaches involved third-party connections, and that the majority of those were linked to vulnerabilities in the software supply chain. Another survey revealed that more than 70% of organisations experienced at least one material incident tied to a third party within the past year.

As recent breaches involving airlines, technology firms, and luxury brands have shown, vulnerabilities in external systems can lead to large-scale data exposure, regulatory scrutiny, and loss of customer trust.

Why is this trend accelerating?

A key driver is the growing dependence on external services. From cloud-based collaboration tools to outsourced IT services, businesses expand their attack surface with every new vendor relationship. Attackers are also shifting tactics, increasingly using valid credentials or exploiting trusted integrations instead of relying on brute-force intrusions. Once a malicious actor gains access through a vendor, they can move laterally across systems, often remaining undetected for long periods because the activity originates from what appears to be a trusted partner. Furthermore, many organisations lack continuous visibility into third-party practices, relying instead on infrequent audits or basic questionnaires that provide little assurance against evolving threats.

What do we do?

Mitigating third-party risk requires more than one-off assessments. Organisations must adopt a layered approach, starting with rigorous vendor due diligence before contracts are signed. This includes evaluating a partner’s patching practices, security policies, and incident response capabilities. Once a vendor is engaged, least-privilege access should be enforced so that third parties only receive the permissions strictly necessary to perform their duties. Continuous monitoring tools can help detect suspicious behaviour, while contractual agreements should establish clear expectations around security controls, reporting obligations, and liability in the event of a breach. Network segmentation and isolation of vendor systems from core infrastructure can further limit the damage if a third-party account is compromised.
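One concrete way to apply the least-privilege and continuous-monitoring points above to vendor integrations is to compare what each integration actually does against what it was granted. The script below is an added example, not code from this column or from any of the organisations it mentions. It runs over a constructed API audit log (the CSV layout, the integration names `support-desk` and `payments-gw`, the scope names and the per-hour record ceilings are all assumptions for illustration) and flags three things: calls that use a scope the integration was never granted, calls from an integration nobody registered, and record volumes that exceed the integration's hourly ceiling, which is the shape a bulk export through a stolen OAuth token tends to take.

```python
"""Least-privilege and behaviour checks for third-party integration accounts.

Added example, not from the original article. The log format, the policy
table and the thresholds are assumptions chosen for illustration.
"""
import csv
import io
from collections import defaultdict

# Hypothetical allow-list: the scopes each vendor integration was granted when
# it was onboarded, plus a ceiling on how many records it normally pulls per
# hour. Anything outside this table is a finding.
INTEGRATION_POLICY = {
    "support-desk": {
        "scopes": {"contacts.read", "tickets.read", "tickets.write"},
        "max_records_per_hour": 500,
    },
    "payments-gw": {
        "scopes": {"invoices.read", "invoices.write"},
        "max_records_per_hour": 200,
    },
}

# Constructed sample audit log (not real data):
# timestamp, integration id, scope used, records returned
SAMPLE_LOG = """\
2024-05-01T09:02:11Z,support-desk,tickets.read,40
2024-05-01T09:15:43Z,support-desk,contacts.read,120
2024-05-01T09:30:02Z,payments-gw,invoices.read,35
2024-05-01T03:10:55Z,support-desk,contacts.export,5000
2024-05-01T03:12:30Z,support-desk,contacts.export,5000
2024-05-01T10:01:00Z,unknown-app,contacts.read,10
"""


def parse_log(text):
    """Parse the CSV audit log into a list of event dicts."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        ts, integration, scope, records = row
        events.append({"ts": ts, "integration": integration,
                       "scope": scope, "records": int(records)})
    return events


def scope_violations(events):
    """Least-privilege check: each call must use a scope the integration holds.

    Returns tuples: ("scope_violation", integration, scope, ts) or
    ("unregistered_integration", integration, ts).
    """
    findings = []
    for e in events:
        policy = INTEGRATION_POLICY.get(e["integration"])
        if policy is None:
            findings.append(("unregistered_integration", e["integration"], e["ts"]))
        elif e["scope"] not in policy["scopes"]:
            findings.append(("scope_violation", e["integration"], e["scope"], e["ts"]))
    return findings


def volume_anomalies(events):
    """Behavioural check: records pulled per integration per hour vs its ceiling.

    Returns tuples: ("volume_anomaly", integration, hour, total, limit).
    """
    per_hour = defaultdict(int)
    for e in events:
        if e["integration"] in INTEGRATION_POLICY:
            # ts[:13] is the "YYYY-MM-DDTHH" hour bucket of an ISO-8601 stamp
            per_hour[(e["integration"], e["ts"][:13])] += e["records"]
    findings = []
    for (integration, hour), total in sorted(per_hour.items()):
        limit = INTEGRATION_POLICY[integration]["max_records_per_hour"]
        if total > limit:
            findings.append(("volume_anomaly", integration, hour, total, limit))
    return findings


def analyse(text):
    """Run both checks over a log and return all findings."""
    events = parse_log(text)
    return scope_violations(events) + volume_anomalies(events)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

On the constructed log this reports two `contacts.export` calls that `support-desk` was never granted, one call from an integration that is not in the policy table at all, and a 10,000-record pull in a single early-morning hour against a 500-record ceiling. In practice the log would come from the SaaS platform's audit-log export, the ceiling would be derived from each integration's observed history rather than a fixed constant, and a scope violation should also trigger a token review with the vendor, since the scope the token carries and the scope the contract allows are not always the same thing.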

Ultimately, third-party risk is no longer a secondary concern but a central pillar of cybersecurity and business resilience. Businesses that fail to prioritise vendor risk management may find themselves blindsided by threats emerging from their own supply chain. By embedding third-party oversight into governance frameworks, implementing continuous monitoring, and demanding accountability from partners, organisations can begin to close the gaps that attackers so readily exploit.

Let us conclude this way

In conclusion, the rise of third-party breaches reflects the reality of a digital economy built on shared platforms and outsourced services. No company can afford to ignore the risks embedded in its vendor ecosystem. Cybersecurity resilience today depends not only on strengthening internal defences but also on extending that vigilance outward, towards every partner, platform and provider that touches organisational data. The lesson from recent incidents is clear: “security is only as strong as the weakest link, and in many cases that link lies outside the organisation itself”.
