Third-Party Data Breaches: What You Need to Know

Why third-party breaches are on the rise, who is being affected, and what you can do about it.
Alastair Parr
Senior Vice President, Global Products & Services
May 02, 2024
Blog third party data breach 0621

A third-party data breach occurs when malicious actors compromise a vendor, supplier, contractor, or other organization in order to gain access to sensitive information or systems at the victim’s customers, clients or business partners. Third-party data breaches are becoming increasingly common as technology makes it easier for businesses to connect and as global supply chains grow in complexity. As a result, organizations are often unable to visualize where their data goes, and proprietary or sensitive data can easily be shared with suppliers and subcontractors that the contracting organization knows little to nothing about.

This article examines why third-party data breaches are increasing; provides examples of prominent companies that were compromised by third, fourth, or Nth party vendors; and explains what steps you can take to mitigate the risk of your organization becoming a victim.

Why Third-Party Data Breaches Are Increasing

The last decade has seen an increasing number of large organizations investing heavily in information security. No system can be entirely secure, but heavy investments in cybersecurity do make it far more difficult for malicious actors to compromise well-resourced organizations. Hackers are increasingly incentivized to target smaller subcontractors to bypass robust and well-funded cybersecurity programs. Compromising a small HVAC contractor and using that organization as an unwitting Trojan Horse is far easier to accomplish than directly compromising a Fortune 500 company with a fully staffed Security Operations Center and several layers of security controls.

Small businesses have consistently lagged behind in adopting robust information security practices despite the fact that 43% of attacks target them. This enables malicious actors to compromise smaller third parties and either steal data entrusted to them, or hijack their access to sensitive systems at larger organizations. Third-party data breaches can be extremely damaging and can result in millions of dollars in fines, legal fees and penalties -- along with inordinate reputational damage.

Examples of Prominent Third-Party Security Incidents

Third-party data breaches have become far more common in recent years. As the world economy becomes more integrated, data often flows throughout supply chains with little regard for its protection or how it is managed. This has resulted in a “wild west” approach to applying information security controls, as many organizations have little to no idea where their data is throughout the extended supply chain -- much less what security measures are being taken to protect it.

2024 Third-Party Data Breaches

Microsoft Midnight Blizzard Attack

In January 2024, Microsoft’s Security Team detected an attack on its e-mail systems, later identifying the attacker as Midnight Blizzard, the Russian state-sponsored actor also known as NOBELIUM. This ongoing incident compromised email accounts and data for US government agencies and businesses alike, hackers downloaded about 60,000 emails from the State Department alone.

You should monitor for any critical updates to this incident – even if your account(s) didn’t get compromised directly, there’s a good chance a third party in your ecosystem may have been. Microsoft is embedded into the ecosystem of most organizations’ technology to the point that many have no choice but to trust them.

United Health Group Hack

In February 2024, UnitedHealth Group, the largest health insurer in the United States, confirmed that a ransomware attack targeted its health-tech subsidiary Change Healthcare, continuing to disrupt hospitals and pharmacies nationwide. Change Healthcare processes nearly half of all medical claims in the U.S. for approximately 900,000 physicians, 33,000 pharmacies, 5,500 hospitals, and 600 laboratories.

The cyberattack has halted pharmacy operations and caused widespread outages and issues with processing insurance and patient billing. The incident highlights the escalating ransomware threat to critical services, with experts calling for urgent government intervention.

Infosys McCamish Data Breach

In February 2024, Bank of America announced its customer data was compromised through an Infosys McCamish cybersecurity incident. The incident resulted in an unauthorized party being able to access certain customers’ sensitive information, including names, addresses, business email addresses, dates of birth, Social Security numbers, and other account information. Recently, Infosys McCamish revealed in an update to investors that approximately 6.5 million individuals’ information was subject to unauthorized access and exfiltration.

Numerous threat intelligence reports indicate Infosys may have had poor security hygiene and a highly exposed external attack surface before the ransomware attack. This underscores the need to press leading suppliers and vendors to adhere to well-known security best practices.

American Express Data Breach

In March 2024, American Express revealed that a third-party merchant processor (yet to be named) was impacted by a cybersecurity incident. This third-party breach leaked sensitive customer data, including current or previously issued American Express card account numbers, names, and other card information such as the card expiration dates.

The payment card ecosystem is massive, and there are many interconnected parties involved that could potentially lead to breaches of sensitive financial data. Consumers and businesses should be vigilant and prepared to update payment card information quickly.

Third-Party Cybersecurity: The Top Incidents of 2024 So Far

Join Dave Shackleford of Voodoo Security as he examines the current state of third-party cybersecurity so far in 2024 and shares tips for strengthening your third-party risk management (TPRM) program's security.

Watch Now
Webinar 0425 q1cybersecurity incidents

2023 Third-Party Data Breaches

Progress Software MOVEit Breach

On May 31, 2023, Progress Software disclosed a vulnerability that enables unauthenticated actors to access its MOVEit® Transfer database and execute SQL statements to alter or delete information. MOVEit Transfer is a managed file transfer software that is part of the Progress MOVEit cloud platform used to consolidate all file transfer activities into one system.

Since the disclosure, cybercriminal gang Clop have exploited the vulnerability and used it to target a wide-ranging number of organizations across multiple industries and geographies, including HR software provider Zellis, the BBC, the government of Nova Scotia, and many others.

Okta Third-Party Data Breach

In October 2023, Okta revealed that a healthcare vendor exposed information for 5,000 Okta employees. In the first incident, attackers stole credentials to access its support case management system and steal customer-uploaded session tokens. In early November, they informed their customers that the breach also impacted all Okta customer support system users.
The source of the breach was likely a compromised personal Google account of an Okta employee, who had saved their service account credentials in their account. This latest breach of the support unit in October is the second significant breach affecting the data of Okta customers within the last two years.

London Metropolitan Police

In August of 2023, The London Metropolitan Police experienced a breach from an apparent ransomware attack against an IT supplier, Digital ID. Sensitive information of nearly 47,000 law enforcement officers and staff, including undercover and counter-terrorism cops was exposed. The compromised information included an array of sensitive data, including names of officers and staff, photos, ranks, vetting levels, and identification numbers.

2022 Third-Party Data Breaches

Okta LASPSUS$ Attack

In March 2022, the U.S.-based identity and access management platform Okta acknowledged that an attack against a third-party vendor they used resulted in a data breach impacting approximately 2.5% of their customer base. According to Okta, the damage was limited to permissions that third-party support engineers have on their platform. The ransomware group responsible for the attack, LAPSUS$, had the potential to access:

  • JIRA Tickets

  • Lists of Users

  • Reset Passwords

  • Reset multi-factor authentication

Attacks against critical players in the supply chain ecosystem have escalated in recent years as malicious actors have increasingly pursued a strategy of leveraging one successful attack to damage companies throughout the software supply chain. Cybersecurity companies can be particularly at risk due to their privileged access to other organizations’ IT environments. For more information about the 2022 Okta breach, we recommend reading our blog on four questions you should answer to determine if you are ready for third-party incident response.

LastPass Data Breach

On December 22, 2022, password management company LastPass announced that an unknown threat actor leveraged information obtained during an August 2022 security incident to access a third-party cloud-based storage service that LastPass uses to store archived backups.

Toyota Supply Chain Attack

On February 28, 2022, Toyota announced that the company was suspending operations on all 28 production lines at 14 manufacturing plants in Japan for a day due to a system failure at a supplier, Kojima Industries. Other Toyota partners, including Hino Motors and Daihatsu Motor, were also affected by the shutdown. The cause of the system failure at Kojima appeared to be a cyberattack that prevented communications with Toyota and production monitoring systems. On March 1, Toyota announced that they were resuming operations for only the first production shift starting March 2.

2021 Third-Party Data Breaches

Eye Care Leaders Ransomware Attack

At least eight healthcare providers had to notify millions of patients that their medical records had been compromised in a ransomware attack on a third-party electronic medical records (EMR) platform.

The attack on Eye Care Leaders’ EMR in December 2021, the largest healthcare security incident of the year, exposed the data of 3.7 million people to threat actors who, after getting into the platform, deleted databases and system configuration files, making it impossible to discern whether the attackers saw or took the data before deleting it.

Log4J Vulnerability

In December of 2021, security researchers announced the discovery of CVE-2021-44228, Apache Log4j Java-based logging library. The Log4j vulnerability allows unauthenticated remote code execution and access to servers – in effect, a complete takeover of vulnerable systems. Log4J opened up a massive risk throughout the third-party software ecosystem.

Even though a patch was released by Apache within days, many organizations are reliant on third, fourth, and Nth parties that may have neglected to quickly patch, or been unaware that they were affected. Prevalent put together a list of 8 questions to ask third parties to reduce the risks of being affected by a third-party data breach enabled by Log4J.

Kaseya Ransomware Supply Chain Attack

Remote Monitoring & Management software attacks have become a primary concern for many IT teams and Managed Services Providers. On July 2, 2021, Kaseya announced that attackers had taken advantage of a vulnerability in the company's VSA software to stage a ransomware attack against Kaseya’s customers. Dozens of IT service providers and hundreds of downstream customers were affected resulting in millions of dollars worth of damages.

Like the SolarWinds Orion breach and other recent third-party cyber security incidents, this is another example of the potential exponential impact of supply chain attacks on the extended supply chain.


Mercedes-Benz announced in June 2021 that approximately 1.6 million unique records were leaked through a third-party vendor's cloud storage platform. An eternal cybersecurity researcher reportedly found the flaw and notified Mercedes-Benz of the incident. According to Mercedes-Benz, less than 1,000 customers had sensitive information like social security numbers and drivers license information leaked.

The car manufacturer disclosed the breach on Thursday, June 24th. It appears that potential buyer and customer information was leaked from filling out information on Mercedes-Benz websites between January 1, 2014 through June 19, 2017. Any individual seeking to access these files would need to implement “special software programs and tools” to find the information leaked. The company announced that the security flaw has been remediated and plugged.

Possibly leaked data included:

  • Driver's license numbers

  • Social Security numbers

  • Credit card information

  • Birthdays

  • First and last name

  • Email address

  • Phone numbers

  • Purchased vehicle information


Over 3.3 million customers were impacted in a data breach of car manufacturer Volkswagen announced in June 2021. Current and prospective customers' information was left exposed online between August 2019 and May 2021. According to Volkswagen, they were alerted that an unauthorized third party may have accessed the customer information on March 10, 2020.

Possibly exposed data included:

  • First and last name

  • Personal address

  • Business addresses

  • Email addresses

  • Phone numbers

  • Vehicles purchased

  • Vehicles leased

  • Vehicle ID numbers makes, models, years, and colors

PracticeMax Ransomware Attack

Healthcare billing and IT solutions vendor PracticeMax announced that it was the victim of a ransomware attack that occurred between April 17 and May 5, 2021. PracticeMax is a business associate of healthcare organizations Humana and Anthem. During the breach, an unauthorized actor accessed and stole more than 4,000 Humana patient files containing protected health information (PHI).

Past Third-Party Data Breaches


The SolarWinds supply chain breach, first reported in December of 2020, impacted over 18,000 users of its Orion network management product. The SolarWinds supply chain breach continues to wreak havoc on Orion customers around the world, as they continue to identify and mitigate its risks. The list of impacted companies includes major US government agencies and firms:

  • Department of Energy

  • Department of the Treasury

  • Department of Commerce

  • State and local governments

  • Department of State

  • Department of Homeland Security

  • National Institutes of Health

  • The Department of Defense

Private companies affected by the breach include Microsoft and FireEye. This security incident dealt a major blow to US national security that revealed major flaws in cybersecurity defenses. Recognizing the potentially damaging impact on companies’ operations, Prevalent released a free event and incident management assessment to its customers soon after the breach was first reported.

9 Steps to a Third-Party Incident Response Plan

When one of your critical vendors is breached, being ready with a prescriptive incident response plan is essential to preventing your company from becoming the next victim.

Read Now
White paper incident response 0421

Capital One

In 2019, Capital One reported a data breach affecting over 100 million customers and involving data going back a decade. The Office of the Comptroller of the Currency cited the failure “to establish effective risk assessment processes” before moving IT infrastructure and data to the public cloud as one of the principal causes of the breach. Capital One was fined over $80,000,000 for the breach. Data compromised included:

  • Social Security Numbers

  • Bank Account Numbers

  • Customer Credit Scores

  • Payment Histories

  • Self-Reported Incomes


The 2020 GE breach shows that a security incident can harm not only customer relationships, but also employee relationships and trust in the company. General Electric’s human resources document management provider, Canon Business Process Service, suffered a breach at the beginning of 2020. Over 200,000 current and former employees' sensitive information, including benefits and personal health information (PHI), and more were exposed in the incident.

The personal information released includes:

  • Names

  • Social Security Numbers

  • Bank account information

  • Date of birth

  • Direct deposit forms

  • Driver’s licenses

  • Passports

  • Birth certificates

  • Marriage certificates

Death certificates, medical child support orders, tax withholding forms, beneficiary designation forms and applications for benefits such as retirement, severance and death benefits with related forms and documents were also exposed.


In 2019, over 7 million Adobe Creative Cloud user records were exposed because an internal Elasticsearch database was left exposed online without password protection. The information included usernames and customer account information but not financial data or user passwords.

Other information exposed included:

  • User email addresses

  • Adobe member IDs

  • Country of origin

  • Adobe products used

  • Account creation date

  • Last login date

  • Subscription status

  • Payment status

Although the breach did not include user credentials like names, passwords or financial information, the incident still posed harm to users. Hackers using spear phishing techniques can email high-value accounts, obtain passwords, and sell them on the dark web. Any breach of customer information, no matter how small, can pose enormous risks.


When Marriott acquired Starwood in 2016, the company inherited a compromised reservation system platform that resulted in lawsuits and reputational damage after the breach was announced in 2018. Malicious actors had direct access to Starwood’s networks and systems since 2014. The attackers maintained access to Starwood systems until the breach’s discovery and disclosure in 2018.

The malicious actors stole information on up to 500 million guests, including:

  • Names

  • Addresses

  • Phone numbers

  • Birth dates

  • Email addresses

  • Encrypted credit card details

  • Passport numbers

  • Travel histories

In 2020, Marriott announced a second breach, which affected over 5 million customer accounts and compromised addresses, birthdays, phone numbers, and loyalty card information. This third-party data leak was caused because two Marriott franchise owners had their corporate access to systems stolen. It is important to monitor any third parties who have access to your business infrastructure information, even if this is a partner organization like a franchisee. Franchisees frequently may not adhere to the same cybersecurity requirements as their parent company, exposing the entire organization to risk.


In 2013, major retailer Target was hacked by cyber attackers compromising the data of over 70 million consumers. During this seminal third-party breach, one of Target's HVAC contractors was the victim of a spear-phishing attack that leaked credit card numbers, security codes, phone numbers, and full names.

The hackers accessed Target’s corporate network with stolen credentials and installed malware on Target’s POS devices. The installed malware collected sensitive customer data between November and December of 2013. The Target breach provides a clear example of how even the best-funded information security programs can easily be compromised via security exposures in third-party products and services.

Navigating the Vendor Risk Lifecycle: Keys to Success

This complimentary guide details best practices for successfully managing risk throughout the vendor lifecycle. See what we've learned in our 20+ years of experience working with hundreds of customers.

Read Now
Feature navigating vendor risk lifecycle

Best Practices for Preventing Third-Party Security Breaches Throughout the Vendor Lifecycle

Effectively managing risk throughout the extended supply chain can be difficult, particularly for large organizations. However, there are several steps you can take to better understand your risk environment and mitigate the impact of potential third-party risk. Here are Prevalent’s recommendations to help mitigate the risk of a third-party data breach throughout the vendor lifecycle.

Consider Information Security During Sourcing and Selection

As your IT infrastructure becomes increasingly integrated with third and fourth parties, it is critical to consider information security during vendor sourcing and selection. When considering vendors with a high degree of profiled risk based on their access to your organization's sensitive data and systems, give precedence to those with demonstrable information security maturity. It is worth asking:

  • Does the vendor work with other enterprise clients with complex information security needs?

  • Does the vendor have the necessary security controls to comply with requirements that would flow down from your organization? (e.g. HIPAA, CMMC, GDPR)

  • What is the vendor's information security track record? Do they have multiple publicized data breaches or compliance violations?

Consider leveraging third-party risk management software or vendor risk intelligence networks to inform your sourcing and selection process with preloaded cybersecurity risk data.

Set Clear Contractual Expectations for How Data Is Stored and Transferred

Many organizations fail to build their vendor contract management processes with vendor risk management in mind. Your organization should have clear company policies regarding when personal information, customer data, or other sensitive information can be shared with third parties. For example, you might want to consider including clear stipulations regarding when confidential information can be shared with fourth parties and beyond.

Conduct Continuous Monitoring on Third Parties with Access to Sensitive Data or Systems

Vendors should be monitored for unauthorized access to personal data or other proprietary information. Even if the vendor isn’t acting maliciously, their IT systems could have been compromised resulting in malware spreading to your organization’s systems. Any vendor with any access to your IT assets should be monitored for the duration of access.

In addition, you should practice proactive, external third-party monitoring for all vendors that deal with your confidential information. Organizations change their information security programs over time, and what was originally reported on their vendor risk assessment questionnaire may not hold true a few months later. Additionally, a proactive monitoring approach can help you to catch potential data breaches before they happen. By monitoring the dark web, pastebin and other areas where stolen credentials are posted, you can learn if one of your vendors has been compromised.

Pay Attention to Regulatory Requirements

Information security and data privacy regulations have been ramped up dramatically in the past decade. We’ve seen the introduction of GDPR, CCPA, NY Shield Act, and dozens of other compliance requirements in just the past few years. It is highly likely that regulatory scrutiny will continue to mount as new third-party breaches emerge.

Require Vendors to Independently Verify Their Information Security Practices

Third-party risk assessment questionnaires can be enormously helpful in determining whether vendors are taking appropriate information security measures. However, in some cases, you may want to consider requiring potential vendors to become certified against an information security standard. For example, the Department of Defense recently propagated the Cybersecurity Maturity Model Certification. This regulation required contractors working with the Department of Defense to be certified against a 5-tier standard set by DOD determined by the type of information the contractor is working with.

Your organization can take a similar approach in dealing with vendor cybersecurity concerns. For many vendors, particularly those not dealing with large amounts of confidential data, a simple vendor risk assessment questionnaire might suffice. However, for vendors that need access to proprietary data and systems, you might want to consider requiring compliance against an outside standard such as SOC 2 or NIST CSF.

Get Visibility Into the Extended Supply Chain

The first step of any cybersecurity program is to get visibility into IT assets. The same is true for third-party risk. You need to understand not only which third parties are used across the extended enterprise, but also who makes up their supply chains down to fourth and Nth party vendors. As a rule, the more critical the vendor is or the more data they have access to, the more visibility you need into their extended supply chains. The Kaseya and SolarWinds attacks are illustrative examples of how the security practices of fourth parties can have ripple effects throughout the supply chain.

Audit Your Offboarding Process

Effective vendor offboarding is one of the most essential elements of a third-party risk management program and is essential to preventing third-party data breaches. Most organizations have some form of an offboarding process for third parties and contractors, but in a busy corporate environment, it can be overlooked. Make an effort to routinely audit offboarding processes across multiple departments for third-party vendors. Ensure that permissions and access are fully revoked across departments to comply with corporate policy and government regulations.

Next Steps for Preventing Third-Party Data Breaches

Wondering how prepared your organization is for a third-party data breach? Get started with our 10-question risk calculator. For a custom benchmarking report on your third-party risk management program, request a free TPRM maturity assessment and consulting session. Interested in how Prevalent can help? Read more about our third-party risk management platform and vendor risk assessment services, or request a demo.

Leadership alastair parr
Alastair Parr
Senior Vice President, Global Products & Services

Alastair Parr is responsible for ensuring that the demands of the market space are considered and applied innovatively within the Prevalent portfolio. He joined Prevalent from 3GRC, where he served as one of the founders, and was responsible for and instrumental in defining products and services. He comes from a governance, risk and compliance background; developing and driving solutions to the ever-complex risk management space. He brings over 15 years’ experience in product management, consultancy and operations deliverables.

Earlier in his career, he served as the Operations Director for a global managed service provider, InteliSecure, where he was responsible for overseeing effective data protection and risk management programs for clients. Alastair holds a university degree in Politics and International Relations, as well as several information security certifications.

  • Ready for a demo?
  • Schedule a free personalized solution demonstration to see if Prevalent is a fit for you.
  • Request a Demo