What Is a Third-Party Data Breach?

Josh Amishav · Last updated Mar 31, 2026 · 8 Minute Reading Time

Learn what third-party breaches are, how they happen, and how to stop them from hitting your company.

• Over a third of all breaches now originate through third parties, and the number keeps climbing year over year. Your vendors are a growing attack surface, not a shrinking one.
• You’re legally liable when your vendor gets breached. Most regulations hold the data collector responsible, not the processor. Contracts offer limited protection.
• Third-party breaches take longer to detect than any other attack vector. The delay happens because you’re waiting for your vendor to find something in their environment, not yours. By the time they tell you, attackers may have had months of access.
• The most damaging recent third-party breaches (Change Healthcare, AT&T/Snowflake) started with stolen credentials and missing MFA. Credential monitoring catches these before attackers get in.

One vendor’s missing MFA control caused a $3.1 billion breach at Change Healthcare. Another vendor’s compromised cloud platform exposed 110 million AT&T customers.

Third-party breaches are getting worse. The Verizon 2025 DBIR found that third-party involvement in breaches doubled year over year, reaching 30%.

The problem isn’t just that vendors get hacked. It’s that you often don’t find out until months later.

This guide covers what third-party data breaches are, how they happen, recent real-world examples, and how to prevent them.

What Is a Third-Party Data Breach?

A third-party data breach happens when attackers access your data through an external vendor or service provider. Your systems aren’t directly compromised. The breach occurs in your vendor’s environment, but your data gets exposed because it was there.

A third-party data breach is a security incident in which an unauthorized party gains access to an organization’s sensitive data through a vendor, supplier, or service provider. The breach originates in the third party’s systems, but the impact flows to every company whose data they held.

This covers any external company you share data with: cloud providers, payroll processors, marketing platforms, IT contractors, and SaaS tools. If they have access to your data or your network, they’re a third party.

The key distinction from a regular data breach is that your own systems may not be compromised at all. The attackers never touch your network. They breach the vendor, and your data gets caught in the blast radius because it was sitting in the vendor’s environment. That’s what makes third-party breaches so frustrating. You can do everything right on your end and still get hit because someone else didn’t.

How Common Are Third-Party Breaches?

The numbers are getting worse, not better.

SecurityScorecard’s 2025 Global Third-Party Breach Report found that 35.5% of all breaches in 2024 originated through third parties, up 6.5 percentage points from the prior year. The Verizon 2025 DBIR found third-party involvement doubled year over year to 30%.

File transfer software is the single biggest entry point, responsible for 14% of third-party breaches. Cloud products and services account for another 8.25%.

The financial impact is steep. IBM’s 2025 report puts supply chain compromise breaches at $4.91 million on average, with a 267-day lifecycle to identify and contain. That’s the longest of any attack vector, because the breach is happening in someone else’s environment.

Ransomware groups have figured this out. 41.4% of ransomware attacks now start through third parties, according to SecurityScorecard. Attackers target vendors specifically because one compromise gives them access to dozens or hundreds of downstream companies. It’s more efficient than attacking each company individually.

The geographic variation is worth noting for international teams. Singapore had the highest third-party breach rate at 71.4%. The Netherlands was at 70.4%, and Japan was at 60%. The US was below the global average at 30.9%. If you have vendors based in high-risk regions, that should factor into your risk assessment.

How Do Third-Party Data Breaches Happen?

Here’s the usual sequence.

Step 1: The attacker targets the vendor. Attackers go after vendors because one compromised vendor gives them access to dozens or hundreds of downstream companies. It’s more efficient than attacking each company individually.

Step 2: They gain access. Usually through stolen credentials, phishing, or exploiting a vulnerability in the vendor’s software. The AT&T/Snowflake breach and the Change Healthcare breach both started with stolen credentials and missing MFA.

Step 3: They move through the vendor’s systems. Once inside, attackers look for customer data, access tokens, or connections to downstream networks. In the SolarWinds attack, they injected malware into a software update that was then distributed to 18,000 customers.

Step 4: Your data gets exposed. The attacker accesses your data sitting in the vendor’s environment, or uses the vendor’s trusted connection to pivot into your network directly.

Step 5: Discovery is delayed. You typically don’t know until the vendor tells you, which can be weeks or months after the initial compromise. Some vendors don’t discover the breach themselves for months.

Fourth-party risk is the risk that comes from your vendors’ vendors. If your cloud provider outsources storage to another company, that company is your fourth party. SecurityScorecard found that 4.5% of all breaches and 12.7% of third-party breaches extend to fourth parties. You often don’t even know who your fourth parties are.

What Are the Biggest Recent Third-Party Breach Examples?

These cases from 2023-2024 show how third-party breaches play out at scale.

Change Healthcare / UnitedHealth (February 2024). The ALPHV/BlackCat ransomware gang breached Change Healthcare through stolen credentials on a server without MFA. 190 million people were affected, and response costs reached $3.1 billion. 94% of hospitals in the US experienced disruption. UnitedHealth paid a $22 million ransom. A $22 million ransom for a server without MFA. That’s the cost of skipping a basic control.

AT&T / Snowflake (April 2024). Attackers used stolen credentials to access AT&T’s data stored on Snowflake’s cloud platform. No MFA was enabled on the Snowflake instances. 110 million AT&T wireless customers had call and text metadata exposed. AT&T settled for $177 million.

MOVEit / Progress Software (May 2023). The Clop ransomware gang exploited a SQL injection vulnerability in Progress Software’s MOVEit file transfer tool. The breach cascaded to over 2,500 organizations and 90 million individuals. Victims included the BBC and Shell, along with multiple US government agencies. This is a textbook example of how one vendor vulnerability becomes everyone’s problem.

Microsoft Midnight Blizzard (January 2024). Russian state-sponsored attackers (Midnight Blizzard/Nobelium) compromised Microsoft corporate email accounts. They accessed emails between Microsoft and its customers, exposing sensitive communications. The breach raised questions about how much access cloud providers have to customer data.

Target (November 2013). Attackers stole credentials from an HVAC contractor to access Target’s network. 40 million payment cards compromised. Over $200 million in damages. This is the case that put third-party breach risk on the map.

Bank of America / Infosys McCamish (February 2024). Infosys McCamish, a technology services provider, was breached. Bank of America customers had names, addresses, dates of birth, Social Security numbers, and account information exposed. The breach showed that even major banks can lose customer data through vendor compromises.

The pattern across these cases is consistent. Attackers target the vendor (not you), gain access through stolen credentials or software vulnerabilities, and your data gets exposed because it was in the vendor’s environment. The entry points are almost always the same: missing MFA, unpatched software, or compromised credentials.

Who Is Liable in a Third-Party Data Breach?

Short answer: you are.

Most data protection laws hold the company that collected the data responsible. You can outsource the processing, but you can’t outsource the liability. The FTC investigates the hiring company for vendor security failures, not the vendor itself.

Under GDPR, data controllers are liable for ensuring processors protect personal data. Controller liability exists even when the processor caused the breach. Under US state laws, breach notification obligations fall on the company that collected the data.

Vendor contracts typically contain broad liability limitations that protect the vendor. Courts have found you often can’t fully shift liability through contractual terms alone.

This doesn’t mean contracts are useless. Indemnification clauses, required cyber insurance, breach notification SLAs, and audit rights all matter. But they limit your financial exposure after a breach. They don’t eliminate your legal responsibility to protect the data in the first place.

In practice, this means you need to treat vendor security as your own security problem. You can’t sign a contract and walk away. You need to assess, monitor, and respond as if the vendor is an extension of your own network, because legally, they are.

For practical steps on reducing this risk, see our guide to preventing third-party data breaches. For building a vendor risk assessment program, see our third-party risk assessment framework.

How Do You Prevent Third-Party Data Breaches?

You can’t eliminate third-party breach risk, but you can reduce it. Here are the controls that matter most.

Assess vendors before onboarding. Request SOC 2 reports or ISO 27001 certifications. Run security questionnaires. Check their breach history. Tier your vendors by risk based on what data they access.

Require MFA for vendor access. The two biggest third-party breaches of 2024 (Change Healthcare and AT&T/Snowflake) both started with stolen credentials and no MFA. This single control would have prevented both.

Segment your network. Don’t give vendors flat access. Put vendor connections on isolated network segments so a breach at the vendor can’t spread laterally to your core systems.

Monitor for credential exposure. When your vendor’s employees’ credentials appear in stealer logs or breach data, it’s an early warning that their environment may be compromised. Credential monitoring catches this before attackers exploit the access. Dark web monitoring extends this to criminal marketplaces where stolen vendor access gets sold.

Limit data sharing. Only share the data your vendor actually needs. The less data in their environment, the less damage a breach can cause.

Have an incident response plan for vendor breaches. Your breach response plan should include a specific playbook for when a vendor gets breached. Who do you call? How do you assess what data was exposed? What are your notification obligations?
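The vendor tiering, MFA, and credential-monitoring controls above can be combined into a single triage pass over an exposure feed. This is an added example, not code from the original article or from any monitoring product; the vendor names, `.test` domains, feed record shape, and scoring weights are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vendor:
    name: str
    domains: tuple
    tier: int            # 1 = holds sensitive data or has network access, 3 = low risk
    mfa_enforced: bool

# Constructed vendor inventory (hypothetical names and reserved .test domains).
VENDORS = [
    Vendor("ExamplePayroll", ("examplepayroll.test",), 1, False),
    Vendor("ExampleCRM", ("examplecrm.test",), 1, True),
    Vendor("ExampleSwag", ("exampleswag.test",), 3, False),
]
# Constructed exposure records, shaped like rows from a credential-monitoring feed.
EXPOSURES = [
    {"email": "ops@examplepayroll.test", "source": "stealer_log"},
    {"email": "OPS@ExamplePayroll.test", "source": "stealer_log"},   # duplicate hit
    {"email": "admin@sso.examplecrm.test", "source": "breach_dump"}, # subdomain
    {"email": "bob@exampleswag.test", "source": "breach_dump"},
    {"email": "eve@notexamplecrm.test", "source": "stealer_log"},    # lookalike, not a vendor
]

def match_vendor(email, vendors):
    """Return the vendor owning the email's domain (exact or subdomain), else None."""
    domain = email.rsplit("@", 1)[-1].lower().rstrip(".")
    for v in vendors:
        # Require a dot boundary so 'notexamplecrm.test' does not match 'examplecrm.test'.
        if any(domain == d or domain.endswith("." + d) for d in v.domains):
            return v
    return None

def priority(vendor, source):
    """Illustrative weights (assumed): tier first, then missing MFA, then feed type."""
    score = {1: 60, 2: 40, 3: 20}.get(vendor.tier, 10)
    score += 0 if vendor.mfa_enforced else 30    # without MFA a password alone grants access
    score += 10 if source == "stealer_log" else 0
    return score

def triage(exposures, vendors):
    """Deduplicate vendor-related exposures and return them highest priority first."""
    seen, findings = set(), []
    for rec in exposures:
        vendor = match_vendor(rec["email"], vendors)
        key = (rec["email"].lower(), rec["source"])
        if vendor is None or key in seen:
            continue
        seen.add(key)
        findings.append((priority(vendor, rec["source"]), vendor.name, key[0], key[1]))
    return sorted(findings, reverse=True)
```

Running `triage(EXPOSURES, VENDORS)` puts the tier-1 vendor without MFA at the top, which is the case to escalate to the vendor contact first.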

For a detailed prevention playbook, see our guide to preventing third-party data breaches.

Conclusion

If you do one thing after reading this, set up credential monitoring for your top ten vendors. The two entry points behind the biggest third-party breaches of 2024 were stolen credentials and missing MFA. Catching exposed vendor credentials early is the single highest-ROI control you can add.

Check your exposure to see if your vendors’ credentials have already appeared on criminal markets.

Third-Party Data Breach FAQ

It’s when someone unauthorized accesses your data through a vendor or service provider you share it with. Your systems aren’t directly attacked. The breach happens at the vendor, but your data is exposed because it was in their environment.

Very common and growing. The Verizon 2025 DBIR found third-party involvement in breaches doubled year over year to 30%. Other industry reports put the number even higher. Both trends are accelerating.

You are. Most data protection laws hold the company that collected the data responsible, not the vendor that processed it. The FTC investigates the hiring company, not the vendor. Contracts can include indemnification clauses, but they don’t eliminate your liability.

Longer than any other attack vector. IBM’s 2025 report found supply chain breaches have the longest lifecycle to identify and contain. Dark web monitoring can cut this by catching your vendor’s exposed credentials before the vendor even knows about the breach.

It’s the risk from your vendor’s vendors. If your cloud provider outsources data storage to another company, that company is your fourth party. 4.5% of all breaches and 12.7% of third-party breaches extend to fourth parties.

You can’t eliminate the risk, but you can reduce it. Vendor security assessments, credential monitoring, network segmentation, and contractual security requirements all help. See our prevention guide for specific steps.
