TL;DR: Third-party vendor involvement in data breaches doubled to 30% in 2025 and continues to rise. The pattern is clear: attackers target smaller, less-secured vendors as entry points to larger organizations. Recent examples include Ledger (Global-e e-commerce partner), Korean Air (pension administrator), and PowerSchool (student information systems). AI is accelerating these attacks by automating vulnerability discovery and crafting perfect phishing emails. Your own security doesn't matter if your vendors are compromised. Here's the pattern and what you can do.
The Pattern
Supply chain attacks follow a consistent logic:[1]
- Target selection: Attackers identify a high-value organization with strong security
- Vendor mapping: They map the target's third-party relationships: suppliers, SaaS providers, contractors
- Weak link: They find a vendor with weaker security but trusted access
- Vendor compromise: Attack the vendor through phishing, vulnerabilities, or credential theft
- Pivot: Use the vendor's trusted access to reach the real target
- Payload: Exfiltrate data, deploy ransomware, or establish persistence
The beauty (for attackers) is efficiency: compromise one vendor, access hundreds of their customers.
Recent Cases Show the Pattern
Ledger (January 2026)
Hardware wallet company breached via Global-e, their e-commerce fulfillment partner. Customer shipping addresses and contact details exposed.
Korean Air (January 2026)
30,000 employees exposed via breach of pension benefits administrator. Attackers didn't need to breach Korean Air directly.
PowerSchool (2024-2025)
62+ million student records compromised via customer support portal credentials. One vendor, thousands of school districts.
Gravy Analytics (2025)
17 TB of location data from hundreds of apps, all feeding data to one broker that was breached.
Each case: the target organization's own security was irrelevant. The vendor was the entry point.
The Numbers
The trend is accelerating:[2]
- 30% of breaches now involve third parties (doubled from prior year)
- 61% increase in attacks on logistics providers
- Third-party ransomware was the dominant attack pattern in 2025
- SaaS supply chains are expected to become primary entry points in 2026
Organizations may have excellent internal security, but the average enterprise has hundreds of vendor relationships, each a potential vulnerability.
Why Vendors Are Targeted
- Trusted access: Vendors often have direct connections to customer systems or data
- Smaller security budgets: Many vendors lack enterprise-grade security resources
- Force multiplier: One vendor breach = many customer breaches
- Audit gaps: Organizations struggle to assess all vendor security
- Credential reuse: Vendor employees may reuse passwords across systems
AI Accelerates Everything
Artificial intelligence is amplifying supply chain attacks:[3]
Automated Reconnaissance
AI maps vendor relationships and identifies weak links faster than human researchers.
Perfect Phishing
AI crafts personalized phishing emails that bypass traditional detection: no grammar errors, perfect context.
Vulnerability Discovery
AI accelerates finding exploitable weaknesses in vendor software and configurations.
Scale
What took human attackers weeks can now happen in hours, targeting many vendors simultaneously.
The SaaS Supply Chain Problem
Modern organizations depend on sprawling SaaS ecosystems:[4]
- The average enterprise uses 100+ SaaS applications
- Each SaaS provider has its own vendors and integrations
- Data flows through multiple third parties you may not know about
- API connections create implicit trust relationships
- OAuth tokens and service accounts provide persistent access
When a SaaS provider is breached, all their customers are potentially exposed. And most organizations don't have full visibility into their SaaS supply chain.
How to Protect Yourself
For Organizations
- Vendor inventory: Know every third party that touches your data or systems
- Risk tiering: Classify vendors by access level and data sensitivity
- Security assessments: Require security questionnaires and audits for critical vendors
- Contractual requirements: Include security standards, breach notification, and liability in contracts
- Least privilege: Give vendors only the minimum access necessary
- Monitoring: Log and alert on vendor access patterns
- Incident response: Have plans specifically for vendor breach scenarios
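One way to combine the inventory, risk tiering, least privilege and monitoring items above into a single check, as an added example that is not from the original article. The vendor accounts, scopes, IP ranges, volume ceilings and log format are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory (hypothetical names): tier 1 = sensitive data, tier 3 = low impact.
@dataclass(frozen=True)
class Vendor:
    tier: int
    scopes: frozenset      # resources the contract grants (least privilege)
    networks: tuple        # source ranges the vendor registered
    max_records: int       # per-request volume ceiling for this vendor

INVENTORY = {
    "svc-fulfillment": Vendor(1, frozenset({"orders", "shipping"}), ("198.51.100.0/24",), 500),
    "svc-benefits": Vendor(1, frozenset({"hr_pension"}), ("203.0.113.0/24",), 200),
    "svc-analytics": Vendor(3, frozenset({"web_metrics"}), ("192.0.2.0/24",), 10000),
}

# Constructed access log: timestamp, account, source IP, resource, records returned.
SAMPLE_LOG = """\
2026-01-05T09:12:00 svc-fulfillment 198.51.100.7 orders 120
2026-01-05T09:40:00 svc-fulfillment 198.51.100.7 customers 40
2026-01-05T23:58:00 svc-benefits 192.0.2.99 hr_pension 150
2026-01-06T02:14:00 svc-benefits 203.0.113.20 hr_pension 30000
2026-01-06T03:01:00 svc-support 203.0.113.50 students 10
"""

def review_vendor_access(log_text, inventory=INVENTORY):
    """Return (timestamp, account, reason, severity) for each policy deviation."""
    findings = []
    for line in log_text.strip().splitlines():
        ts, account, src, resource, count = line.split()
        vendor = inventory.get(account)
        if vendor is None:
            findings.append((ts, account, "account not in vendor inventory", "high"))
            continue
        # Tier 1 vendors hold sensitive data, so their deviations are high severity.
        sev = "high" if vendor.tier == 1 else "low"
        if resource not in vendor.scopes:
            findings.append((ts, account, f"out-of-scope resource {resource}", sev))
        if not any(ip_address(src) in ip_network(n) for n in vendor.networks):
            findings.append((ts, account, f"unregistered source {src}", sev))
        if int(count) > vendor.max_records:
            findings.append((ts, account, f"volume {count} over ceiling", sev))
    return findings

if __name__ == "__main__":
    for ts, account, reason, sev in review_vendor_access(SAMPLE_LOG):
        print(f"[{sev}] {ts} {account}: {reason}")
```

The unknown-account check only works if the inventory is complete, which is why the inventory item comes first in the list.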
For Individuals
- Minimize services: Fewer accounts = fewer potential breach points
- Unique passwords: Breached vendors can't compromise other accounts if passwords are unique
- Monitor breaches: Use breach notification services to learn when your data is exposed
- Freeze credit: Prevent fraud from vendor-sourced identity theft
- Review permissions: Audit which apps and services have access to your accounts
How Defense Is Evolving
Security practices are shifting in response:[5]
- Zero Trust: Verify every access request, even from "trusted" vendors
- Continuous monitoring: Ongoing visibility into vendor access, not just point-in-time audits
- Supply chain visibility: Tools to map and monitor entire vendor ecosystems
- Software bill of materials: Tracking all components in software supply chains
- Faster detection: Emphasis on detecting breaches quickly since prevention will sometimes fail
The Bottom Line
Your security is only as good as your weakest vendor. And you have a lot of vendors.
The pattern is clear and accelerating: Ledger via Global-e. Korean Air via pension administrator. PowerSchool via support portal. Gravy Analytics via app partnerships. In each case, the primary organization's defenses were irrelevant.
Third-party breaches have doubled and will keep rising. AI makes attacks faster and more effective. SaaS dependencies create hidden risks.
Organizations need vendor security programs as a core competency. Individuals need to assume their data will eventually be breached through some third party they've never heard of, and protect themselves accordingly.
The perimeter isn't yours anymore. Your vendors are inside it.