If attackers breach your vendors, they take your data with them. A third-party data breach gives attackers a side door into your environment—often through tools and services you rely on daily.
Painful as these breaches are, they reveal clearly what went wrong and how stronger risk management could have prevented them. And with the growing complexity of software supply chains and vendor ecosystems, preventing third-party breaches has become as important as securing your own systems.
You can’t control every partner’s cybersecurity posture, but you can control how much risk you inherit. Here’s how.
What Is a Third-Party Data Breach?
A third-party data breach happens when attackers compromise one of your vendors, suppliers, or service providers and gain access to your data.
These attacks don’t target your systems directly. Instead, they go through someone you rely on, like a payroll processor, cloud storage provider, or CI/CD tool. Because those partners often hold access to sensitive information, a single vendor data breach can put your entire environment at risk.
These incidents are sometimes called third-party attacks, and for good reason: they abuse the trust that runs through your supply chain, targeting partners with weaker security controls or less visibility. The result is inherited risk from every connected service. Your own defenses might be solid, but the more integrations and vendors you rely on, the more ways attackers have to get in.
How Does a Third-Party Data Breach Happen?
Not every third-party breach is a sophisticated attack. Many data breaches begin with simple missteps—a leaked credential here, an overlooked asset there. Attackers don’t need to break in when third parties unlock the door.
Here are some of the ways these attacks happen:
- Compromised credentials: Stolen login details, often bought on the dark web or collected through earlier breaches, are among the most common ways attackers infiltrate a vendor's system. From there, they move laterally into your environment with credentials that look legitimate on the surface.
- Phishing attacks: Threat actors use phishing to trick vendor employees into handing over credentials or installing malware. These social engineering attacks often masquerade as urgent requests or familiar services. Once successful, they give attackers a foothold without raising immediate alarms.
- Unsecured assets: Delayed patches, misconfigured cloud storage, and neglected APIs open doors that attackers don’t need to force. Vendors who skip routine maintenance or misunderstand shared responsibility models in the cloud create vulnerabilities that ripple downstream into your systems. Many of these tactics overlap with those used in software supply chain attacks.
- Data-stealing malware: A compromised device on a vendor's network can quietly collect and exfiltrate sensitive information. Keyloggers and remote access trojans often evade detection, allowing attackers to capture credentials and session data they later use to breach your environment.
Examples of Notorious Third-Party Data Breaches
Looking at real-world third-party data breach examples is one of the fastest ways to understand how these incidents unfold and how devastating the impact can be. According to the Verizon 2024 Data Breach Investigations Report (DBIR), supply chain and third-party involvement contribute to data breaches across industries.
In each case below, the breach started outside the affected organization yet caused significant operational, financial, or reputational damage. Each offers clear takeaways on what went wrong and what could have helped prevent it.
1. Microsoft Midnight Blizzard Attack (2024)
In early 2024, a Russian-linked group, Midnight Blizzard (also known as NOBELIUM), pulled off a strategic hack by exploiting a third-party app’s OAuth connection to access Microsoft’s corporate email accounts. The attackers stole tens of thousands of emails, including those belonging to U.S. government officials.
Third-party integrations—even those built years ago—can quietly become backdoors if you don’t regularly audit token permissions and connected apps for outdated access.
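One way to turn that lesson into a routine check, as an added example (not code from the original post or from Microsoft): audit exported OAuth grants against a vendor inventory and flag stale grants, unknown publishers, and high-risk scopes beyond what the vendor's service needs. The grant records, publisher names, scope names and the 90-day staleness window are all constructed assumptions for this example.

```python
from datetime import date, timedelta

# Constructed sample: OAuth grants as exported from an identity provider's
# "connected applications" view. All names and scopes are assumptions.
GRANTS = [
    {"app": "PayrollSync", "publisher": "payroll-vendor.example",
     "scopes": ["Mail.Read", "Files.ReadWrite.All"],
     "last_used": date(2019, 11, 14)},
    {"app": "CI Bot", "publisher": "ci-vendor.example",
     "scopes": ["Repo.Read"], "last_used": date(2024, 5, 30)},
    {"app": "SlideMaker Trial", "publisher": "unknown-dev.example",
     "scopes": ["Mail.ReadWrite", "Directory.Read.All"],
     "last_used": date(2024, 5, 29)},
]

# Vendor inventory: approved publishers and the scopes their service needs.
APPROVED_VENDORS = {
    "payroll-vendor.example": {"Files.ReadWrite.All"},
    "ci-vendor.example": {"Repo.Read"},
}

# Scopes that expose mailboxes or the directory wholesale (illustrative names).
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Directory.Read.All"}


def audit_grants(grants, today, stale_days=90):
    """Return (app, reason) findings for grants to revoke or scope down."""
    findings = []
    cutoff = today - timedelta(days=stale_days)
    for g in grants:
        needed = APPROVED_VENDORS.get(g["publisher"])
        if needed is None:  # nobody owns this integration
            findings.append((g["app"], "publisher not in vendor inventory"))
            needed = set()
        if g["last_used"] < cutoff:  # dormant token is pure liability
            findings.append((g["app"], f"unused since {g['last_used']}"))
        # scopes the vendor never documented a need for, limited to risky ones
        risky = (set(g["scopes"]) - needed) & HIGH_RISK_SCOPES
        if risky:
            findings.append((g["app"], "high-risk scopes beyond documented need: "
                             + ", ".join(sorted(risky))))
    return findings


def demo_findings():
    return audit_grants(GRANTS, date(2024, 6, 1))


if __name__ == "__main__":
    print(*demo_findings(), sep="\n")
```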
2. American Express Data Breach (2024)
Attackers breached a third-party merchant processor used by American Express, leaking sensitive cardholder data like names, account numbers, and expiration dates.
Payment ecosystems rely heavily on third-party infrastructure. Even if your systems are secure, your processor’s misstep can cost you brand trust and regulatory scrutiny.
3. SolarWinds Supply Chain Attack (2020)
The SolarWinds breach was a wake-up call for the industry. Nation-state hackers injected malicious code into Orion software updates, and more than 18,000 customers, including government agencies and Fortune 500 companies, downloaded it.
Signed software updates aren’t bulletproof. Integrity checks, behavioral analysis, and continuous monitoring help detect tampered builds earlier in the supply chain.
4. Infosys McCamish Incident (2023)
Through a third-party vendor used by Bank of America, attackers accessed names, birth dates, and Social Security numbers for over 6.5 million people. Public reports and lawsuits suggest the vendor lacked adequate cybersecurity controls, which may have included weaknesses in its external-facing systems.
Even “trusted” partners may have outdated security practices. During third-party assessments, you should treat public-facing misconfigurations as red flags.
5. MOVEit File Transfer Exploits (2023)
Attackers exploited zero-day flaws in Progress Software’s MOVEit platform to gain access to sensitive data across hundreds of organizations. Affected parties included payroll vendors, airlines, universities, and state governments. In this case, the MOVEit platform became a breach vector, and each organization relying on it became an indirect attack victim.
Managed file transfer tools are high-value targets. When these tools sit at the center of sensitive workflows, their vulnerabilities cascade across entire ecosystems.
6. Toyota Kojima Industries Incident (2022)
A ransomware attack on Kojima Industries, a parts supplier, forced Toyota to shut down 14 production lines across Japan. Although hackers didn’t breach Toyota directly, the disruption still affected nearly a third of its global output.
Cyber risk isn’t just about stolen data. Operational downtime from supplier incidents can hit revenue just as hard and demand a more holistic view of risk across vendors.
7. Uber and Teqtivity Breach (2022)
In this breach, threat actors exploited a vulnerability in Teqtivity, a vendor Uber uses for IT asset management. The breach exposed over 77,000 employee records, including internal system identifiers and configuration details.
IT and HR vendors often have deep internal access. Some teams treat a vendor breach as less urgent than a customer data leak, but attackers routinely use the exposed internal details for privilege escalation and follow-on attacks.
How to Protect Against Third-Party Data Breaches: Best Practices
You can’t protect every vendor from breaches, but you can control the damage they cause. These best practices help you shrink your attack surface and limit the impact of threats that don’t originate in your environment.
Conduct Continuous Monitoring of Third Parties
A one-time audit isn’t enough. As vendor environments evolve, risk levels do too. Real-time monitoring gives you a live feed into your third parties’ security posture, flagging issues like expired certificates, exposed ports, or compromised credentials before they escalate. When vendors handle sensitive data or plug into core systems, continuous monitoring gives you the only real-time view into their shifting risk.
Keep an Accurate Inventory of Vendors
You can’t secure what you can’t see. A surprising number of organizations don’t have a complete record of their third-party vendors, making it nearly impossible to track or manage risks.
A centralized inventory that records each vendor’s access levels, the systems it touches, and the data you share with it is the foundation of effective third-party risk management (TPRM). It is also the starting point for applying broader data security and protection practices across your environment.
Minimize the Data You Share
Even with trusted partners, limit what information they can access. Vendors should only receive the data they need to perform their services—nothing more. This reduces exposure if a breach happens and aligns your organization with least-privilege principles.
Sensitive tokens and credentials deserve extra scrutiny here, especially those stored in repos or config files. Addressing this risk starts with understanding how exposed secrets often slip through during development.
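As an added example of the scrutiny described above (not code from the original post or from Legit Security): a small scan over a constructed config file that flags vendor credentials by known key format and by high-entropy values assigned to secret-looking names, while skipping placeholders and vault references so the findings are worth acting on. The sample config, variable names and the 3.5-bit entropy threshold are assumptions; the `AKIAIOSFODNN7EXAMPLE` value is a documented non-functional placeholder.

```python
import math
import re

# Constructed sample config with the kind of third-party credentials that
# leak into repos. Every value here is made up or a documented placeholder.
SAMPLE_CONFIG = """\
# payment processor settings
PAYMENTS_API_KEY = "pk-9f3Ae72QbX1LmZ0sR4tYv8Wd"
STORAGE_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
STORAGE_SECRET = "${VAULT_STORAGE_SECRET}"
PAYROLL_TOKEN = "CHANGE_ME"
LOG_LEVEL = "debug"
"""

# Credential formats with a fixed, recognizable shape (AWS-style key IDs here).
KNOWN_FORMATS = [("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"))]
# NAME = "value" where NAME hints at a secret; group 1 is the name, 2 the value.
ASSIGNMENT = re.compile(
    r"""^\s*([A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)[A-Z0-9_]*)\s*=\s*["']?([^"'\s]+)""")
# Values that are not secrets: vault/env references and common placeholders.
PLACEHOLDERS = re.compile(r"^(\$\{.*\}|CHANGE_ME|<.*>|x{3,}|TODO)$", re.I)


def shannon_entropy(s):
    """Bits per character; random-looking strings score above ~3.5."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value):
    """Keep just enough of the value to locate it, never the whole secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_config(text, entropy_threshold=3.5):
    """Return (line_no, kind, redacted_value) for each probable secret."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for kind, pat in KNOWN_FORMATS:
            m = pat.search(line)
            if m:
                findings.append((no, kind, redact(m.group(0))))
                break
        else:  # no known format matched: fall back to name + entropy heuristic
            m = ASSIGNMENT.match(line)
            if m and not PLACEHOLDERS.match(m.group(2)) \
                    and shannon_entropy(m.group(2)) >= entropy_threshold:
                findings.append((no, "high-entropy-" + m.group(1).lower(), redact(m.group(2))))
    return findings
```

The entropy heuristic misses short dictionary passwords, so pair it with format rules and run the scan in a pre-commit hook rather than only on the shared repo.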
Build Security Requirements Into Every Contract
It’s not enough to assume your vendors follow best practices. Make those expectations explicit in your agreements. Contracts should define minimum security standards, including multi-factor authentication, patching timelines, breach notification requirements, and adherence to frameworks like ISO 27001 or SOC 2. Clear language gives you leverage if standards slip and ensures everyone operates from the same playbook.
Assess Vendors After Onboarding
Security vetting must be ongoing, not just a box you tick during onboarding. Reevaluate vendors regularly to account for scope changes, service updates, or incidents. If the vendor relies heavily on cloud services, their posture may shift depending on how well they follow cloud application security best practices, especially in multi-tenant environments where isolation and configuration matter.
Include Incident Response in Your Vendor Playbook
Vendors should be ready to act when something goes wrong. That means having an incident response plan that fits into your own, including timelines for communication, defined points of contact, and access limitations during investigations. The faster you coordinate across teams, the better your chance of containing a breach before it spreads.
How Legit Security Helps You Prevent Third-Party Data Breaches
Legit Security helps you avoid third-party data breaches by securing every layer of your software supply chain—from the code you write to the third-party components you rely on. It monitors vulnerabilities, misconfigurations, and exposed secrets across your development pipelines, including those introduced by external tools or dependencies.
With real-time visibility into third-party risks and automated policy enforcement, Legit lets you detect and remediate issues before they become incidents. Instead of reacting after a breach, you gain the context and control to prevent one. Request a demo today.