Third-Party Breaches Are the Cause of More Than 33% of Data Breaches

A growing number of cyber actors are targeting retailers, suppliers, and software companies, exploiting vulnerabilities to gain access to their systems. According to the latest SecurityScorecard report, about 35.5% of the data breaches in 2024 were due to third-party breaches, up 6.5% from 2023. The true number of breaches brought on by third parties is probably higher, since third-party data breaches are not always reported.

The Global Third-Party Breach Report draws on a study by SecurityScorecard’s STRIKE Threat Intelligence Unit covering companies in several industries. A third-party data breach is defined as one that started at a retailer, supplier, or business associate. Attackers compromise a business-to-business vendor and, through it, reach data that one organization has entrusted to that third party.

Entities in North America submitted most of the breach reports, accounting for 59% of data breaches and 53% of third-party data breaches. Healthcare, biotechnology, and pharmaceutical companies had the largest share of third-party breaches, at 22%. Of the 1,000 data breaches in the report, 242 involved healthcare, biotechnology, and pharmaceutical companies, roughly twice the number seen in the government, aerospace, and defense sectors.

In the healthcare industry, 32.2% of data breaches involved third-party compromises. This statistic reflects that healthcare companies are attacked more often because they are seen as easy targets: they are thought to have weaker security than other industries, a lower tolerance for downtime, and large volumes of sensitive information, including protected health information (PHI). The high number of direct attacks shows that attackers need not mount more complicated attacks on providers, because there are plenty of opportunities to target these companies directly.

Ransomware threat groups are increasingly attacking supply chains, and 41.4% of ransomware attacks involve third parties. The most prolific actor of this type is Cl0p, owing to its mass exploitation of vulnerabilities in third-party file transfer solutions. Another highly active threat group in 2024 was RansomHub, which became the most prominent ransomware group after the AlphV/BlackCat group shut down and the LockBit group was disrupted by law enforcement operations.

In 2023, technology products were involved in 75% of third-party breaches; in 2024, threat actors shifted their targeting and the share fell to 46.75%. The number one breach enabler was file transfer software (14% of incidents), as the Cl0p group exploited vulnerabilities in Cleo software, followed by cloud products and services (8.35% of incidents). Although technology used across multiple industries was targeted, 27.5% of third-party breaches involved products and services specific to healthcare and financial services, as in 2023. In healthcare, pharmaceutical distribution and clinical trial support vendors account for 7% of industry-specific attack vectors, healthcare administrative and management services for 4.25%, and mobile applications, healthcare software, and telehealth services for 2%.

SecurityScorecard recommends that supply chain security be prioritized by requiring secure-by-design technology and hardening high-risk infrastructure, particularly file transfer software, VPN solutions, cloud infrastructure, and healthcare-specific services.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience writing about healthcare sector issues, with a focus on compliance and cybersecurity, and has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA