{"id":4757,"date":"2026-03-08T07:36:40","date_gmt":"2026-03-08T07:36:40","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2026\/03\/08\/huge-shadow-layer-of-organizations-hit-by-supply-chain-attacks\/"},"modified":"2026-03-08T07:36:40","modified_gmt":"2026-03-08T07:36:40","slug":"huge-shadow-layer-of-organizations-hit-by-supply-chain-attacks","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2026\/03\/08\/huge-shadow-layer-of-organizations-hit-by-supply-chain-attacks\/","title":{"rendered":"Huge \u201cShadow Layer\u201d of Organizations Hit by Supply Chain Attacks"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"https:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/ea721ff9-8ba4-4d88-b386-57e9e1606077.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of Phil Muncaster\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>Security experts have claimed that the blast radius of third-party data breach incidents is far larger than at first thought, with more than 433 million individuals impacted by 136 events last year.<\/p>\n<p>Black Kite compiled its seventh annual <em>Third-Party Breach Report <\/em>from analysis of verified public breach disclosures in 2025, external cyber risk telemetry and supply chain intelligence.<\/p>\n<p>It said 136 verified breaches had 5.28 publicly named downstream victims per vendor, amounting to 719 companies and 433 million individual end customers.<\/p>\n<p>However Black Kite said affected vendors also reported an additional 26,000 corporate victims without naming them. That could mean the total number of downstream individuals impacted is even greater. 
<\/p>\n<p>The ground zero for these events tended to be software services vendors, which accounted for 38 (28%) of the 136 verified breaches, followed by professional and technical services (14) and healthcare services providers (10).<\/p>\n<p>In terms of downstream corporate victims, most appear to be in healthcare (258), education (140) and financial services (101).<\/p>\n<p>\u201cThese sectors tend to combine high data sensitivity with heavy reliance on external platforms, placing them downstream in complex dependency chains,\u201d the report noted. \u201cThe pattern is consistent. Breach impact accumulates in data-rich sectors at the edges of the supply chain, while risk originates upstream, within a smaller set of centralized service providers.\u201d<\/p>\n<h2><strong>Less Visibility, More Risk<\/strong><\/h2>\n<p>The report also highlighted delays in breach discovery and public disclosure. The median time for vendors to detect an intrusion was 10 days, while the average was 68 days.<\/p>\n<p>While this indicates a problem with threat detection, delays in notification potentially reveal forensics and incident response issues. The report claimed that time to notify customers hit a median of 73 days and an average of 117 days.<\/p>\n<p>\u201cLet\u2019s be clear: 73 days is not an \u2018investigation period.\u2019 In the context of active exploitation it is an eternity,\u201d the report noted. \u201cThis delay denies downstream customers the chance to revoke access, reset credentials or lock down their own systems. Transparency delayed is risk transferred.\u201d<\/p>\n<p>The chances of future breaches remain high. 
Of the 200,000 organizations monitored by Black Kite, over half (54%) had at least one critical vulnerability and 23% were found to have corporate credentials circulating on the dark web.<\/p>\n<p>An analysis of the top 50 \u201cmost shared\u201d vendors among Forbes Global 2000 customers found that:<\/p>\n<ul>\n<li>70% have at least one CISA KEV exposure, and 84% have critical vulnerabilities<\/li>\n<li>80% display exposure to phishing URLs, and 40% show signals of active targeting<\/li>\n<li>62% have corporate credentials exposed in stealer logs, and 30% have breached credentials in the past 90 days<\/li>\n<li>52% have a breach history, with 18% suffering an incident in the past year<\/li>\n<\/ul>\n<p>\u201cTraditional third-party risk management is not keeping pace with the reality of today\u2019s threats,\u201d argued Ferhat Dikbiyik, chief research and intelligence officer at Black Kite. \u201cOver the past year, these risks have transformed from a series of isolated accidents into a systematic crisis.\u201d<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Security experts have claimed that the blast radius of third-party data breach incidents is far larger than at first thought, with more than 433 million individuals impacted by 136 events last year. 
Black Kite compiled its seventh annual Third-Party Breach Report from analysis of verified public breach disclosures in 2025, external cyber risk telemetry and<\/p>\n","protected":false},"author":2,"featured_media":4758,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-4757","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4757-e87cc9d4-9b0b-4dab-bb70-8eb00faa770c.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4757-e87cc9d4-9b0b-4dab-bb70-8eb00faa770c-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4757-e87cc9d4-9b0b-4dab-bb70-8eb00faa770c.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4757-e87cc9d4-9b0b-4dab-bb70-8eb00faa770c.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4757-e87cc9d4-9b0b-4dab-bb70-8eb00faa770c.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4757-e87cc9d4-9b0b-4dab-bb70-8eb00faa770c.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4757-e87cc9d4-9b0b-4dab-bb70-8eb00faa770c.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4757-e87cc9d4-9b0b-4dab-bb70-8eb00faa770c.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4757-e87cc9d4-9b0b-4dab-bb70-8eb00faa770c.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4757-e87cc9d4-9b0b-4dab-bb70-8eb00faa770c.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2026\/03\/4757-e87cc9d4-9b0b-4dab-bb70-8eb00faa770c-146x146.jpg",146,146,true]},"author_info":{"display_nam
e":"henry","author_link":"https:\/\/ft365.org\/index.php\/author\/henry\/"},"category_info":"<a href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4757","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=4757"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/4757\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/4758"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=4757"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=4757"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=4757"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}