Top 14 Third-Party Data Breaches in 2025

Did you know that Verizon reported nearly 30% of data breaches in 2025 involved third-party suppliers?


Yes, that’s right.

Third-party breaches are becoming a “new normal”. They break customer trust, damage brands, and cost companies millions of dollars.

Even the third-party breaches in 2024 cost businesses millions of dollars. And 2025 is no exception.

Let’s discuss the various third-party breaches that have happened so far in 2025 and steps you can take in your third-party risk management program.

Why Are Third-Party Data Breaches Surging?

Companies today use dozens, sometimes hundreds, of vendors. And that’s where the problem begins.

That means the chances of being exposed through someone else’s system are extremely high.



The financial damage is also growing. Reports in 2025 indicate that when a breach originates from a third-party system, the average cost to remediate it is now nearly $4.8 million. That is higher than the cost of breaches caused by internal systems alone.

In simple terms, our growing dependence on external technology is accelerating the pace of change. But it’s also giving cybercriminals more doors to try.

14 Major 2025 Breaches via Third Parties

Even though it’s only July, 2025 is already filled with data breaches that have cost companies millions of dollars in losses. Let’s take a look at thirteen of them that you might not even know about yet.

1. UBS / Chain IQ Group AG (June 2025)

On June 12, 2025, procurement vendor Chain IQ Group AG suffered a sophisticated cyberattack. Hackers accessed data from Chain IQ and at least 19 of its clients, uploading files to the dark web shortly afterward.

The breach involved a ransomware group using previously unseen tools and tactics to infiltrate secure procurement systems.

Impact:

Over 130,000 employee records, including names, emails, phone numbers, and workplace location codes, from firms such as UBS and Pictet, were exposed. Even UBS CEO Sergio Ermotti’s direct phone number appeared in the leaked data.

Fortunately, no client financial info was affected, but internal organizational intelligence was compromised.

2. Toronto District School Board / PowerSchool (May – June 2025)

PowerSchool, the student information platform used by the Toronto District School Board (TDSB), was breached between December 22 and 28, 2024. The breach was publicly disclosed early in 2025.

Even after paying the ransom, the attackers continued to contact school districts for further extortion attempts.

Impact:

Data from students and staff dating back to 1985 was exposed, including birthdates, contact details, medical alerts, and Social Security numbers in some cases.

The breach affected millions of records across school districts. And despite the payment, the hackers are still trying to extort them.

3. Kellogg’s and Adidas / Cleo Vendor (May 2025)

The Cleo managed file-transfer platform, used by organizations such as Kellogg’s and Adidas, was compromised in December 2024.

The Clop ransomware group exploited two zero‑day flaws in the software, enabling unauthorized access to HR and employee files.

Impact:

At least one employee’s name and Social Security number were confirmed to have been leaked. However, broader investigations suggest sensitive data from numerous staff could have been exposed.

Cleo later disclosed that over 66 companies experienced breaches via the same vulnerabilities.

4. Qantas / Offshore Contact-Centre Platform (June 2025)

On June 30, 2025, Qantas detected suspicious activity in a third‑party platform used by one of its offshore call centers (reportedly in Manila).

Hackers accessed up to 5.7–6 million customer records, including personal and loyalty data.

Impact:

Compromised data included names, emails, phone numbers, birth dates, and frequent flyer details. Although passwords and payment information were unaffected, over 1.7 million records contained higher-risk identifiers, such as addresses and birth dates.

Qantas is now facing legal and reputational fallout, including class-action claims and an ongoing criminal investigation.

5. Episource Healthcare Billing (Feb–Jun 2025)

Episource, a U.S. medical billing and risk‑adjustment firm owned by Optum, detected unauthorized network access between January 27 and February 6, 2025.

The company serves multiple health systems across the country. This data breach was publicly disclosed in June and affected over 5.4 million individuals.

Impact:

Patient and provider records, including medical coding data and personal identifiers, were stolen.

Episource engaged forensic experts, notified regulators, and began offering credit monitoring to those affected. Fear and legal risk rose sharply for health providers sharing data via Episource.

6. Hy‑Vee Grocery Store / Atlassian (June 2025)

On June 23, 2025, the Stormous hacker group confirmed a breach of Hy-Vee’s Atlassian-based systems (Confluence and Jira) by using stolen credentials with infostealer malware.

Approximately 53 GB of internal documents were extracted, including operational records, infrastructure diagrams, and HR policies.

Impact:

Exposure of operational blueprints, staff data, and IT architecture poses long-term security risks. Hy‑Vee faces reputational damage and may incur costs for system audits, policy reviews, and lockdown updates.

7. Insight Partners (Jan 2025)

On January 16, 2025, venture capital firm Insight Partners was compromised via a social engineering attack affecting its third-party cloud CRM system.

Sensitive fund, portfolio, limited partner, banking, and personal employee information was likely accessed. The firm has more than $90 billion in assets under management.

Impact:

While operational impact was minimal, exposed client data puts both investors and individuals at risk for targeted phishing, identity theft, or financial manipulation. Insight notified the authorities and began promptly alerting stakeholders.

8. UK Co‑op & Marks & Spencer via Delivery Partner (April–May 2025)

In early 2025, both Co‑op and Marks & Spencer suffered breaches linked to a shared third-party delivery provider.

Attackers exploited phishing on vendor employees to gain access to contact and order data (names, emails, phone numbers, delivery addresses). M&S acknowledged a ransomware link via Scattered Spider using DragonForce tools.

Impact:

Combined, over 6.5 million customer and member records were compromised. M&S temporarily took its online operations offline, and Co‑op stores already experienced checkout disruptions. Legal fallout and fraud risks surged, prompting law enforcement investigations.

9. Community Health Center (Feb 2025)

In February 2025, a community health provider experienced a third-party breach affecting patient data; however, the exact vendor involved was not publicly disclosed.

Records, including contact information, medical identifiers, and billing details, were impacted.

Impact:

Even small clinics received regulatory scrutiny due to the breach. Patients were offered credit monitoring.

The incident underscored how healthcare vendors, even at local levels, carry significant risk when sharing PHI without strong safeguards.

10. Change Healthcare / UnitedHealth through Optum (February 2024 – 2025)

In February 2024, a ransomware attack hit Change Healthcare, part of UnitedHealth’s Optum division.

The breach exposed protected health and personal data belonging to approximately 190 million individuals. This made it the largest healthcare data breach ever recorded.

Impact:

The hack disrupted claim processing nationwide, resulting in delayed prescriptions and payments to providers.

UnitedHealth spent over $2–2.45 billion responding and reimbursed providers more than $4.7 billion. However, long-term litigation continued into 2025, and regulatory scrutiny under HIPAA has been intense.

11. Sam’s Club / Cleo Communications File Transfer Platform (March–April 2025)

The Clop ransomware group publicly claimed Sam’s Club as a victim after exploiting a zero-day flaw (CVE‑2024‑50623) in Cleo’s file transfer software.

Although the data wasn’t officially confirmed to have been breached, the retail giant and the vendor are under investigation for potential data exposure. This potentially affected both customer and employee records.

Impact:

A class-action lawsuit alleged that both parties failed to secure personally identifiable information.

While the lead plaintiff later dropped the case, legal scrutiny remains over whether adequate encryption or deletion policies were in place. The operational impact remains unclear, although the reputational risk is high.

12. Harrods via Supplier Portal Compromise (May 2025)

In May 2025, the luxury retailer Harrods faced a data breach after attackers exploited a flaw in a third-party supplier portal.

The compromised system, managed by an external vendor, gave hackers access to sensitive supplier records and internal communications.

Impact:

While no direct customer data was confirmed to have been leaked, business documents and supplier contact information were reportedly accessed. Investigators believe outdated access controls and a lack of real-time monitoring made the attack possible.

13. Ascension via Vendor (May 2025)

In mid‑2025, Ascension Health disclosed a third-party breach linked to a former business partner. The root cause was linked to a security vulnerability in the MOVEit Transfer software used by a now-former vendor partner.

The stolen information included patient names, Social Security numbers, medical diagnoses, billing information, and clinical details.

Impact:

The vulnerability affected 437,329 patients, exposing names, SSNs, diagnoses, insurance, and clinical data. All of this happened without any fault in Ascension’s own networks.

The exposed data posed significant risks of medical identity theft. Overnight, Ascension had to notify regulators, offer two years of credit monitoring, and conduct reviews across multiple states (TX, MI, TN, IN, AL).

14. Multiple Enterprises via Salesforce (August 2025)

The affected organizations include Allianz Life, Adidas, Google, Cartier, Louis Vuitton, Dior, Chanel, Tiffany, Pandora, Qantas, Air France–KLM, Cisco, Workday, and now Farmers Life Insurance.

This breach wasn’t caused by a technical flaw—it was the exploitation of trust. Attackers tricked employees into approving malicious OAuth apps disguised as Salesforce tools. Once authorized, those apps functioned like legitimate integrations, but under the control of adversaries.

Impact:

The impact was twofold: mass exposure of PII and credential harvesting. The breach at Allianz Life alone involved 1.1 billion personal records of consumers, and that is just one of the companies that continue to come forward. Additionally, it’s reported that over 700 organizations were targeted in the Salesforce campaign led by UNC6395. Attackers exfiltrated AWS access keys, passwords, and Snowflake tokens, posing serious downstream security risks.

Four Tips to Reduce Third‑Party Breach Risk

Third-party data breaches are no longer rare. They’re becoming the new normal. Threat actors have various motives or incentives, from smash-and-grab attacks for a quick payday to pilfering data in preparation for a post-quantum “harvest now, decrypt later” world. In that scenario, the exfiltrated data may be encrypted today, but in a few years the threat actors would have access to post-quantum cryptography tools that let them read data stolen today. That’s why protecting your organization isn’t just about strengthening your own systems.

Here are four simple but powerful ways to reduce the risk of third-party breaches:

1. Continuous Auditing

Most companies conduct vendor reviews only once a year, which is not enough. Technology changes fast, and so do threats.

Continuous auditing means regularly checking how your third-party tools, platforms, and partners are managing your data. This includes reviewing access logs, testing for vulnerabilities, and checking if vendors are following the latest security practices.

2. API / SaaS Security Controls

APIs and cloud-based SaaS apps are essential in modern workflows. But they can also become backdoors if not adequately secured.

To lower risk, use API gateways, data encryption, and rate limiting. Set strict permission controls so apps only access the data they truly need. Also, always turn off unused API endpoints and monitor for unusual behavior.
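The permission controls in this tip, and the malicious OAuth apps described in the Salesforce incident above, both come down to reviewing which connected apps hold grants and with what scopes. The following is an added example, not code from FortifyData or Salesforce: the record fields, client IDs, scope labels, and 90-day threshold are constructed assumptions standing in for whatever your SaaS platform exports.

```python
from datetime import date

# Hypothetical allowlist keyed by OAuth client ID (display names can be copied).
APPROVED = {
    "client-001": {"name": "Data Loader", "scopes": {"api"}},
    "client-002": {"name": "Support Chat Connector", "scopes": {"api", "chatter_api"}},
}
STALE_DAYS = 90  # assumed threshold for treating a grant as unused


def audit_grants(grants, today):
    """Return sorted (client_id, user, reason) findings for review or revocation."""
    approved_names = {a["name"].lower() for a in APPROVED.values()}
    findings = []
    for g in grants:
        cid, user, scopes = g["client_id"], g["user"], set(g["scopes"])
        entry = APPROVED.get(cid)
        if entry is None:
            # A familiar name on an unknown client ID is the disguise case.
            if g["name"].strip().lower() in approved_names:
                reason = "unapproved client ID reusing an approved app name"
            else:
                reason = "app not on approved list"
            findings.append((cid, user, reason))
            continue
        extra = scopes - entry["scopes"]
        if extra:
            findings.append((cid, user, "scopes beyond approval: " + ", ".join(sorted(extra))))
        if (today - g["last_used"]).days > STALE_DAYS:
            findings.append((cid, user, "grant unused for over %d days" % STALE_DAYS))
    return sorted(findings)


# Constructed sample export of per-user OAuth grants (not real data).
SAMPLE_GRANTS = [
    {"client_id": "client-001", "name": "Data Loader", "user": "alice",
     "scopes": ["api"], "last_used": date(2025, 8, 20)},
    {"client_id": "client-777", "name": "Data Loader", "user": "bob",
     "scopes": ["api", "full", "refresh_token"], "last_used": date(2025, 8, 28)},
    {"client_id": "client-002", "name": "Support Chat Connector", "user": "carol",
     "scopes": ["api", "chatter_api", "full"], "last_used": date(2025, 3, 1)},
    {"client_id": "client-900", "name": "Calendar Sync", "user": "dave",
     "scopes": ["api"], "last_used": date(2025, 8, 1)},
]

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS, date(2025, 9, 1)):
        print(finding)
```

Keying the allowlist on client ID rather than display name is what catches an app that borrows a trusted tool's name.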

3. Employee and Vendor Training

Many breaches occur because someone clicked on a malicious link or reused a weak password. Training can fix that.

Ensure that your team and vendors understand the basics of cybersecurity. This includes recognizing phishing, setting strong passwords, and knowing what data they’re allowed to share. Training should be brief, concise, and conducted regularly, not just once a year.

4. Strong TPRM Processes

TPRM stands for Third-Party Risk Management. It’s the backbone of preventing vendor-related attacks.

A strong TPRM process involves vetting every vendor before signing a contract. It includes security questionnaires, risk scoring, data handling agreements, and setting exit plans. Many third-party risk management tools can help automate these steps to reduce the time (and costs) your personnel spend on vendor due diligence and check-ups via annual assessments. You should also have a tiered approach.

Save Yourself from Third-Party Breaches with FortifyData

Third-party cyberattacks are rising rapidly, and 2025 has proven just how damaging they can be. No business is too big or small to fall victim. The question is, do you want to be the next headline?

If not, then FortifyData is here to help you stay ahead.

Our platform provides continuous third-party risk monitoring, automated security assessments, and real-time alerts to detect threats before they occur.

Don’t wait for a breach to expose your business. Try FortifyData today and protect what matters.

Source: FortifyData Third-Party Risk Management Vendor Portfolio Dashboard

FAQs

1. How do I audit vendor security?

You can audit vendor security by reviewing their certifications (like ISO 27001), sending security questionnaires, assessing their external attack surface for vulnerabilities and other threat exposures, and checking for strong encryption and access controls. Regular monitoring, reviewing API access, and asking for recent security assessments or audits also help. Always document everything and include clear security terms in your vendor contracts.

2. What legal liability do companies have?

Even if a third party causes the breach, your company may still be held liable. You may face fines, lawsuits, or regulatory action under laws such as GDPR or HIPAA. To protect yourself, include data protection clauses in contracts and maintain a strong vendor risk management process with clear documentation and review steps.

3. What to do if my data is compromised in a third-party breach?

First, confirm the breach and contact your legal team. Notify affected users and regulators if required. Offer support, such as credit monitoring, and update your security measures. Review what went wrong, strengthen vendor monitoring, and adjust your contracts or access controls to prevent it from happening again in the future.
