UPDATED 09:00 EDT / MARCH 26 2025

SecurityScorecard report reveals surge in third-party breaches across industries

A new report out today from security rating firm SecurityScorecard Inc. details a surge in vendor-driven attacks as threat actors increasingly exploit third-party relationships to gain access to their targets.

The findings come from SecurityScorecard’s 2025 Global Third-Party Breach Report, based on analysis by the company’s Threat Intelligence Unit of 1,000 breaches across industries and regions to uncover key attack patterns, measure the impact of third-party security failures and identify the most commonly exploited vendor relationships.

The leading finding was that 36% of all breaches in 2024 were third-party related, though the report noted that the figure is likely conservative because of underreporting and misclassification.

Of the third-party breaches, 47% involved technology products and services, a drop from last year’s 75%, signaling a diversification of attack surfaces. By industry, retail and hospitality saw the highest third-party breach rate at 52%, followed by the technology industry at 47% and the energy and utilities industry at 47%. The healthcare sector had the most third-party breaches — 78 — but a below-average rate of 32%.

The U.S. doesn’t lead the pack when it comes to third-party breaches, coming in at 31%, less than 5% below the global average. The dubious honor goes to Singapore, where 71% of breaches involved third parties, followed by the Netherlands at 70% and Japan at 60%.

“Threat actors are prioritizing third-party access for its scalability,” said Ryan Sherstobitoff, senior vice president of SecurityScorecard’s STRIKE Threat Research and Intelligence. “Our research shows ransomware groups and state-sponsored attackers increasingly leveraging supply chains as entry points. To stay ahead of these threats, security leaders must move from periodic vendor reviews to real-time monitoring to contain these risks before they escalate throughout their supply chain.”

To counter third-party breaches, SecurityScorecard recommends that organizations align their risk management strategies with specific risk profiles. Factors such as industry, geography, technology stack and organizational structure should guide how third-party risks are assessed and mitigated.

Vendors are advised to maintain strong third-party risk management programs to help reduce exposure to fourth-party risks. Contracts should clearly outline these expectations, recognizing that vendor vulnerabilities can cascade into broader security issues.

Organizations are also urged to demand “secure by design” technologies and prioritize protections for high-risk infrastructure such as file transfer tools and virtual private networks. Strengthening procurement standards, enforcing multifactor authentication and refusing to pay ransoms are all noted as essential to disrupting the ransomware supply chain.
