Third-Party Vendor Breaches Now Hit 5 Companies at Once

· Infonaligy

Every vendor breach affects 5.28 downstream companies, and disclosure takes 117 days. A practical vendor risk checklist for SMB owners.

Your company’s cybersecurity doesn’t stop at your own network. Every vendor with access to your data, your systems, or your employees’ credentials extends your attack surface in ways you don’t directly control. When one of those vendors gets breached, you become a victim without anyone attacking you directly.

The 2026 Black Kite Third-Party Breach Report puts hard numbers on the problem: every vendor breach now affects an average of 5.28 downstream companies, up from 2.46 in 2021. The average disclosure delay is 117 days. That means your business could be exposed for nearly four months before the vendor even tells you something happened.

The Scale of the Problem in 2026

Third-party breaches aren’t a theoretical risk. They’re happening at an accelerating rate, and the real-world examples from April 2026 alone illustrate the pattern.

Citizens Bank lost 3.5 million customer records through a third-party compromise in April 2026. The breach didn’t happen because Citizens Bank’s own security failed. It happened because a vendor they trusted with customer data was compromised. Every downstream customer whose records were exposed had no say in which vendors Citizens Bank used or how those vendors protected their data.

Vercel, a major cloud platform used by thousands of development teams, was breached through a compromised vendor tool called Context.ai. Attackers gained access through the vendor’s integration, not through Vercel’s own infrastructure. Any company running applications on Vercel during the exposure window was potentially affected, regardless of how well they secured their own code.

These aren’t isolated incidents. The Verizon 2025 Data Breach Investigations Report found that third-party involvement in breaches doubled from 15% to 30% in a single year. That’s the fastest year-over-year increase for any breach category in the report’s history.

The Black Kite data adds another dimension: beyond the 719 vendors publicly named in breach disclosures last year, an estimated 26,000 additional companies were affected as downstream victims. Most of those companies never appeared in any headline or notification. They were “shadow victims,” exposed through their vendors’ failures but never officially informed.

Why SMBs Are Disproportionately Exposed

Large enterprises often have vendor risk management programs, dedicated compliance teams, and enough contractual weight to demand security audits from their suppliers. Most SMBs have none of those things.

A typical 100-person company uses dozens of third-party services: payroll processing, cloud storage, CRM, accounting software, HR platforms, email filtering, VoIP, and more. Each of those vendors has their own security posture, their own patch management cadence, and their own vulnerability to attack. You’re effectively inheriting the security weaknesses of every vendor in your stack, and you probably haven’t evaluated most of them.

The Black Kite report found that 70% of the top vendors involved in breaches carried unpatched known exploited vulnerabilities at the time of the incident. Even more concerning, 62% of those vendors had corporate credentials circulating in stealer logs, meaning stolen login credentials for their systems were already available to attackers before the breach occurred. These are vendors that passed procurement reviews and signed contracts. Their security failures didn’t show up in a sales pitch or a checkbox compliance exercise.

The 117-day average disclosure delay compounds the problem for SMBs specifically. A large enterprise with a security operations center monitoring for anomalous behavior might detect unusual activity originating from a compromised vendor connection before the vendor discloses the breach. An SMB without continuous monitoring is unlikely to notice anything until the notification arrives, by which point attackers have had months of access.

What You Can’t Control (and What You Can)

You can’t audit your vendors’ source code. You can’t force them to patch faster. You can’t prevent every breach in your supply chain. Accepting this is the starting point for a realistic vendor risk strategy.

What you can control is which vendors you choose, how much access you give them, and how quickly you can respond when something goes wrong. Here’s a practical checklist that doesn’t require a dedicated compliance team to implement.

1. Build a vendor inventory. List every third-party service that touches your business data, your employee credentials, or your network. Include the obvious ones (Microsoft 365, your payroll provider, your CRM) and the less obvious ones (the plugin your marketing team installed, the analytics tool on your website, the remote access software your previous IT provider left running). You can’t manage risk for vendors you don’t know about.

2. Classify vendors by data access. Not every vendor represents the same level of risk. Your payroll provider has Social Security numbers and bank account details. Your office supply vendor has a billing address. Categorize each vendor as high, medium, or low risk based on what data they can access and what systems they connect to. Focus your due diligence on the high-risk tier.

3. Ask for security documentation. For high-risk vendors, request a SOC 2 Type II report, ISO 27001 certification, or equivalent evidence that they undergo independent security audits. A vendor that can’t produce any third-party validation of their security controls is asking you to take their word for it. That’s not sufficient for a vendor handling your employee or customer data.

4. Review vendor access quarterly. Vendors accumulate access over time. The CRM consultant who needed admin access for a migration project six months ago may still have those credentials. The former IT provider’s remote monitoring agent may still be installed on your servers. A quarterly access review identifies and revokes permissions that are no longer needed. Your managed IT provider should be running these reviews as part of their standard service.

5. Require breach notification SLAs in contracts. The 117-day average disclosure delay exists partly because many vendor contracts don’t specify notification timelines. When you sign or renew a vendor agreement, require written notification within 48 to 72 hours of a confirmed breach affecting your data. If a vendor won’t agree to a reasonable notification window, that tells you something about how they handle incidents.

6. Implement least-privilege access for vendor connections. When a vendor needs access to your environment, give them the minimum permissions required to do their job. A payroll integration doesn’t need access to your file server. A marketing analytics tool doesn’t need admin credentials. Every unnecessary permission is a potential path for an attacker who compromises that vendor.

7. Monitor for credential exposure. Services like Have I Been Pwned and commercial dark web monitoring tools can alert you when credentials associated with your domain appear in data breaches. If your company’s email addresses are showing up in stealer logs, you need to force password resets and review which systems those credentials could access. A cybersecurity risk assessment includes this type of exposure analysis.
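As an added example (not from the original post or Infonaligy's own tooling), here is a small Python script that applies checklist steps 1, 2, 3, 4 and 5 to a constructed vendor inventory: it classifies each vendor by the data it can reach, then flags missing audit evidence, missing or slow breach-notification SLAs, and overdue quarterly access reviews. The vendor names, data categories and thresholds are assumptions chosen to mirror the article's examples.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed data categories; adjust to your own data classification.
HIGH_RISK_DATA = {"ssn", "bank_account", "phi", "credentials"}
MEDIUM_RISK_DATA = {"customer_contact", "employee_records", "financials"}

@dataclass
class Vendor:
    name: str
    data_access: set                   # data categories the vendor can reach
    system_access: set                 # systems/integrations it connects to
    has_audit_evidence: bool           # SOC 2 Type II, ISO 27001 or equivalent
    breach_notice_hours: Optional[int] # contractual notification SLA, None if unspecified
    last_access_review: Optional[date] # date of the last access review, None if never

def classify(v: Vendor) -> str:
    """Step 2: tier by the most sensitive data the vendor can access."""
    if v.data_access & HIGH_RISK_DATA:
        return "high"
    if v.data_access & MEDIUM_RISK_DATA or v.system_access:
        return "medium"
    return "low"

def findings(v: Vendor, today: date, review_days: int = 90, max_notice_hours: int = 72) -> list:
    """Steps 3-5: actionable gaps, scaled to the vendor's tier."""
    tier, out = classify(v), []
    if tier == "high" and not v.has_audit_evidence:
        out.append("no independent security audit evidence")
    if tier in ("high", "medium"):
        if v.breach_notice_hours is None:
            out.append("no breach notification SLA in contract")
        elif v.breach_notice_hours > max_notice_hours:
            out.append(f"breach notification SLA of {v.breach_notice_hours}h exceeds {max_notice_hours}h")
    # Only vendors with system access have permissions to review and revoke.
    if v.system_access and (v.last_access_review is None
                            or today - v.last_access_review > timedelta(days=review_days)):
        out.append("vendor access not reviewed in the last quarter")
    return out

def prioritize(vendors, today: date) -> list:
    """Return (tier, name, findings) rows, high-risk vendors with most gaps first."""
    order = {"high": 0, "medium": 1, "low": 2}
    rows = [(classify(v), v.name, findings(v, today)) for v in vendors]
    rows.sort(key=lambda r: (order[r[0]], -len(r[2])))
    return rows

# Constructed sample inventory (step 1); not real vendors.
SAMPLE = [
    Vendor("payroll-provider", {"ssn", "bank_account"}, {"hr-platform"}, False, None, date(2025, 9, 1)),
    Vendor("crm-consultant", {"customer_contact"}, {"crm-admin"}, True, 48, None),
    Vendor("office-supplies", {"billing_address"}, set(), False, None, date(2026, 3, 15)),
]

if __name__ == "__main__":
    for tier, name, gaps in prioritize(SAMPLE, date(2026, 4, 30)):
        print(f"[{tier}] {name}: {gaps or 'no findings'}")
```

The output is the "start with your most critical vendors" list: the payroll provider with three gaps comes first, the low-risk supplier with no system access produces no findings.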

The Insurance and Legal Angle

Cyber insurance policies increasingly include questions about vendor risk management. If you file a claim related to a third-party breach and your insurer asks how you vetted the vendor, “we didn’t” is an answer that can reduce or eliminate your coverage.

Review your cyber insurance policy for third-party breach coverage. Some policies cover losses from vendor breaches explicitly; others exclude them or require you to demonstrate that you conducted due diligence on the vendor. If your policy is ambiguous on this point, ask your broker to clarify before you need to file a claim.

On the legal side, regulations like HIPAA, PCI DSS, CMMC, and Texas’s HB 4 privacy law all include requirements around vendor management. HIPAA requires business associate agreements with any vendor handling protected health information. CMMC requires flow-down of security requirements to subcontractors handling controlled unclassified information. Meeting these requirements isn’t just about compliance checkboxes. It’s about having a documented, defensible process for evaluating the companies you trust with sensitive data.

Start With Your Most Critical Vendors

You don’t need to evaluate all 30 or 40 vendors in your stack this week. Start with the five that have the most access to sensitive data. Pull their contracts and check whether breach notification timelines are specified. Ask them for their most recent SOC 2 report or security certification. Review what access they currently have to your systems and whether that access is still necessary.

If you discover that a critical vendor can’t produce security documentation, won’t agree to notification timelines, or has broader access than they need, those are actionable findings you can address immediately. The vendor fraud prevention measures that protect against financial fraud apply equally to data security: verify before you trust, limit what you share, and have a plan for when things go wrong.

The reality of third-party risk is uncomfortable but straightforward. Your business depends on vendors, and some of those vendors will get breached. The question isn’t whether it will happen. It’s whether you’ll find out in 48 hours or 117 days, and whether you’ve limited the blast radius enough to survive it.
