How do I handle a data breach at one of my vendors?
30% of breaches now involve third parties. Learn what to do when a vendor gets breached, how to assess your exposure, and how to prevent it next time.
Key Takeaways
- 30% of data breaches in 2025 involved a third party - double the rate from the previous year
- Third-party breaches cost an average of $4.91 million and take 267 days to identify and contain
- Your first action should be determining exactly what data the vendor had access to and whether it was affected
- You may have legal notification obligations even when the breach happened at someone else's company
- Vendor risk management isn't optional anymore - continuous monitoring and contractual protections are essential
You get an email from a software vendor: “We are writing to inform you of a security incident that may have affected your data…”
Your stomach drops. You didn’t get breached - but one of your vendors did. And your data was in their hands.
This scenario is increasingly common and increasingly costly. Here’s exactly what to do when it happens and how to prevent it from happening again.
Third-Party Breaches Are Exploding
The 2025 Verizon Data Breach Investigations Report found that 30% of data breaches involved a third party - double the rate from the previous year. This isn’t a trend; it’s a fundamental shift in how attackers operate.
Why? Because compromising one vendor can give an attacker access to hundreds of that vendor’s customers simultaneously. It’s more efficient than attacking companies one at a time.
The impact is severe:
| Metric | Data |
|---|---|
| Breaches involving third parties | 30% (doubled year-over-year) |
| Average cost of third-party breach | $4.91 million |
| Average time to identify and contain | 267 days |
| Rank of supply chain attacks among attack vectors | #2 (after phishing) |
| Share of affected individuals attributable to supply chain attacks | 47% of all breach victims |
Third-party breach is now the second most prevalent attack vector and second costliest breach type.
What to Do When a Vendor Gets Breached
Hour 1-4: Initial Assessment
Determine Your Exposure
The first question isn’t “how did it happen?” It’s “what data of ours did this vendor have?”
Pull together information on:
- What data did you share with or store at this vendor?
- What systems did they have access to?
- What credentials or integrations connect your environment to theirs?
- How sensitive is the data involved? (PII, PHI, financial data, trade secrets)
- How many of your customers, employees, or partners could be affected?
Isolate the Connection
If the vendor has active connections to your systems, contain them before you have the full story. Preserve the evidence first - export or snapshot the relevant authentication, API gateway and network logs before you disable anything, since revocation and rotation events can truncate the trail you will need later. Then:
- Disable or restrict API integrations and OAuth app grants with the breached vendor (revoking an OAuth app typically invalidates its refresh tokens as well, so the vendor will have to re-authorize later)
- Revoke any credentials the vendor uses to access your systems - API keys, service accounts, SSH keys, VPN and SSO accounts
- Block network connections to/from the vendor's infrastructure, including firewall rules and IP allowlist entries
- Rotate any shared passwords or access tokens on both sides of the integration
- Monitor for unusual activity: the vendor's credentials used from IP ranges the vendor does not normally use, access outside the credential's intended scope, and failed attempts as well as successes
Don't wait for complete information to take these protective steps. Access can be re-enabled once you have confirmed your environment is clean and the vendor has rotated its own compromised credentials.
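The first four hours boil down to three questions: what did this vendor hold in our environment, what do we revoke, and has any of it already been misused? The script below is an added example written for this article, not code from the original page or from any vendor risk product. It keeps a small vendor inventory, emits a revocation plan, and scans access-log lines for the vendor's credentials being used from source IPs outside the vendor's declared ranges or against resources outside their granted scope. The vendor names, credential IDs, IP ranges, the key=value log format and the path-to-scope mapping are all constructed assumptions; a real deployment would read the inventory from a CMDB or identity provider and the logs from the API gateway.

```python
"""Hour 1-4 containment helper for a third-party breach (added example).

Given an inventory of what a vendor holds in our environment, it (1) lists
the vendor's access so exposure can be judged, (2) emits a revocation plan,
and (3) scans access-log lines for the vendor's credentials being used from
unexpected source IPs or against resources outside their granted scope.
Vendor names, credential IDs, IP ranges and log lines below are constructed.
"""
import ipaddress
import re

# Constructed inventory of a vendor's footprint in our environment.
# A real program would pull this from a CMDB, IdP or GRC tool.
VENDOR_INTEGRATIONS = [
    {"vendor": "AcmeAnalytics", "kind": "api_key",   "id": "key_7f3a",       "scope": ["reports:read"]},
    {"vendor": "AcmeAnalytics", "kind": "oauth_app", "id": "app_acme",       "scope": ["users:read", "reports:read"]},
    {"vendor": "AcmeAnalytics", "kind": "ip_allow",  "id": "203.0.113.0/24", "scope": ["sftp"]},
    {"vendor": "OtherCo",       "kind": "api_key",   "id": "key_9c21",       "scope": ["billing:read"]},
]

# Constructed API gateway log lines in an assumed key=value format.
SAMPLE_LOGS = """
2025-06-01T02:13:07Z client=key_7f3a ip=203.0.113.10 resource=/reports/daily status=200
2025-06-01T02:14:22Z client=key_7f3a ip=203.0.113.10 resource=/reports/daily status=200
2025-06-01T03:41:09Z client=key_7f3a ip=198.51.100.77 resource=/users/export status=200
2025-06-01T03:42:00Z client=app_acme ip=198.51.100.77 resource=/users/export status=403
2025-06-01T09:05:15Z client=key_9c21 ip=192.0.2.5 resource=/billing/invoices status=200
"""

# Which scope a resource path prefix requires (assumed mapping).
RESOURCE_SCOPES = {"/reports": "reports:read", "/users": "users:read", "/billing": "billing:read"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) ip=(?P<ip>\S+) "
    r"resource=(?P<resource>\S+) status=(?P<status>\d+)$"
)

ACTIONS = {
    "api_key": "revoke API key",
    "oauth_app": "disable OAuth app and revoke its tokens",
    "ip_allow": "remove allowlist entry",
}


def vendor_access(vendor, inventory=VENDOR_INTEGRATIONS):
    """Everything the vendor holds: the 'what did they have?' question."""
    return [i for i in inventory if i["vendor"] == vendor]


def containment_plan(vendor, inventory=VENDOR_INTEGRATIONS):
    """One concrete revocation action per integration, in inventory order."""
    return [f"{ACTIONS[i['kind']]} {i['id']}" for i in vendor_access(vendor, inventory)]


def parse_log(line):
    """Parse one log line; returns None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def required_scope(resource):
    for prefix, scope in RESOURCE_SCOPES.items():
        if resource.startswith(prefix):
            return scope
    return None


def suspicious_activity(vendor, log_text, inventory=VENDOR_INTEGRATIONS):
    """Flag uses of the vendor's credentials that do not fit its declared
    source ranges or granted scopes. Denied (4xx) attempts are flagged too:
    a rejected out-of-scope request is still evidence of misuse."""
    access = vendor_access(vendor, inventory)
    creds = {i["id"]: set(i["scope"]) for i in access if i["kind"] in ("api_key", "oauth_app")}
    ranges = [ipaddress.ip_network(i["id"]) for i in access if i["kind"] == "ip_allow"]
    findings = []
    for line in log_text.splitlines():
        ev = parse_log(line)
        if not ev or ev["client"] not in creds:
            continue
        reasons = []
        src = ipaddress.ip_address(ev["ip"])
        # Only judge source IPs when the vendor declared ranges at all.
        if ranges and not any(src in r for r in ranges):
            reasons.append(f"source {ev['ip']} outside vendor's declared ranges")
        need = required_scope(ev["resource"])
        if need and need not in creds[ev["client"]]:
            reasons.append(
                f"{ev['resource']} needs {need}; credential scoped to {sorted(creds[ev['client']])}"
            )
        if reasons:
            findings.append({"ts": ev["ts"], "client": ev["client"],
                             "status": ev["status"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    vendor = "AcmeAnalytics"
    print("Exposure:", [f"{i['kind']}:{i['id']}" for i in vendor_access(vendor)])
    print("Containment plan:")
    for step in containment_plan(vendor):
        print("  -", step)
    print("Suspicious activity:")
    for f in suspicious_activity(vendor, SAMPLE_LOGS):
        print(f"  {f['ts']} {f['client']} (HTTP {f['status']}): " + "; ".join(f["reasons"]))
```

On the constructed logs, the two early-morning report pulls from the vendor's own range are left alone, while the later `/users/export` requests are flagged: the API key is used from an address outside the vendor's declared range and against a resource its scope never covered, and the OAuth app's denied attempt from the same address is flagged as well. That last case is why the scan does not filter on status code - a 403 against data the vendor should not be touching is exactly the signal that tells you the vendor's credentials are no longer in the vendor's hands.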
Hours 4-24: Deeper Investigation
Contact the Vendor Directly
Go beyond the generic breach notification email:
- Request a detailed incident report
- Ask specifically whether your data was accessed, exfiltrated, or exposed
- Demand a timeline of the breach (when it started, when it was discovered, when it was contained)
- Ask what forensic investigation is underway and who is conducting it
- Request ongoing updates as the investigation progresses
Engage Your Own Teams
- Legal counsel - assess notification obligations, liability exposure, and contractual remedies
- IT/Security - investigate your own environment for signs of compromise through the vendor connection
- Compliance - determine regulatory reporting requirements
- Communications - prepare messaging for affected stakeholders
- Insurance - notify your cyber insurance carrier
Check Your Contracts
Review your agreement with the breached vendor for:
- Breach notification requirements - were they met? Most contracts require notification within 24-72 hours
- Data handling obligations - was the vendor handling data according to the contract?
- Liability and indemnification clauses - what financial responsibility does the vendor carry?
- Cyber insurance requirements - was the vendor required to carry insurance?
- Audit rights - can you demand an independent assessment of the vendor’s security?
Days 2-7: Notification and Response
Determine Your Notification Obligations
Even though the breach happened at the vendor’s environment, you may be legally required to notify affected individuals and regulators if their personal data was compromised.
Notification triggers vary by jurisdiction:
- HIPAA - if PHI was involved, the vendor is a business associate and must notify you; as the covered entity you must notify affected individuals (and HHS, on a timeline that depends on how many individuals were affected) without unreasonable delay and no later than 60 days after discovery
- State breach notification laws - all 50 US states require notification to residents whose personal information was exposed, with timelines and thresholds that vary by state
- GDPR - as the controller you have 72 hours from becoming aware of the breach to notify the supervisory authority if EU data subjects are affected; a processor must notify you without undue delay
- PCI DSS - prompt notification to your acquirer and the affected card brands if payment card data was involved
- Contractual obligations - your own customer contracts may require you to notify them
Legal counsel should guide the notification process and timeline.
Communicate with Affected Stakeholders
Depending on the severity:
- Customers whose data may have been exposed (legally reviewed notification)
- Employees whose personal information was involved
- Partners and vendors who need to know about the supply chain risk
- Board/leadership with impact assessment and response plan
Days 7-30: Recovery and Remediation
Evaluate the Vendor Relationship
Based on the severity of the breach and the vendor’s response:
- Continue with conditions - require specific security improvements, additional audits, and enhanced contractual protections
- Transition to alternative vendor - begin planning a migration if the vendor’s security posture is fundamentally inadequate
- Enhanced monitoring - increase oversight of the vendor’s access and data handling going forward
Strengthen Your Vendor Risk Program
Use this incident as a catalyst for broader improvement (see below).
Building a Vendor Risk Management Program
Prevention is significantly less expensive than response. A vendor risk management program should include:
Vendor Assessment Before Engagement
Before sharing data with any vendor, evaluate their security:
| Assessment Area | What to Look For |
|---|---|
| Security certifications | SOC 2 Type II, ISO 27001, HITRUST (industry-specific) |
| Data handling practices | Encryption at rest and in transit, access controls, retention policies |
| Incident response capability | Documented IR plan, notification timeline, forensic capability |
| Insurance coverage | Cyber insurance with adequate limits |
| Compliance alignment | Framework alignment matching your regulatory requirements |
| Financial stability | Can they survive a major incident without going bankrupt? |
Contractual Protections
Your vendor agreements should include:
- Breach notification requirements - specify timeline (24-72 hours)
- Data handling standards - encryption, access controls, retention limits
- Right to audit - ability to assess their security posture
- Subcontractor restrictions - control over who else handles your data
- Indemnification clauses - financial responsibility for breach costs
- Cyber insurance requirements - minimum coverage levels
- Data return/destruction - what happens to your data when the relationship ends
Continuous Monitoring
Security assessments at the start of a relationship aren’t enough. Vendor risk changes over time:
- Annual security reviews for critical vendors
- Continuous monitoring through security rating services
- Incident tracking - are they appearing in breach databases?
- Financial monitoring - financial distress can lead to security cuts
- Re-assessment triggers - after any vendor security incident, acquisition, or major change
Vendor Tiering
Not all vendors require the same level of scrutiny. Tier your vendors by risk:
- Tier 1 (Critical) - access to sensitive data, critical to operations (full assessment, annual review, continuous monitoring)
- Tier 2 (Important) - some data access, supports business functions (assessment at onboarding, periodic review)
- Tier 3 (Standard) - limited data access, easily replaceable (standard questionnaire, review at renewal)
The Bottom Line
You can’t outsource accountability. When a vendor is breached and your customer data is exposed, your customers look to you - not to the vendor they’ve never heard of.
Third-party breaches have doubled year-over-year and now represent the second most costly breach type. Incident response readiness combined with proactive vendor risk management is no longer a best practice reserved for mature organizations - it’s a baseline requirement for any business that shares data with outside parties.
Need help building a vendor risk management program or responding to a third-party breach? Contact us for compliance and risk assessment support.