
SecurityScorecard third-party breach report reveals software supply chain as top target for ransomware groups

Press releases may be edited for formatting or style | February 29, 2024 Cyber Security Health IT
NEW YORK – Feb. 28, 2024 – SecurityScorecard today released its Global Third-Party Cybersecurity Breach Report. Using the world’s largest proprietary risk and threat data set, SecurityScorecard STRIKE threat hunters analyzed threat groups’ mass exploitation of supply chain vulnerabilities.

Key findings include:

75% of third-party breaches targeted the software and technology supply chain
Technology supply chain vulnerabilities enable threat actors to scale their operations with minimal effort. With 75% of organizations at the highest levels of maturity saying their third-party risk program is manual as of 2021,¹ companies must work toward automating vendor identification and cyber risk management across their entire digital ecosystem.
64% of third-party breaches linked to Cl0p
Notorious cybercrime group Cl0p was responsible for 64% of attributable third-party breaches in 2023, followed only by LockBit at a mere 7%. Cl0p’s dominance was fueled by extensive attacks exploiting a critical zero-day vulnerability in MOVEit software.
61% of third-party breaches attributed to MOVEit (CVE-2023-34362)
The three most widely exploited vulnerabilities (MOVEit, CitrixBleed, and Proself) were involved in 77% of all third-party breaches involving a specified vulnerability. One reason for the widespread impact of the MOVEit zero-day was that it enabled third-party, fourth-party, and even fifth-party compromises.
At least 29% of breaches have third-party attack vectors
STRIKE found that approximately 29% of all breaches in 2023 were attributable to a third-party attack vector. This number likely underestimates the actual percentage, as many reports on breaches do not specify an attack vector.
35% of third-party breaches affected healthcare organizations
Healthcare and financial services emerged as the sectors most heavily impacted by third-party breaches, with healthcare accounting for 35% of total breaches and financial services accounting for 16%.
64% of all third-party breaches occurred in North America
The U.S. alone represents 63%. However, geographic variations may be harder to detect due to the overwhelming focus of news media and security vendors on breaches in the U.S. and other English-speaking countries.
48% of all breaches in Japan involved a third-party attack vector
While third-party breaches are common globally, Japan stood out with a significantly higher rate. As a hub for automotive, manufacturing, technology, and financial services, Japanese companies face significant supply chain cyber risk due to international dependencies.
