Plaintext: Diving into Third-Party Breach Data
Welcome to Dark Reading in Plaintext, brought to your inbox this week by SentinelOne. In this issue of Plaintext, we dig deep into the Data Breach Investigations Report for insights into where the industry is headed. We also wonder what's happening with the US federal government's cybersecurity programs. If you enjoy Plaintext, please share with friends and colleagues!
Third-Party Breaches Doubled. Verizon Business released its 2025 Data Breach Investigations Report (DBIR) this week, and we've all been heads down reading the massive report. If it seemed like there have been many more incidents lately where an organization gets breached because a platform they use or a service provider they work with was compromised, it's not just you. According to the DBIR, the percentage of breaches involving a third party has doubled to 30% compared to last year's report. Recall banking giant Santander, which suffered a data breach after attackers accessed a database hosted by a third-party provider last year. Then there was the attacker who stole data belonging to Fortinet from an Azure SharePoint site. Or when attackers exploited a vulnerability in the software-as-a-service instance of BeyondTrust Remote Support to breach the US Department of the Treasury. And the list goes on. (Like Change Healthcare, CDK Global, and PowerSchool!)
These third-party breaches are tied to credential reuse in third-party environments and an increase in vulnerabilities exploited in third-party products. Exploitation of vulnerabilities for initial access grew by 34% and accounted for 20% of breaches.
Other reports have noted the rise in third-party breaches in recent months. An analysis of cyber insurance claims data found that third-party breaches and outages — including service providers and vendors — accounted for 31% of cyber-related claims in 2024, according to Resilience Cyber Insurance Solutions. Third-party risks also led to material losses, making up 23% of claims.
Third-party vulnerabilities increasingly cost companies money. Damages due to ransomware attacks targeting a third party — and not the policyholder — resulted in an average claim per incident of $241,000, an increase of 72% since 2023, according to cyber insurance provider At-Bay's 2025 InsurSec Report.
"And so [companies] become the victims of fraud, but it's not because [they] had any sort of security failure. It's because somebody somewhere else in the value chain did." — Adam Tyra, CISO for customers, At-Bay
Dark Reading in Plaintext is brought to you by SentinelOne
The Next Evolution of AI-powered CNAPP from SentinelOne
Discover a new approach to cloud security leveraging AI and automation to effectively detect, investigate, and respond to threats. Join our live demo to learn more.
What Happens to the Secure by Design Initiative Now? It's like every week there is a question about the fate of some cybersecurity program or resource tied to the US government. Last week, it was about CVE. This week, all eyes are on the Secure by Design Initiative. Created by the Cybersecurity and Infrastructure Security Agency in April 2023, the Secure by Design project encourages software makers to weave cybersecurity protections more deeply into their products, starting from the design stage. Just last year around this time, companies lined up to sign a seven-part pledge to improve in areas such as multifactor authentication, default passwords and security patching. Over 250 technology companies have signed, to date.
But there was also industry pushback, and with the departures of CISA senior advisers Bob Lord and Lauren Zabierek this week and Jack Cable earlier this year, the program's future is currently unclear. Some companies worried that CISA was trying to regulate software security and pushed back on attempts to make them do more. The original vision for the pledge involved firmer commitments than the current version. CISA gave the following statement (note the use of the word "evolve" in reference to Secure by Design):
CISA remains laser-focused on working across the public and private sectors to improve the nation's cybersecurity, a critical element of which is ensuring that technology companies do their part. This is why we continue to urge companies to develop products that are secure by design, instead of passing the cost of poorly designed products on to consumers. While CISA's approaches to Secure by Design evolve, our commitment to the principles remains steadfast. I thank Bob Lord and Lauren Zabierek for helping to lay the foundation on which future work in this space can be built.
What We Are Reading
Enjoy these links? Subscribe to receive Dark Reading Daily every morning!
What We Heard On-Air
Tune in to our on-demand webinar Tips on Managing Cloud Security in a Hybrid Environment.
"...the 'one key to rule them all' problem..." —Jake Williams, Hunter Strategy
From Our Library
Check out some of the latest reports from our Dark Reading Library!
Dark Reading Reports: State of Enterprise Incident Response
Dark Reading Reports: State of Enterprise Application Security
On That Note
Next week, the RSA Conference (#rsac) is in San Francisco. The Dark Reading team will attend, along with sister publications Cybersecurity Dive and SearchSecurity. If you are already subscribed to the Dark Reading Daily newsletter, you will see all the previews and dedicated show coverage. We will attend sessions, meet security practitioners, and learn about the latest industry trends. Stay tuned!