Written by: Ferhat Dikbiyik

Key Takeaways From the 2024 Third-Party Breach Report

Every year, Black Kite carefully sorts through data from various sources — including cybersecurity news platforms, the dark web, Telegram channels, and resources exclusive to Black Kite — to identify and analyze all third-party data breaches from the previous year. 

Our goal? To study the evolving strategies of cyber attacks, the profiles of threat actors involved, the sectors most affected, and offer a comprehensive review of the most significant breaches of the year. Through this annual review, we can collectively take stock of our cyber ecosystems and have important discussions around areas for growth and improvement. 

This year’s Third-Party Breach Report reveals a complex interplay of risks, responses, and resilience in 2023. In total, 81 third-party data breaches were disclosed, impacting 251 companies.

As Black Kite’s Chief Research & Intelligence Officer, I lead the research and development of this report. Read on for my biggest takeaways from this year’s findings. 

Takeaway 1: Don’t Let Ransomware in Your Cyber Ecosystem Fly Under the Radar

Unauthorized network access continues to top the charts as the leading cause of third-party attacks, responsible for more than 53% of analyzed third-party incidents. However, we shouldn’t let unauthorized network access overshadow other threats — specifically the growing ripple-effect impact of ransomware attacks on cyber ecosystems.

Consider this: While unauthorized network access was the most commonly reported entry point for breaches, ransomware was the most frequently used attack vector. In other words, many threat actors leverage existing vulnerabilities to deploy effective ransomware attacks. 

The ransomware group CL0P is a great example of this trend. In 2023, 40% of companies that suffered a vendor-caused data breach were indirectly affected by CL0P’s mass exploitation of vulnerabilities in MOVEit and GoAnywhere. The average annual revenue of these affected companies is approximately $10 billion.

The impacts of ransomware attacks down the supply chain are highly evident — and companies can do something about it. I recommend that security teams shift their mindset around ransomware mitigation: Instead of primarily focusing on the risk of your own company experiencing a ransomware attack, you need to be vigilant around your entire supply chain. This way, you can proactively collaborate with vendors on vulnerabilities before the ecosystem is compromised.

Takeaway 2: The Healthcare Industry Remains Critically Vulnerable

As in previous years, the healthcare sector was the most common victim of third-party data breaches, accounting for 33% of cases in 2023. Black Kite identified at least 141 hospitals directly affected as a result of ransomware attacks on 46 hospital systems.

Healthcare institutions are highly regulated and chock-full of personal health information (PHI) and personally identifiable information (PII), making them prime targets for bad actors. Despite this, cybersecurity teams have often struggled to garner the budget and resources needed to keep these institutions secure. In fact, many healthcare institutions outsource their security strategies.

Keeping healthcare institutions and patients safe from cyberattacks is urgent, as compromised facilities and services can put patient health and well-being at risk. For example, attacks on healthcare facilities in 2023 also caused loss of access to hospitals’ IT systems and patient data, diverted emergency services to other facilities, and delays in diagnosis and treatment.

Patient data is highly valuable on the dark web, and it’s unlikely that bad actors will lose interest in the healthcare sector anytime soon. Therefore, it’s imperative that healthcare organizations be vigilant about their third-party risk management to protect themselves and their patients.

Takeaway 3: Cyber Hygiene Improved — But There’s More Work To Do

There were some silver linings in the 2024 Third-Party Breach Report as well. Specifically, 2023 saw notable improvements in overall cyber hygiene:

  • In 2023, the breach disclosure period decreased to 76 days from 108 days in 2022.
  • Many organizations improved their cyber ratings post-breach. On average, vendors in technical services improved their cyber ratings by more than 11 points. 

This points to a positive shift toward transparency and urgency in addressing cyber threats. The shorter disclosure period could also indicate that companies are identifying and taking action to mitigate breaches sooner.

However, this is no time for complacency. Security teams should consider these improvements as good progress in an ongoing journey. Just as the threat landscape continues to evolve, so must security teams and strategies. Companies should keep their guard up against new threats and vulnerabilities.

Illuminate and Mitigate Cyber Ecosystem Risk with Black Kite

Risk is dynamic. What poses the greatest threat to your company one year might not be even a blip on the radar the next. 

Black Kite automates the process of providing real-time and accurate risk intelligence so that you don’t experience any blind spots. Make informed risk decisions and build a more resilient supply chain as the threat landscape evolves.

To dive deeper into last year’s third-party security trends, check out our full report.