The major cyber incidents of 2024 shared a common pattern. The initial target was rarely the organization that ended up suffering the most. Attackers found their way in through trusted third-party vendors, exploiting interconnections that most organizations couldn't see and didn't know to monitor. The $75M Cencora ransom, the largest on record, was just one data point. The Cleo file transfer attack cascaded across retail and logistics supply chains, and the damage spread far beyond the breached entity. These were not isolated incidents. They were a systematic exploitation of vendor ecosystem blind spots.
As the 6th annual installment in Black Kite's Third-Party Breach Research series, the Black Kite Third-Party Breach Report 2025 analyzes the most significant third-party cyber incidents of 2024 in depth. The research draws on public breach disclosures and regulatory filings, FocusTags® intelligence data, and Supply Chain Module findings to reconstruct how each incident unfolded, which vendor relationships were exploited, and which industries bore the heaviest downstream consequences.
Ransomware accounted for 51.7% of known attack methods against third parties in 2024. Unauthorized network access was the most frequently cited cause in public disclosures, but that label is often a catch-all used when the disclosing organization lacks clarity on root cause, and it masks misconfigurations, credential misuse, or unpatched systems. Healthcare, retail and logistics, manufacturing, and finance faced the most severe cross-industry impact. Across all these sectors the pattern repeated: a weakness in one supplier rippled through entire ecosystems before most organizations knew a breach had occurred.
This report is your blueprint for understanding how 2024's most damaging third-party breaches unfolded, which defenses failed, and how proactive third-party risk management programs can break the cycle before the next incident.
Key Findings From the Black Kite Third-Party Breach Report 2025
Ransomware Drove 51.7% of Known Third-Party Attack Methods in 2024
Ransomware remained the dominant threat vector across third-party incidents in 2024. Ransomware groups targeted third-party vendors specifically because a single compromise in a shared digital supplier creates cascading leverage across every downstream customer. The Cl0p group's exploitation of Cleo file transfer software illustrated this playbook at scale, disrupting retail giants and logistics providers simultaneously through one vulnerable vendor product.
$75M Ransom Paid in the Cencora Breach, the Largest on Record
The Cencora breach set a new benchmark for ransomware financial impact against a healthcare supply chain operator. The $75M payment underscored how concentrated risk in pharmaceutical distribution creates outsized leverage for attackers. A single compromise at a critical supplier translates directly into existential financial pressure on the organizations that depend on it.
CrowdStrike Outage Reached 8.5 Million Devices and $5B in Estimated Damages
The CrowdStrike incident demonstrated that third-party incidents don't require malicious intent to produce catastrophic downstream impact. A defective update to a widely deployed endpoint security agent crashed Windows hosts worldwide and caused one of the largest simultaneous operational disruptions in recorded history. For TPRM teams, it confirmed that concentration risk in widely shared technology vendors is as dangerous as any adversarial attack.
HealthEC LLC Exposed Sensitive Data for 45 Million Patients
The HealthEC breach illustrated how healthcare vendor ecosystems amplify breach impact. A compromise at a single healthcare IT vendor cascaded to patient records across dozens of downstream hospital systems and health networks. Healthcare remained the most frequently impacted industry in the 2024 dataset, consistent with prior years in the series.
Unauthorized Network Access Accounted for 51.7% of Publicly Disclosed Third-Party Breaches
Unauthorized network access was the most commonly cited attack method in public disclosures, measured against all publicly disclosed breaches rather than against the subset of incidents with a confirmed attack method. The figure reflects a genuine measurement challenge: organizations frequently disclose a breach without confirming or revealing the root cause. Behind many of these incidents lie unpatched systems, compromised credentials, and misconfigured access controls that continuous monitoring would surface before attackers exploit them.
8 Major Incidents Documented in Depth: Cencora, Change Healthcare, Snowflake, CrowdStrike, CDK Global, HealthEC, BlueYonder, and Cleo
The report documents eight incidents that defined the 2024 third-party breach landscape. Each analysis covers how the attack entered through a vendor relationship, which downstream organizations were affected, and what threat actor behavior or tool was responsible. Together they form a playbook for understanding how systemic third-party risk materializes in practice.
51.7% of known third-party attack methods in 2024 were ransomware, the dominant threat vector across every industry analyzed
$75M Cencora ransom payment, the largest ever recorded in a third-party breach
$5B estimated damages from the CrowdStrike software outage
8.5M devices affected by the CrowdStrike failure, one of the largest simultaneous disruptions on record
45M patients exposed in the HealthEC LLC breach via cascading downstream impact
8 major incidents analyzed in depth: Cencora, Change Healthcare, Snowflake, CrowdStrike, CDK Global, HealthEC, BlueYonder, Cleo
The 8 Incidents That Defined Third-Party Cyber Risk in 2024
Eight incidents defined third-party cyber risk in 2024. Each followed the same structural pattern: a weakness in one vendor cascaded across the organizations that depended on it. Four are profiled below. The full report documents all eight in depth: attack vector, downstream impact, and what proactive TPCRM programs would have surfaced before the breach began.
Cencora: $75M Ransom and the Systemic Risk of Pharmaceutical Distribution
The Cencora breach exposed how concentration in pharmaceutical supply chains creates disproportionate leverage for ransomware actors. As a critical distributor to hospitals and pharmacies across the United States, Cencora's compromise gave attackers the ability to demand a historically large payment, and they received it. The incident reinforced that vendor risk tiering must account for systemic criticality, not just data sensitivity.
Cleo and BlueYonder: File Transfer Software as a Supply Chain Attack Vector
The Cleo exploitation followed the same playbook that made MOVEit destructive in 2023. Widely deployed file transfer software became a single point of failure across retail and logistics supply chains. BlueYonder's ransomware compromise ran concurrently, compounding disruption for organizations that depended on both platforms. These incidents confirmed that supply chain attacks targeting shared software infrastructure can reach dozens of enterprises through one vulnerable software product.
Change Healthcare: Ransomware Paralysis Across the US Healthcare System
The Change Healthcare attack, carried out by the ALPHV/BlackCat ransomware group, disabled billing and claims processing systems relied upon by thousands of healthcare providers nationwide. The disruption lasted weeks and forced manual workarounds across a sector with no tolerance for operational downtime. It set the stage for more aggressive targeting of healthcare infrastructure throughout the remainder of 2024.
Snowflake and CDK Global: Credential Theft and the Limits of Perimeter Security
The Snowflake incident demonstrated how credential misuse, not direct system compromise, enables large-scale data breaches across a shared cloud platform: the affected customer accounts had been harvested by infostealer malware and were not protected by multi-factor authentication. CDK Global's $25M ransom and widespread disruption to car dealership operations showed the same pattern in automotive retail. In both cases, attackers found a path through trusted access rather than technical exploits, highlighting the importance of dark web monitoring for leaked credentials across vendor networks and of enforcing MFA on vendor-facing accounts.
Why 2024's Breaches Keep Repeating Across Industries
Silent Breaches Persist Because Third-Party Visibility Is Still Reactive
The "silent breach" pattern that runs through 2024's major incidents shares one root cause: organizations discover third-party compromises after cascading damage has already begun. Vendors don't always disclose immediately. Downstream impact accumulates before anyone triggers a response. Cyber risk intelligence that monitors vendor posture continuously is the only structural fix. Annual reviews and onboarding checks don't close the gap.
GDPR, HIPAA, and DORA drove measurable improvements in incident response times among regulated organizations in 2024. Organizations subject to stringent notification requirements disclosed and responded faster than those not subject to such requirements. But regulatory frameworks establish floors, not ceilings. Healthcare improved its incident response posture under HIPAA pressure while remaining the most breached industry in the dataset. Compliance is the baseline. Vendor risk monitoring that goes beyond what regulators require is what actually reduces exposure.
Fourth-Party Exposure Amplified Damage in the Cleo, Snowflake, and CrowdStrike Incidents
In each of these three incidents, the organizations most severely affected had no direct relationship with the compromised vendor. They were customers of customers, exposed through nth-party visibility gaps that traditional TPRM programs don't cover. The 2024 data makes clear that organizations managing only their direct vendor tier are leaving their most systemic risks unaddressed.
How TPRM Programs Must Respond to the 2024 Breach Landscape
Enforce Continuous Monitoring Across Every Vendor Tier, Not Just Tier-1 Suppliers
The incidents of 2024 consistently originated two and three tiers into the supply chain. Annual assessments and onboarding reviews don't surface risks that emerge between cycles. Vendor evaluation needs to be paired with always-on monitoring so that a new ransomware campaign, leaked credential set, or unpatched vulnerability registers before it becomes a breach notification.
Replace Questionnaire-Based Evidence With Intelligence-Driven Vendor Engagement
Self-reported vendor security questionnaires produced no useful signal in the Cencora, Cleo, or HealthEC incidents. The compromised vendors were trusted partners. What would have surfaced the risk earlier is real-time intelligence showing rising RSI scores, dark web credential exposure, or known exploits in their technology stack. Vendor risk response needs to start from verified intelligence, not completed forms, and be delivered through a collaborative channel like The Bridge™ where remediation can be tracked directly.
Map Concentration Risk Before Attackers Exploit It
Cleo, BlueYonder, CrowdStrike, and Snowflake are all platforms with enormous customer bases. A single compromise at any of them reaches every organization that depends on them simultaneously. The Ransomware Susceptibility Index® (RSI™) provides a leading indicator of vendor vulnerability before an attack campaign begins. Organizations that mapped their concentration risk ahead of the 2024 incidents were positioned to isolate, contain, and respond faster than those discovering the dependency after the fact.
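The fourth-party exposure described above and the concentration mapping this section calls for are both graph problems. The following Python is an added example written for this page, not Black Kite's tooling or anything from the report: it takes a vendor inventory as a plain "who depends on whom" mapping, computes each supplier's transitive blast radius with an exposure tier (1 = direct customer, 2 = customer of a customer), ranks suppliers by reach as a concentration-risk proxy, and lists the organizations that are hit only indirectly. Every organization, vendor, and product name is a constructed placeholder, and the "advisory" at the bottom is likewise invented to drive the walkthrough.

```python
"""Blast-radius and nth-party exposure over a vendor dependency graph.

Added example for this page; not Black Kite code. All names below are
constructed placeholders standing in for a real vendor inventory.
"""
from collections import defaultdict, deque

# Constructed inventory: each key depends directly on the entries in its
# list. A vendor that also appears as a key passes its own suppliers up the
# chain as fourth parties to every organization above it.
DEPENDENCIES = {
    "hospital-a": ["claims-clearinghouse", "pharma-distributor"],
    "hospital-b": ["claims-clearinghouse", "health-it-vendor"],
    "retailer-a": ["logistics-provider", "analytics-cloud"],
    "retailer-b": ["logistics-provider"],
    "dealer-group": ["dealer-dms"],
    "logistics-provider": ["file-transfer-product"],
    "health-it-vendor": ["file-transfer-product", "analytics-cloud"],
    "claims-clearinghouse": ["analytics-cloud"],
}


def dependents_index(deps):
    """Reverse the graph: supplier -> set of nodes that depend on it directly."""
    rev = defaultdict(set)
    for consumer, suppliers in deps.items():
        for supplier in suppliers:
            rev[supplier].add(consumer)
    return rev


def blast_radius(deps, supplier):
    """Every node reachable upward from `supplier`, mapped to its tier:
    1 = direct customer, 2 = customer of a customer (fourth party), and so on.
    BFS yields the shortest exposure distance when several chains exist."""
    rev = dependents_index(deps)
    tiers = {}
    queue = deque([(supplier, 0)])
    while queue:
        node, tier = queue.popleft()
        for consumer in rev.get(node, ()):
            if consumer not in tiers:
                tiers[consumer] = tier + 1
                queue.append((consumer, tier + 1))
    return tiers


def concentration_ranking(deps):
    """Suppliers ordered by transitive reach: the larger the number, the more
    organizations a single compromise of that supplier touches at once."""
    suppliers = {s for supplier_list in deps.values() for s in supplier_list}
    ranked = [(s, len(blast_radius(deps, s))) for s in suppliers]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def exposure_paths(deps, org, supplier):
    """All dependency chains from `org` down to `supplier`. A chain with more
    than two nodes is an nth-party exposure the org holds no contract for."""
    paths = []

    def walk(node, path):
        if node == supplier:
            paths.append(path)
            return
        for nxt in deps.get(node, ()):
            if nxt not in path:  # guard against cyclic inventories
                walk(nxt, path + [nxt])

    walk(org, [org])
    return paths


def fourth_party_exposures(deps, supplier):
    """Organizations affected by `supplier` only indirectly (tier >= 2): the
    population a direct-vendor-only TPRM program never sees."""
    return sorted(n for n, t in blast_radius(deps, supplier).items() if t >= 2)


if __name__ == "__main__":
    # Constructed advisory: a widely deployed file-transfer product is under
    # active exploitation. Who is exposed, and who would not know it?
    hit = "file-transfer-product"
    for node, tier in sorted(blast_radius(DEPENDENCIES, hit).items(),
                             key=lambda item: item[1]):
        print(f"tier {tier}: {node}")
    print("indirect only:", fourth_party_exposures(DEPENDENCIES, hit))
    print("top concentration:", concentration_ranking(DEPENDENCIES)[:3])
    print("how retailer-a is exposed:",
          exposure_paths(DEPENDENCIES, "retailer-a", hit))
```

Run on the constructed inventory, the file-transfer product reaches five nodes, three of them (both retailers and one hospital) only at tier 2, so none of those three would appear in a Tier-1-only vendor review. The ranking also shows the analytics platform tied for widest reach despite being buried two levels down for the hospitals, which is the concentration pattern the Snowflake and CrowdStrike incidents exposed.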
Build Incident Response Protocols That Account for Vendor-Originated Disruption
The Change Healthcare and CDK Global incidents forced manual operational workarounds across entire industries for weeks. Neither was primarily a data breach. Both were operational outages triggered by vendor compromise. TPRM programs that treat third-party incidents as data governance events miss the business continuity dimension entirely. Financial impact modeling that quantifies operational exposure, not just regulatory fine risk, gives leadership the full picture before a vendor compromise forces improvised decisions.
How Black Kite Built the Third-Party Breach Report 2025
Six Years of Annual Third-Party Breach Research
The 2025 report is the sixth installment in Black Kite's annual breach research series, which has tracked the evolution of third-party cyber incidents since 2020. Year-over-year continuity in methodology enables direct comparison of breach patterns, industry targeting trends, and attacker behavior across the full period. No other research series applies the same vendor-ecosystem lens consistently over this time horizon.
Analysis of Public Breach Disclosures and Regulatory Filings
The Black Kite Research Group™ built the 2025 dataset from public breach disclosures, regulatory filings, and confirmed incident reports from across 2024. Data based on publicly disclosed incidents represents a lower bound. Many organizations choose not to disclose breaches, meaning the actual scale of third-party compromise is larger than the dataset reflects.
FocusTags® Intelligence and Supply Chain Module Data
In addition to public sources, the analysis incorporates intelligence surfaced by FocusTags®, Black Kite's proprietary risk-tagging system that flags high-priority vendor vulnerabilities, active ransomware campaigns, and dark web exposure in real time. Supply Chain Module data provided visibility into fourth-party exposure patterns across the eight major incidents analyzed in depth.
Validated Against Industry Research and Threat Intelligence Sources
Findings are cross-referenced against industry research and threat intelligence sources, including the joint Google Threat Analysis Group and Mandiant reporting that tracked 97 zero-day vulnerabilities exploited in 2023, a 56% increase over the prior year, establishing the vulnerability backdrop against which 2024's incidents unfolded.