
The Biggest Cyber Breaches That Exposed Supply Chain Vulnerabilities

Cyberattacks in 2025 continue to evolve at an unprecedented pace, with cybercriminals leveraging AI-driven automation, supply chain compromises and sophisticated ransomware to target IT service providers, cloud platforms and cyber security software vendors.

Recent high-profile breaches underscore the growing risks associated with supply chain vulnerabilities. If your cyber security provider or third-party vendor is compromised, how confident are you that your data, systems and customers remain secure?

Many organisations trust large consultancies for cyber security, assuming size equates to security. However, bigger isn’t always better—what truly matters is being big enough to be proactive and reactive during incidents. Providers must have the scale to detect and respond to threats swiftly and the agility to adapt to an ever-changing cyber landscape.

With 20 years in the industry, CyberOne has the agility of a start-up combined with the expertise and reliability of a seasoned cyber security provider. This balance is critical in ensuring resilience against supply chain threats, where reaction speed and strategic foresight make all the difference.

Here, we analyse the most significant cyber breaches that have affected supply chains in recent years, their impact and the key lessons we can learn from them.

The Role of Cyber Security Providers in Supply Chain Risk

Cyber security providers should be the first line of defence, yet some of the most significant breaches in recent years have involved IT service companies and security vendors. These incidents reinforce a crucial point—your cyber security provider is part of your supply chain and your business is directly exposed if they are breached.

Recent breaches at Orange, Tata and CDW demonstrate how threat actors exploit vulnerabilities in widely used IT services to infiltrate numerous organisations simultaneously. These incidents serve as a wake-up call that even security companies are not immune to sophisticated cyber threats.

Most Notable Cyber Supply Chain Attacks

Orange Group

A hacker associated with the HellCat ransomware group claims to have stolen thousands of internal Orange Group documents, including customer and employee records, invoices, contracts and partial payment card details. The breach primarily affected Orange Romania and was made public after an unsuccessful extortion attempt.

The attacker exploited compromised credentials and vulnerabilities in Orange’s Jira software and internal portals, maintaining undetected access for over a month. The company also failed to detect the three-hour exfiltration that exposed 6.5GB of sensitive information.

Orange confirmed the breach, stating that it occurred on a non-critical back-office application and is currently investigating to assess the full impact. 

Cyber Security Issues Identified 

    • Compromised Credentials – The hacker used stolen credentials, highlighting poor identity protection measures.

    • Unpatched Software Vulnerabilities – The attacker exploited security flaws in Jira and internal portals, suggesting a lack of regular patching.

    • Extended Dwell Time (over a Month) – The breach went undetected, indicating weak threat detection and response capabilities.

    • Mass Data Exfiltration Without Detection – The hacker exfiltrated 12,000 files (6.5GB) in three hours, demonstrating inadequate data loss prevention (DLP) and monitoring.

    • Exposure of Sensitive Data – Employee emails, customer records and payment card details (even expired ones) were compromised, raising compliance and data protection concerns.

Key Security Learnings 

Preventing breaches like this requires a strong identity security framework and proactive threat monitoring: enforce multi-factor authentication (MFA) and role-based access controls, and continuously monitor identities so that credential-based attacks are detected and mitigated early.
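The Orange figures above (12,000 files, 6.5GB, three hours, no alert) are exactly what egress monitoring should catch. As an added example that is not from the post or from CyberOne, the following Python flags any host whose hourly outbound volume to external addresses exceeds both an absolute cap and a multiple of that host’s own historical median; the hostnames, IP addresses, thresholds and flow records are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ABS_THRESHOLD = 500 * 1024**2  # 500 MB/hour to external destinations (assumed policy value)
RATIO = 10.0                   # and at least 10x the host's own hourly median

def _is_external(ip):  # RFC 1918 ranges used by the constructed sample count as internal
    return not (ip.startswith("10.") or ip.startswith("192.168."))

def hourly_egress(flows):
    """Sum outbound bytes to external destinations per (host, hour)."""
    buckets = defaultdict(int)
    for ts, host, dst, nbytes in flows:
        if _is_external(dst):
            hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
            buckets[(host, hour)] += nbytes
    return buckets

def exfil_alerts(flows):
    """Return (host, hour_iso, bytes) for hours exceeding both thresholds; the relative
    baseline is the median of that host's earlier hours, so routine sync volume is not flagged."""
    per_host = defaultdict(list)
    for (host, hour), total in sorted(hourly_egress(flows).items(), key=lambda kv: kv[0][1]):
        per_host[host].append((hour, total))
    alerts = []
    for host, series in per_host.items():
        for i, (hour, total) in enumerate(series):
            history = sorted(t for _, t in series[:i])
            baseline = history[len(history) // 2] if history else 0
            if total > ABS_THRESHOLD and total > RATIO * baseline:
                alerts.append((host, hour.isoformat(), total))
    return alerts

def constructed_flows():
    """Constructed sample: 24 h of routine egress for two hosts, then ~6.5 GB leaving fs-01
    over three hours (the volume cited for Orange). Records: (iso_ts, host, dst_ip, bytes)."""
    base = datetime(2025, 2, 20, 0, 0)  # arbitrary constructed date
    flows = []
    for h in range(24):
        ts = (base + timedelta(hours=h)).isoformat()
        flows.append((ts, "fs-01", "203.0.113.10", 20 * 1024**2))  # SaaS sync
        flows.append((ts, "ws-22", "203.0.113.10", 15 * 1024**2))
        flows.append((ts, "fs-01", "10.0.0.5", 2 * 1024**3))       # internal backup, ignored
    for h in range(24, 27):
        for m in (0, 20, 40):
            ts = (base + timedelta(hours=h, minutes=m)).isoformat()
            flows.append((ts, "fs-01", "198.51.100.7", int(6.5 * 1024**3 / 9)))
    return flows
```

Calling `exfil_alerts(constructed_flows())` returns three alerts, one per hour of the bulk transfer from fs-01, while the 2 GB internal backup and ws-22’s steady traffic stay silent.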

Security Challenge 

If an attacker gained access to your internal systems today, how long would it take for you to detect and respond? 

Tata Technologies

The Hunters International ransomware group targeted Tata Technologies, a Tata Consultancy Services (TCS) subsidiary. This attack resulted in the exfiltration of confidential company data. The attackers later listed stolen information on their dark web portal, indicating a failed ransom negotiation.

The ransomware attack compromised internal systems, disrupting operations across multiple business units. While Tata Technologies has not disclosed the full scope of the breach, cyber security analysts suspect the group has stolen significant corporate data, project details and intellectual property. 

Cyber Security Issues Identified 

    • Initial Intrusion via Phishing or Credential Theft – The attack likely began with a phishing email or stolen employee credentials, allowing hackers to access internal systems.

    • Lack of Network Segmentation – Once inside, attackers moved laterally across multiple systems, suggesting a lack of network segmentation controls.

    • Delayed Detection and Response – The ransomware payload was deployed undetected, highlighting insufficient endpoint and SIEM monitoring.

    • Exfiltration of Critical Business Data – Hackers stole sensitive corporate information, financial records and intellectual property, increasing legal and compliance risks.

    • Dark Web Exposure – Stolen data was found on underground forums, increasing the risk of further exploitation.

Key Security Learnings 

To combat ransomware, businesses must combine proactive threat monitoring, endpoint detection and rapid incident response, so that 24x7 threat detection, AI-driven anomaly detection and automated response playbooks are in place to mitigate ransomware risks.

Additionally, Dark Web Monitoring should be fully integrated into 24x7 Managed Detection and Response (MDR) capabilities to detect leaked credentials, stolen company data and emerging threats before they are used in further attacks.

Security Challenge 

Could your business continue operating if ransomware locked your critical systems?

TalkTalk

In March 2025, TalkTalk, a major UK telecom provider, launched an urgent investigation after customer data appeared for sale on the dark web. The breach was traced back to a third-party supplier, making it yet another example of supply chain risks leading to customer exposure.

Reports indicate that the stolen data includes customer names, email addresses, account numbers and possibly financial details. If confirmed, this breach could lead to phishing attacks, identity theft and regulatory penalties under GDPR.

Cyber Security Issues Identified 

    • Third-party provider vulnerability – The breach originated outside TalkTalk’s direct control, demonstrating how supplier security gaps can compromise a business.

    • Delayed detection – TalkTalk only discovered the breach after stolen data was found online, suggesting weaknesses in real-time threat intelligence.

    • Customer data at risk – Exposure to personal data increases the risk of fraud, phishing attacks and regulatory fines.

    • Dark Web Exposure – The stolen data was actively traded in underground marketplaces, increasing the risk of further exploitation, fraud and targeted attacks.

Key Security Learnings

Companies must conduct ongoing security assessments of their vendors, enforce Data Loss Prevention (DLP) policies and integrate Dark Web Monitoring into their Managed Detection and Response. By continuously scanning underground forums, marketplaces and hacker channels, businesses can detect leaked credentials and stolen customer data faster, enabling proactive mitigation efforts before they are exploited.

Security Challenge

Would you know if your customer data was being sold on the dark web?

Rackspace

In 2024, Rackspace, a leading cloud computing and cyber security services provider, suffered a data breach after attackers exploited a zero-day vulnerability in ScienceLogic, a widely used IT monitoring platform. This breach underscored the growing risks associated with third-party software dependencies, even for organisations specialising in cloud security and infrastructure management.

Hackers successfully accessed Rackspace’s internal monitoring systems, exfiltrating sensitive operational data. While customer data was not directly affected, the breach highlighted vulnerabilities in supply chain security, demonstrating how attackers can leverage flaws in trusted third-party tools to infiltrate high-value targets.

Cyber Security Issues Identified

    • Zero-day exploitation in a third-party platform – Attackers took advantage of an unpatched vulnerability in ScienceLogic, a tool trusted for monitoring IT environments.

    • Indirect supply chain compromise – Rackspace was not the primary target, but its reliance on a vulnerable external service made it susceptible.

    • Exposure of internal monitoring data – The breach gave attackers visibility into Rackspace’s IT infrastructure, which could facilitate future targeted attacks.

Key Security Learnings

Organisations must continuously assess the security of third-party tools integrated into their environments. Proactive zero-day threat intelligence, continuous monitoring and rapid patch management are critical to mitigating risks from third-party software dependencies.

Security Challenge

How well do you monitor the security of third-party tools in your environment—and could an unpatched vulnerability expose your organisation?

NTT

In mid-2024, NTT, a Japanese telecom and IT giant, suffered a massive data breach that affected up to 18,000 corporate clients. Attackers accessed internal systems and exfiltrated sensitive business data, raising concerns about NTT’s supply chain security.

As a service provider to banks, government agencies and enterprises worldwide, NTT’s breach put thousands of organisations at indirect risk. The attack went undetected for an extended period, allowing hackers to move laterally across NTT’s systems before exfiltrating data.

Cyber Security Issues Identified 

    • Large-scale third-party risk – A breach at NTT exposed sensitive data across its entire client network.

    • Extended attack dwell time – Attackers remained undetected, highlighting weaknesses in proactive threat hunting.

    • Potential supply chain compromise – If attackers planted backdoors, NTT’s clients could face secondary attacks.

Key Security Learnings 

Enterprises must invest in continuous security monitoring, endpoint detection and proactive threat intelligence to detect lateral movement early, map security risks, implement Zero Trust models and strengthen defences against supply chain attacks.

Security Challenge

If an attacker were inside your network for months, would you detect them before they reached critical data?

CDW

In early 2023, CDW, a Fortune 500 IT services provider, fell victim to the LockBit ransomware gang. LockBit, one of the most active ransomware groups globally, claimed to have stolen sensitive corporate data from CDW’s internal systems and threatened to leak it unless a ransom was paid.

CDW provides thousands of enterprises with IT infrastructure and cyber security solutions, making this breach particularly concerning. Organisations that rely on CDW may now be at risk if their credentials, system configurations or contracts were exposed.

Cyber Security Issues Identified 

    • Third-party risk exposure – Attackers targeted CDW, which has privileged access to thousands of client environments.

    • Data exfiltration before detection – Attackers stole sensitive data before CDW became aware, a common trend in ransomware attacks.

    • Double extortion tactics – LockBit encrypts data and threatens public leaks, pressuring victims into payment.

Key Security Learnings

Companies must enforce continuous vendor security monitoring, zero-trust access controls and proactive ransomware defences: real-time tracking, AI-driven anomaly detection and automated response that contain threats before data is stolen.

Security Challenge

If your IT provider were compromised today, could you ensure your systems and data remain untouched?

Rethinking Supply Chain Security

The cyber security landscape is evolving and these breaches are a stark reminder that no provider is immune to attack. IT service providers, security vendors and software platforms are deeply embedded in your supply chain and their security posture directly impacts your risk exposure.

Key Risks to Consider

1. The Larger the Provider, the Greater the Risk Exposure

    • The bigger the organisation, the larger the attack surface it must protect.

    • Large providers offering connectivity, cloud and customer hosting must keep their infrastructure open for customer access, which makes it harder to secure.

    • Attackers exploit these open environments, increasing the risk of supply chain breaches.

2. The Poacher/Gamekeeper Problem

    • If your IT service, cloud or hosting provider also delivers your cyber security, they are marking their own homework.

    • Security assessments may lack impartiality, leading to overlooked vulnerabilities.

    • Concentrating all IT functions under one vendor increases risk—a single breach could compromise your entire infrastructure.

3. Lack of Visibility Into Third-Party Security

    • Many organisations assume their providers are secure without independent validation.

    • Limited transparency into a vendor’s security controls makes it difficult to assess real risks.

    • Businesses must demand full security accountability from their IT and cloud suppliers.

Some Recommendations to Strengthen Your Supply Chain Security

    • Implement Zero Trust Security Models – Assume no user or system is inherently trusted and enforce strict access controls.

    • Continuously Monitor Third-Party Risk – Regularly assess your providers’ security controls, patching practices and compliance status.

    • Use Independent Security Providers – Avoid relying on your IT, cloud or hosting provider to also assess and secure the environment it operates for you.

    • Deploy Dark Web Monitoring – Track stolen credentials and leaked data to detect potential supply chain threats early.

    • Invest in 24x7 Managed Extended Detection and Response (MXDR) – Ensure proactive threat detection and rapid response to security incidents.

At CyberOne, we provide independent cyber security expertise to help businesses assess, monitor and secure their supply chains. With 20 years of experience, we offer the agility of a start-up and the expertise of a seasoned cyber security provider, ensuring impartial security assessments and proactive risk management.

Strengthening Your Supply Chain Cyber Security with CyberOne

Would you like an initial security assessment to evaluate your supply chain risk? Book a Free 1:1 Consultation Session with CyberOne.