Supply Chain Attacks Surge In 2025: Double the Usual Rate
Attackers know the weakest link is often outside your walls

Supply chain attacks are no longer a distant threat; they’ve surged in 2025 at nearly double the usual rate. Even the strongest cybersecurity infrastructure can be undone by a weak link in your vendor ecosystem. Every partner, supplier, or third-party provider that touches your data extends your attack surface, and their vulnerabilities can quickly become your liabilities. The reality is stark: you can’t fully control a third party’s IT environment, and blind spots in their workflows can expose your most sensitive assets.
For example, suppose you use a third-party service for accounting. Accounting involves handling sensitive data such as customer names and payment details in order to process customer payments. Social engineering criminals target accounting agencies precisely because of the valuable data they store, so your corporate data now sits in another organization's hands, and it is that organization, not you, that has to detect and stop those attacks. Your accounting firm may have robust cybersecurity policies, but even the best data protection carries residual risk from simply operating online. A single successful phishing or social engineering attack against the agency could expose your customer records to an attacker. These types of supply chain attacks are on the rise.
Supply chain attacks are nothing new, especially in the software development industry, but dark web researchers report an uptick in these attacks since April 2025. Ransomware has featured in many recent attacks, and zero-day exploitation and intellectual property theft from data breaches are also common. Corporate ransomware victims face double extortion: they are pressured to pay once to regain access to their data, and then pressured again with threats to publish the stolen data unless they pay more.
Over the years, supply chain attacks have become more common. They frequently target small businesses, because SMBs often lack the resources to defend against advanced threats. Social engineering and phishing attacks against employees remain the usual entry point, and they succeed far more often in organizations that have not implemented security awareness training.
Here’s a collection of a few recent data breaches from supply chain attacks. These examples illustrate the importance of risk management, data protection, and carefully choosing third-party vendors.
Hertz Vendor Breach via Cleo Communications
Hertz uses Cleo Communications managed file transfer software to exchange files with partners. As with any file-transfer platform, it is an attractive target for attackers because it sits at the boundary between organizations and holds data in transit. Hertz, including its Thrifty and Dollar brands, along with Kellogg and Sam's Club, suffered data breaches when the Cl0p ransomware group exploited vulnerabilities in Cleo's file transfer products. The exploitation went unnoticed for months; Hertz learned of it in February 2025, which gave the attackers ample time to exfiltrate customer data.
Cl0p did not need to breach Hertz directly; it exploited two vulnerabilities in Cleo's own products (Harmony, VLTrader, and LexiCom): CVE-2024-50623 and CVE-2024-55956. The first allows unauthenticated file upload and download. The second allows an unauthenticated attacker to import and execute arbitrary Bash or PowerShell commands on the host by abusing the default settings of the product's Autorun directory, which the software uses to run commands automatically. Cleo's initial fix for the first flaw was bypassed, which is why the second CVE exists; only versions 5.8.0.24 and later close both. Together the two flaws gave attackers remote code execution, which Cl0p used for the mass data theft and extortion that followed.
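Because the second Cleo flaw turns on files that appear in an Autorun directory, a practical check is to baseline that directory and diff it on a schedule. The following Python script is an added example, not Cleo's or the article's code. It assumes the host keeps an Autorun directory whose files are executed automatically (the behaviour CVE-2024-55956 abused); the directory, file names, file contents, and the suspicious-token list are constructed for the demo.

```python
"""Baseline-and-diff check for a Cleo-style Autorun directory.

Added example, not Cleo's or the article's code. It assumes the host keeps an
Autorun directory whose files are picked up and executed automatically (the
behaviour CVE-2024-55956 abused); the directory, file names, and file contents
below are constructed for the demo.
"""
import hashlib
import tempfile
from pathlib import Path

# Strings that should not appear in a legitimately provisioned autorun file.
# Constructed starter list; tune it to what your own jobs actually contain.
SUSPICIOUS_TOKENS = ("powershell", "cmd.exe", "bash -c", "/bin/sh", "curl ", "wget ", "certutil")


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large archives do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(directory: Path) -> dict[str, str]:
    """Map every file under `directory` (relative path) to its SHA-256."""
    return {
        str(path.relative_to(directory)): hash_file(path)
        for path in sorted(directory.rglob("*"))
        if path.is_file()
    }


def diff_autorun(baseline: dict[str, str], current: dict[str, str], directory: Path) -> list[str]:
    """Report new, modified, and removed files, plus any file carrying shell-like content."""
    findings = []
    for name, digest in current.items():
        if name not in baseline:
            findings.append(f"NEW {name}")
        elif baseline[name] != digest:
            findings.append(f"MODIFIED {name}")
        content = (directory / name).read_bytes().lower()
        hits = [tok for tok in SUSPICIOUS_TOKENS if tok.encode() in content]
        if hits:
            findings.append(f"SUSPICIOUS_CONTENT {name}: {', '.join(hits)}")
    for name in baseline:
        if name not in current:
            findings.append(f"REMOVED {name}")
    return findings


def demo() -> list[str]:
    """Build a constructed Autorun directory, take a baseline, then simulate a dropped file."""
    with tempfile.TemporaryDirectory() as tmp:
        autorun = Path(tmp) / "autorun"
        autorun.mkdir()
        # Constructed, admin-approved job present when the baseline is taken.
        (autorun / "nightly-archive.txt").write_text("archive outbox to /data/archive\n")
        baseline = snapshot(autorun)
        # Constructed post-exploitation state: a file that runs a shell was added.
        (autorun / "dropper.txt").write_text("cmd.exe /c powershell -NoProfile -Command Get-Process\n")
        return diff_autorun(baseline, snapshot(autorun), autorun)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

In production the baseline would be stored off-host (an attacker with code execution can rewrite a local baseline), and the diff would run from a separate monitoring account on a short interval. Cleo's own guidance after CVE-2024-55956 was to disable Autorun by clearing the directory setting; this check is a compensating control for hosts where that is not yet done.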
CDK Global Cyberattacks on Auto Dealerships
Auto dealerships use third-party software to manage customers and deals made with customers. CDK Global stores every customer detail, including their payment methods, social security numbers, auto information, and license data. It also stores information about the dealer and the manufacturer.
The BlackSuit ransomware group, a Russian-speaking operation regarded as the successor to Royal, carried out a multi-step intrusion to reach auto customers' data. First, it obtained credentials for a VPN account from a list of compromised passwords, most likely purchased or downloaded from the dark web. The VPN did not require multi-factor authentication, so those credentials alone were enough to get BlackSuit into the CDK environment. From that foothold, BlackSuit used PsExec to move laterally across the network and deploy ransomware.
The ransomware shut down the dealerships' ability to use CDK software, so deals had to be written up by hand. Researchers estimate that the total cost of the incident could exceed $1 billion, counting the data loss, the operational downtime, and the roughly $25 million ransom demand. Reputational damage will add to CDK's financial loss over time.
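Both steps of the CDK chain leave detectable traces: a credential-stuffing run against the VPN shows up as one source failing against many accounts and then succeeding, and PsExec announces itself by installing a service named PSEXESVC on every host it touches. The Python below is an added example, not CDK's, BlackSuit's, or the article's code. The VPN log format, the Windows event records, and every host, account, and IP address are constructed for the demo; PsExec's service name and Windows Event ID 7045 (service installed) are real, the rest is illustrative.

```python
"""Detections for the two-step chain described above: credential stuffing against
a VPN that lacks MFA, then PsExec lateral movement.

Added example, not CDK's, BlackSuit's, or the article's code. The VPN log
format, the Windows event records, and every host, account, and IP address
below are constructed for the demo; wire the parsers to your own VPN and
Windows System log sources. PsExec's service name (PSEXESVC) and Windows
Event ID 7045 (service installed) are real; the rest is illustrative.
"""
import re
from collections import defaultdict

# Constructed VPN authentication log: one source IP sprays five accounts,
# then lands on a service account that has no MFA enrolled.
VPN_LOG = """\
2024-06-18T02:14:01Z vpn01 auth user=j.smith src=198.51.100.23 result=FAIL
2024-06-18T02:14:02Z vpn01 auth user=a.jones src=198.51.100.23 result=FAIL
2024-06-18T02:14:03Z vpn01 auth user=r.patel src=198.51.100.23 result=FAIL
2024-06-18T02:14:04Z vpn01 auth user=k.wong src=198.51.100.23 result=FAIL
2024-06-18T02:14:05Z vpn01 auth user=d.garcia src=198.51.100.23 result=FAIL
2024-06-18T02:14:09Z vpn01 auth user=svc_backup src=198.51.100.23 result=SUCCESS mfa=none
2024-06-18T08:02:11Z vpn01 auth user=m.lee src=203.0.113.8 result=SUCCESS mfa=push
"""

# Constructed Windows System log records (Event ID 7045 = a service was installed).
WIN_EVENTS = [
    {"host": "DC01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe", "user": r"CORP\svc_backup"},
    {"host": "FS02", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe", "user": r"CORP\svc_backup"},
    {"host": "WS17", "event_id": 7045, "service_name": "MyVendorUpdater",
     "image_path": r"C:\Program Files\Vendor\updater.exe", "user": "SYSTEM"},
]

VPN_RE = re.compile(
    r"(?P<ts>\S+) \S+ auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>\w+)(?: mfa=(?P<mfa>\S+))?"
)


def detect_credential_stuffing(log: str, min_users: int = 5) -> list[dict]:
    """Flag a source that fails against many distinct accounts and then succeeds,
    and separately flag any successful VPN login that completed without MFA."""
    failed_users = defaultdict(set)   # src ip -> set of accounts it failed against
    alerts = []
    for line in log.splitlines():
        m = VPN_RE.match(line)
        if not m:
            continue
        src, user, result, mfa = m["src"], m["user"], m["result"], m["mfa"]
        if result == "FAIL":
            failed_users[src].add(user)
        elif result == "SUCCESS":
            if len(failed_users[src]) >= min_users:
                alerts.append({"rule": "credential_stuffing_then_success", "src": src,
                               "user": user, "failed_users": len(failed_users[src])})
            if mfa in (None, "none"):
                alerts.append({"rule": "vpn_login_without_mfa", "src": src, "user": user})
    return alerts


def detect_psexec(events: list[dict], min_hosts: int = 2) -> list[dict]:
    """Flag an account that installs the PsExec service (PSEXESVC) on several hosts,
    the lateral-movement pattern described in the CDK section."""
    hosts_by_user = defaultdict(set)
    for ev in events:
        if ev["event_id"] == 7045 and ev["service_name"].upper() == "PSEXESVC":
            hosts_by_user[ev["user"]].add(ev["host"])
    return [
        {"rule": "psexec_lateral_movement", "user": user, "hosts": sorted(hosts)}
        for user, hosts in hosts_by_user.items()
        if len(hosts) >= min_hosts
    ]


if __name__ == "__main__":
    for alert in detect_credential_stuffing(VPN_LOG) + detect_psexec(WIN_EVENTS):
        print(alert)
```

The `vpn_login_without_mfa` rule is the one that would have mattered most here: a VPN that cannot emit an MFA result for a successful login is a VPN where stolen passwords are sufficient. Note that PsExec can be renamed and the service name changed, so the 7045 match is a floor, not a ceiling; pairing it with the spike in distinct hosts per account catches renamed copies as well.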
HealthEquity Data Breach via Third-Party Cloud Provider
Attackers gained access to roughly 4.3 million people's personally identifiable information (PII) from HealthEquity by compromising a third-party partner's account. The initial breach stemmed from stolen credentials: using the third-party vendor's account credentials, the attackers were able to reach the data repository holding HealthEquity's records.
This is the second incident on this list in which stolen credentials opened the door. Social engineering and phishing are among the most common factors in data breaches: Verizon's Data Breach Investigations Report finds the human element involved in roughly 60% of breaches each year. You can do everything possible to protect your own organization's credentials, but the HealthEquity breach shows the risk you inherit from the credentials a third party holds on your behalf.
Retail and Hospitality Sectors Hit Hard by Vendor Breaches
The retail and hospitality sectors are worth almost $10 trillion, so it is no surprise that they are favored targets for cybercriminals. Stolen credentials from retail sites let attackers take over customer accounts to place fraudulent orders, harvest stored payment details, or collect other sensitive information.
In June 2025, United Natural Foods Inc., the primary distributor for Whole Foods, suffered a cyberattack. The attack has been linked to Scattered Spider, a large, loosely organized cybercrime collective. Its members rely mainly on phishing and social engineering, particularly against help desks, and newer members use whatever techniques they can to prove themselves to the wider group. After breaching an environment, they deploy ransomware and extort the business. Some companies have reportedly been extorted for eight-figure sums, totaling $66 million so far, before being given back access to their data.
United Natural Foods distributes products to several national food and hospitality organizations, but the attack forced it to halt its digital workflows and fall back to manual order processing. Customers were left with bare shelves and, for some necessary items, no alternatives at all. Because a ransomware payload is destructive by design, these attacks highlight the importance of disaster recovery. Hitting a retail supply chain has a domino effect: one compromised distributor affects many stores across multiple locations and potentially thousands of consumers.
What Can You Do to Avoid Being a Victim?
To avoid becoming a victim, organizations must improve their own resiliency. Risk management teams ask vendors for their disaster recovery procedures so that a vendor's outage or breach does not interrupt their own productivity, but this alone does not protect an organization entirely. A supply chain attack can originate at the vendor immediately above the end retailer or several layers further up the chain.
For vendors to lower their risk of productivity and data loss, they must have cyber resilience in place. This means having backups and disaster recovery solutions that quickly restore data after an incident. Distributors must have a way to regain productivity to avoid affecting their customers, which could result in long-term revenue loss and permanent damage to their reputation.
While no solution or cybersecurity vendor can guarantee immunity from cyberattacks, CyberSentriq focuses on making full recovery fast and dependable. Our backup and recovery solution is a scalable, multi-tenant, cloud-first platform whose features include:
InstantData™: Recovery from backup is instant, ensuring that ransomware does not impact operations. CyberSentriq ensures rapid, ransomware-resilient recovery across all environments.
Malware-prevention: The platform features built-in malware detection to ensure that your recovered data does not infect your network.
Scalability: Our cloud-first solution grows with your data as it expands.
Easy to use: A single-pane-of-glass approach provides a user-friendly interface.
Untouchable backups: Air-gapped and immutable, these backups are isolated from the organization’s live environment, ensuring that ransomware can’t corrupt or delete them.