Supply Chain Breaches Up 68% Year Over Year, According to DBIR

Published: 23/11/2024   Category: security




As Verizon Business redefines supply chain breach, it could either help organizations address third-party risk holistically or just conflate and confuse.



Breaches resulting from a third party were up 68% last year, primarily due to software vulnerabilities exploited in ransomware and extortion attacks.
Supply chain breaches have been on the rise for some time now. According to Verizon's latest Data Breach Investigations Report (DBIR), that rise has been extra steep in recent months. Some 15% of all breaches in 2023 involved a third party, a marked increase from 9% in 2022. Those figures have as much to do with accounting as attacking, though.
In this year's DBIR, Verizon Business expanded its definition of supply chain breach to include not just compromises through vendors (e.g., Target in 2013), data custodians (MOVEit), and software updates (SolarWinds), but also vulnerabilities in third-party software.
Exploited vulnerabilities were, in fact, the most common Vocabulary for Event Recording and Incident Sharing (VERIS) action tracked as part of the DBIR's supply chain metric, followed by backdoors/command-and-control (C2) and extortion. "Last year in the ransomware space, we saw — whether they're researching them themselves, or buying them — [threat actors] got their hands on so many zero-day vulnerabilities," says Alex Pinto, associate director of threat intelligence at Verizon Business and co-author of the DBIR.
But should attacks like these be considered a supply chain issue? Could organizations benefit from conflating all of these different vectors of attack together?
Of third-party bugs, Pinto recalls, "As we looked into it, we thought this looked like it might be not just a vulnerability management problem, but a vendor management problem in some ways. That's when we decided: How about we try to look at this holistically?"
To the DBIR team, addressing bugs is bigger than just patching whenever they might arise. It's about how organizations choose and engage with their vendors. No organization can prevent every potential vulnerability in the software it uses, but vendors do leak certain kinds of signals that might indicate their worthiness.
For example, Pinto says, "We've been getting more external signals recently when you think about the work that the SEC is doing. Now, when something really bad happens, [vendors] have to tell the SEC. So that gives us more signals about: Are they doing a good job or not?"
In its report, Verizon Business recommended that organizations start looking at ways of making better choices so as to not reward the weakest links in the chain. The consequences of making the wrong choices will inevitably be more vulnerabilities to deal with down the line.
"There are things we can control and things we cannot control in the vendor management process. So we have to take into account those kinds of external signals, and how we can use that to improve our posture and encourage our vendors to have better posture," Pinto says.
