Black Kite’s 2026 Third-Party Breach Report Identifies Risk Concentration as the Primary Catalyst for Global Cascading Failures
Third-party breaches scaled because impact cascaded faster than disclosure, baseline control gaps stayed repeatable, and the most relied-upon vendors remained structurally exposed
BOSTON, March 3, 2026 /PRNewswire/ — Black Kite, the leader in third-party cyber risk management, today announced the release of its seventh annual Third-Party Breach Report, which analyzes third-party data breaches in 2025, including how they occurred, organizational impact, and structural conditions shaping third-party cyber risk at scale. The report found 136 unique major incidents, affecting 719 companies, plus an estimated 26,000 additional impacted companies that were not officially named.
Black Kite Logo (PRNewsfoto/Black Kite)
“Traditional third-party risk management is not keeping pace with the reality of today’s threats,” said Ferhat Dikbiyik, Chief Research & Intelligence Officer, Black Kite. “Over the past year, these risks have transformed from a series of isolated accidents into a systematic crisis. The Black Kite Research Group took a deep dive into the supply chain, and from our findings, we can forget about the ‘weakest link.’ Supply chains are actually most fragile at their highest points of connection. Knowing this, it’s imperative that security teams understand where risk enters, where it concentrates, and how it propagates, and to get there, they need to shift toward active intelligence and systematic awareness.”
Black Kite’s report examines the supply chain’s interconnectedness and vulnerabilities by evaluating last year’s key third-party breach events and dominant trends, the cyber posture of approximately 200,000 monitored companies on the Black Kite platform, and the concentration risk among the top 50 most relied upon third parties within the Forbes Global 2000 ecosystem.
2025 Incidents and Impact 2025 saw a surge in verified incidents with 136 major events. However, what stood out is not that companies were breached, but rather, a significant “shadow layer” emerged behind aggregate disclosures. In fact, while 719 companies were publicly named as victims, approximately 26,000 additional impacted companies were affected but never publicly named. At the individual level, publicly disclosed figures point to 433 million impacted people.
In 2025, we saw an average of 5.28 downstream victims per third-party breach, the highest level observed to date (2.56 in 2024, 3.09 in 2023, 4.73 in 2022, and 2.46 victims per incident in 2021). This uptick reflects a sharp increase in the scale and coordination of attacks, driven by threat actors targeting shared platforms, centralized services, and high-dependency vendors. As attackers move upstream, single compromises increasingly translate into multi-company impact.
The visibility gap is further exacerbated by a persistent “Silent Window”: while the median time to detect an intrusion was 10 days, the median delay to disclose that breach to the public was 73 days. This delay represents a massive transfer of risk from the vendor to the unsuspecting downstream customer.
Key findings include:
Verified incidents surged to 136 events, with 719 named victim companies, and a much larger hidden layer behind aggregate disclosures
Publicly disclosed impact reached 433 million people, while vendors reported approximately 26,000 additional affected companies without naming them
Detection is slow, disclosure is slower, with median detection at 10 days (79 events with timeline data) and median disclosure lag of 73 days (average 117)
What the Third-Party Ecosystem Looks Like Across a baseline of approximately 200,000 monitored organizations, randomly selected to understand the current state of the industry, the ecosystem appears healthy on paper with an average Cyber Grade of 90.27 (A). While a high average grade indicates that many organizations meet standard control expectations and compliance checklists, it does not guarantee that the ecosystem is resilient under real-world pressure. Third-party risk scales through common failure modes and dependency structures, so ecosystems can look strong in aggregate while remaining fragile in the specific places attackers repeatedly exploit.
For instance, the reality of the terrain is defined by repeatable weaknesses. Over 53% of organizations have at least one critical vulnerability, and 23% have corporate credentials circulating on the dark web. This creates “Pressure Zones,” particularly in manufacturing and professional services, where high susceptibility and weak discipline overlap. Notably, these sectors have been the top two hit by ransomware for four consecutive years. Education is another high-pressure sector. This is not driven by attack sophistication, but by chronic exposure. High credential leakage, inconsistent patch discipline, and operational constraints combine to create environments where compromise is easier to initiate and harder to contain.
On the other hand, finance presents a different pattern. Ransomware Susceptibility Index® (RSI™) scores remain materially lower because sustained governance pressure forces tighter control over identity, patching, and exposure management. Regulatory frameworks and continuous audit expectations raise the cost of negligence and shorten tolerance for unresolved weaknesses.
Key findings include:
Across nearly 200,000 monitored organizations, the ecosystem appears healthy on paper, with an average Cyber Grade 90.27 (A), yet failure signals are widespread – 53.77% have at least one critical vulnerability, and 23.34% have corporate credentials circulating on the dark web.
The ecosystem is not uniformly risky, with manufacturing and professional services sitting in the pressure zone with high Ransomware Susceptibility and weak patch discipline, while finance trends toward a more controlled profile.
The Concentration Risk Crisis: Top 50 Shared Vendors The top 50 vendors shared by the Forbes Global 2000 represent not only a concentrated point of failure, but also, threat actors know they are the “master keys” to some of the world’s largest organizations, so they are hunting them aggressively.
Of utmost concern is that these vendors maintain a lower average Cyber Grade (83.9, B) than the ecosystem at large, and a staggering 70% of them have at least one vulnerability currently listed in the CISA KEV catalog. With 62% of them showing corporate credentials in stealer logs, this sensitive information is already circulating on the dark web.
Key findings include:
70% have at least one CISA KEV exposure, and 84% have critical vulnerabilities (CVSS ≥ 8)
80% show phishing URL exposure, and 40% show active targeting signals
62% have corporate credentials exposed in stealer logs, and 30% have breached credentials in the last 90 days
52% have a breach history, with 18% in the last year
Methodology The findings in this report are the result of a multi-source, intelligence-led investigation conducted by the Black Kite Research Group. Black Kite combined verified public breach disclosures with the company’s external cyber risk telemetry and supply chain intelligence to analyze how third-party data breaches emerged, propagated, and concentrated across the ecosystem throughout 2025. The report covers third-party data breach events disclosed between January 1, 2025, and December 31, 2025. The breach dataset is limited to verified, publicly disclosed incidents and is designed to reflect what can be substantiated from reliable reporting and primary disclosures.
About Black Kite Black Kite is the AI-native third-party cyber risk management platform trusted by over 3,000 customers to manage every supplier and every risk across their extended ecosystem. Powered by the industry’s highest-quality risk intelligence, spanning over 40 million companies, Black Kite is differentiated by the accuracy, transparency, and actionability of its data. The platform automates vendor monitoring and risk assessments, surfacing reliable insights into ransomware susceptibility, regulatory gaps, financial exposure, and more. With Black Kite, security and risk teams gain always-on visibility and trusted intelligence to act early, reduce exposure, and stay ahead of third-party threats. Black Kite has received numerous industry awards and recognition from customers. Learn more at www.blackkite.com, or on the Black Kite blog.
