A Black Kite report analyzing 136 major third-party breaches finds the actual impact is far larger than reported: roughly 26,000 additional organizations and up to 433 million individuals were affected. On average, each breach had 5.28 downstream victims. A critical visibility gap exists — while median breach detection took 10 days, public disclosure lagged 73 days, transferring risk to unsuspecting downstream organizations. Over 54% of monitored organizations have at least one critical vulnerability, and 23% have credentials on the dark web. Adversaries are increasingly targeting mid-sized companies within larger ecosystems after researching vendor relationships. Most attacks could be prevented through basic patch management and MFA. AI is accelerating attacker capabilities, including AI-driven ransomware negotiations, while defenders are still catching up.

From securityboulevard.com