Background and context
A new analysis highlighted by Infosecurity Magazine points to a troubling reality behind third-party breaches: the public victim count often captures only a fraction of the real damage. According to cyber risk firm Black Kite, roughly 26,000 unnamed organizations were exposed through 136 third-party breaches, forming what it calls a hidden or “shadow layer” of downstream victims [1].
The idea is straightforward but serious. When a software vendor, managed service provider, payroll processor, file-transfer platform, or cloud-based business service is compromised, the direct victim is only the first link in the chain. Customers, partners, and clients that rely on that provider may also face data exposure, credential theft, operational disruption, or regulatory headaches, even if their own networks were never directly hacked [1].
This pattern has been visible for years. The 2013 Target breach was traced to credentials stolen from an HVAC contractor, showing how supplier access can open the door to a much larger compromise [2]. In 2017, NotPetya spread through a compromised software update channel and caused global collateral damage well beyond the initial target set [3]. SolarWinds in 2020 demonstrated how tampered software updates could reach government agencies and major enterprises [4]. Kaseya in 2021 showed how attackers could weaponize remote management tools used by managed service providers to hit many downstream customers at once [5]. More recently, mass exploitation of MOVEit Transfer exposed data across hundreds of organizations that shared the same third-party file-transfer platform [6].
Black Kite’s finding fits neatly into that history. The core message is not that 26,000 organizations were all breached in one single campaign. Rather, it suggests that the visible breach narrative around third-party incidents often understates the true blast radius by a very large margin [1].
What the “shadow layer” means in technical terms
The “shadow layer” refers to indirect victims: organizations affected because they depend on a compromised supplier or service provider. In practice, that can happen in several ways.
One common route is through stolen vendor credentials or remote access. If a supplier has privileged access into customer environments for maintenance, billing, support, or IT administration, attackers can use that trust relationship to move downstream. This was one of the lessons from the Target case, where third-party access became a stepping stone [2].
Another route is software supply-chain compromise. In the SolarWinds case, attackers inserted malicious code into Orion software updates, turning a trusted update mechanism into a delivery channel for espionage malware [4]. Customers installed what appeared to be legitimate software, but the trust chain had already been compromised.
A third route involves shared platforms and multi-tenant services. The MOVEit incidents are a clear example: exploitation of vulnerabilities in a widely used file-transfer product allowed attackers to steal data from many organizations that relied on the same service or appliance [6]. The same logic applies to HR systems, legal service providers, cloud storage platforms, customer support portals, and identity integrations.
Managed service providers create another concentration point. When an MSP or remote management platform is compromised, one intrusion can fan out into dozens or hundreds of customer environments. CISA has repeatedly warned that MSPs are attractive targets because of the scale and privileged access they offer attackers [7].
Importantly, the Black Kite figure appears to be an aggregated risk finding across 136 separate third-party breaches, not a single vulnerability or malware family [1]. That means there may be no single CVE, no single threat actor, and no single set of indicators of compromise. The technical takeaway is broader: modern organizations are deeply dependent on external software, services, and data processors, and each dependency can multiply exposure.
This is also why traditional breach accounting often falls short. A vendor may disclose its own incident, but not all downstream customers will immediately know whether their data, systems, or users were affected. Some may learn only after forensic review, regulator inquiries, legal notifications, or extortion leak postings. Others may never be publicly named at all [1][7].
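The propagation described above can be made concrete with a dependency graph. The following is an added illustration, not analysis or code from Black Kite or the article: a constructed supplier graph (placeholder names, including a supplier that itself depends on another supplier) is walked to enumerate every organisation transitively exposed by a breached vendor, and the "shadow layer" is the exposed set minus whoever was publicly named.

```python
from collections import deque

# Constructed dependency graph (illustrative placeholders, not real organisations):
# organisation -> suppliers it relies on for data, identity, or remote access.
DEPENDENCIES = {
    "acme-retail":    ["payroll-co", "file-xfer-saas"],
    "beta-clinic":    ["msp-one"],
    "gamma-law":      ["file-xfer-saas", "msp-one"],
    "delta-bank":     ["identity-idp"],
    "msp-one":        ["rmm-platform"],   # an MSP that runs a remote-management tool
    "payroll-co":     ["identity-idp"],   # a payroll processor that federates to an IdP
    "file-xfer-saas": [],
    "rmm-platform":   [],
    "identity-idp":   [],
}


def dependents_of(graph):
    """Invert the graph: supplier -> set of organisations that depend on it."""
    rev = {}
    for org, suppliers in graph.items():
        for supplier in suppliers:
            rev.setdefault(supplier, set()).add(org)
    return rev


def downstream_victims(graph, breached):
    """Every organisation transitively exposed by one breached supplier (BFS)."""
    rev = dependents_of(graph)
    seen, queue = set(), deque([breached])
    while queue:
        current = queue.popleft()
        for dependent in rev.get(current, ()):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen


def shadow_layer(graph, breaches, named_victims):
    """Exposed organisations across all breaches that no public report has named."""
    exposed = set()
    for breached in breaches:
        exposed |= downstream_victims(graph, breached)
    return exposed - set(named_victims)
```

Running it on the sample graph shows why a two-name headline (the RMM vendor and the MSP) understates the exposure: the clinic, the law firm and the retailer are all downstream yet unnamed.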
Why the real victim count is often hidden
Public breach disclosures tend to focus on the entity that was directly compromised. That makes sense from a reporting standpoint, but it can obscure the broader consequences. A payroll provider might be breached, yet the real impact lands on every employer whose employee records were stored there. A law firm compromise may spill into client confidentiality issues. A cloud identity integration problem can expose email, files, and tokens belonging to many separate organizations.
ENISA has repeatedly described supply-chain attacks as high-impact because they exploit trust relationships and shared dependencies rather than targeting one organization at a time [8]. Verizon’s Data Breach Investigations Report has also noted the role of third-party involvement in breaches, reinforcing that many organizations are affected through partners and suppliers rather than direct compromise alone [9].
The result is a visibility problem. Security teams may have mature controls inside their own network and still lack a complete map of the external services that process sensitive data or connect into internal systems. That blind spot is where the “shadow layer” lives.
Impact assessment
The Black Kite estimate suggests that the scope of downstream exposure is potentially enormous. If 26,000 organizations were linked to 136 third-party breaches, the average hidden victim count per incident is significant, though the real distribution is likely uneven, with a small number of highly connected providers accounting for a large share of downstream impact [1].
Who is affected? Potentially any organization that outsources critical business functions or depends on shared software and service providers. That includes enterprises, small and midsize businesses, healthcare providers, financial firms, schools, retailers, law firms, and government bodies. In many sectors, third-party dependence is unavoidable.
Severity varies by incident type. In some cases, the impact may be limited to data exposure such as names, addresses, payroll details, health information, or account records. In others, the risk is more severe: stolen credentials, unauthorized access into internal systems, ransomware deployment, business interruption, legal liability, and mandatory notification obligations. For regulated sectors, a third-party breach can trigger compliance issues even if the organization was only indirectly affected.
The systemic risk angle matters as well. Concentration around a few dominant SaaS platforms, MSPs, file-transfer tools, and identity services means one compromise can ripple across thousands of customers. That turns a vendor incident into a business continuity problem for entire sectors. From a board and insurer perspective, this is no longer just a vendor management issue; it is a core operational resilience issue [7][8].
There is also a reputational consequence. Customers generally do not distinguish much between a company that was directly breached and one that exposed their data through a supplier. If your records were lost because a third party mishandled them, the trust damage still lands on your organization.
How to protect yourself
Organizations cannot eliminate third-party risk, but they can reduce the odds that a supplier breach becomes their breach.
1. Build a real third-party inventory.
Know which vendors process sensitive data, host critical workflows, or have network, identity, API, or administrative access. Many companies track procurement relationships but not technical dependencies. Those are not the same thing.
2. Rank vendors by access and impact.
Not every supplier needs the same level of scrutiny. Focus first on providers with privileged access, sensitive data holdings, or a role in identity, remote management, finance, HR, legal operations, backups, and file transfer.
3. Enforce least privilege for vendors.
Limit third-party access to only what is necessary, segment it, and review it regularly. Remove dormant accounts quickly. Require phishing-resistant MFA for supplier access wherever possible [7].
4. Review contracts and notification terms.
Make sure vendors are required to disclose security incidents promptly, preserve logs, support investigations, and meet minimum security controls. Delayed notification can turn a manageable issue into a crisis.
5. Monitor supplier exposure continuously.
Annual questionnaires are not enough. Track vendor breach reports, exposed services, leaked credentials, and major advisories affecting software in your dependency chain. CISA and ENISA guidance on supply-chain security can help shape this process [7][8].
6. Prepare for downstream incident response.
Your response plan should include third-party breach scenarios: who assesses impact, who contacts the vendor, how tokens and credentials are rotated, what systems are isolated, and when legal or regulatory teams are engaged.
7. Reduce trust in shared integrations.
Audit OAuth apps, API keys, service accounts, and federated identity connections. These often persist quietly for years and can become a hidden route into data or email systems. Protect sensitive communications and remote access with strong encryption and access controls where appropriate.
8. Back up and segment critical systems.
If a vendor compromise leads to ransomware or destructive activity, segmentation and tested offline backups can limit the damage.
9. For individuals:
Watch for breach notices from employers, healthcare providers, schools, and service providers. Reset passwords if notified, enable MFA, monitor financial and medical accounts, and consider extra precautions when using public networks, such as a trusted VPN service.
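Steps 1 to 3 and 7 above (inventory the technical dependency, rank by access and data impact, flag dormant access and weak MFA) can be scripted against an inventory. The following is an added example and not code from the article or any vendor: the weights, the 90-day dormancy threshold and the vendor records are constructed assumptions, to be replaced with an organisation's own inventory and policy.

```python
from datetime import date

# Constructed vendor inventory (placeholder names): each record captures the
# technical dependency (access type, data held, MFA, last use), not just the contract.
VENDORS = [
    {"name": "payroll-co",     "access": ["api"],             "data": "pii",       "mfa": "fido2", "last_used": date(2024, 5, 2)},
    {"name": "msp-one",        "access": ["admin", "remote"], "data": "internal",  "mfa": "sms",   "last_used": date(2024, 5, 1)},
    {"name": "file-xfer-saas", "access": ["api"],             "data": "regulated", "mfa": "none",  "last_used": date(2023, 11, 9)},
    {"name": "swag-printer",   "access": [],                  "data": "public",    "mfa": "none",  "last_used": date(2022, 1, 15)},
]

# Illustrative weights, not a published standard: privileged and identity access
# and regulated data dominate the ranking.
ACCESS_WEIGHT = {"admin": 5, "identity": 5, "remote": 4, "api": 3}
DATA_WEIGHT = {"regulated": 5, "pii": 4, "internal": 2, "public": 0}
PHISHING_RESISTANT = {"fido2", "webauthn", "piv"}


def risk_score(vendor):
    """Rank by what the supplier can reach plus what it holds."""
    access = sum(ACCESS_WEIGHT.get(a, 1) for a in vendor["access"])
    return access + DATA_WEIGHT[vendor["data"]]


def findings(vendor, today, dormant_days=90):
    """Least-privilege checks: access unused past the threshold, or MFA that is not phishing-resistant."""
    out = []
    if vendor["access"]:
        if (today - vendor["last_used"]).days > dormant_days:
            out.append("dormant-access")
        if vendor["mfa"] not in PHISHING_RESISTANT:
            out.append("weak-mfa")
    return out


def review(vendors, today):
    """Inventory sorted highest-risk first, each with its open findings."""
    rows = [{"name": v["name"], "score": risk_score(v), "findings": findings(v, today)}
            for v in vendors]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in review(VENDORS, date(2024, 6, 1)):
        print(f"{row['score']:>3}  {row['name']:<15} {', '.join(row['findings']) or 'ok'}")
```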
The bigger lesson
Black Kite’s “shadow layer” estimate is a useful warning that the public story around supply-chain attacks is often incomplete. The named victim in a breach may be only the visible center of a much larger web of exposure. For defenders, that means security can no longer be measured only at the network perimeter or by internal controls. It must also account for the vendors, platforms, and service providers that quietly hold data, credentials, and operational access on an organization’s behalf [1][7][8].
As supply-chain attacks continue to exploit trust at scale, the organizations that fare best will be the ones that know their dependencies, limit third-party privilege, and plan for the day a supplier becomes the weakest link.