Scaling Securely: Managing Third-Party and Supply Chain Risk as Your Business Grows

In April 2025, one of Britain’s most beloved retailers was brought to its knees not through a direct assault on its own systems, but through a trusted third-party contractor. Marks & Spencer watched its online platform shut down for six weeks and its warehouses fall into manual chaos, while its share price dropped sharply enough to erase more than £650 million in market value within days, with the total erosion surpassing £1 billion over the weeks that followed. Three months later, on the other side of the world, Allianz Life Insurance disclosed that personal data belonging to the majority of its 1.4 million U.S. customers had been stolen, not through its own systems, but through a third-party CRM platform to which an attacker had socially engineered an employee into granting access.

What links both incidents is not the method. It is the path. In each case, the attacker entered through something already trusted inside the perimeter: a contractor’s credentials in one, a cloud CRM platform in the other. And in each case, the consequences were measured not in data packets, but in hundreds of millions of dollars, millions of exposed customers, and reputations that will take years to fully recover.

This is the defining business risk of our era. As enterprises grow (adding vendors, outsourcing functions, integrating software ecosystems), the surface area of their exposure grows in parallel. Third-party and supply chain risk is no longer a niche IT concern. It is a board-level imperative and, increasingly, a matter of personal executive accountability.

The Risk Your Perimeter Cannot See

The average large organization today maintains hundreds of active vendor relationships (cloud providers, SaaS platforms, CRM systems, payroll processors, logistics partners, outsourced service centres), each carrying some degree of access to sensitive data or critical systems. Attackers have taken notice. Recognizing that large organizations invest heavily in their own defenses, sophisticated threat actors have systematically pivoted to the path of least resistance: the supplier, the contractor, the cloud platform that already holds trusted access.

The numbers reflect this shift decisively. In 2025, supply chain attacks nearly doubled year-over-year, with 136 major third-party breach events producing an average of 5.28 downstream victims per incident, the highest multiplier ever recorded, according to Black Kite’s 2025 Third-Party Breach Report. Verizon’s 2025 Data Breach Investigations Report confirms that 30% of all breaches now involve a third party. The frequency is no longer exceptional. It is routine. And the consequences (financial loss, regulatory exposure, reputational damage) land on organizations that invested in their own defenses but had not extended that discipline to their wider ecosystems.

Attackers no longer break through your walls. They walk through the door you left open for a vendor — using access that looked completely legitimate.

Marks & Spencer – When a Contractor’s Credentials Become a Crisis

In April 2025, the Scattered Spider criminal group, the same network responsible for the 2023 breaches of MGM Resorts and Caesars Entertainment, compromised M&S through social engineering: manipulating individuals linked to a third-party contractor into surrendering login credentials. From that foothold, the attackers deployed DragonForce ransomware across M&S’s digital infrastructure, warehouse management, and supply chain coordination systems. M&S’s own security investment, which had been substantial, could not compensate for a gap left by an inadequately governed partner relationship.

Entry point: Social engineering targeting credentials linked to a third-party contractor
Operational hit: Online sales suspended for six weeks; warehouses fell back to manual operations; food shelves ran bare
Operating profit: ~£300M impact on operating profit in 2025/26, as officially guided by M&S (May 2025 full-year results)
Incident costs: £101.6M in direct costs (£82.7M for recovery and response; £18.9M third-party costs); £100M offset by cyber insurance
Market cap: Over £650M erased in the initial days; total market cap erosion exceeded £1 billion over the following weeks
Consumer impact: Online fashion, home & beauty sales fell 42.9% in H1 2025/26; competitor Next upgraded profit forecasts four times, explicitly citing “competitor disruption”
CMC classification: Attacks on M&S and Co-op jointly assessed by the UK Cyber Monitoring Centre as a single Category 2 combined cyber event (June 2025)

The operational fallout was immediate and severe. M&S’s digital platform, a strategic growth engine accounting for a significant share of clothing and homeware revenue, went offline for six weeks. Suppliers and logistics partners who depended on M&S’s coordination systems absorbed knock-on disruptions of their own. The company was forced to compress a planned technology overhaul into a six-month crisis programme, adding unplanned capital expenditure on top of the £300 million operating profit impact officially disclosed in its May 2025 results.

The most instructive detail for any executive is this: M&S’s own defenses were not the primary failure point. The failure was insufficient governance over third-party access. No amount of internal investment fully compensates for unmanaged risk in your extended ecosystem, a reality that Allianz Life would learn in almost identical fashion three months later.

Allianz Life – 1.4 Million Records Stolen Through a Cloud CRM Vendor

On July 16, 2025, a threat actor gained access to a third-party cloud-based CRM system used by Allianz Life Insurance Company of North America, not by breaching Allianz’s own infrastructure, but by socially engineering an employee through a voice phishing (“vishing”) call impersonating IT helpdesk staff. Once inside the CRM environment with insider-level access, the attacker used Salesforce’s own Data Loader tool to bulk-export customer records. The breach is widely attributed to ShinyHunters and is linked to a broader campaign that targeted dozens of organizations using the same CRM platform during 2025. Allianz detected the intrusion within 24 hours and notified the FBI, but by then the data was already gone.

Timeline: July 16, 2025 (intrusion); detected July 17; publicly disclosed July 26, 2025
Entry point: Third-party cloud-based CRM platform (reported as Salesforce); social engineering via voice phishing (“vishing”) impersonating the IT helpdesk to manipulate an employee into granting access
Customers exposed: Majority of 1.4 million Allianz Life customers, plus financial professionals and select employees; data included names, addresses, dates of birth, Social Security numbers, and policy identifiers
Not compromised: Allianz Life’s internal network and core policy administration system were not directly compromised; no evidence of access to core insurance infrastructure
Threat actor: Widely attributed to ShinyHunters by security researchers; part of a broader Salesforce-targeting campaign linked to UNC6040 with overlapping social engineering tactics
Prior warnings: Salesforce publicly warned in March 2025 about UNC6040 targeting its CRM platform; Mandiant amplified the warning in the weeks before the Allianz breach, naming ShinyHunters’ Salesforce campaign
Broader campaign: The same Salesforce-targeting campaign also affected Google, Cisco, Adidas, Chanel, and others throughout 2025: a coordinated effort against shared CRM infrastructure across industries

The Allianz Life breach carries a dimension that no executive team can afford to ignore: it was forewarned. Salesforce had publicly warned in March 2025 that threat actor UNC6040 was actively targeting its CRM platform through social engineering. Mandiant amplified the warning in the weeks before the Allianz breach, identifying ShinyHunters’ systematic campaign against Salesforce environments. The threat actor was named. The technique was named. The platform was named. Yet the governance structures needed to rapidly audit and harden third-party CRM access, and to train staff to recognise vishing calls that impersonate the IT helpdesk, were not in place when the call arrived. Warnings are only useful when the operational response infrastructure is already in place.

The downstream risk from the exposed data compounds the initial breach. The records, including Social Security numbers, dates of birth, and policy identifiers, are precisely the material needed for identity fraud, targeted phishing, and policy impersonation attacks against Allianz Life’s customers. Class-action lawsuits were filed in U.S. federal courts within days of disclosure. The breach did not end when the compromised CRM was contained. It created an extended tail of secondary exposure, legal liability, and customer remediation that will take years to resolve.

Same Playbook, Different Industry – The Threat Has No Sector Boundary

What makes the pattern that emerged in 2025 particularly alarming is not just its frequency, but its consistency. The same social engineering tactics and the same entry point, a third-party platform with trusted access to customer data, were used against organizations in entirely different industries, on opposite sides of the world. From British retail in April to American insurance in July, attackers used the same playbook almost verbatim. And it worked again.

Salesforce warned about this exact attack pattern months before Allianz Life was breached. The attack happened anyway. Warnings are not protection. Governance is.

The Executive Response: Six Priorities That Move the Needle

Both M&S and Allianz Life expose the same governance gap: leadership structures that had not made third-party risk a first-order operational priority. Annual vendor questionnaires, contracts without security requirements, and boards without regular supply chain visibility are no longer adequate. Regulators agree. The SEC’s cyber disclosure rules, the EU’s NIS2 Directive, and DORA across financial services all signal the same direction: executive accountability for third-party risk is being enforced, not merely expected.

  1. Map your ecosystem completely. Build a full, current inventory of every vendor relationship and the access each holds including cloud platforms, SaaS integrations, and outsourced or subcontracted services. What you cannot see, you cannot govern. Treat this as a living document, not a one-time exercise.
  2. Embed security requirements in every contract. Specify minimum standards, breach notification timelines, audit rights, and termination clauses before signing. Allianz Life’s CRM vendor held personal data for over a million customers; the security obligations governing that relationship should have matched the exposure it created.
  3. Enforce least-privilege access everywhere. Every vendor and third-party platform should hold only the access it actively needs, and only approved client applications should be able to pull data from it in bulk. Multi-factor authentication resistant to social engineering (phishing-resistant methods such as FIDO2/WebAuthn, not SMS codes) must be mandatory on every privileged vendor connection.
  4. Monitor third-party activity in real time. Granting a vendor access without monitoring what they do inside your systems is issuing a building pass and removing all the cameras. Behavioral anomalies are your early warning system but only if you’re watching.
  5. Build rapid-response capability for external threat alerts. Salesforce publicly warned about this exact attack pattern months before Allianz Life was breached, and Mandiant amplified the warning in the weeks before it happened. Organizations with mature vendor risk programmes can audit, restrict, and harden third-party access within hours of a credible threat alert. That capability requires investment before the warning arrives.
  6. Put third-party risk on the board agenda. Regular CISO reporting to the board on vendor posture, active supply chain threats, and remediation priorities is now a regulatory expectation and a governance necessity. When things go wrong, boards are accountable. Visibility is non-negotiable.
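The technique in the Allianz Life account above (a legitimate user session driving a bulk-export tool against the CRM) and priority 4 (watch third-party activity for behavioural anomalies) can be made concrete with a small detector. What follows is an added example written for this page, not code from the article, from Allianz, or from Salesforce. The log format is a simplified, constructed CSV rather than Salesforce’s real Event Monitoring schema, and the sample lines, per-user baselines, known-application lists and thresholds are all assumptions chosen to illustrate the three signals a practitioner would combine: a client application the user has never used, a single query far above the user’s historical median, and total rows in a rolling hour exceeding a hard ceiling.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample log (NOT a real CRM export schema): one line per query,
# with the client application that issued it and the rows it returned.
SAMPLE_LOG = """\
timestamp,user,client_app,rows
2025-07-16T08:02:11Z,analyst1,CRM Web UI,40
2025-07-16T08:15:40Z,analyst1,CRM Web UI,25
2025-07-16T09:01:03Z,analyst2,Reports,500
2025-07-16T10:11:52Z,analyst1,CRM Web UI,30
2025-07-16T13:04:09Z,analyst1,Data Loader,10000
2025-07-16T13:05:41Z,analyst1,Data Loader,10000
2025-07-16T13:07:22Z,analyst1,Data Loader,10000
2025-07-16T13:09:05Z,analyst1,Data Loader,10000
"""

# Constructed per-user history: rows returned by this user's typical queries.
# In practice this is computed from weeks of log history, not hard-coded.
BASELINE_ROWS = {
    "analyst1": [35, 40, 60, 20, 50, 45, 30],
    "analyst2": [400, 550, 480, 620, 500, 530, 470],
}
# Constructed allow-list of client applications each user has used before.
KNOWN_APPS = {
    "analyst1": {"CRM Web UI"},
    "analyst2": {"CRM Web UI", "Reports"},
}

WINDOW = timedelta(hours=1)
HOURLY_ROW_CEILING = 25_000   # assumed hard limit on rows per user per rolling hour
BASELINE_MULTIPLIER = 10      # assumed: a query >10x the user's median is anomalous


def parse_log(text):
    """Parse the constructed CSV into event dicts sorted by timestamp."""
    events = []
    for rec in csv.DictReader(io.StringIO(text)):
        events.append({
            "ts": datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": rec["user"],
            "app": rec["client_app"],
            "rows": int(rec["rows"]),
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events, baseline=BASELINE_ROWS, known_apps=KNOWN_APPS):
    """Return (user, reason, detail) alerts in the order they fire.

    Signals:
      new_client_app        a client app this user has never used before
      query_above_baseline  a single query far above the user's historical median
      hourly_ceiling        rows in a rolling one-hour window exceed a hard limit
    Each signal fires once per user (once per app for new_client_app) so a
    sustained export does not flood the queue with duplicates.
    """
    alerts = []
    fired = set()
    history = defaultdict(list)

    def fire(user, reason, detail):
        key = (user, reason, detail if reason == "new_client_app" else None)
        if key not in fired:
            fired.add(key)
            alerts.append((user, reason, detail))

    for e in events:
        u = e["user"]
        if e["app"] not in known_apps.get(u, set()):
            fire(u, "new_client_app", e["app"])
        base = baseline.get(u)
        if base and e["rows"] > BASELINE_MULTIPLIER * median(base):
            fire(u, "query_above_baseline", e["rows"])
        history[u].append(e)
        recent = [x for x in history[u] if e["ts"] - x["ts"] <= WINDOW]
        total = sum(x["rows"] for x in recent)
        if total > HOURLY_ROW_CEILING:
            fire(u, "hourly_ceiling", total)
    return alerts


if __name__ == "__main__":
    for user, reason, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"ALERT {user}: {reason} ({detail})")
```

On the constructed log the detector raises three alerts for analyst1, all within minutes of the first Data Loader query: an unknown client application, a query 250 times the user’s median, and 30,000 rows pulled inside one hour. The first signal is the cheapest and earliest; a user authorising a bulk-export tool for the first time is worth a call back through a verified channel before the volume signals ever trip, which is the point at which the Allianz Life data could still have been kept in place.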

Security as Competitive Advantage

Third-party risk management is not just a defensive cost. Organizations that build genuine supply chain resilience are creating a durable competitive advantage. Enterprise clients across every sector now make vendor security a condition of partnership. Procurement teams scrutinize third-party risk programmes. Insurance underwriters price premiums, and in some cases refuse coverage, based on demonstrated supply chain controls. When M&S went offline, competitor Next upgraded its profit forecasts. Market share moves to organizations that stay operational when others do not.

The M&S attack entered through a contractor’s credentials. The Allianz Life breach came through a cloud CRM platform. In both cases, attackers used the same social engineering playbook and the same entry point: a third-party vendor with trusted access and insufficient oversight. Neither attack required nation-state resources or zero-day exploits. Both succeeded because governance had not kept pace with the complexity of the organizations’ extended ecosystems.

That is a leadership problem with a leadership solution. Organizations that treat third-party risk as a strategic discipline, not an annual compliance checkbox, will be better positioned to grow, earn the trust of clients and partners, and withstand the disruptions that will continue to test every organization in their ecosystem. In an environment where the same social engineering playbook can hit a British retailer in April and an American insurer in July, resilience is not just a defense. It is an advantage.
