Supply chain and third-party risk is the defining security challenge of our era and no compliance checklist will save you.
The Audit Passed. The Attack Still Happened.
Imagine your security team has just sailed through the annual compliance review. Green across the board. Certifications in order. Auditors satisfied. Two weeks later, customer data is on the dark web not because your systems were breached, but because a small software vendor you barely knew was on your approved supplier list had no meaningful security controls whatsoever.
This is not a hypothetical. It is the defining pattern of enterprise cyber risk in 2024 and 2025. According to the Identity Theft Resource Center, supply chain attacks now account for more than 40 percent of significant data breaches affecting large organisations. And yet, in boardroom after boardroom, when executives are asked how they manage third-party risk, the answer is almost always the same: ‘We require them to complete a questionnaire.’
A questionnaire. For access to your most sensitive systems. The hard truth is that compliance and security are not the same thing. Compliance tells you what you did last year. Security tells you what is happening right now. When those two things diverge and they always diverge, because threat actors move faster than audit cycles the gap becomes your exposure. And in today’s hyper-connected business environment, that gap increasingly lives not inside your own walls, but somewhere along your extended digital supply chain.
Compliance tells you what you did last year. Security tells you what is happening right now. The gap between those two things is where breaches live
The Modern Enterprise Does Not Have One Attack Surface. It Has Hundreds
Think about the ecosystem your organisation operates within. Your cloud infrastructure provider. The payroll software your HR team uses. The analytics platform your marketing agency accesses. The customer service chatbot built by a third-party developer. The logistics software your operations team relies on daily. Every single one of these relationships is a potential entry point for a sophisticated adversary.
This is not paranoia, it is arithmetic. The average large enterprise now shares sensitive data or system access with over 1,500 third-party vendors. Each of those vendors likely has their own suppliers and technology partners. What you are managing is not a supply chain. It is a supply web – complex, dynamic, and largely invisible to the people responsible for governing it.
The business consequences of getting this wrong are no longer theoretical. They are regulatory fines measured in hundreds of millions of dollars. They are operational shutdowns lasting days or weeks. They are customer trust, built over decades, erased in a single news cycle. They are board resignations, class-action lawsuits, and in some jurisdictions, personal liability for senior executives who failed to demonstrate adequate oversight.
And critically: they are entirely foreseeable. Which means they are also largely preventable for organisations willing to move beyond the performance of security towards the practice of it.
Red Hat Consulting GitLab Breach (October 2025)
Case Study: Red Hat Consulting – Crimson Collective GitLab Breach – October 2025
WHAT HAPPENED: On October 1, 2025, a cybercrime group calling itself the Crimson Collective publicly disclosed that it had breached a GitLab instance used exclusively by Red Hat Consulting – the professional services arm of one of the world’s leading enterprise software companies. The attackers claimed to have exfiltrated approximately 570 gigabytes of compressed data from over 28,000 internal repositories. What made this incident uniquely alarming was not the volume of data stolen, but what that data contained: detailed Customer Engagement Reports covering approximately 800 enterprise and government clients, including the US Navy, Bank of America, American Express, AT&T, and T-Mobile.
HOW IT HAPPENED: Red Hat Consulting, like most professional services organisations, uses internal collaboration environments to store client-facing deliverables – architecture designs, system configurations, infrastructure diagrams, API keys, authentication credentials, VPN settings, and cloud access tokens. These are the working documents that consultants create during engagements. The attackers gained access to this repository environment through compromised credentials, then systematically harvested consulting deliverables spanning five years of client engagements. The breach exposed not just data, but the architectural blueprints of hundreds of organisations’ most critical systems a roadmap for any attacker planning a follow-on intrusion.
THE BUSINESS CONSEQUENCES: For Red Hat’s clients, the exposure went far beyond a conventional data breach. The stolen Customer Engagement Reports gave attackers a detailed map of how each affected organisation’s infrastructure was built, where its vulnerabilities lay, and which credentials were used to connect its systems. Belgium’s Centre for Cybersecurity issued a formal high-risk advisory to all organisations that had used Red Hat Consulting services, warning of significant downstream supply chain risk. Affected organisations were immediately required to rotate all API keys, cloud access credentials, SSH certificates, and database tokens that had ever been shared with Red Hat during a consulting engagement a remediation effort that, for large enterprises, represents weeks of emergency work and material operational disruption. THE LESSON FOR EXECUTIVES: This case reframes the third-party risk question in a way that should concern every board. When you engage a consulting or professional services firm, you are not just buying expertise you are entrusting them with the architectural secrets of your business. The blueprints of your systems, the keys to your infrastructure, the credentials that unlock your most sensitive environments. If that firm’s internal collaboration environment is compromised, attackers inherit everything they would need to breach you directly without ever targeting you. The question every executive should be asking today is: who holds our infrastructure blueprints, and how secure are they?
From Stolen Blueprints to Stolen Access: Two Sides of the Same Risk
The Red Hat breach exposed what attackers can do when they steal the map to your infrastructure. The next case shows what happens when they steal the keys. Where the Crimson Collective targeted a consulting environment to harvest architectural intelligence, the threat actors behind the August 2025 Salesloft campaign took a different but equally instructive route exploiting the invisible web of trusted software integrations that quietly connects your business systems to dozens of third-party platforms you may barely think about.
The Salesloft/Drift–Salesforce OAuth Breach (August 2025)
Case Study: Salesloft Drift AI Chatbot Supply Chain Attack August 2025
WHAT HAPPENED: Between August 8 and 18, 2025, a threat actor tracked as UNC6395 carried out what has been described as the largest SaaS supply chain breach on record. The attackers exploited Drift an AI chatbot tool owned by Salesloft and widely integrated with Salesforce CRM platforms — to gain access to the Salesforce environments of more than 700 organisations across financial services, technology, retail, and other sectors. FINRA issued an emergency advisory. The FBI published a formal cybersecurity alert. Affected companies included Cloudflare, Toast, Avalara, and hundreds of others.
HOW IT HAPPENED: The attack did not begin in August. From March through June 2025, attackers quietly compromised Salesloft’s GitHub development environment, planting the groundwork for deeper access. They then pivoted into Drift’s cloud infrastructure and stole OAuth tokens digital keys that allow the Drift chatbot to connect to customer Salesforce instances on the organisation’s behalf. With those tokens, UNC6395 did not need passwords, VPNs, or any of the controls your security team checks on an audit. They simply presented credentials that looked like a legitimate integration doing its normal job. Between August 8 and 18, they ran automated bulk queries across hundreds of Salesforce environments, harvesting customer records, contact data, support case contents, and credentials embedded in case text.
THE BUSINESS CONSEQUENCES: Over 700 confirmed organisations had data extracted. Attackers claimed to have accessed up to 1.5 billion CRM-related records. Salesforce revoked all Drift tokens and removed the application from its marketplace. Affected organisations faced immediate incident response costs, regulatory notification obligations across multiple jurisdictions, and the complex task of determining exactly what had been accessed from CRM systems that often contain their most sensitive commercial and customer data. The reputational and regulatory exposure is still being assessed across the affected companies. THE LESSON FOR EXECUTIVES: This breach asks a question that most organisations cannot yet answer: do you know every third-party application that is connected to your critical business systems and what level of access each one has? Drift had legitimate, trusted access to Salesforce at hundreds of companies. No one broke in. No password was guessed. Attackers simply stole the token that said ‘I am Drift, let me in.’ Every SaaS integration your business has approved whether through IT or a business unit working independently is a potential version of this story waiting to happen.
What These Breaches Tell Us About the State of Enterprise Risk
Look closely at both cases and a clear pattern emerges. Neither organisation was negligent in the traditional sense. Both had security teams, compliance programmes, and technology investments. Both had passed audits. The failure in each case was structural, not technical: the gap between what the organisation believed its security posture to be and what it actually was.
This gap has a name in the security industry: it is called the ‘assumed compliance’ problem. Organisations perform security theatre the appearance of rigorous controls because the incentive structures around them reward it. Audits check whether policies exist. They rarely verify whether those policies are enforced in practice. Vendors sign attestations. No one verifies the attestations. Risk assessments produce reports. No one tracks whether the risks identified are actually remediated. For boards and C-suites, this creates a specific kind of danger: informed complacency. You receive reports telling you security is managed. You allocate budget. You tick the boxes. And yet, if you asked your CISO today to name the twenty vendors with the deepest access to your most sensitive data and tell you the specific controls governing each relationship, how many organisations could actually answer that question?
The question is not whether you have a cybersecurity programme. The question is whether your programme would survive a real attack and whether you would even know the difference in time.
A Leadership Action Framework: From Compliance Theatre to Real Security
Executives do not need to become security experts. But they do need to ask better questions and demand better answers. The following framework gives leaders a practical starting point for transforming supply chain and third-party risk from a compliance exercise into a genuine governance priority.
| # | Action | What It Means in Practice |
| 1 | Map Your Actual Attack Surface | Commission an honest inventory of every third party with access to your systems or data including software tools adopted at business-unit level without central IT approval. You cannot protect what you cannot see. Most organisations discover vendors they did not know they had. |
| 2 | Tier Your Vendors by Risk | Not every supplier carries equal risk. A vendor with access to your core financial systems is fundamentally different from one supplying office furniture. Establish a tiering system based on data sensitivity and access depth, and apply proportionate controls and monitoring to each tier. |
| 3 | Move from Questionnaires to Verification | Require evidence, not promises. Penetration test results, independent audit reports, and real-time security ratings tell you more than a completed checkbox form. For your highest-risk vendors, build contractual rights to assess their security posture independently. |
| 4 | Treat Incident Response as a Board-Level Rehearsal | Run tabletop exercises that specifically simulate a third-party breach scenario — not a direct attack on your own systems. How quickly can you identify what data was exposed? Can you isolate the affected vendor without shutting down critical operations? The time to answer these questions is not during an incident. |
| 5 | Align Security Accountability with Business Accountability | Security decisions made by IT teams in isolation frequently diverge from business risk appetite. Ensure that your most senior business leaders not just your CISO own the risk decisions associated with their vendor relationships. If a business unit chooses a vendor, that business unit co-owns the risk. |
| 6 | Report the Right Metrics to the Board | Move beyond reporting on compliance status and shift to risk-based metrics: how many high-risk third parties have unresolved critical issues? What is the estimated exposure if your top three vendors are compromised simultaneously? What is your mean time to detect and isolate a third-party breach? These are the questions a board should be asking. |
Security Is Not a Cost. It Is a Competitive Advantage
There is a persistent and damaging misconception in the executive suite that cybersecurity investment is purely defensive – a cost of doing business, a premium paid to avoid bad outcomes. The organisations that have escaped the worst consequences of supply chain attacks in 2024 and 2025 know something different.
When your customers, partners, and regulators see that you manage third-party risk riorously that you can demonstrate, not just assert, the integrity of your extended enterprise they make different decisions. Enterprise procurement teams increasingly include security posture in vendor selection. Insurance underwriters reward organisations with mature third-party risk programmes with materially lower premiums. In regulated sectors, evidence of proactive supply chain governance is becoming a meaningful differentiator in competitive bids.
More fundamentally, the organisations that treat security as a genuine business discipline rather than a compliance exercise are the ones that can recover fastest when things do go wrong. Because in a connected world, something always eventually goes wrong. The question is not whether you will face a supply chain security incident. The question is whether you have built the organisational resilience to contain it, communicate it clearly, and emerge with your reputation and customer relationships intact.
The audit passing is not the goal. The goal is being genuinely secure. And in the current threat environment, those two things are not the same not even close.
The organisations winning on security are not the ones with the most certifications. They are the ones who have closed the gap between what their policies say and what their systems actually do
