Multi-party breaches vs third-party related incidents
30.09.2021
A sophisticated network of digital interconnections causes the unavoidable growth of multi-party data breaches.
According to research released by Cyentia Institute and RiskRecon, based on the analysis of 897 multi-party data breach incidents which have happened since 2008, the worst multi-party data breach brings a financial loss 26 times bigger than the worst single-party one might cause.
Multi-party breaches are also known as ripple events: incidents which spread to more and more organisations and keep affecting them one by one, even after some time has passed. It usually takes almost a year for a multi-party breach to harm 75% of the businesses which had any relationship with the breach source.
The average number of companies involved in a ripple event is 4.
It’s like working with an unreliable contractor whose systems have access to your data, but which has introduced no proper security policies and implemented no data protection strategy. In such a case it doesn’t matter how good your own security rules are within your corporate perimeter or how sure you are about your organisation’s level of compliance: if the quality of your contractor’s risk management program is much lower than your own perfectly verified control tactics, then your data simply can’t be safe.
That’s what happens with businesses impacted by a multi-party breach incident. Poor security measures taken by any party can affect companies which aren’t connected to this “weak spot operator” directly but are interrelated with it via some other service.
The widest damage is done when a service provider suffers a security issue and the system where the problem occurs is central to the services it provides, i.e. centralised services. In this way the number of affected organisations can reach hundreds.
Don't share your data with an organisation which doesn't take full responsibility for its protection and which doesn't comply with current information security requirements. Learn more about why it is important to control third-party security policies.