Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.
Recently Added Articles as of June 26
Third-party data breach compromised 5.4 million records: A third party experienced a ransomware attack that led to a data breach affecting 5.4 million records. It’s currently the second-largest healthcare breach reported to HHS in 2025. The incident involved sensitive data such as names, contact details, health insurance information, and medical records. While no data misuse has been reported, the breach underscores the significant risks posed by vendor relationships and highlights the need for strong incident response protocols and continuous monitoring of third-party cybersecurity practices.
Tips to find the right cybersecurity vendor: Selecting the right cybersecurity vendor is a complex but critical decision, especially for organizations with limited internal resources. It’s essential to take a structured approach. Start by identifying your organization’s specific risks and goals, then shortlist three to five vendors with proven expertise in your industry. Evaluate them thoroughly across key areas: service offerings, security practices, incident response, integration capabilities, and contract terms. Be sure to assess each vendor’s certifications, reputation, support model, and financial stability. Request real-world examples, check references, and ensure transparency. The right vendor can reduce your cyber risk, while the wrong choice can lead to costly downtime, compliance issues, and reputational harm.
Recent breach with third party emphasizes need for TPRM: A recent breach at Swiss supply chain provider Chain IQ highlights the growing threat of third-party cybersecurity incidents. Although no customer business data was stolen, internal contact information from major clients was compromised. This incident is a reminder that even well-secured organizations are vulnerable through their vendors. The evolving tactics of threat groups further complicate the landscape. Organizations must move beyond one-time vendor assessments to continuous monitoring, enforce clear incident response expectations, and adopt real-time threat intelligence tools.
Selecting a TPRM software platform: Growing trade volatility, cyber threats, regulatory pressures, and supply chain disruptions are accelerating the adoption of third-party risk management (TPRM) technology, according to Gartner. As organizations increasingly rely on third parties, many are turning to TPRM platforms to enhance risk visibility, streamline oversight, and support continuous monitoring of both third and fourth parties. Prioritize adaptability, scalability, and integration capabilities when selecting a TPRM solution to ensure alignment with long-term risk and business goals.
New study reveals weaknesses in third-party and supply chain risk management: Many cybersecurity leaders (88%) are concerned about escalating supply chain cyber risks, yet most organizations are still relying on outdated TPRM approaches, according to a new report. With third-party involvement in breaches nearly doubling and 79% lacking visibility into their nth-party ecosystems, attackers are exploiting a growing attack surface. Real-time threat intelligence integration, dedicated supply chain incident response workflows, vendor tiering based on risk, and cross-functional collaboration are crucial strategies to mitigate risks.
Recently Added Articles as of June 12
Check out this week's news brief below, including the fallout from recent third-party data breaches.
Lawsuits spotlight vendor-caused data breaches and weak oversight: Two different organizations are facing lawsuits after third-party cyberattacks resulted in major data breaches. Plaintiffs say the organizations failed to keep personal information safe and question whether the organizations did enough to vet and monitor vendors. These types of suits aren’t uncommon anymore — most of the lawsuits make the case that third-party relationships are known risks organizations are responsible for.
Third-party breaches affect most of Europe’s large financial organizations: Most of Europe’s largest financial services organizations have been affected by third-party data breaches, according to new research. This is a 25% increase from two years ago. On top of the third-party breaches, 97% of the large financial services organizations were impacted by a fourth-party breach. It’s critical that organizations adopt proactive strategies to assess and mitigate third-party cybersecurity risks.
Main health and food distributor disrupted by cyberattack: A cyberattack disrupted the operations of the largest health and food distributor in the U.S. and Canada. The supplier said its ability to fulfill and distribute customer orders was disrupted — and the disruptions are expected to continue. Supply chains continue to be a target for hackers, and these attacks disrupt not only the supplier but also the organizations that depend on it.
NHS continues to face blood supply issues after 2024 third-party cyberattack: After a third-party cyberattack in June 2024, the National Health System in England is still facing blood supply issues. The third-party cyberattack disrupted patient care and testing services last year, triggering a national shortage of type O-negative blood.
Recently Added Articles as of June 5
Catch up on this week's recent banking TPRM enforcement actions, the latest third-party data breaches, and best practices to keep your TPRM program strong.
Recent BaaS enforcement actions highlight TPRM importance: Recent enforcement actions and regulatory scrutiny underscore the critical need for strong third-party risk management practices in bank–fintech relationships. Regulators are focused on gaps in anti-money laundering (AML) and know your customer (KYC) compliance. Banks are ultimately responsible for the actions of their partners. At the same time, examiner shortages and evolving third-party structures make self-policing and internal controls more important than ever. Robust third-party oversight is critical to remain compliant and protect your bank’s operations.
Medical patients impacted by third-party breach nearly one year later: Nearly 40,000 patients were potentially impacted by a third-party data breach from July 2024. Although the breach occurred last year, some hospitals didn’t learn of the impact until recently. Compromised data includes Social Security numbers, financial information, and medical information. The Chicago medical group impacted by the third-party breach has ended its relationship with the third party.
Third-party breach at data broker impacts nearly 400,000: A third-party data breach at a data broker has affected almost 400,000 people. A hacker accessed the data broker’s GitHub account, compromising Social Security numbers, drivers’ license numbers, and phone numbers.
Community bank impacted by third-party breach: A third-party breach recently affected a community bank and about 5% of its customers. The bank said it ceased activity with the third-party vendor and said the incident didn’t cause a material impact to operations.
Strategies to address growing third-party risks: Third-party risk isn't just about data breaches anymore; today’s threats also include ransomware attacks, system outages, and software errors that can lead to major business disruptions and hefty costs. To manage this, organizations should assess vendor vulnerabilities with detailed risk reports, understand the potential operational impact of disruptions, and prioritize mitigation strategies based on the vendor's criticality.
Third-party data breach from 2024 revealed to impact almost 2 million: A healthcare third-party data breach from March 2024 has now impacted almost two million people. It now ranks as one of the largest healthcare breaches of 2024. The breach originated in a third-party service provider’s system, and the affected healthcare organization was itself a revenue cycle management service provider. These providers are often top targets due to the valuable data they hold. It can often be a lengthy process to determine the full impact of these attacks.
Increasing third-party and AI risks in the manufacturing industry must be addressed: Data breaches in the manufacturing industry continue to increase – including third-party incidents. Increasing cybersecurity threats, new technologies, and third-party dependencies have created the perfect storm manufacturers can’t ignore. While artificial intelligence (AI) introduces new efficiencies, it’s also increasing risks, particularly with AI vendors. Many third parties require system integration and data, creating new vulnerabilities. Assessing vendor risks before the relationship begins is a critical best practice to implement. Understand if the vendor has security protections in place for your data.



