TL;DR
Your vendors are your weakest security link. SolarWinds, Change Healthcare, and the MOVEit Transfer breaches show how one compromised supplier can expose thousands of downstream businesses. This week, demand proof of MFA, patch SLAs, and incident notification clauses from every vendor that touches your data. If they cannot show you a clean security posture, treat them as a breach waiting to happen.
The Real Risk Is Not Inside Your Office
Most business owners think attackers come through their own front door. In 2024 and 2025, the bigger story was the side door: software vendors, cloud providers, payment processors, and IT service firms getting hit first, then leaking customer data everywhere.
A supply chain compromise means someone breaks into a company you rely on, then uses that access to reach you. It is cheaper for attackers. It is harder to detect. And it usually gives them your data without ever touching your network.
Here are three recent cases every business owner should understand.
Case 1: SolarWinds — The Software Update That Became a Backdoor
What happened
In late 2020, attackers inserted malicious code into SolarWinds Orion, a network monitoring tool used by government agencies and Fortune 500 companies. The trojanized updates went out through SolarWinds' own legitimate software channel. Customers downloaded what looked like a normal patch and installed a backdoor.
The compromise stayed hidden for months. It affected around 18,000 organizations that ran Orion, including U.S. government departments.
How bad was it
SolarWinds reported total breach-related costs exceeding $30 million in early filings, with long-term remediation, legal, and reputational costs climbing well above that figure. The incident triggered executive resignations, SEC enforcement, and a lasting rebuild of the company's security program.
For affected customers, the breach meant stolen emails, compromised identities, and months of forensic cleanup, even if they had done nothing wrong.
How it could have been prevented
SolarWinds has since tightened build-pipeline security, segmented development environments, and added stronger code-signing and monitoring. For customers, the key prevention was never blind trust in a signed update.
- Test patches in isolation before wide rollout.
- Segment network monitoring tools so they cannot reach critical systems.
- Monitor outbound traffic from management tools for unusual connections.
What your business should do differently this week
Audit every piece of software that has broad access to your network. Ask each vendor:
- How do you protect your build and update pipeline?
- Do you sign updates and verify signatures on our end?
- Can you show us a recent penetration test or SOC 2 report?
- What is your incident notification timeline?
If the answer is "we will get back to you," reduce their access until they prove otherwise.
Case 2: Change Healthcare — One Ransomware Hit Froze U.S. Healthcare Payments
What happened
In February 2024, ransomware group BlackCat/ALPHV attacked Change Healthcare, a UnitedHealth Group subsidiary that handles billing, payment, and prescription processing for hospitals, pharmacies, and clinics across the United States. The attackers gained access through compromised credentials that were not protected with multi-factor authentication.
Change Healthcare took systems offline to contain the damage. Pharmacies could not process prescriptions. Healthcare providers could not get paid. The disruption rippled through the entire U.S. healthcare supply chain for weeks.
How bad was it
UnitedHealth disclosed total breach-related costs of roughly $872 million for 2024, with full recovery costs projected to exceed $2.3 billion. The company paid a reported $22 million ransom, but attackers still leaked some data. Sensitive personal and health information for a substantial portion of Americans was exposed.
This was not just a healthcare problem. Any business using Change Healthcare, UnitedHealth, or related clearinghouse services faced delayed payments, manual workarounds, and compliance questions.
How it could have been prevented
The initial entry point was a critical account without MFA. UnitedHealth later rolled out mandatory MFA, credential vaulting, and faster privilege removal. The breach is a textbook example of a single weak identity causing catastrophic downstream damage.
- Enforce MFA on every admin and remote access account, including vendor accounts.
- Remove old or unused credentials immediately when staff or contractors leave.
- Segregate billing and payment systems so one compromise does not freeze everything.
What your business should do differently this week
List every third-party service that handles your money, health data, customer records, or operations. For each one:
- Confirm MFA is mandatory for their staff and your admin logins.
- Ask for their ransomware incident response plan and last test date.
- Require 24-hour breach notification in your contract.
- Map a fallback process if they go offline for a week.
If your business cannot operate without them for 48 hours, you need a backup plan.
Case 3: MOVEit Transfer — A File Tool Led to Mass Data Theft
What happened
In May and June 2023, a SQL injection vulnerability in Progress Software's MOVEit Transfer tool was exploited by the Clop ransomware group. MOVEit is a managed file transfer product used by banks, universities, government agencies, and service providers to send large files securely.
Because MOVEit sat between organizations and their partners, one vulnerable instance often meant data theft for dozens of downstream companies.
How bad was it
The breach is estimated to have affected more than 2,600 organizations and over 93 million individuals. Reported remediation, notification, and legal costs across all victims ran into the hundreds of millions of dollars. Progress Software also faced shareholder lawsuits and regulatory scrutiny.
For many SMBs, the breach was invisible until a partner or customer notified them that their data had been exposed through a vendor they barely knew they used.
How it could have been prevented
Progress Software released patches quickly, but many organizations had not applied them or had forgotten they even ran MOVEit. The root cause was poor asset inventory and slow patch cycles.
- Maintain an inventory of every internet-facing tool, including file transfer and file-sharing services.
- Apply critical patches within 72 hours, not 72 days.
- Reduce external exposure: if a tool does not need to face the internet, put it behind a VPN.
What your business should do differently this week
Send this one-question email to every IT vendor and internal team:
"Do we run MOVEit, any managed file transfer tool, or any externally reachable file-sharing platform? If yes, what patch level is it on and who is responsible for updates?"
Document the answers. If anyone shrugs, that is your highest priority fix this week.
What to Demand From Every Vendor
You do not need a 50-page security questionnaire. You need five things in writing:
- Multi-factor authentication everywhere. No exceptions for legacy accounts or "internal only" tools.
- Patch SLA in the contract. Critical vulnerabilities patched within 72 hours. High-severity within 14 days.
- Breach notification clause. 24 to 48 hours, including what data was affected and how.
- Right to audit or review. At minimum, an annual SOC 2 Type II report or equivalent.
- Data residency and deletion rules. Where your data lives, who can access it, and how it is destroyed when the contract ends.
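The five written requirements above, together with the patch deadlines from the MOVEit section (72 hours for an internet-facing tool, 14 days for an internal one, 30 days as the hard ceiling), can be kept as a small vendor register and checked mechanically instead of in someone's head. The script below is an added example written for this article, not code from any vendor or standard it mentions; the vendor names, the fix identifiers and the dates are constructed placeholders, and the `recommended_action` tiering is one reasonable interpretation of the article's advice, not a rule it states.

```python
"""Vendor security register check.

Flags which of the five written requirements each vendor fails and which known
fixes are past the patch deadline that applies to it. All sample data is
constructed; names and fix identifiers are placeholders, not real advisories.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Thresholds taken from the article's own numbers.
CRITICAL_INTERNET_FACING = timedelta(hours=72)   # internet-facing tool
CRITICAL_INTERNAL = timedelta(days=14)           # internal tool
HARD_CEILING = timedelta(days=30)                # "anything longer is a problem"
MAX_CRITICAL_SLA_HOURS = 72                      # contractual critical patch SLA
MAX_HIGH_SLA_DAYS = 14                           # contractual high-severity SLA
MAX_NOTIFY_HOURS = 48                            # breach notification clause
AUDIT_MAX_AGE = timedelta(days=365)              # annual SOC 2 Type II or equivalent


@dataclass
class Vendor:
    name: str
    data_handled: list          # e.g. ["payments", "health"]; empty = nothing sensitive
    internet_facing: bool
    mfa_enforced: bool          # confirmed in writing for their staff and your admin logins
    patch_sla_critical_hours: Optional[int]   # None = nothing in the contract
    patch_sla_high_days: Optional[int]
    breach_notify_hours: Optional[int]
    last_audit_report: Optional[datetime]     # date of the most recent SOC 2 Type II or equivalent
    deletion_clause: bool       # data residency and end-of-contract destruction in writing
    # Known fixes not yet applied: (placeholder id, date the fix was published)
    unpatched: list = field(default_factory=list)


def contract_gaps(v: Vendor, now: datetime) -> list:
    """Return the names of the five written requirements the vendor does not meet."""
    gaps = []
    if not v.mfa_enforced:
        gaps.append("mfa")
    if (v.patch_sla_critical_hours is None or v.patch_sla_critical_hours > MAX_CRITICAL_SLA_HOURS
            or v.patch_sla_high_days is None or v.patch_sla_high_days > MAX_HIGH_SLA_DAYS):
        gaps.append("patch_sla")
    if v.breach_notify_hours is None or v.breach_notify_hours > MAX_NOTIFY_HOURS:
        gaps.append("breach_notification")
    if v.last_audit_report is None or now - v.last_audit_report > AUDIT_MAX_AGE:
        gaps.append("audit_report")
    if not v.deletion_clause:
        gaps.append("data_deletion")
    return gaps


def overdue_fixes(v: Vendor, now: datetime) -> list:
    """Return (fix id, "overdue" | "problem") for each unapplied fix older than the
    deadline for this kind of tool; "problem" means the 30-day ceiling is also blown."""
    limit = CRITICAL_INTERNET_FACING if v.internet_facing else CRITICAL_INTERNAL
    result = []
    for fix_id, published in v.unpatched:
        age = now - published
        if age > HARD_CEILING:
            result.append((fix_id, "problem"))
        elif age > limit:
            result.append((fix_id, "overdue"))
    return result


def recommended_action(v: Vendor, now: datetime) -> str:
    """Assumed tiering: reduce access when fixes are overdue, or when a vendor that
    touches sensitive data lacks MFA or misses three or more requirements; otherwise
    monitor while any gap remains."""
    gaps = contract_gaps(v, now)
    sensitive = bool(v.data_handled)
    if overdue_fixes(v, now) or (sensitive and ("mfa" in gaps or len(gaps) >= 3)):
        return "reduce_access"
    return "monitor" if gaps else "ok"


def register_report(vendors: list, now: datetime) -> dict:
    """One row per vendor: gaps, overdue fixes and the action to take this week."""
    return {v.name: {"gaps": contract_gaps(v, now),
                     "overdue": overdue_fixes(v, now),
                     "action": recommended_action(v, now)} for v in vendors}


# Constructed sample register (placeholder vendors and fix ids).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_VENDORS = [
    Vendor(name="file-transfer-vendor (constructed)", data_handled=["customer_records"],
           internet_facing=True, mfa_enforced=True, patch_sla_critical_hours=72,
           patch_sla_high_days=14, breach_notify_hours=24,
           last_audit_report=NOW - timedelta(days=90), deletion_clause=True,
           unpatched=[("FIX-0001 (placeholder)", NOW - timedelta(days=10))]),
    Vendor(name="billing-clearinghouse (constructed)", data_handled=["payments", "health"],
           internet_facing=True, mfa_enforced=False, patch_sla_critical_hours=None,
           patch_sla_high_days=None, breach_notify_hours=None,
           last_audit_report=None, deletion_clause=False),
    Vendor(name="internal-wiki (constructed)", data_handled=[], internet_facing=False,
           mfa_enforced=True, patch_sla_critical_hours=48, patch_sla_high_days=7,
           breach_notify_hours=24, last_audit_report=NOW - timedelta(days=30),
           deletion_clause=True, unpatched=[("FIX-0002 (placeholder)", NOW - timedelta(days=5))]),
    Vendor(name="marketing-analytics (constructed)", data_handled=[], internet_facing=True,
           mfa_enforced=True, patch_sla_critical_hours=72, patch_sla_high_days=14,
           breach_notify_hours=72, last_audit_report=NOW - timedelta(days=100),
           deletion_clause=True),
]

if __name__ == "__main__":
    for name, row in register_report(SAMPLE_VENDORS, NOW).items():
        print(f"{name}: action={row['action']} gaps={row['gaps']} overdue={row['overdue']}")
```

The useful output is the `action` column: the constructed file-transfer vendor has a clean contract but an internet-facing fix ten days old, which is exactly the MOVEit pattern, so it lands in `reduce_access` even though it answers every question correctly; the clearinghouse fails all five requirements; the internal wiki is inside its 14-day window and passes. Replace the sample list with your real register and re-run it weekly.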
If a vendor pushes back on all five, that is useful information. It tells you exactly where to reduce trust.
FAQ
Q: We are a small business. Would attackers really target us through a vendor?
A: They do not target you directly. They target the vendor and harvest every customer at once. Small businesses are often the easiest downstream victims because they lack the detection tools and response plans of larger firms.
Q: What if our vendor refuses to answer security questions?
A: Make them answer in the contract. If they still refuse, limit what data they can access, add monitoring, and start evaluating alternatives. Silence is a risk signal.
Q: Does cyber insurance cover supply chain breaches?
A: Sometimes, but coverage varies widely. Many policies exclude attacks that start at a third party or require you to prove the vendor was not negligent. Read your policy and ask your broker specifically about contingent business interruption and supply chain attack coverage.
Q: How quickly should we patch critical vulnerabilities?
A: For internet-facing tools, aim for 72 hours or less. For internal tools, 14 days is a reasonable ceiling. Anything longer than 30 days is a problem.
Q: Is MFA really that important?
A: Yes. Microsoft and CISA both report that MFA blocks the vast majority of identity-based attacks. The Change Healthcare breach began with credentials that lacked MFA.
Conclusion
Supply chain breaches are not theoretical. SolarWinds, Change Healthcare, and MOVEit Transfer caused billions of dollars in damage because one trusted vendor failed first, and customers paid the price.
The fix is not to stop using vendors. The fix is to stop trusting them blindly. Demand proof, write security requirements into contracts, keep an inventory of every tool that touches your data, and have a fallback plan for the day one of them goes dark.
This week, pick your three most critical vendors and ask them the five questions above. Their answers will tell you exactly where your risk lives.
References
- SolarWinds. "SEC Filing: Form 8-K and Incident Update." U.S. Securities and Exchange Commission filings, 2020–2021.
- UnitedHealth Group. "2024 Annual Report and Change Healthcare Cyber Response Disclosures." February 2025.
- Cybersecurity and Infrastructure Security Agency (CISA). "MOVEit Transfer Vulnerability Response." CISA.gov, 2023.
- Cybersecurity and Infrastructure Security Agency (CISA). "Defending Against Software Supply Chain Attacks." CISA.gov, April 2023.
- National Cyber Security Centre (NCSC). "Supply Chain Security Guidance." NCSC.gov.uk.
- IBM Security. "Cost of a Data Breach Report 2024." IBM.com/security/data-breach.
- Microsoft Security. "Multi-Factor Authentication Blocks 99.9 Percent of Account Attacks." Microsoft Security Blog.