TL;DR

  • 1 in 4 data breaches now exploit a vulnerability in a third-party vendor — not your own systems [1]
  • When a vendor breach hits, the damage is twice as severe as a direct attack on your business [1]
  • This week, 1.4 million Betterment customers were exposed through a social engineering attack on a third-party communications platform [2]
  • The fix isn't expensive — it's a mix of vendor vetting, contract clauses, and a few key technical controls
  • lil.business can assess your vendor exposure in one session

Your Software Vendor Just Became Your Biggest Security Risk

Every time you sign up for a new SaaS tool, you are trusting that company with a slice of your business. Your customer data. Your financial data. Your employee records. Your communications. And that trust extends to their vendors, and their vendors' vendors.

According to Dataminr's 2026 Cyber Threat Landscape Report — released this week and based on 6.3 million external threat alerts — one in four modern breaches now exploits a vulnerability in a third-party vendor, not the target organisation directly [1][8]. That's a 20% higher risk magnitude than a direct attack on your own infrastructure.

Worse: when a vendor pivot breach succeeds, it causes twice the data impact per incident compared to a standard breach [1]. You're not just exposed — you're doubly exposed, because the attacker has already bypassed the first line of defence before you even know you're a target.


What Happened to Betterment's 1.4 Million Customers (And Why It Matters for Your Business)

The Betterment breach, disclosed this week, is a textbook example of the vendor attack chain playing out in real life.

Betterment is an investment platform with over a million customers in the United States. In January 2026, an attacker used social engineering — impersonating someone trusted — to gain access to a third-party platform Betterment used for customer communications [2]. They didn't break into Betterment's servers. They went through the side door: a vendor.

Once inside, the attacker exfiltrated the personal data of approximately 1.4 million customers, including full names, personal and work email addresses, phone numbers, job titles, employer information, retirement plan details, financial interests, and meeting notes [2]. ShinyHunters, a prominent ransomware group, has since published this data publicly after Betterment refused to pay a ransom.

The stolen data includes enough context for highly personalised phishing attacks — someone could receive an email that addresses them by name, references their company's 401(k) plan, and impersonates their financial adviser. This isn't random spam. It's surgical.

According to Malwarebytes, one CSV file in the leaked dataset contained detailed profiles on 181,487 individuals — a "gold mine for phishers" [2]. The same week, Figure, a fintech company, disclosed a breach affecting 1 million customers — also triggered by an employee being socially engineered through a third-party account [3].

Two breaches. Two third-party platforms. Both in the same week.


How Fast Are Vendors Being Weaponised Against You?

The speed of exploitation is what makes vendor vulnerabilities so dangerous for SMBs.

According to Dataminr's 2026 report, 96% of third-party vulnerabilities (CVEs) are weaponised within the same calendar year they are disclosed [1]. That means attackers are not sitting on stockpiles of exploits — they are racing to use new vulnerabilities the moment they are published, frequently before your vendor has patched them, and certainly before you know to ask.

FIRST (Forum of Incident Response and Security Teams) forecasts that 2026 will see a record 50,000 to 59,000+ new CVEs disclosed [4] — up from an already-record 2025. With one in four breaches now coming through vendor CVEs, the maths is stark: the attack surface of every business that uses third-party software is growing faster than most organisations can track.

In some cases, a moderate-severity vulnerability in a vendor's platform can translate to a breach that causes $50M to $100M+ in financial losses for the organisations downstream [1].


Why SMBs Are Particularly Vulnerable to This Attack Pattern

Large enterprises typically have dedicated vendor risk management teams, contracts with security clauses, and the leverage to demand SOC 2 or ISO 27001 certifications from suppliers. Most SMBs don't.

The Identity Theft Resource Center (ITRC) found that 2025 saw a record 3,322 data compromises in the United States alone [5] — an all-time high. Third-party breaches accounted for a significant portion. SMBs are often not the primary target, but they're caught in the blast radius when a shared SaaS platform, payroll provider, or communications tool is compromised.

The e-Marketing Associates 2026 cybersecurity analysis confirms the pattern: third-party breaches involving SMBs doubled in the 2025–2026 period, while regulatory scrutiny of data handling is simultaneously increasing [6]. That means the fallout — legal liability, customer notifications, regulatory fines — is larger than ever.


What Good Vendor Security Actually Looks Like

The goal here isn't to make you paranoid about using software — it's to make your vendor relationships defensible. Here's what businesses that handle this well do differently:

1. Ask vendors hard questions before signing. Before you give a vendor access to your systems or customer data, ask: Do you have a SOC 2 Type 2 report? An ISO 27001 certification? A published breach response policy? If the answer is "what's that?" — that tells you something important.

2. Limit what each vendor can see. Apply the principle of least privilege to your vendor relationships. A communications platform doesn't need access to your financial records. A marketing automation tool doesn't need access to your customer service tickets. Compartmentalise.

3. Include security requirements in contracts. Require vendors to notify you within 24–72 hours of a breach that may affect your data. Require them to maintain cyber insurance. Make breach response obligations explicit. Many SMBs have zero security language in their vendor contracts — this is an easy win.

4. Track what you've given access to. Maintain a vendor inventory: what each tool has access to, what data it holds, who in your team has accounts. When a vendor announces a breach, you need to know immediately whether you're affected. Without a list, you're guessing.

5. Enable MFA everywhere — including vendor portals. The Betterment and Figure breaches both involved social engineering of human accounts. Multi-factor authentication doesn't prevent social engineering, but it adds a critical layer that slows attackers down and often forces them to abandon an attack.

6. Watch your vendor's CVE advisories. Set up alerts for your key software vendors' security bulletins. When a CVE is published, patch or upgrade as fast as your vendor releases a fix. Given that 96% of CVEs are weaponised in the same year, speed matters [1].
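The six controls above fit in a single small script, shown here as an added example that is not code from the original post or from lilMONSTER. It keeps a vendor inventory (control 4), flags vendors holding data outside what their purpose needs (control 2), reports missing SOC 2 reports, breach-notice clauses and MFA (controls 1, 3 and 5), answers "what did this vendor hold and whose logins need resetting?" when a breach is announced, and matches a vendor advisory feed against the products you actually use (control 6). Every vendor name, data category, advisory line and the CVE-0000-* identifiers are constructed placeholders, not real vendors or real CVEs.

```python
"""Vendor inventory with least-privilege, control-gap, breach-impact and
advisory checks. Added example; all names, data categories, advisory lines
and CVE-0000-* identifiers are constructed placeholders."""
from dataclasses import dataclass
import re
from typing import Optional


@dataclass
class Vendor:
    name: str
    purpose: str                 # what we use the tool for
    data_held: frozenset         # data categories the vendor can reach
    accounts: frozenset          # team members with logins on the vendor portal
    mfa_enforced: bool           # control 5
    soc2_on_file: bool           # control 1
    notice_hours: Optional[int]  # control 3: contractual notice window, None = no clause
    products: frozenset          # product names as they appear in vendor advisories


# Control 2: the data categories a vendor of each purpose legitimately needs.
ALLOWED_DATA = {
    "customer-comms": {"customer-contact"},
    "payroll": {"employee-pii", "bank-details"},
    "marketing": {"customer-contact"},
}

# Constructed sample inventory (control 4).
INVENTORY = [
    Vendor("CommsCo", "customer-comms", frozenset({"customer-contact", "financial-records"}),
           frozenset({"alice", "bob"}), mfa_enforced=False, soc2_on_file=True,
           notice_hours=None, products=frozenset({"commsco-suite"})),
    Vendor("PayRollr", "payroll", frozenset({"employee-pii", "bank-details"}),
           frozenset({"carol"}), mfa_enforced=True, soc2_on_file=True,
           notice_hours=48, products=frozenset({"payrollr-cloud"})),
    Vendor("AdBlast", "marketing", frozenset({"customer-contact", "support-tickets"}),
           frozenset({"alice"}), mfa_enforced=True, soc2_on_file=False,
           notice_hours=72, products=frozenset({"adblast"})),
]


def over_privileged(inventory=INVENTORY):
    """Control 2: vendors holding data categories their purpose does not need."""
    gaps = {}
    for v in inventory:
        excess = v.data_held - ALLOWED_DATA.get(v.purpose, set())
        if excess:
            gaps[v.name] = sorted(excess)
    return gaps


def control_gaps(inventory=INVENTORY, max_notice_hours=72):
    """Controls 1, 3 and 5: missing SOC 2 report, notice clause, or MFA."""
    gaps = {}
    for v in inventory:
        missing = []
        if not v.soc2_on_file:
            missing.append("no SOC 2 report")
        if v.notice_hours is None or v.notice_hours > max_notice_hours:
            missing.append("no adequate breach-notice clause")
        if not v.mfa_enforced:
            missing.append("MFA not enforced")
        if missing:
            gaps[v.name] = missing
    return gaps


def breach_impact(vendor_name, inventory=INVENTORY):
    """Control 4: on a vendor breach notice, what did they hold and whose
    credentials on that portal need resetting? None means not inventoried."""
    for v in inventory:
        if v.name == vendor_name:
            return {"data_exposed": sorted(v.data_held),
                    "accounts_to_reset": sorted(v.accounts)}
    return None


# One advisory per line: <id> <product> <severity> <fixed-in-version>
ADVISORY = re.compile(r"^(\S+)\s+(\S+)\s+(critical|high|medium|low)\s+(\S+)$")

# Constructed advisory feed; CVE-0000-* are placeholders, not real CVEs.
SAMPLE_FEED = """\
CVE-0000-0001 commsco-suite critical 4.2.1
CVE-0000-0002 otherproduct high 1.0.9
CVE-0000-0003 adblast medium 2.7.0
"""


def match_advisories(feed_text, inventory=INVENTORY):
    """Control 6: advisories naming a product we use, most severe first."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    in_use = {p: v.name for v in inventory for p in v.products}
    hits = []
    for line in feed_text.splitlines():
        m = ADVISORY.match(line.strip())
        if m and m.group(2) in in_use:
            adv_id, product, severity, fixed_in = m.groups()
            hits.append((adv_id, in_use[product], severity, fixed_in))
    return sorted(hits, key=lambda h: rank[h[2]])


if __name__ == "__main__":
    print("over-privileged:", over_privileged())
    print("control gaps:", control_gaps())
    print("CommsCo breach impact:", breach_impact("CommsCo"))
    print("advisories to act on:", match_advisories(SAMPLE_FEED))
```

The inventory is the piece that does the work: `breach_impact` is only as good as the list behind it, which is why the post calls it out. Replace `INVENTORY` and `ALLOWED_DATA` with your own tools and `SAMPLE_FEED` with the text of your vendors' bulletins, and the same four checks apply.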


The Real Competitive Advantage: Trust

There's an upside to getting vendor security right that's worth naming: customer trust is a genuine differentiator.

In a world where 1.4 million people just had their retirement plan data published on the internet, the businesses that can demonstrate they handle data responsibly — through auditable vendor management, contractual protections, and proactive security posture — win contracts that their competitors don't even get to bid on.

For businesses operating in healthcare, finance, legal, or government sectors, demonstrable vendor security hygiene is increasingly a procurement requirement. It's not a burden — it's a qualification.


FAQ

A third-party vendor breach happens when an attacker compromises a company you use — not your own systems directly. Because vendors often have access to your data or your customers' data, a breach at their end can expose your business even if you did nothing wrong. According to Dataminr's 2026 report, one in four breaches now occur through this attack pattern [1].

Monitor your vendors' status pages and security bulletins. Use tools like Have I Been Pwned (haveibeenpwned.com) for employee email checks. Require vendors to notify you contractually within a set timeframe if a breach occurs. For higher-risk vendors, request SOC 2 reports annually.

First, determine what data the vendor held on your behalf. Second, check whether your customer or employee data was affected. Third, follow any guidance from the vendor. Fourth, consider whether you need to notify your own customers or regulators under applicable privacy laws (Australia's Privacy Act, GDPR, etc.). Fifth, reset credentials associated with that vendor platform and audit access logs.

Yes — your vendor's cyber insurance covers their losses, not yours. Your business needs its own policy to cover costs like customer notification, regulatory fines, legal fees, and business interruption losses that arise from a vendor breach that affects your data.

lilMONSTER audits your vendor relationships, identifies which tools hold sensitive data, assesses the security posture of your top vendors, and helps you build a vendor security framework that's proportionate to your actual risk profile — without the enterprise price tag. Book a session at consult.lil.business.


References

[1] Dataminr, "2026 Cyber Threat Landscape Report," Dataminr, Feb. 2026. [Online]. Available: https://resources.dataminr.com/dataminr-for-cyber-defense/dataminr-2026-cyber-threat-landscape-report

[2] P. Arntz, "Betterment data breach might be worse than we thought," Malwarebytes, Feb. 19, 2026. [Online]. Available: https://www.malwarebytes.com/blog/news/2026/02/betterment-data-breach-might-be-worse-than-we-thought

[3] "Data breach hits 1 million Figure customers," American Banker, Feb. 19, 2026. [Online]. Available: https://www.americanbanker.com/news/data-breach-hits-1-million-figure-customers

[4] FIRST, "2026 Vulnerability Forecast," Forum of Incident Response and Security Teams, Feb. 11, 2026. [Online]. Available: https://www.first.org/blog/20260211-vulnerability-forecast-2026

[5] "ITRC: Data-Breach 'Transparency Is on Life Support'," Insurance Journal, Feb. 18, 2026. [Online]. Available: https://www.insurancejournal.com/news/national/2026/02/18/858534.htm

[6] "Cybersecurity Essentials for SMBs in 2026," e-Marketing Associates, 2026. [Online]. Available: https://www.e-marketingassociates.com/blog/cybersecurity-essentials-for-smbs-in-2026

[7] A. Jones, "Top Cyber Risks For Businesses in 2026," Anthony Jones Insurance, 2026. [Online]. Available: https://anthonyjones.com/cyber-risks-businesses-2026/

[8] A. Barker, "Report: 1 in 4 Data Breaches Exploit Third-Party Vulnerabilities," Tech.co, Feb. 19, 2026. [Online]. Available: https://tech.co/news/report-1-in-4-data-breaches-exploit-third-party-vulnerabilities

[9] "Infosecurity: FIRST Forecasts Record-Breaking 50,000+ CVEs in 2026," Infosecurity Magazine, Feb. 19, 2026. [Online]. Available: https://www.infosecurity-magazine.com/news/first-forecasts-record-50000-cve


Your vendor relationships are only as secure as the weakest link in the chain. lilMONSTER helps SMBs map that exposure and close the gaps — without enterprise complexity or cost. Book a vendor security review today.

The Short Version

Imagine you own a café. You've got great locks on every door. Your alarm system is top-notch. But then the company that handles your online orders gets hacked — and suddenly every customer's address and payment info is out in the open. You didn't do anything wrong. Your café was fine. But the people you trusted with your customers' details weren't.

That's what a third-party vendor breach is. And right now, 1 in every 4 data breaches happens this way [1].


Why Your Software Tools Are Now the Target

Your business probably uses dozens of software tools: a payroll system, an email platform, an accounting app, a booking system. Each one of those companies has access to some piece of your data.

When hackers want to hit a big haul — lots of businesses' data in one go — they don't try to hack every business individually. That's slow. Instead, they target one of the shared tools that thousands of businesses all use. Hit one vendor, and you've hit everyone who uses that vendor at once.

This week, a company called Betterment found this out the hard way. Hackers tricked someone at a company Betterment used for sending emails into giving them access. Then they downloaded the financial details, names, phone numbers, and retirement plan information of 1.4 million customers [2]. Betterment's own systems were fine. The problem was one of their suppliers.

A few days earlier, the same thing happened to a fintech company called Figure — 1 million customers exposed through a social engineering attack on a vendor account [3].


What "Social Engineering" Means (It's Just Fancy Trickery)

Social engineering sounds complicated. It isn't. It means convincing a human to do something by pretending to be someone they trust.

Think of it like a con artist calling your receptionist, pretending to be the IT department, and asking for a password. Your receptionist wasn't hacked. The building wasn't hacked. But someone convinced a human to open the door anyway.

Hackers use this technique because it's often easier than breaking through technical security. And once they have access to a vendor's system, they can reach your data too.


How Fast Is This Happening?

Faster than most businesses can keep up with. Here's a number that matters: 96% of vendor software vulnerabilities are turned into active attacks within the same year they are discovered [1].

That means when a flaw is found in a tool you use, there's a very good chance someone tries to exploit it quickly — often before the tool is even patched.

Security researchers are also predicting that 2026 will see over 50,000 new software vulnerabilities disclosed — a record [4]. That's a lot of doors for attackers to try.


What You Can Actually Do About It

You don't need a team of security experts. You just need a few habits:

1. Know who has your data. Write a list of every tool your business uses and what customer or business data it touches. If you don't know, you can't act fast when something goes wrong.

2. Ask vendors hard questions. Before signing up with a new tool: Do they have security certification (like SOC 2 or ISO 27001)? Do they have a breach notification policy? If they can't answer, that's a red flag.

3. Turn on two-factor authentication everywhere. Including on your vendor accounts. It doesn't stop all attacks, but it makes the con artist's job much harder.

4. Keep your vendor list small. Every new tool you add is a new door into your business. The fewer tools, the less exposure.

5. Put it in the contract. Require any vendor handling your customer data to notify you within 48 hours if something goes wrong. Many SMBs skip this — don't.


The Upside: Security as a Business Edge

Here's the thing most people miss: if you handle your vendor relationships responsibly, it becomes a selling point.

When a potential client asks "how do you protect our data?" — and you have a real answer — you win business that your competitors don't. Especially in regulated industries like healthcare, legal, or finance, where data protection is a procurement requirement.

Security isn't just defensive. Done right, it's a competitive advantage — and it saves you from having to explain to your customers why their information ended up on the internet.


Need help figuring out which vendors are your biggest exposure? That's exactly what lilMONSTER does. Book a 30-minute vendor security review →


Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.
