Third Party Examples: Real-World Cases and Applications
Third Party Examples That Actually Matter in the Real World
Everyone talks about third party risk. Very few people show you what it actually looks like in practice. This isn't another generic guide repeating the same tired definitions. These are real cases, real failures, and real lessons you can actually use.
Third party relationships touch every business operation. Vendors, suppliers, contractors, SaaS platforms, cloud providers, logistics partners. If you think your organization operates in isolation, you're wrong. And that ignorance is exactly what attackers are counting on.
What Third Party Relationships Actually Mean
A third party is any entity outside your direct organization that you share data with, grant system access to, or depend on for business operations. This includes:
- Software vendors with access to your customer data
- Payment processors handling your transactions
- Cloud providers storing your files
- Marketing agencies with login credentials
- HR platforms with employee information
- Physical suppliers with warehouse access
The list goes on. Most businesses have dozens or hundreds of these relationships without fully understanding the risk exposure each one creates.
Major Third Party Data Breaches That Actually Happened
Target (2013) — The HVAC Vendor That Cost Millions
Target's breach exposed roughly 40 million payment card records and personal data on up to 70 million customers, about 110 million records in total. The entry point was a third party HVAC vendor (Fazio Mechanical) that held credentials for Target's vendor portal, used for electronic billing and contract submission. Attackers stole those credentials, used the vendor foothold to move into Target's internal network, and deployed memory-scraping malware on point-of-sale systems.
Damage: $202 million in breach-related costs net of insurance. CEO resigned. Brand trust tanked for years.
The lesson here isn't subtle: your security is only as strong as the weakest vendor with network access. Target didn't even sell HVAC systems. They let a vendor connect to their network, failed to segment that vendor access from the payment environment, and paid the price.
SolarWinds (2020) — Software Updates as Attack Vector
SolarWinds provided network management software to thousands of organizations, including multiple federal agencies and Fortune 500 companies. Attackers compromised the software build process and inserted a backdoor (later named SUNBURST) into legitimately signed updates of the Orion platform, which roughly 18,000 customers downloaded.
Receiving the backdoor was not the same as being exploited. The attackers used it to go hands-on in only a small fraction of those networks, reported at around 100 organizations, and most victims learned of the intrusion only after it was made public in December 2020.
Damage: nine US federal agencies and roughly 100 companies compromised, including major technology and security vendors. Years of cleanup required.
This wasn't a vendor that simply skipped patching. The attackers compromised the build pipeline itself, so the malicious code shipped inside a correctly signed update from a trusted vendor, and no questionnaire, SOC 2 report or signature check on the customer side would have caught it. What limits this class of attack is treating vendor software as untrusted once it is inside your network: least privilege for the servers it runs on, egress filtering, and monitoring for behaviour the product has no reason to exhibit.
Accellion (2020-2021) — Legacy Software Nobody Updated
Accellion's File Transfer Appliance (FTA) was a legacy product, roughly 20 years old and approaching end of life, that the company had been urging customers to replace. In December 2020 and January 2021 attackers exploited zero-day vulnerabilities in FTA to pull data off the appliances of dozens of organizations, followed by extortion attempts.
Because the appliance sits at the network edge and holds files staged for exchange, one exploit chain hit healthcare systems, universities, law firms, energy companies and government agencies simultaneously.
Damage: University of California medical systems exposed. Jones Day law firm compromised. Shell lost data. Multiple healthcare providers affected by related breaches.
Organizations blamed Accellion. Accellion blamed customers for staying on an end-of-life product. Both had a point. Third party security is a shared responsibility that neither side was owning.
Okta (2022) — A Sub-Processor's Laptop Got Hacked
Okta's own systems weren't breached directly. The attackers (the Lapsus$ group) went through a third party customer support contractor, Sitel: they took control of a Sitel support engineer's laptop over a remote desktop session and, from that machine, could use the engineer's access to Okta's support tooling.
Okta learned of the suspicious activity in January 2022 but did not disclose it publicly until the attackers posted screenshots in March, about two months later. Its initial response downplayed the incident significantly.
Damage: 366 organizations potentially exposed. Okta stock dropped. Reputation damaged.
This case proves that your vendors' vendors matter too. You can audit your direct suppliers all day, but if they hire contractors with poor security hygiene, you're still exposed.
Third Party Applications in Different Industries
Healthcare
Medical organizations depend on third parties for everything: billing software, electronic health records, imaging systems, lab result integrations, insurance verification, and pharmacy connections.
A breach at any single vendor can expose patient data protected under HIPAA. The consequences aren't just financial—patients' most sensitive information ends up on dark web forums.
Real example: The 2019 Quest Diagnostics breach exposed 11.9 million patient records through its billing collections vendor, AMCA. No direct hack of Quest systems. Just a vendor with inadequate security.
Financial Services
Banks don't handle their own payments, credit checks, fraud detection, or core banking software. They rely on dozens of third party providers for critical functions.
Regulators are increasingly focused on third party concentration risk—what happens when multiple banks use the same vendor, and that vendor fails or gets breached.
Real example: The 2023 mass exploitation of a zero-day in Progress Software's MOVEit Transfer file transfer product hit hundreds of financial institutions, pension funds, and insurance companies. Banks that had no direct relationship with Progress Software still got dragged into the mess through their payroll providers, benefits managers, and other vendors running the vulnerable software.
Retail and E-commerce
Online retailers depend on payment processors, shipping integrations, marketing platforms, inventory management systems, and customer service tools. Each connection is a potential entry point.
Real example: The 2018 Ticketmaster breach came through a third party customer support chatbot vendor, Inbenta. Attackers modified the JavaScript Inbenta served to Ticketmaster's pages, so a card skimmer ran in customers' browsers on the payment page. Customers who had never heard of Inbenta suddenly had their payment data compromised.
Technology Companies
Tech firms often have the most complex third party ecosystems. Open source libraries, cloud infrastructure, API integrations, SDKs, and partner platforms all create interconnected dependencies.
Real example: The Log4Shell vulnerability in Apache Log4j, disclosed in December 2021, affected a huge share of Java applications worldwide. Organizations scrambled to patch not just their own code, but every vendor product containing the vulnerable library, and many vendors could not initially say whether their products bundled it. The ripple effects took months to fully resolve.
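Finding every copy of the library, including the ones bundled inside vendor products, is the concrete task behind that sentence. The script below is an added example, not code from the original article or from any vendor: it walks a CycloneDX-style SBOM (the sample SBOM and the "vendor-agent" product in it are constructed) and flags each log4j-core build against the published Apache fix versions, tracing bundled copies back to the product that ships them.

```python
"""Scan a CycloneDX-style SBOM for vulnerable log4j-core builds, including
copies bundled inside vendor products. Added example, not code from the
original article or from any vendor; the SBOM below is constructed.
"""
import json
import re

# Constructed sample SBOM (CycloneDX JSON layout, trimmed to the fields used).
# "vendor-agent" is a hypothetical vendor product that bundles its own log4j.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.12.4"},
        {"group": "com.example", "name": "vendor-agent", "version": "3.4.0",
         "components": [
             {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.15.0"},
         ]},
    ],
})

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-(?:alpha|beta|rc)(\d+))?$")


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 1, 0); '2.0-beta9' -> (2, 0, 0, 0, 9).
    The fourth field makes a final release sort after its pre-releases."""
    m = _VER_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if pre else 1, int(pre or 0))


# Releases that close the whole Log4Shell family on their branch
# (2.17.1 for Java 8+, 2.12.4 for Java 7, 2.3.2 for Java 6).
FULLY_FIXED = {"2.17.1", "2.12.4", "2.3.2"}
# Back-ports that sit numerically inside the 2.0-beta9..2.14.1 range but
# already removed the JNDI lookup RCE; they still need the later fixes.
RCE_FIXED_BACKPORTS = {"2.12.2", "2.12.3", "2.12.4", "2.3.1", "2.3.2"}


def classify_log4j_core(version):
    """Map a log4j-core version to (status, action_required)."""
    v = parse_version(version)
    if version in FULLY_FIXED or v >= parse_version("2.17.1"):
        return ("patched", False)
    if v < parse_version("2.0-beta9"):
        return ("below the affected range", False)
    if v <= parse_version("2.14.1") and version not in RCE_FIXED_BACKPORTS:
        return ("CVE-2021-44228 (Log4Shell): unauthenticated RCE, upgrade now", True)
    return ("later Log4Shell-family CVEs: upgrade to 2.17.1 (2.12.4 / 2.3.2 on old Java)", True)


def scan_sbom(sbom_json):
    """Return a finding for every log4j-core in the component tree, with the
    chain of parent components so a bundled copy is traced to its product."""
    bom = json.loads(sbom_json)
    findings = []

    def walk(components, path):
        for c in components:
            label = f"{c.get('name')}@{c.get('version')}"
            if c.get("group") == "org.apache.logging.log4j" and c.get("name") == "log4j-core":
                status, action = classify_log4j_core(c["version"])
                findings.append({"path": " > ".join(path + [label]),
                                 "status": status, "action_required": action})
            # Vendor products may nest their own dependency lists.
            walk(c.get("components", []), path + [label])

    walk(bom.get("components", []), [])
    return findings


def action_required(findings):
    return [f for f in findings if f["action_required"]]


if __name__ == "__main__":
    for f in scan_sbom(SAMPLE_SBOM):
        flag = "!!" if f["action_required"] else "ok"
        print(f"{flag} {f['path']}: {f['status']}")
```

The nested walk is the part that matters for third party risk: a vendor product's own SBOM entry is where the bundled copy hides, and a flat grep of your own build files never sees it. Versions are compared structurally rather than as strings so that 2.0-beta9 sorts before 2.0 and the 2.12.x and 2.3.x back-port branches are not mistaken for old, unpatched builds.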
Types of Third Party Relationships You Need to Track
Not all third parties create equal risk. Here's how they break down:
- Vendors with system access — Cloud providers, SaaS platforms, managed service providers. These can see your data or run processes on your behalf.
- Vendors with data access — Analytics platforms, marketing tools, CRM systems. They hold your customer information but don't have direct system access.
- Vendors with physical access — Cleaning crews, maintenance contractors, delivery services. Lower cyber risk, but real physical security concerns.
- Sub-processors — Your vendors' vendors. Often invisible to your risk assessments but increasingly targeted by attackers.
Comparing Third Party Risk Management Approaches
| Approach | What It Covers | Weakness | Best For |
|---|---|---|---|
| Questionnaire-only | Self-reported security practices | Easy to fake; doesn't verify actual controls | Low-risk vendors |
| Annual audits | Point-in-time assessment | Outdated immediately after; expensive | Critical vendors only |
| Continuous monitoring | Real-time threat intelligence | Requires tools and expertise | High-risk vendors |
| Security ratings services | Publicly observable security posture | Limited scope; doesn't see internal controls | Quick triage of large vendor lists |
| Penetration testing | Active exploitation testing | Expensive; point-in-time | Critical systems |
Most organizations need a combination. Questionnaires work for low-risk vendors. Continuous monitoring makes sense for vendors touching sensitive data. Security ratings services help you prioritize where to focus deeper assessment efforts.
How to Actually Assess Third Party Risk
Skip the generic frameworks. Here's what works in practice:
Step 1: Build Your Inventory
You can't manage what you can't see. Map every vendor with access to your systems or data. Include the data types they touch, the access level granted, and the business criticality of the relationship.
Most organizations discover they have twice as many vendors as they thought once they actually look.
Step 2: Tier by Risk
Not every vendor deserves the same scrutiny. Focus on vendors that:
- Process sensitive data (PII, financial, health)
- Have network access to your internal systems
- Are critical to business operations
- Have a history of security incidents
Lower tier vendors get basic questionnaires. Critical vendors get deep dives.
Step 3: Verify, Don't Trust
Self-attestation is worthless on its own. Every vendor will say they have good security. What matters is what you can actually verify:
- Request SOC 2 Type II reports and actually read them: the scope, the exceptions the auditor noted, and the complementary user entity controls the report assumes you have in place
- Check for recent penetration test results
- Verify patch management practices
- Confirm sub-processor disclosure
- Test incident response capabilities
Step 4: Contract for Accountability
Your contracts should include:
- Security requirements and compliance obligations
- Breach notification timelines (24-72 hours is reasonable)
- Right to audit or assess
- Data handling and deletion requirements
- Insurance requirements
- Termination and data return procedures
If your contracts don't have teeth, your vendor won't either.
Step 5: Monitor Continuously
Third party risk isn't a one-time assessment. You need ongoing monitoring for:
- Security rating changes
- News about breaches or vulnerabilities
- Changes in vendor's own third party relationships
- Compliance status updates
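The inventory, tiering and ongoing-review steps above as one runnable model. This is an added example, not code from the original article; the vendor names, scoring weights, evidence-age windows and assessment date are constructed assumptions. What it adds beyond the prose is sub-processor propagation: data a vendor holds is treated as exposed to that vendor's own sub-processors, and any sub-processor missing from the inventory is reported as unknown rather than silently ignored.

```python
"""Vendor inventory with risk tiering, sub-processor propagation and
evidence-freshness checks. Added example, not from the original article;
vendor names, weights, review windows and the assessment date are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

SENSITIVE = {"pii", "financial", "health"}
ACCESS_WEIGHT = {"system": 3, "data": 2, "physical": 1, "none": 0}
# How old verification evidence (SOC 2 Type II, pentest, assessment) may be
# per tier. The windows are illustrative assumptions, not a standard.
MAX_EVIDENCE_AGE = {1: timedelta(days=90), 2: timedelta(days=365), 3: timedelta(days=730)}


@dataclass
class Vendor:
    name: str
    data_types: frozenset = frozenset()   # data they are known to touch
    access: str = "none"                  # "system", "data", "physical" or "none"
    critical: bool = False                # an outage would halt a business operation
    incident_history: bool = False        # known breach or major incident
    sub_processors: tuple = ()            # names of the vendors they use for this service
    last_evidence: Optional[date] = None  # date of the most recent verified evidence


def inherited_exposure(index):
    """Propagate data exposure down sub-processor chains.

    Simplifying assumption: a sub-processor can see everything its parent
    vendor holds unless the inventory records otherwise. Iterates to a fixed
    point, so chains of any depth (and cycles) are handled. Returns the
    effective data set per vendor plus the sub-processors that are not in
    the inventory at all.
    """
    exposure = {name: set(v.data_types) for name, v in index.items()}
    unknown = set()
    changed = True
    while changed:
        changed = False
        for name, v in index.items():
            for sub in v.sub_processors:
                if sub not in index:
                    unknown.add(sub)
                    continue
                before = len(exposure[sub])
                exposure[sub] |= exposure[name]
                changed = changed or len(exposure[sub]) != before
    return {n: frozenset(s) for n, s in exposure.items()}, unknown


def risk_score(vendor, data_types):
    """Weighted version of the four tiering criteria in the text."""
    score = 3 if data_types & SENSITIVE else 0
    score += ACCESS_WEIGHT[vendor.access]
    score += 2 if vendor.critical else 0
    score += 1 if vendor.incident_history else 0
    return score


def tier_for(score):
    return 1 if score >= 6 else 2 if score >= 3 else 3


def assess(vendors, today):
    """Return {vendor: {tier, data, stale}} and the set of unknown sub-processors."""
    index = {v.name: v for v in vendors}
    exposure, unknown = inherited_exposure(index)
    report = {}
    for name, v in index.items():
        tier = tier_for(risk_score(v, exposure[name]))
        stale = v.last_evidence is None or today - v.last_evidence > MAX_EVIDENCE_AGE[tier]
        report[name] = {"tier": tier, "data": exposure[name], "stale": stale}
    return report, unknown


# Constructed inventory. "PayFlow" declares it hosts on "CloudHost", and the
# support widget vendor uses an analytics firm nobody added to the inventory.
SAMPLE_VENDORS = [
    Vendor("PayFlow", frozenset({"financial"}), "data", critical=True,
           sub_processors=("CloudHost",), last_evidence=date(2024, 1, 10)),
    Vendor("CloudHost", access="system", critical=True, last_evidence=date(2024, 5, 1)),
    Vendor("ChatWidget", frozenset({"pii"}), "data", incident_history=True,
           sub_processors=("AnalyticsCo",), last_evidence=date(2022, 3, 1)),
    Vendor("CleanCrew", access="physical"),
]

if __name__ == "__main__":
    report, unknown = assess(SAMPLE_VENDORS, date(2024, 6, 1))
    for name, r in sorted(report.items(), key=lambda kv: kv[1]["tier"]):
        print(f"tier {r['tier']}  {name:<11} data={sorted(r['data'])}  "
              f"{'EVIDENCE STALE' if r['stale'] else 'ok'}")
    print("sub-processors missing from inventory:", sorted(unknown))
```

Note what the propagation does to CloudHost: it declares no data of its own, but because PayFlow stores financial data on it, it lands in tier 1 and inherits the 90-day evidence window. That is the Okta pattern from earlier in the article expressed as inventory logic, and the unknown-sub-processor list is the gap a questionnaire alone never surfaces.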
What Third Party Risk Management Gets Wrong
Most programs fail because they focus on compliance theater instead of actual risk reduction. Here's what doesn't work:
- Questionnaires nobody reads — Sending 200 questionnaires and filing the responses isn't security. It's paperwork.
- Ticking boxes for auditors — Doing the minimum to satisfy a compliance requirement doesn't protect you from attackers.
- One-time assessments — A vendor can have perfect security in January and get breached in March.
- Ignoring sub-processors — Your vendor's poor security choices can burn you just as badly as their own.
- No incident response coordination — When a vendor gets breached, do you know who to call? Do they know how to reach you?
The Bottom Line
Third party risk is real, it's growing, and most organizations are underestimating it. The examples above aren't edge cases—they're the new normal. Attackers specifically target vendors because it's easier than breaching direct targets.
You can't eliminate third party risk. You can only manage it. Build your inventory, tier your vendors, verify controls, contract for accountability, and monitor continuously. That's not glamorous work. It's the work that actually prevents breaches.
Start with your highest-risk vendors. Pick one. Get their SOC 2 report. Actually read it. That's more than most organizations do, and it's already a meaningful improvement.