ACCORDING to Black Kite, which has compiled its seventh annual Third-Party Breach Report, the blast radius of third-party data breaches is far larger than first thought, with more than 433 million individuals impacted by 136 events in 2025. The 136 verified breaches averaged 5.28 publicly named downstream victims per vendor, amounting to 719 companies and 433 million individual end customers, with a further 26,000 corporate victims reported by the affected vendors themselves.
Ground zero for these breaches tended to be software services vendors, which accounted for 38 breaches (28%) of the 136 verified breaches, followed by professional and technical services and healthcare services providers. Among downstream corporate victims, most are in healthcare (258), education (140) and financial services (101).
The report also highlights delays in both breach discovery and public disclosure: the median detection time was 10 days (average 68 days), and the median time to notify customers was 73 days (average 117 days). Of the 200,000 organisations monitored by Black Kite, 54% had at least one critical vulnerability and 23% had corporate credentials circulating on the dark web.