Cyentia Institute and RiskRecon, a Mastercard company, released research quantifying how a breach at one organization ripples out to many others in today's interconnected digital world.

The study, “Ripples Across the Risk Surface”, is based on an analysis of 897 multi-party breaches involving three or more interrelated companies. This second edition reinforces the 2019 Ripples report's findings on the risk posed by direct third-party vendors and partners, and extends them to the dangers posed by the rest of the supply chain.

Key findings from the report:

  • 897 multi-party breach incidents, also referred to as ripple events, have been observed since 2008.
  • 147 newly uncovered ripples were observed across the entire data set, with 108 occurring in the last three years.
  • A median ripple breach event causes 10x the financial damage of a traditional single-party breach.
  • The worst of the multi-party breach events causes 26x the financial damage of the worst single-party breach.
  • It takes 379 days for a typical ripple event to impact 75% of its downstream victims.
  • The median number of organizations affected by ripple events across the data set was 4.

According to the research, multi-party impacts can take many forms, but there are two primary mechanisms by which a breach pushes ripples across industries and organizations:

  1. WIDESPREAD THIRD-PARTY BREACH: This breach impacts multiple downstream organizations with a direct third-party relationship to the victim organization that generated the ripple event.
  2. SUPPLY CHAIN BREACH: A breach whose impact cascades through the generator organization's customers, so that exposure at one or more third parties in turn exposes systems or data owned by Nth-party organizations that have no direct relationship with the initial victim.

Researchers say these two categories are not mutually exclusive. In the more significant ripple events, a breach typically first hits multiple organizations that have direct third-party relationships with the generator, and then propagates downstream to those organizations' customers and to their customers' customers. Many ripple events therefore start as a widespread third-party breach that kicks off multiple supply chain breaches at once.
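To make the distinction between the two mechanisms concrete, the following added example (not part of the report or of this article) models a constructed supplier dependency graph and classifies every downstream victim by its hop distance from the generator organization: one hop is a direct third party, two or more hops is an Nth party. All organization names and edges are made up for illustration.

```python
from collections import deque

# Constructed example graph: an edge A -> B means B depends on A (B is a
# customer, client or downstream user of A), so a compromise of A can
# expose systems or data at B. Names are invented; nothing here comes from
# the Ripples report itself.
SUPPLY_GRAPH = {
    "RMM-Vendor": ["MSP-North", "MSP-South", "MSP-West"],
    "MSP-North": ["Clinic-A", "Clinic-B"],
    "MSP-South": ["LawFirm-C", "Retailer-D"],
    "MSP-West": [],
    "Clinic-A": ["Lab-E"],
    "Clinic-B": [],
    "LawFirm-C": [],
    "Retailer-D": ["Payments-F"],
    "Lab-E": [],
    "Payments-F": [],
}


def blast_radius(graph, generator):
    """Return {org: hops} for every organization downstream of `generator`.

    Breadth-first search gives each organization its shortest hop distance
    from the generator. Hop 1 is a direct third party; hop >= 2 is an
    Nth party with no direct relationship to the generator. The visited
    check also terminates cleanly if the graph contains cycles.
    """
    hops = {generator: 0}
    queue = deque([generator])
    while queue:
        org = queue.popleft()
        for customer in graph.get(org, []):
            if customer not in hops:
                hops[customer] = hops[org] + 1
                queue.append(customer)
    hops.pop(generator)  # the generator is the origin, not a downstream victim
    return hops


def classify_ripple(hops):
    """Map hop distances onto the report's two ripple mechanisms.

    Both labels may apply to the same event, reflecting the report's point
    that the categories are not mutually exclusive. An event only counts as
    a ripple (multi-party) event when the generator plus its victims number
    three or more organizations, i.e. at least two downstream victims.
    """
    direct = sorted(org for org, h in hops.items() if h == 1)
    nth = sorted(org for org, h in hops.items() if h >= 2)
    labels = []
    if len(direct) > 1:
        labels.append("widespread third-party breach")
    if nth:
        labels.append("supply chain breach")
    return {
        "is_ripple_event": len(hops) >= 2,
        "direct_third_parties": direct,
        "nth_parties": nth,
        "labels": labels,
    }


if __name__ == "__main__":
    for origin in ("RMM-Vendor", "MSP-North", "Clinic-A"):
        result = classify_ripple(blast_radius(SUPPLY_GRAPH, origin))
        print(origin, "->", result)
```

Running the script against the constructed graph shows the compound pattern the report describes: a compromise of the remote-management vendor is simultaneously a widespread third-party breach (three MSPs hit directly) and a supply chain breach (six Nth-party organizations exposed through them), while a compromise of a leaf organization such as Clinic-A reaches only a single downstream party and does not qualify as a ripple event at all.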

This is the scenario witnessed most recently in the 2021 Kaseya ransomware event, in which attackers abused the remote monitoring and management software that many managed service providers run, compromising the client bases of multiple MSPs simultaneously.

The full Ripples Across the Risk Surface report is available for download from RiskRecon.