Vendor Vulnerabilities: The Privacy Risks Lurking in Your Supply Chain
From a privacy perspective, we have always known that humans are our weakest link. We are susceptible to errors, manipulation, and exploitation. According to a Data Breach Investigation Report published by Verizon in 2024, 68% of data breaches in 2024 were the result of unintentional human actions. Humans are still the largest cause of data breaches, which highlights the importance of a strong privacy program that empowers employees to understand the impact they can have on data privacy within an organization.
That said, Verizon also reported that 15% of breaches in the dataset involved a supply chain interconnection, a 68% increase from the previous year. Other reports from Prevalent and CrowdStrike also focus on the surge in third-party breaches and cybersecurity incidents, which reached 61% in 2024.
Both reports underscore the critical nature of a robust privacy and security program focusing on both humans and third parties (whether vendors or supply chains).
To demonstrate the shadow that third parties can cast over your business, we don’t need to look too far back. In July 2024, Snowflake discovered a “small breach” in which a limited number of customer accounts had been affected due to its lack of security. Snowflake did not know it at the time, but this would eventually become one of the biggest breaches of 2024. The breach affected up to 165 organizations (and 2.4 million customer records). It occurred because of something so simple: second-factor authentication had not been implemented. The bad actor was able to compromise an employee’s account and used that Snowflake employee’s credentials to gain access to the Snowflake customer database, which was possible because second-factor authentication was not enabled. One of Snowflake’s customers was AT&T, which reported a 5% drop in its stock after the breach. The bottom line is that, had these customers conducted effective due diligence covering security and privacy risks, they would have identified the lack of second-factor authentication (and perhaps other risks) and either worked with Snowflake to mitigate the risks or chosen another vendor.
Third-party breaches are still a major threat vector, with threat actors exploiting these relationships for diverse motivations, such as espionage, financial gain, and surveillance. Now more than ever, it is essential to ensure that your staff is adequately trained on privacy best practices, ways to identify when a breach has occurred, and ways to discover risks associated with third-party relationships.
The data shows that third-party breaches are becoming more frequent, suggesting that current vendor due diligence practices may not be sufficient to address the escalating risks, particularly as we move into the era of AI. What is more, third-party breaches cost organizations in mitigation and recovery effort, reputational harm and financial loss, as we saw in the Snowflake incident. Even where you have invested in your own information security, you still run the risk of third-party breaches if you do not have a rigorous vendor due diligence process that addresses both privacy and security risks.
An organization can never outsource its responsibility over its data. As an organization, you remain the accountable party for your customer and employee data, irrespective of whether the third party is the cause of the breach. Privacy legislation in Canada ultimately requires an organization to take reasonable steps to protect personal information, which includes evaluating the privacy practices of third-party vendors you engage with.
What does the law say?
More specifically, the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) requires an organization to use contractual or other means to provide a comparable level of protection while personal information is being processed by third parties. This is largely the same requirement in the private sector privacy legislation in Alberta and British Columbia, as well as provincial public and health sector privacy laws. More recently, Quebec’s Act respecting the protection of personal information in the private sector (the “Quebec Act”) allows a person carrying on an enterprise to communicate personal information to a third party without an individual’s consent only if the information is necessary for carrying out a mandate or performing a contract of enterprise or for services. The caveat for this, however, is that there must be a written contract including measures to protect the confidentiality of the information, to ensure that the information is used only for carrying out the mandate or performing the contract, and to ensure that the third party does not keep the information after the expiry of the mandate or contract.
Mishandling personal information is detrimental to your organization, and allowing your third parties to mishandle your information is equally detrimental. Further, allowing third parties any access to your infrastructure without any assessment of their practices is essentially leaving the window to your organization open for either the third party or other bad actors to climb through. The vendor due diligence process does not need to be complicated: you can follow a conditional, tiered approach in which a pre-screening mechanism establishes how deep to dive into the vendor due diligence and which pillars to tackle (privacy, security, or both). The assessment should involve a comprehensive review of a vendor’s security and privacy practices, policies, and track record to identify and mitigate potential risks.
Other benefits of having a thorough vendor due diligence process include:
Risk mitigation: Vendor due diligence helps to identify and mitigate vendor risks during the contracting process. These risks can then be addressed proactively either contractually or with technical or organizational safeguards.
Improved negotiations: The process can uncover information that can be used to negotiate improved pricing or related benefits to offset risks, ensuring that the value correlates with the risk.
Ensuring regulatory compliance: Vendor due diligence helps to identify the specific regulatory requirements, controls or standards that you need to adhere to and, once these are identified, lets you hold the vendor accountable for shared responsibilities.
Reduced data breach risk: Organizations that implement strong vendor due diligence are better positioned to minimize the risk and impact of breaches and thus reduce the financial and reputational harm to the business.
Data protection: The process ensures vendors are aligned with your security standards and regulatory requirements.
The statistics and benefits serve as a crucial reminder that vendor due diligence is not just a best practice but a necessity for organizations aiming to protect their data and infrastructure and maintain business continuity.