Black Kite: Data breaches escalate to record highs amid slow disclosure by supply chain companies

Third-party data incursions escalated to record highs in 2025—and a new report also found that the speed of breach impact was much faster than speed of disclosure, allowing incidents to escalate.
March 3, 2026

What you'll learn:

  • Last year, not only were more companies breached, but the speed of impact of these breaches was much faster than the speed at which they were disclosed.
  • The Black Kite report found an average of 5.28 downstream victims per third-party breach, the highest level observed to date, reflecting an increase in the scale and coordination of attacks.  
  • There were 136 unique major incidents, affecting 719 companies, plus an estimated 26,000 more impacted companies that were not officially named.

Third-party data breaches and risks escalated because the impact of incidents cascaded faster than they were disclosed, leaving hundreds of supply chain companies as named breach victims and thousands more unnamed, according to a newly released report.

Last year, not only were more companies breached, but the speed of impact of these breaches was faster than the speed at which they were disclosed, according to the new Third-Party Breach Report by Black Kite, vendor of a cyber risk management platform. Black Kite’s report analyzed third-party data breaches last year from Jan. 1 to Dec. 31.  

The Black Kite report, which examined the supply chain’s vulnerabilities by evaluating 2025 third-party breach events and dominant trends and the cyber posture of about 200,000 monitored companies on the Black Kite platform, found an average of 5.28 downstream victims per third-party breach, the highest level observed to date, reflecting an increase in the scale and coordination of attacks.  

Black Kite found 136 unique major incidents, affecting 719 companies, plus an estimated 26,000 additional impacted companies that were not officially named.

Across incidents, Black Kite identified 719 named victim companies, which were explicitly disclosed but represented only a portion of the organizations impacted. In 27 separate incidents, vendors disclosed downstream impact only in aggregate terms, revealing the 26,000 companies that were impacted but not named.

“Traditional third-party risk management is not keeping pace with the reality of today’s threats,” said Ferhat Dikbiyik, chief research and intelligence officer at Black Kite. “Over the past year, these risks have transformed from a series of isolated accidents into a systematic crisis.” 

Dikbiyik continued: “The Black Kite Research Group took a deep dive into the supply chain, and from our findings, we can forget about the ‘weakest link.’ Supply chains are actually most fragile at their highest points of connection.” 

“Knowing this, it’s imperative that security teams understand where risk enters, where it concentrates, and how it propagates, and to get there, they need to shift toward active intelligence and systematic awareness.” 

The approximately 26,000 impacted companies, which were affected but never officially named, were part of a “shadow layer” behind aggregate disclosures, the report said.

According to Black Kite, this layer emerged during the window of time to disclose a breach. While the median time to detect an intrusion was 10 days, the median delay to disclose the information to the public was more than seven times longer, 73 days, which the report claimed represents a transfer of risk from vendor to downstream consumer.   

Both detection and disclosure of incidents are slow: median detection was 10 days (79 events with timeline data), and the median disclosure lag was 73 days, with an average of 117.

The industries with the most breach events were software services among vendors and health care services among companies. While the report identified the victims of these breaches, in almost 73% of instances, the attacker was unknown.

The report also found that even companies with strong cyber grades are not inherently resilient under real-world pressure: strong grades often coexist with weak fundamental controls and exposed technical signals that make a company a target for ransomware attacks.

This is most prominent in the manufacturing and professional services industries, where high ransomware susceptibility intersects with poor patch discipline.

Black Kite recommended that, to decrease the risk of a breach in 2026, companies use techniques that prepare them before breaches happen, rather than reacting when they do, in order to increase the speed of disclosure.

For example, the report said that companies should use concentration risk mapping to map dependencies across the supply chain and identify frequently shared vendors to prioritize where concentration risk lives.  

It also recommended using active intelligence to shrink the window of opportunity for breaches, such as implementing continuous monitoring; prioritizing “pressure zone” remediation; demanding transparency from vendors; and shifting from compliance to operational resilience through contingency plans and scenario-based risk assessments.

About the Author

Sarah Mattalian

Staff Writer

Sarah Mattalian is a Chicago-based journalist writing for Smart Industry and Automation World, two brands of Endeavor Business Media, covering industry trends and manufacturing technology. In 2025, she graduated with a master's degree in journalism from Northwestern University's Medill School of Journalism, specializing in health, environment and science reporting. She does freelance work as well, covering public health and the environment in Chicagoland and in the Midwest. Her work has appeared in Inside Climate News, Inside Washington Publishers, NBC4 in Washington, D.C., The Durango Herald and North Jersey Daily News. She has a translation certificate in Spanish.
