Methodology of the Report

The findings in this report are the result of a multi-source, intelligence-led investigation conducted by the Black Kite Research Team. We combine verified public breach disclosures with Black Kite’s external cyber risk telemetry and supply chain intelligence to analyze how third-party data breaches emerged, propagated, and concentrated across the ecosystem throughout 2025.

1. Data Sources and Scope

This report covers third-party data breach events disclosed between January 1, 2025 and December 31, 2025. The breach dataset is limited to verified, publicly disclosed incidents and is designed to reflect what can be substantiated from reliable reporting and primary disclosures.

To support technical and risk analysis, we used:

  • Black Kite platform telemetry (external, non-intrusive observations of posture, exposure, and weakness signals)
  • Verified public disclosures (regulatory filings, official breach notifications, vendor statements, and credible investigative reporting)
  • Supply chain relationship data from Black Kite’s Supply Chain intelligence
  • Vulnerability intelligence, including references to CISA’s Known Exploited Vulnerabilities (KEV) Catalog for exploited-in-the-wild context

2. Verification Rules and Inclusion Criteria

To prevent inflation and speculation, we applied strict inclusion rules:

  • Only verified sources were accepted.
  • Threat actor claims were not treated as sufficient evidence on their own. Attribution was included only when it was corroborated by reliable reporting or primary disclosure context.
  • A company was counted as an impacted downstream victim only if it was explicitly named and there was credible confirmation that it was affected by the breach.
  • Disruptions/outages without confirmed data breach impact were excluded.
  • Statements such as “customers may have been affected” or “X customers could be impacted” were not included unless the impacted organizations were named and the impact was substantiated.

3. Incident Counting and De-Duplication Controls

To ensure consistent counting across complex corporate structures:

  • If a breach affected a parent company and multiple subsidiaries, brands, or franchise entities as part of the same incident, it was counted as one (1) victim event, unless distinct disclosures confirmed separate incidents.
  • This prevents artificial inflation where a single compromise is reported across multiple entities that share the same underlying breach source.
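The counting rule above can be expressed directly as a grouping step. The following is an added illustration, not code from the Black Kite Research Team: it takes constructed victim rows (each named entity, the vendor incident it traces to, and its corporate parent) and collapses parent, subsidiaries, brands and franchises hit by the same incident into a single victim event. An entity confirmed by a distinct disclosure as a separate incident is assumed here to carry its own incident identifier, so it is counted separately without any special casing.

```python
from collections import defaultdict

# Constructed sample rows (not from the report's dataset). Each row is one named
# downstream entity as it might appear in a disclosure, with the vendor incident
# it traces to and the corporate parent it rolls up to.
SAMPLE_VICTIM_ROWS = [
    {"incident_id": "INC-A", "victim": "Acme Holdings",       "parent": "Acme Holdings"},
    {"incident_id": "INC-A", "victim": "Acme Retail",         "parent": "Acme Holdings"},  # subsidiary
    {"incident_id": "INC-A", "victim": "Acme Franchise #12",  "parent": "Acme Holdings"},  # franchise entity
    {"incident_id": "INC-A", "victim": "Beta Corp",           "parent": "Beta Corp"},
    {"incident_id": "INC-B", "victim": "Acme Holdings",       "parent": "Acme Holdings"},  # distinct incident
]


def _norm(name: str) -> str:
    """Normalise an entity name so spelling variants of one parent do not split a group."""
    return " ".join(name.split()).casefold()


def count_victim_events(rows):
    """Apply the de-duplication control: one victim event per (incident, corporate family).

    Separate incidents, confirmed by distinct disclosures, arrive with their own
    incident_id and are therefore counted on their own.
    """
    families = defaultdict(set)          # (incident_id, parent) -> entities rolled into it
    for row in rows:
        key = (row["incident_id"], _norm(row["parent"]))
        families[key].add(row["victim"])

    return {
        "raw_rows": len(rows),                                    # naive count, inflated
        "incidents": len({r["incident_id"] for r in rows}),       # vendor breach events
        "victim_events": len(families),                           # de-duplicated count
        "unique_named_victims": len({_norm(r["victim"]) for r in rows}),
        "rollups": {f"{inc}/{parent}": sorted(ents) for (inc, parent), ents in families.items()},
    }


if __name__ == "__main__":
    summary = count_victim_events(SAMPLE_VICTIM_ROWS)
    print(f"raw rows:         {summary['raw_rows']}")
    print(f"vendor incidents: {summary['incidents']}")
    print(f"victim events:    {summary['victim_events']}")
    print(f"unique victims:   {summary['unique_named_victims']}")
    for key, entities in summary["rollups"].items():
        print(f"  {key}: {entities}")
```

On the constructed rows, five disclosure lines reduce to three victim events across two vendor incidents, while the unique-company count (four) stays independent of the event count, which mirrors the separation between "victim events" and "unique named victim companies" in the dataset design below.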

4. Dataset Design

To analyze past impact, baseline posture, and systemic concentration risk, the report is built on three datasets:

Dataset 1 (Part I — What Happened in 2025):

  • 136 verified third-party breach events (vendors) in 2025
  • 719 unique named victim companies identified across those events

Dataset 2 (Part II — Baseline Posture at Scale):

  • Approximately 200,000 organizations selected from Black Kite platform coverage to measure baseline posture signals (e.g., cyber grade, RSI, patch-failure signals) independent of breach headlines

Dataset 3 (Part III — Concentration Risk in the Forbes Global 2000 Ecosystem):

  • Company universe sourced from Forbes Global 2000
  • Vendor relationships derived from Black Kite Supply Chain data

We mapped shared vendors across this ecosystem and isolated the most widely shared vendors after filtering out generic infrastructure noise, enabling concentration-risk analysis of the most connected nodes.

5. Industry Classification Standard (NAICS Alignment)

All entities across the three datasets were normalized using NAICS classification to ensure consistent sector-level comparisons, reduce category drift, and support like-for-like aggregation across breach events, platform posture data, and supply chain vendor ecosystems.

6. Vulnerability and KEV Methodology (CVE Context)

Where vulnerability-driven risk was discussed, we referenced CVEs in context and used CISA’s KEV Catalog as a benchmark for “known exploited” exposure. This allows us to distinguish between theoretical vulnerability presence and vulnerabilities with evidence of active exploitation, especially in the concentration-risk vendor set.
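The distinction between theoretical vulnerability presence and known-exploited exposure reduces to a join against the KEV feed. The script below is an added example written for this page, not Black Kite's tooling. It assumes a catalog in the shape of CISA's published KEV JSON feed (the field names `vulnerabilities`, `cveID`, `vendorProject`, `dateAdded` and `knownRansomwareCampaignUse` are from that feed); the catalog entries, CVE identifiers and per-vendor CVE lists are constructed placeholders, not real records.

```python
import json

# Constructed sample in the shape of the CISA KEV JSON feed. Field names follow the
# published feed; the entries and CVE IDs are placeholders, not real KEV records.
SAMPLE_KEV_JSON = """
{
  "title": "constructed sample catalog",
  "vulnerabilities": [
    {"cveID": "CVE-2025-00001", "vendorProject": "ExampleVendor", "product": "Gateway",
     "dateAdded": "2025-03-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-00002", "vendorProject": "ExampleVendor", "product": "Portal",
     "dateAdded": "2025-07-15", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed externally observed CVEs per vendor (placeholder vendor names and IDs).
SAMPLE_VENDOR_CVES = {
    "Vendor-1": ["CVE-2025-00001", "CVE-2025-00003"],
    "Vendor-2": ["CVE-2025-00004"],
    "Vendor-3": ["CVE-2025-00002", "CVE-2025-00001", "CVE-2025-00005", "CVE-2025-00001"],
}


def load_kev_index(kev_json_text: str) -> dict:
    """Index the KEV feed by CVE ID so membership checks are O(1)."""
    catalog = json.loads(kev_json_text)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def classify_vendor_exposure(vendor_cves: dict, kev_index: dict) -> list:
    """Split each vendor's CVEs into KEV-listed (evidence of in-the-wild exploitation)
    and theoretical presence (no KEV evidence), and flag ransomware-linked entries.

    Results are sorted by KEV count descending so the vendors with confirmed
    exploited exposure surface first in a concentration-risk review.
    """
    rows = []
    for vendor, cves in vendor_cves.items():
        unique = sorted(set(cves))                      # duplicates in telemetry do not inflate counts
        kev_hits = [c for c in unique if c in kev_index]
        rows.append({
            "vendor": vendor,
            "total_cves": len(unique),
            "kev_cves": kev_hits,
            "theoretical_cves": [c for c in unique if c not in kev_index],
            "ransomware_linked": [
                c for c in kev_hits
                if kev_index[c].get("knownRansomwareCampaignUse") == "Known"
            ],
        })
    rows.sort(key=lambda r: (-len(r["kev_cves"]), r["vendor"]))
    return rows


if __name__ == "__main__":
    index = load_kev_index(SAMPLE_KEV_JSON)
    for row in classify_vendor_exposure(SAMPLE_VENDOR_CVES, index):
        print(f"{row['vendor']}: {len(row['kev_cves'])}/{row['total_cves']} CVEs in KEV, "
              f"theoretical={row['theoretical_cves']}, ransomware-linked={row['ransomware_linked']}")
```

Two design points carry over from the methodology text: CVE lists are de-duplicated before counting so repeated telemetry observations do not inflate a vendor's exposure, and the KEV catalog is treated as the sole evidence of active exploitation, so a CVE absent from it is reported as theoretical presence rather than dismissed.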

7. Technical Ratings Explained

The Black Kite Technical Rating ranges from 0 to 100 and covers 19 risk categories. Scores are also translated into letter grades for clarity:

  • A (Excellent): 90–100
  • B (Good): 80–89
  • C (Fair): 70–79
  • D (Poor): 60–69
  • F (Failing): 0–59

8. Limitations

This report is intentionally conservative and bounded by verification:

  • It reflects only breaches that were publicly disclosed and could be substantiated under strict inclusion rules.
  • Downstream impact is often underreported: many incidents disclose aggregate impact without naming affected companies, limiting victim attribution and sector mapping.
  • External telemetry reflects what is observable from outside; internal controls, unreported incidents, and private remediation efforts are outside the scope of this methodology.
  • Finally, because attribution quality varies widely across disclosures, actor-level conclusions are limited to cases with sufficient corroboration.