third-party-risk

When the Breach Isn't at Your Bank: Third-Party Risk Hits Healthcare and Finance in the Same Week

John Z Black Apr 15, 2026

Incidents & Breaches #data-breach #third-party-risk #healthcare #financial-services #springfield-hospital #marquis #lapsus #vendor-risk

A hospital email account, a fintech ransomware attack still sending notifications eight months later, and a Lapsus$ claim against a financial vendor. Third-party concentration risk landed in two sectors at once this week.

Two Breaches Today. One Was Careful. One Was a Unlocked Door. Both Were Catastrophic.

John Z Black Apr 14, 2026

Incidents & Breaches #rockstar #shinyhunters #data-breach #snowflake #alinto #supply-chain #third-party-risk

ShinyHunters dumped 78.6 million Rockstar records after the ransom deadline expired. They never touched Rockstar directly. They went through a cloud analytics vendor. Meanwhile, a French email provider left an Elasticsearch cluster open to the internet and exposed 40 million records across L'Oreal, Renault, and French government embassies.

The LAPD Was Not Hacked. But 7.7 Terabytes of Its Data Leaked Anyway.

John Z Black Apr 12, 2026

Incidents & Breaches #lapd #world-leaks #hunters-international #data-breach #third-party-risk #vendor-risk #law-enforcement

World Leaks didn't touch LAPD's network. They breached a third-party file-sharing app connected to the LA City Attorney's Office that apparently had no password protecting it. 337,000 files including Internal Affairs records and witness names are now in an extortion group's hands.

Healthcare Had a Bad Week. A Really, Really Bad Week.

John Z Black Mar 29, 2026

Incidents & Breaches #healthcare #data-breach #nyc #france #cerballiance #coastal-carolina #hipaa #third-party-risk #patient-data

Three healthcare breaches in one week, all tracing back to the same problem: third-party vendors with access to patient data and not enough security around it.

Crunchyroll Got Breached. Their Systems Were Never Touched.

John Z Black Mar 29, 2026

Incidents & Breaches #crunchyroll #data-breach #okta #third-party-risk #supply-chain #zendesk #consumer #identity-chain

6.8 million Crunchyroll users had their data stolen through a three-hop attack chain that went from a vendor's infected laptop through Okta into Crunchyroll's customer service platform, without ever touching Crunchyroll's own systems.

AI Export Controls Are Now a SOC Problem, Not Just a Legal Memo

John Z Black Mar 21, 2026

Policy, Law & Governance #ai-policy #export-controls #security-governance #third-party-risk #compliance

New enforcement activity pushes export-control risk into day-to-day security operations, especially around access, logging, and partner workflows.

Breach Disclosure Lag Is Becoming the Real Story in Financial Supply Chains

John Z Black Mar 18, 2026

Incidents & Breaches #breach #financial-services #third-party-risk #disclosure #ransomware #governance #incident-response

The Marquis breach started with a ransomware attack. The damage is still accumulating months later -- not because of what happened technically, but because of how disclosure was handled.