Supply-Chain Cyber Risk: How Your Vendors Expose You


The 2025 Cyber Threat Overview recently published by ANSSI (French National Cybersecurity Agency) highlights that cyber threats are now systemic and affect all businesses.

In particular, cyber risk linked to third-party vendors continues to rise.

Recent publications from ANSSI, Palo Alto, and CrowdStrike on the evolving cyber threat landscape confirm this trend: attackers are increasingly exploiting software, cloud environments, and SaaS (Software-as-a-Service) connections to reach their targets.

In other words, a company can be exposed to cyber risk without being directly targeted.

The incident that affected Cegedim Santé in late 2025 is a concrete illustration of how this works.
In this article, we examine this case and highlight the practical lessons it offers, particularly for SMEs.

Key takeaways

  • Your vendors can expose your data, even if you are not directly attacked
  • A commonly used software application can give attackers broad access to your data
  • These attacks are stealthy, automated, and may go unnoticed for weeks
  • Your cybersecurity is only as strong as your weakest link

Data exposed without a direct attack

The Cegedim incident shows that large-scale data exposure can happen without a direct attack, through tools used in day-to-day operations.

Cegedim develops business software designed in particular for healthcare professionals and accessible online.

Among these software applications is MonLogicielMedical, used by around 3,800 medical practices.

A major incident, but widely misunderstood

Contrary to early interpretations, there was no exposure of full medical records.

However, administrative data relating to millions of patients was accessed without authorization, and some sensitive information may also have appeared in freely entered comments.

Based on the information available:

  • 11 to 15 million patient records were accessible
  • around 1,500 medical practice accounts were affected
  • the exposed data included first name, last name, date of birth, address, phone number, and email address

This data is enough to enable identity theft, extortion attempts, or targeted fraud.

This case may seem specific to the healthcare sector. It is not.

A real-world case that concerns all SMEs

A business can be exposed indirectly through its third-party software or vendors, even if its internal security is strong.

This case is not limited to healthcare.

Attackers are increasingly targeting third-party software and everyday services to affect a large number of organizations through a single operation.

Any company that uses third-party management software, an HR tool, or a CRM is exposed to this risk. If that software is compromised, the company may face a cyber incident regardless of the strength of its internal security.

But how does this kind of attack actually work?

An attack using existing, authorized accounts

The attack consists of using a legitimate system with authorized access, but in an automated and stealthy way.

An attack designed to stay invisible

The Cegedim incident was declared in late 2025 after an unusually high volume of requests was observed, at a pace and scale far beyond normal usage.

This type of pattern is typical of modern attacks.

The attacker most likely did not try to break into the system. They used it like a normal user, but in an automated way and at very large scale.

The investigation has not yet reached its final conclusions, but several plausible scenarios are often considered in this type of incident:

  • a password obtained elsewhere and reused on this platform
  • misconfigured access rights allowing far more data to be viewed than intended
  • an automated program that, once logged in with legitimate access, continuously and silently extracts data

What makes these attacks dangerous is how stealthy they are.

They can continue for several weeks or months without triggering any alert, and in some cases, attackers erase their traces afterward, leaving little or no evidence behind.

Ordinary weaknesses, massive consequences

These attacks illustrate a vendor cyber risk that is often underestimated, even though it is built on very common weaknesses.

First, inadequate protection mechanisms: nothing flags unusual volumes of data being accessed, permissions are too broad, and activity is not monitored.

Second, a heavy dependency on external providers: these vendors are often treated as black boxes and trusted without regular verification.

Taken individually, these weaknesses may seem minor. Combined, they can create the conditions for a serious and prolonged data exposure.

Why vendor cyber risk directly affects SMEs

In general, SMEs are attractive targets for cybercriminals: fewer resources, less monitoring, and default trust in the tools they use.

More specifically, vendor cyber risk is more complex than a conventional attack: it is indirect, difficult to detect, and often impossible to anticipate without visibility into the vendor’s environment.

Given this risk, SMEs are doubly exposed: they have less capacity than large companies to absorb the consequences, and less leverage to impose transparency requirements on their vendors.

1. Heavy reliance on tools you do not control

Some of your data is hosted by your vendors, without real visibility into their level of security and without a dedicated team to verify it.

2. No control over what happens when a vendor has an incident

If one of your vendors is compromised, you can neither anticipate it, nor intervene, nor limit the damage in real time.

3. An attack on your vendor automatically affects you

You are not directly targeted, but the consequences are direct. Your data is exposed, even though you did nothing wrong.

4. Your security is only as strong as your weakest link

Even if your business is well protected internally, a vulnerability at a software provider or service vendor is enough to expose your data.

5. A vendor incident may last for weeks before you are informed

You rely on your vendor to tell you what happened. Without independent detection capabilities, you may remain exposed without even knowing it.

Practical steps you can take

Reducing cyber risk linked to third-party software and vendors requires better detection, regular assessment of weaknesses, and tighter control over access to data.

These measures may sound complex. In practice, they come down to a few concrete actions.

1. Detect abnormal activity earlier

In many organizations, unusual use of tools or software goes unnoticed because usage is not actively monitored.

2. Identify weaknesses regularly

Some vulnerabilities in systems or third-party software remain invisible in day-to-day operations because there is no regular assessment.

3. Reduce the impact if an incident occurs

The more numerous, accessible, and centralized your data is within your tools, the harder it is to contain the consequences of a security incident — and the more costly it becomes to manage.

4. Avoid overly broad access rights

Access rights to tools or data that are broader than necessary directly increase the volume of data exposed in the event of an incident.
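Steps 1 and 4 above, and the two scenarios the article lists for the Cegedim case (an unusually high volume of requests, and access rights broader than intended), can be turned into a simple check. The script below is an added example written for this article; it is not code from Cegedim, LINARIS, or MonLogicielMedical. It assumes a hypothetical access log format of one line per request (`<timestamp> <account> <action> <record_id>`) and a hypothetical scope model in which each practice account may only read records whose identifier carries its own prefix. All log lines are constructed inline. It flags account-days whose request volume is far above the population median, and counts reads outside an account's permitted scope, which is the kind of signal the article says went unnoticed for weeks.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class AccessEvent:
    day: str          # YYYY-MM-DD, taken from the timestamp
    account: str      # practice account that made the request
    record_id: str    # patient record that was read


def parse_log(text: str) -> list:
    """Parse the hypothetical format '<timestamp> <account> <action> <record_id>'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        timestamp, account, _action, record_id = line.split()
        events.append(AccessEvent(timestamp[:10], account, record_id))
    return events


def daily_profile(events):
    """Per (account, day): request count and number of distinct records touched."""
    requests = defaultdict(int)
    records = defaultdict(set)
    for e in events:
        key = (e.account, e.day)
        requests[key] += 1
        records[key].add(e.record_id)
    return {key: (requests[key], len(records[key])) for key in requests}


def find_volume_anomalies(events, factor=5, min_requests=25):
    """Flag account-days whose request volume is far above the population median.

    The median over all account-days is the baseline. An alert needs both an
    absolute floor (min_requests) and a relative jump (factor), so a practice
    that is merely busier than average is not flagged on its own.
    """
    profile = daily_profile(events)
    if not profile:
        return []
    baseline = median(req for req, _ in profile.values())
    alerts = []
    for (account, day), (req, distinct) in sorted(profile.items()):
        if req >= min_requests and req > factor * baseline:
            alerts.append({"account": account, "day": day, "requests": req,
                           "distinct_records": distinct, "baseline": baseline})
    return alerts


def find_out_of_scope(events, scope):
    """Count reads outside the account's permitted record prefix (hypothetical
    scope model). Any non-zero count means access rights are broader than intended."""
    violations = defaultdict(int)
    for e in events:
        prefix = scope.get(e.account)
        if prefix is None or not e.record_id.startswith(prefix):
            violations[e.account] += 1
    return dict(violations)


def _constructed_log() -> str:
    """Constructed sample data, not real logs: four practices with routine usage
    over three days, plus one account that reads 120 foreign records in two
    minutes at night on the third day."""
    lines = ["# constructed access log"]
    routine = {"practice-0412": 6, "practice-0588": 4,
               "practice-0901": 7, "practice-0777": 5}
    for day in ("2025-11-03", "2025-11-04", "2025-11-05"):
        for account, n in routine.items():
            for i in range(n):
                lines.append(f"{day}T09:{i:02d}:00 {account} view_patient "
                             f"P-{account[-4:]}-{i:03d}")
    for i in range(120):
        lines.append(f"2025-11-05T02:{i // 60:02d}:{i % 60:02d} practice-0777 "
                     f"view_patient P-X-{i:04d}")
    return "\n".join(lines)


CONSTRUCTED_LOG = _constructed_log()
# Hypothetical scope: each practice may only read records carrying its own id.
SCOPE = {acct: f"P-{acct[-4:]}-" for acct in
         ("practice-0412", "practice-0588", "practice-0901", "practice-0777")}

if __name__ == "__main__":
    evts = parse_log(CONSTRUCTED_LOG)
    for alert in find_volume_anomalies(evts):
        print("volume anomaly:", alert)
    print("out-of-scope reads:", find_out_of_scope(evts, SCOPE))
```

The volume check is what an operator of the platform (or an SME reviewing the usage reports its vendor provides) would run daily; the scope check is the server-side authorization test that should reject such reads before they are ever logged as successes. Both thresholds are deliberately conservative so that a genuinely busy practice does not drown the alert in noise.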

Are you ready?

You will probably not be attacked directly, but you will be exposed if you do not have control over the cybersecurity of your systems and third-party providers.

Do you really have visibility into your vendors?

Have you carried out a vendor cybersecurity review, even a partial one?

Do you truly control the data you store?

Do you know what sensitive information is present in your tools, and why?

Would you be able to detect an abnormal situation?

Or could this kind of activity go unnoticed for several weeks?

In summary

An SME’s cybersecurity now also depends on its vendors. This is what supply chain cybersecurity is about.

Cyber risk no longer comes only from outside. It can be embedded directly in the tools you use and trust.

In other words, it is no longer just about protecting yourself, but about controlling the assets and dependencies your business relies on.

If cyber risk can come from your vendors, you can also become a source of cyber risk and affect your own clients and partners.

Author
Stéphane HIVERT
Cybersecurity Specialist for SMEs
E-commerce, Industrial Sector Specialist

Contributor
Lai LY
Cybersecurity Governance Specialist for SMEs
Financial Services Sector Specialist

Where are your vendor blind spots?


In most SMEs, cybersecurity related to third-party software and vendors is addressed only partially, when it is addressed at all.

This is exactly where specialized support makes the difference.

At LINARIS, we help SME leaders structure the management of cyber risk related to vendors and third-party software, and identify their critical dependencies.

We help them align, in a proportionate way, with ANSSI, DORA, and NIS2 requirements.

An initial discussion is often enough to reveal blind spots that usually go unnoticed.


Disclaimer

This report is provided for informational purposes only and reflects the author’s opinion as of the date of analysis. It does not constitute legal or regulatory advice and does not guarantee the absence of risks or vulnerabilities. Threats and risk levels may change over time. Any decision made on the basis of this report remains the sole responsibility of the reader.