Supply-Chain Cyber Risk #1 : How Your Vendors Expose You

Lire en français

The 2025 Cyber Threat Overview recent­ly pub­lished by ANSSI (French Nation­al Cyber­se­cu­ri­ty Agengy) high­lights that cyber threats are now sys­temic and affect all busi­ness­es.

In par­tic­u­lar, cyber risk linked to third-par­ty ven­dors con­tin­ues to rise.

Recent pub­li­ca­tions from ANSSI, Palo Alto, and Crowd­Strike on the evolv­ing cyber threat land­scape con­firm this trend : attack­ers are increas­ing­ly exploit­ing soft­ware, cloud envi­ron­ments, and SaaS (Soft­ware-as-a-Ser­vice) con­nec­tions to reach their tar­gets.

In oth­er words, a com­pa­ny can be exposed to cyber risk with­out being direct­ly tar­get­ed.

The inci­dent that affect­ed Ceged­im San­té in late 2025 is a con­crete illus­tra­tion of how this works.
In this arti­cle, we exam­ine this case and high­light the prac­ti­cal lessons it offers, par­tic­u­lar­ly for SMEs.

Key takeaways

  • Your ven­dors can expose your data, even if you are not direct­ly attacked
  • A com­mon­ly used soft­ware appli­ca­tion can give attack­ers broad access to your data
  • These attacks are stealthy, auto­mat­ed, and may go unno­ticed for weeks
  • Your cyber­se­cu­ri­ty is only as strong as your weak­est link

Data exposed without a direct attack

The Ceged­im inci­dent shows that large-scale data expo­sure can hap­pen with­out a direct attack, through tools used in day-to-day oper­a­tions.

Ceged­im devel­ops busi­ness soft­ware designed in par­tic­u­lar for health­care pro­fes­sion­als and acces­si­ble online.

Among these soft­ware appli­ca­tions is Mon­Logi­cielMed­ical, used by around 3,800 med­ical prac­tices.

A major incident, but widely misunderstood

Con­trary to ear­ly inter­pre­ta­tions, there was no expo­sure of full med­ical records.

How­ev­er, admin­is­tra­tive data relat­ing to mil­lions of patients was accessed with­out autho­riza­tion, and some sen­si­tive infor­ma­tion may also have appeared in freely entered com­ments.

Based on the infor­ma­tion avail­able :

  • 11 to 15 mil­lion patient records were acces­si­ble
  • around 1,500 med­ical prac­tice accounts were affect­ed
  • the exposed data includ­ed first name, last name, date of birth, address, phone num­ber, and email address

This data is enough to enable iden­ti­ty theft, extor­tion attempts, or tar­get­ed fraud.

This case may seem spe­cif­ic to the health­care sec­tor. It is not.

A real-world case that concerns all SMEs

A busi­ness can be exposed indi­rect­ly through its third-par­ty soft­ware or ven­dors, even if its inter­nal secu­ri­ty is strong.

This case is not lim­it­ed to health­care.

Attack­ers are increas­ing­ly tar­get­ing third-par­ty soft­ware and every­day ser­vices to affect a large num­ber of orga­ni­za­tions through a sin­gle oper­a­tion.

Any com­pa­ny that uses third-par­ty man­age­ment soft­ware, an HR tool, or a CRM is exposed to this risk. If that soft­ware is com­pro­mised, the com­pa­ny may face a cyber inci­dent regard­less of the strength of its inter­nal secu­ri­ty.

But how does this kind of attack actu­al­ly work ?

An attack using existing, authorized accounts

The attack con­sists of using a legit­i­mate sys­tem with autho­rized access, but in an auto­mat­ed and stealthy way.

An attack designed to stay invisible

The Ceged­im inci­dent was declared in late 2025 after an unusu­al­ly high vol­ume of requests was observed, at a pace and scale far beyond nor­mal usage.

This type of pat­tern is typ­i­cal of mod­ern attacks.

The attack­er most like­ly did not try to break into the sys­tem. They used it like a nor­mal user, but in an auto­mat­ed way and at very large scale.

The inves­ti­ga­tion has not yet reached its final con­clu­sions, but sev­er­al plau­si­ble sce­nar­ios are often con­sid­ered in this type of inci­dent :

  • a pass­word recov­ered and reused here
  • mis­con­fig­ured access rights allow­ing far more data to be viewed than intend­ed
  • an auto­mat­ed pro­gram that, once logged in with legit­i­mate access, con­tin­u­ous­ly and silent­ly extracts data

What makes these attacks dan­ger­ous is how stealthy they are.

They can con­tin­ue for sev­er­al weeks or months with­out trig­ger­ing any alert, and in some cas­es, attack­ers erase their traces after­ward, leav­ing lit­tle or no evi­dence behind.

Ordinary weaknesses, massive consequences

These attacks illus­trate a ven­dor cyber risk that is often under­es­ti­mat­ed, even though it is built on very com­mon weak­ness­es.

First, inad­e­quate pro­tec­tion mech­a­nisms : noth­ing flags unusu­al vol­umes of data being accessed, per­mis­sions are too broad, and activ­i­ty is not mon­i­tored.

Sec­ond, a heavy depen­den­cy on exter­nal providers : these ven­dors are often treat­ed as black box­es and trust­ed with­out reg­u­lar ver­i­fi­ca­tion.

Tak­en indi­vid­u­al­ly, these weak­ness­es may seem minor. Com­bined, they can cre­ate the con­di­tions for a seri­ous and pro­longed data expo­sure.

Why vendor cyber risk directly affects SMEs

In gen­er­al, SMEs are attrac­tive tar­gets for cyber­crim­i­nals : few­er resources, less mon­i­tor­ing, and default trust in the tools they use.

More specif­i­cal­ly, ven­dor cyber risk is more com­plex than a con­ven­tion­al attack : it is indi­rect, dif­fi­cult to detect, and often impos­si­ble to antic­i­pate with­out vis­i­bil­i­ty into the vendor’s envi­ron­ment.

Giv­en this risk, SMEs are dou­bly exposed : they have less capac­i­ty than large com­pa­nies to absorb the con­se­quences, and less lever­age to impose trans­paren­cy require­ments on their ven­dors.

1. Heavy reliance on tools you do not control

Some of your data is host­ed by your ven­dors, with­out real vis­i­bil­i­ty into their lev­el of secu­ri­ty and with­out a ded­i­cat­ed team to ver­i­fy it.

2. No control over what happens when a vendor has an incident

If one of your ven­dors is com­pro­mised, you can nei­ther antic­i­pate it, nor inter­vene, nor lim­it the dam­age in real time.

3. An attack on your vendor automatically affects you

You are not direct­ly tar­get­ed, but the con­se­quences are direct. Your data is exposed, even though you did noth­ing wrong.

4. Your security is only as strong as your weakest link

Even if your busi­ness is well pro­tect­ed inter­nal­ly, a vul­ner­a­bil­i­ty at a soft­ware provider or ser­vice ven­dor is enough to expose your data.

5. A vendor incident may last for weeks before you are informed

You rely on your ven­dor to tell you what hap­pened. With­out inde­pen­dent detec­tion capa­bil­i­ties, you may remain exposed with­out even know­ing it.

Practical steps you can take

Reduc­ing cyber risk linked to third-par­ty soft­ware and ven­dors requires bet­ter detec­tion, reg­u­lar assess­ment of weak­ness­es, and tighter con­trol over access to data.

These mea­sures may sound com­plex. In prac­tice, they come down to a few con­crete actions.

1. Detect abnormal activity earlier

In many orga­ni­za­tions, unusu­al use of tools or soft­ware goes unno­ticed because usage is not active­ly mon­i­tored.

2. Identify weaknesses regularly

Some vul­ner­a­bil­i­ties in sys­tems or third-par­ty soft­ware remain invis­i­ble in day-to-day oper­a­tions because there is no reg­u­lar assess­ment.

3. Reduce the impact if an incident occurs

The more numer­ous, acces­si­ble, and cen­tral­ized your data is with­in your tools, the hard­er it is to con­tain the con­se­quences of a secu­ri­ty inci­dent — and the more cost­ly it becomes to man­age.

4. Avoid overly broad access rights

Access rights to tools or data that are broad­er than nec­es­sary direct­ly increase the vol­ume of data exposed in the event of an inci­dent.

Are you ready ?

You will prob­a­bly not be attacked direct­ly, but you will be exposed if you do not have con­trol over the cyber­se­cu­ri­ty of your sys­tems and third-par­ty providers.

Do you really have visibility into your vendors ?

Have you car­ried out a ven­dor cyber­se­cu­ri­ty review, even a par­tial one ?

Do you truly control the data you store ?

Do you know what sen­si­tive infor­ma­tion is present in your tools, and why ?

Would you be able to detect an abnormal situation ?

Or could this kind of activ­i­ty go unno­ticed for sev­er­al weeks ?

In summary

An SME’s cyber­se­cu­ri­ty now also depends on its ven­dors. This is what sup­ply chain cyber­se­cu­ri­ty is about.

Cyber risk no longer comes only from out­side. It can be embed­ded direct­ly in the tools you use and trust.

In oth­er words, it is no longer just about pro­tect­ing your­self, but about con­trol­ling the assets and depen­den­cies your busi­ness relies on.

If cyber risk can come from your ven­dors, you can also become a source of cyber risk and affect your own clients and part­ners.

Author
Stéphane HIVERT
Cyber­se­cu­ri­ty Spe­cial­ist for SMEs
E‑commerce, Indus­tri­al Sec­tor Spe­cial­ist

Con­trib­u­tor
Lai LY
Cyber­se­cu­ri­ty Gov­er­nance Spe­cial­ist for SMEs
Finan­cial Ser­vices Sec­tor Spe­cial­ist

Where are your vendor blind spots ?


In most SMEs, cyber­se­cu­ri­ty relat­ed to third-par­ty soft­ware and ven­dors is addressed only par­tial­ly, when it is addressed at all.

This is exact­ly where spe­cial­ized sup­port makes the dif­fer­ence.

At LINARIS, we help SME lead­ers struc­ture the man­age­ment of cyber risk relat­ed to ven­dors and third-par­ty soft­ware, and iden­ti­fy their crit­i­cal depen­den­cies.

We help them align, in a pro­por­tion­ate way, with ANSSI, DORA, and NIS2 require­ments.

An ini­tial dis­cus­sion is often enough to reveal blind spots that usu­al­ly go unno­ticed.

[Con­tact us]

Disclaimer

This report is pro­vid­ed for infor­ma­tion­al pur­pos­es only and reflects the author’s opin­ion as of the date of analy­sis. It does not con­sti­tute legal or reg­u­la­to­ry advice and does not guar­an­tee the absence of risks or vul­ner­a­bil­i­ties. Threats and risk lev­els may change over time. Any deci­sion made on the basis of this report remains the sole respon­si­bil­i­ty of the read­er.