Assessing supply chain risks from service providers in rapidly growing companies

Executive Summary

  • This brief describes an anonymised case study that illustrates some commonly encountered risks around the use of third-party service providers in rapidly developing organisations, such as start-ups.

  • An unscheduled change by the developer of a third-party service used by the company led to a data breach; the subsequent investigation of the third-party service by the company quickly identified multiple further red flags.

  • This case underlines the importance of effective and proportionate third-party due diligence at all stages of company development, even in the initial formative phase of a startup.

Data breach caused by supplier’s human error

This case study concerns a small remote-first company in the services sector. The company has expanded rapidly from a low base in recent years, with its digital estate comprising a combination of a custom-built platform and multiple third-party service providers.

In 2025 the company suffered a breach of customer data. A change to the functionality of one of these third-party services led to client data briefly becoming accessible to all of the company’s personnel, undermining the existing access controls.

The data breach was a result of human error on the part of the supplier. The supplier’s development team rolled out an update that changed how access was handled for the company’s personnel. A configuration change meant to address this issue led to all users being granted full access. Although there is no evidence that any data were accessed improperly, this nonetheless constituted a breach.

Investigation reveals further issues

The company conducted an investigation to determine the root cause of the breach. The investigation found that the third-party service had been used since the very early days of the company, when its low price point and flexibility were attractive in an extremely dynamic and resource-constrained environment. In this context, due diligence was not a priority.

The investigation into the third-party provider was conducted through requests for information, interviews, examination of its online infrastructure, and due diligence on key personnel.

The investigation rapidly identified multiple red flags around the third-party provider. These included evidence of poor development and access control practices, weak security governance, and a limited public profile. In some instances there was positive evidence of poor practices. In other areas, the lack of clarity over the provider’s approach was itself grounds for concern.

Outcome

Given the depth of the concerns and the level of uncertainty around the provider’s security controls and data handling protections, the recommendation was to transition away from the platform and move business processes to an alternative provider.

The transition to a new system was disruptive for the organisation. It was faced with a choice between continuing to use the provider’s services while assessing alternatives or experiencing substantial disruption to its business operations.

Identifying an alternative provider also absorbed significant organisational resources and bandwidth. Despite this cost, and having seen the potential downsides of inadequate vetting, the organisation ensured that it applied a higher standard of due diligence to potential providers.

Recommendations

Even small start-ups should implement basic due diligence processes from the beginning of the company’s life.

  • Basic checks on company status, location, policy documentation, and online infrastructure are relatively simple to conduct.

  • Identifying red flags will ultimately save time by eliminating obviously unsuitable providers.

Companies with unmapped dependencies should conduct a rapid assessment to identify high-risk areas.

  • Companies that have grown rapidly from a standing start may find that they have substantial unmapped and unassessed dependencies on third-party providers.

  • A rapid ‘light touch’ assessment of the company’s digital infrastructure, dependencies, and risks can identify areas of greatest risk.

Companies should introduce more intensive due diligence as they transition to a more mature posture.

  • Companies handling personal or sensitive data must ensure that data security and data processes are aligned to meet insurance and data protection requirements.

  • It is likely that some third-party providers that were appropriate for a company at an earlier stage of development will require transitioning out as the company grows.


Contact us

Secured is a UK-based organisation that provides strategic advisory services to organisations concerned about threats to the security of research, innovation, and investment.

Our security practitioners help entities secure their intellectual property, build operational and financial resilience, and cultivate a positive organisational security culture.

We provide research on the national security implications of emerging technologies as part of our scientific and technical intelligence assessment capability.

Secured is part of Tyburn St Raphael Ltd, a boutique security consultancy.

info@tyburn-str.com

hello@secured-research.com
