Earlier this year, our SOC investigated an incident where a supplier’s backup and restore process went badly wrong. Inexperienced staff created a temporary cloud storage bucket for moving production data, and left it unsecured, unencrypted, and accessible to the internet for months. Sensitive customer records were exposed, and the issue only came to light when a researcher stumbled across the data and raised the alarm.
The lesson is clear: even well-intentioned suppliers can introduce significant risk. And while certifications and questionnaires are important, they rarely uncover the day-to-day practices that make or break data security.
In this post, we’ll look into what happened, why it matters, and how IT, risk and security leaders can reduce their exposure to this kind of third-party failure.
What Happened
Let’s start with the sequence of events.
- A company had built a core business process on a fast-growing SaaS platform.
- The platform experienced an outage, and a decision was made by the supplier that backups had to be restored so that operations could continue.
- A junior member of the supplier's staff was tasked with the restore. Instead of following standard procedures, they spun up a temporary storage bucket to hold the backup data.
- That bucket was misconfigured: publicly accessible, unencrypted, and without authentication.
- The restoration was completed and operations resumed as normal, but the supplier forgot to delete the temporary storage bucket.
- For months, the data sat exposed to the open internet. No monitoring was in place to detect access, and the company was completely unaware that the poor supplier practices had exposed them.
- Eventually, a security researcher came across the data and alerted the company CEO directly.
By the time anyone realised, there was no way of knowing who else might have accessed or downloaded the information.
Why This Matters
It’s tempting to think of this as a one-off mistake, but it’s really an illustration of a bigger issue: third-party risk is systemic, not occasional.
A few points stand out:
- The volume and sensitivity of data: We’re not talking about harmless log files. The exposed information included personal and financial records - the kind of data that carries regulatory, reputational, and legal consequences.
- The lack of visibility: The customer had no idea the exposure was happening. Without monitoring in place, there was no audit trail to prove whether data was accessed.
- The illusion of outsourcing risk: The customer assumed that by using a highly certified SaaS supplier, responsibility for data handling was covered. In reality, accountability for protecting customer data always remains with the business that owns it.
This is why supplier oversight isn’t just a compliance exercise. It’s a resilience issue.
What Traditional TPRM Misses
Many organisations run third-party risk management (TPRM) as a tick-box exercise: send out questionnaires, collect responses, and file them away. The problem is that those questionnaires only capture what suppliers say they do, not what they actually do when something goes wrong. Suppliers also tend to hide bad practices or the lack of controls in the high volume of responses that typically accompanies these assessments.
In this case, no questionnaire would ever have revealed that:
- Junior staff with limited oversight were being trusted with production restores.
- Standard operating procedures weren't consistently followed, or staff did not understand those procedures well enough to recognise the risk to the company of departing from them.
- Cloud storage was being misconfigured during urgent recovery tasks.
These are the kinds of details that only surface when you test, audit, or monitor in real time. They live in the messy space between “policy on paper” and “practice on the ground.” For more details on what Third Party Risk Management means in its modern context, read our overview here.
How to Avoid It Happening to You
So how should Heads of IT, risk and security approach this problem? A few practical steps stand out.
1. Go Beyond the Paper Check
Questionnaires and certifications have their place, but they shouldn’t be the only tool you use. Ask suppliers for evidence:
- Can they show you their backup and restore process?
- Do they have proof of access controls and encryption being applied in practice?
- How do they monitor for misconfigurations?
- How are supplier staff trained on cyber and information security risks?
- Where possible, ask for artefacts, not just assurances.
2. Prioritise Critical Suppliers
Not every supplier can be reviewed in the same depth. Focus your efforts on those who handle sensitive data or underpin critical business processes. Create a tiering model that helps you decide who warrants deeper scrutiny, and who can be handled with lighter-touch assurance.
Our Supplier Criticality Tiering Guide can help you focus your efforts where they matter most, and avoid being blindsided by a partner’s mistake.
3. Build Continuous Oversight
TPRM shouldn’t be an annual exercise. Consider:
- Integrating supplier alerting into your SIEM, where contracts allow, to capture exposure to emerging risks.
- Using external monitoring tools to check for misconfigured assets linked to your suppliers, and for compliance with their own policies and standards.
- Running regular tabletop exercises that include third-party scenarios.
The goal is to shorten the time between a supplier mistake and your awareness of it.
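As an added illustration of the kind of misconfiguration check the oversight step above describes (example code written for this post, not a tool from the original incident), the script below triages a constructed cloud storage inventory for exactly the conditions that caused the exposure: public access, no default encryption, no access logging, and a "temporary" bucket that has outlived its intended life. The record fields, tag names and the seven-day temporary-bucket policy are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed record shape: a cloud inventory export normalised to a few
# booleans. The field names are assumptions made for this example.
@dataclass
class Bucket:
    name: str
    public: bool            # any anonymous/all-users grant in ACL or policy
    encrypted: bool         # default server-side encryption enabled
    access_logging: bool    # access logs delivered to a log sink
    created: datetime
    tags: dict = field(default_factory=dict)

MAX_TEMP_AGE = timedelta(days=7)   # assumed policy: temp buckets live a week

def bucket_findings(b: Bucket, now: datetime) -> list[str]:
    # Collect every misconfiguration present on one bucket, worst first.
    findings = []
    if b.public:
        findings.append("public-access")
    if not b.encrypted:
        findings.append("no-default-encryption")
    if not b.access_logging:
        findings.append("no-access-logging")
    if b.tags.get("lifecycle") == "temporary" and now - b.created > MAX_TEMP_AGE:
        findings.append(f"stale-temporary:{(now - b.created).days}d")
    return findings

def severity(findings: list[str]) -> str:
    if "public-access" in findings:
        return "critical"   # exposed right now, whatever else is true
    if any(f.startswith("stale-temporary") for f in findings):
        return "high"       # forgotten data is the next incident waiting to happen
    return "medium" if findings else "ok"

def triage(inventory: list[Bucket], now: datetime) -> dict[str, tuple[str, list[str]]]:
    # Map bucket name -> (severity, findings) for every bucket that is not clean.
    out = {}
    for b in inventory:
        f = bucket_findings(b, now)
        if f:
            out[b.name] = (severity(f), f)
    return out

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
INVENTORY = [  # constructed sample, modelled on the incident described above
    Bucket("restore-tmp-0131", True, False, False, NOW - timedelta(days=120), {"lifecycle": "temporary"}),
    Bucket("prod-customer-data", False, True, True, NOW - timedelta(days=900), {"lifecycle": "permanent"}),
    Bucket("migration-scratch", False, True, False, NOW - timedelta(days=10), {"lifecycle": "temporary"}),
]
```

Running `triage(INVENTORY, NOW)` flags the restore bucket as critical on all four counts and the scratch bucket as high for being stale and unlogged, while the production bucket is not reported.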
4. Be Honest About Residual Risk
Some risks can’t be fully outsourced or controlled. That’s uncomfortable, but it’s the truth. The key question is: does the residual risk of outsourcing a critical process exceed your appetite? If so, it may be time to rethink whether certain functions should remain in-house.
5. Strengthen Your Own Response Plans
Even with the best oversight, suppliers will make mistakes. What matters then is how quickly you detect, contain, and respond. Make sure your incident response plan explicitly covers third-party scenarios:
- Who gets notified when a supplier breach happens?
- How do you communicate with regulators and customers?
- How do you quickly identify resources that have been shared with suppliers?
- What’s the process for isolating or replacing the supplier’s services if needed?
The Bigger Picture
Supplier risk has always been part of doing business, but today it’s amplified by two trends:
1. Reliance on SaaS and cloud suppliers: Many organisations now run their most critical processes on platforms they don’t own or directly control.
2. The speed of scale-ups: New vendors grow quickly, often without the mature security and governance processes of larger enterprises.
That combination makes it all too easy for well-meaning suppliers to become your weakest link.
Bridging the Gap Between Policy and Practice
This incident wasn’t the result of a sophisticated cyber-attack. It was the product of human error, poor process, and inadequate oversight at a supplier. Yet the impact was the same: sensitive data exposed, customer trust shaken, and questions left unanswered.
For IT, risk and security leaders, the takeaway is simple: don’t assume your suppliers are secure just because they’ve ticked some boxes. Go deeper, ask for evidence, and build continuous oversight into your TPRM programme.
Most importantly, recognise that while you can outsource a service, you can’t outsource accountability. Your customers will always look to you - not your suppliers - to keep their data safe.