Your Vendor Just Announced a Breach: The 24-Hour Customer Response Checklist

Sources:Verizon 2025 DBIR: Third-Party Breach Trends|IBM Cost of a Data Breach 2025|Identity Theft Resource Center 2025 Business Aftermath Report
15%
of breaches in the 2025 Verizon DBIR involved a third-party component — up from 9% the year prior, showing accelerating supply chain risk
$4.88M
average cost of a data breach in 2025 — IBM report; breaches involving third-party credentials or access cost 9.5% more than average
72 hours
GDPR notification window that vendors in the EU are required to notify affected customers — but many notifications are delayed or information-sparse
196 days
average time to identify a breach in 2025 — IBM; customers often learn about vendor breaches before the vendor has completed their own investigation

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

A vendor's breach notification email is the worst time to start thinking about your exposure. By the time you receive the notification, the breach has likely already occurred, data may already be in threat actor hands, and any credentials, API tokens, or session data the vendor held on your behalf may already be in use.

The 24-hour response window from the customer side is about protecting your environment from the downstream effects of the vendor's incident — not waiting for their investigation to conclude. This checklist covers what to do immediately, what specific information to demand from the vendor, and how to assess whether your organization needs to escalate to a full incident response posture.

Hours 0-4: Immediate access triage

The first priority is auditing and revoking the access your organization gave the vendor — regardless of what data the vendor says was compromised. Vendor breach notifications are often conservative in their initial scope assessments.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Hours 4-12: Demand specific answers from the vendor

Vendor breach notifications are legally drafted and deliberately vague about scope in the initial notification. Your right as a customer is to demand specific answers to specific questions within a defined timeframe.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Hours 12-24: Assess exposure and determine escalation

With initial access triage complete and vendor answers requested, assess whether this requires escalation to a full incident response posture or can be managed as a vendor risk event.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Post-incident: Reduce future downstream exposure

Vendor breaches are recurring events. Reducing the blast radius of future vendor breaches requires structural changes to how vendor integrations are architected.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

The vendor breach notification email is not the beginning of the event — it is a late notification of something that already happened. The 24-hour customer response is about closing the access vector (rotating credentials, suspending vendor accounts, auditing sessions) before confirmation of exposure, because by the time the vendor's investigation concludes weeks later, an attacker using compromised vendor credentials will have already achieved their objective. Act on access revocation immediately; treat vendor answers as information that modifies your escalation decision, not as a prerequisite for taking protective action.

Frequently asked questions

Is my organization required to notify my own customers if a vendor breaches data they held for me?

In most regulatory frameworks (GDPR, CCPA, HIPAA, and state privacy laws), you as the data controller are responsible for notifying affected individuals when personal data is compromised — regardless of whether the breach occurred at your organization or at a third-party processor. Vendor breach of data you entrusted to them is your breach for notification purposes in most frameworks. Engage your DPO and legal counsel immediately upon confirmation that personal data was affected.

What is the difference between a vendor breach notification and a vendor security incident?

A vendor breach notification is a formal disclosure that personal data or sensitive information was accessed without authorization — triggering regulatory and contractual obligations. A vendor security incident is a broader term covering any security event at the vendor, including attempted but unsuccessful access, system outages caused by attacks, or internal security events that did not expose customer data. Vendors sometimes issue 'security incident' notifications to avoid the legal trigger of 'breach' notifications — distinguish between the two in your response process.

How should I handle a vendor who is slow to respond to my questions after their breach notification?

Document every information request with timestamp and send via email to create a paper trail. Escalate within the vendor organization to your account executive and the vendor's security or privacy team. Reference specific contractual notification and cooperation obligations if they exist. If the vendor is non-responsive on questions about your specific data exposure, consult legal counsel about your options under the contract and applicable privacy regulations. For critical integrations, assume worst-case exposure and take protective action while waiting for vendor confirmation.

Sources & references

  1. Verizon 2025 DBIR: Third-Party Breach Trends
  2. IBM Cost of a Data Breach 2025
  3. Identity Theft Resource Center 2025 Business Aftermath Report

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.