This article is dedicated to the "who" in “who is creating multi-party data breaches?” You could argue that we should have started here since every one of these incidents began with someone who precipitated everything we’ve discussed so far. But that’s exactly why we saved this for last; the prior context should help us better understand the threat actors behind extreme multi-party cyber events. As a heads up, they might be who you’d expect.
Threat actors
Similar to most other incident data sets that we’ve seen, this one featuring large ripple events points to external threat actors as the most common perpetrator. As per the image below, they were also behind more total financial losses (69%) and nearly all secondary organizations (97%) that were impacted by these incidents. Since outsiders encompass a large and diverse collection of potential ne’er-do-wells, we attempted to distinguish the type of external threat actor in the figure below.
THREAT ACTOR CATEGORIES IN EXTREME MULTI-PARTY CYBER INCIDENTS
It probably won’t come as a surprise to anyone to learn that the majority of external actors behind these events represent various professional cybercriminal organizations. We can also point to them as being responsible for 80% of all collateral damage caused to downstream firms. They’re constantly adding to the hot mess that the modern Internet has become. May they one day eat the “fruits” of their labor.
What might come as a shock from the chart below is how prevalent and pernicious state-affiliated groups are among these incidents. We attribute one in five of the largest multi-party loss events in recent history to state-affiliated actors. Furthermore, those actors caused the majority of financial losses, with over $10 billion recorded on their tab! Who says government can’t be effective?
ORGANIZED CRIMINAL VS. STATE-AFFILIATED ACTORS IN EXTREME MULTI-PARTY CYBER INCIDENTS
It’s an old mantra in InfoSec that insiders are responsible for 80% of risk, and our research bears that out. But not in the way you think. Insiders are villains far less often than they’re vectors. The first chart in this blog focuses on the former, which is why the numbers seem less than impressive to insider risk proponents. But a quick glance back at the table in this article will reveal numerous threat actions that rely on insiders as a vector—including the top dog of them all, credential attacks.
As trusted entities, the same “vector more than villain” principle applies to third parties. They didn’t intentionally or maliciously take part in many of these events, but credentials, remote services, etc. provided to them certainly made a big contribution behind the scenes. Also, don’t forget that Figure 9 is concerned strictly with who was behind the initial incident. Every single one of the thousands of secondary loss events that resulted from those initial incidents can be attributed to third parties.
We could leave it there, but we have a thing against making claims without backing them up with data. So we’re going to quickly do that. If you take the incidents from Figure 9 along with threat actions from Table 1 that involve or target trusted parties, some pretty big numbers pop out of the calculator. All told, insiders and third parties caused or indirectly contributed to 34 of the 50 extreme events we analyzed for this study. Those 34 events carry a combined price tag of $17.3 billion—99% of all recorded losses!
Bottom line - don’t assume your employees and third parties are out to do you harm. That won’t create a healthy or secure business relationship. But you also shouldn’t assume that all will be well if everyone just joins hands and sings Kumbaya.
Initial victims / Ripple generators
We’ll touch on one final aspect of the “who” behind these mega multi-party loss events—the central victim firm. More specifically, which types of organizations most often generate tsunami events? The figure below lists the generating sectors as well as the ripple propagation methods observed among them. We caution against drawing too much from these 50 incidents, but there are a few interesting observations we feel safe in making.
SECTORS OF CENTRAL VICTIM ORGANIZATIONS AND VECTORS OF SECONDARY IMPACTS
First, the Information and Professional sectors were most often at the center of cyber tsunamis in this study. This makes even more sense when we understand that these typically map to software development and IT service providers, respectively. Similarly, most victims in the Administrative sector (fourth in the pack by total tsunamis) can be viewed as ancillary services to the Financial sector (third by total tsunamis)–think credit bureaus, consumer credit ratings, collection agencies, etc.
The prevalence of fraud or legal ripples among the Hospitality and Retail sectors checks out given their contact with cardholder information, although Hospitality (read: mostly chain restaurants) serves up the largest number of secondary impacts via shared systems. As a sector, it has all the ingredients of a prime target for criminals: small margins to dedicate to overmuch security, an emphasis on speed, and tasty data.
Lastly, Manufacturing is the sole representative of the Supply chain disruption type: as much as security professionals may talk about availability impacts on a company’s bottom line, these tsunamis are in a class of their own, where delays can literally result in train cars backing up.