NewZapp

When Your Vendor Is the Vulnerability: What 2025’s SaaS-linked Breaches Teach Comms Leaders About Third-Party Risk

Most Breaches Now Start Outside Your Walls

In 2025, third-party SaaS security emerged as the defining risk for large organisations. Rather than breaching companies directly, attackers increasingly compromise vendors and integrations—putting communications channels, deliverability, and employee trust at stake.

In 2025, a striking pattern has emerged in cybersecurity: many of the most damaging incidents have been third-party security breaches, in which attackers exploit a vendor's weaknesses, so organisations face serious risk even when their own systems remain secure. Recent incidents affecting Marks & Spencer, Workday and Harrods have underscored the dangers of supply chain vulnerabilities. For communications leaders, these breaches are a sobering reminder that the integrity of employee and customer communications is only as strong as the weakest link in the vendor ecosystem (FortifyData, 2025).

The new breach anatomy

The anatomy of modern third-party security breaches follows a recognisable path, particularly when SaaS vendors are involved. First, attackers target supplier helpdesks or contractors, using social engineering to have multi-factor authentication (MFA) reset or re-enrolled rather than defeating it technically (CM-Alliance, 2025). Once inside, they hijack CRM or OAuth integrations, exploiting over-privileged integration users, connected apps and long-lived API keys. Attackers then pivot into broader identity systems, such as Active Directory, to move laterally and extract data (SpecOpsSoft, 2025). Finally, they exfiltrate or encrypt sensitive data and begin the extortion cycle, threatening to release stolen material or demanding ransom payments. At every stage the attacker is holding valid credentials or tokens, which is why the activity tends to look like ordinary use to perimeter-focused monitoring.

Social engineering has become the most reliable first step for attackers breaching third-party SaaS environments. Darknet Diaries Episode 144 (Darknet Diaries, 2023) gives a vivid illustration: attackers manipulate human operators in call centres and support desks to bypass technical safeguards. In that episode, cybercriminals persuaded helpdesk staff to reset MFA tokens and issue fresh credentials by exploiting urgency, authority and trust cues in their interactions.

These techniques mirror the real-world compromises seen in 2025. If an attacker can convince a contractor’s support agent to reset access, even the strongest technical perimeter is immediately undermined. The consistency of this pattern across industries underscores why rigorous staff training, layered approval processes, and audit logging are critical to countering human vulnerabilities.

Case examples

Marks & Spencer experienced a major disruption in May 2025, when reports indicated its IT contractor was investigating a potential ransomware intrusion (The Guardian, 2025). Analysis suggested attackers may have exploited weaknesses in helpdesk workflows, leading to widespread operational consequences and an estimated multi-million-pound financial hit (BlackFog, 2025).

Workday confirmed in 2025 a breach linked to a third-party CRM, part of a wave of Salesforce-related social engineering attacks (Computing, 2025). TechCrunch reported that attackers tricked Salesforce users into sharing credentials and approving malicious OAuth apps (Whittaker, 2025). These tactics let intruders pivot into connected systems, showing how critical SaaS providers like Salesforce can become single points of failure. Salesforce's global scale and ubiquity make it a prime target: one compromised integration can expose sensitive HR or financial data across thousands of organisations. The challenge grows when large providers rely on impersonal customer support processes, where attackers exploit inattentive helpdesk responses or procedural gaps. This mix of scale, ubiquity and human fallibility explains why third-party security breaches tied to Salesforce and its ecosystem continue to spread quickly across industries.

Harrods disclosed in 2025 that hackers had accessed customer data through a third-party provider. Although the company stated its core systems remained intact, customer notifications later revealed a breach affecting hundreds of thousands of records. As a result, Harrods faced significant reputational damage and came under regulatory scrutiny (Techzine, 2025).

Five recurring weaknesses in SaaS-linked breaches

Across these cases, five recurring weaknesses are evident:

  1. Helpdesk workflows: Contractors and vendors often retain authority to disable MFA or reset credentials, creating an exploitable backdoor.
  2. CRM and ecosystem sprawl: Interconnected SaaS tools expand the attack surface and multiply potential entry points.
  3. Over-privileged integration users: Service accounts frequently hold more permissions than necessary, enabling wide-reaching compromise.
  4. Weak detection at SaaS boundaries: OAuth abuse and token hijacking are rarely visible to traditional security monitoring, because the attacker presents valid tokens to the vendor's own HTTPS endpoints and drops no malware. The evidence lives in the SaaS provider's audit log (consent grants, token issuance, unusual API or export volumes), which many organisations never collect.
  5. Fragmented comms stacks: Using multiple vendors increases the number of integrations and authentication tokens that must be protected.
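Weaknesses 1, 3 and 4 become concrete once you look at what an audit log actually records around a helpdesk reset. The following Python is an added example, not NewZapp's or any vendor's code: it parses a constructed, vendor-neutral JSON-lines audit log (the field names ts, event, user, actor, ip, app, scopes and ticket are assumptions, not a real provider's schema) and correlates each helpdesk MFA reset with what the same user does in the following 24 hours: a login from an IP the user has never used before, an OAuth consent granting broad scopes, and a bulk export. The set of scopes treated as high-risk is also an assumption; map it to the provider's own scope vocabulary.

```python
"""Added example: correlate helpdesk MFA resets with risky follow-on activity
in a vendor-neutral SaaS audit log (not NewZapp's or any vendor's code)."""
import json
from datetime import datetime, timedelta

# Constructed sample log. The schema (ts, event, user, actor, ip, app, scopes,
# ticket) is an assumption, not a real provider's format.
SAMPLE_LOG = """
{"ts": "2025-05-10T09:00:00Z", "event": "login", "user": "j.doe@example.org", "ip": "203.0.113.10"}
{"ts": "2025-05-10T13:05:00Z", "event": "helpdesk.mfa_reset", "user": "j.doe@example.org", "actor": "support-agent-7", "ticket": "T-1234"}
{"ts": "2025-05-10T13:12:00Z", "event": "login", "user": "j.doe@example.org", "ip": "198.51.100.77"}
{"ts": "2025-05-10T13:20:00Z", "event": "oauth.consent", "user": "j.doe@example.org", "app": "Data Loader Helper", "scopes": ["full", "refresh_token"]}
{"ts": "2025-05-10T13:25:00Z", "event": "api.bulk_export", "user": "j.doe@example.org", "app": "Data Loader Helper", "records": 48000}
{"ts": "2025-05-11T08:00:00Z", "event": "login", "user": "a.smith@example.org", "ip": "203.0.113.10"}
{"ts": "2025-05-11T08:30:00Z", "event": "oauth.consent", "user": "a.smith@example.org", "app": "Calendar Sync", "scopes": ["openid", "email"]}
"""

RESET_WINDOW = timedelta(hours=24)
# Scopes treated as high-risk because they grant tenant-wide or long-lived
# access (assumption; map to the provider's real scope names).
BROAD_SCOPES = {"full", "api", "refresh_token", "offline_access"}


def parse(log: str) -> list:
    """Parse JSON lines into events sorted by timestamp."""
    events = [json.loads(line) for line in log.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def known_ips(events: list, user: str, before: datetime) -> set:
    """Source IPs the user logged in from before a given time (the baseline)."""
    return {e["ip"] for e in events
            if e["event"] == "login" and e["user"] == user and e["ts"] < before}


def detect(events: list) -> list:
    """Findings linking each helpdesk MFA reset to activity in the following window."""
    findings = []
    for r in (e for e in events if e["event"] == "helpdesk.mfa_reset"):
        user, t0 = r["user"], r["ts"]
        baseline = known_ips(events, user, t0)
        follow = [e for e in events
                  if e["user"] == user and t0 < e["ts"] <= t0 + RESET_WINDOW]
        for e in follow:
            if e["event"] == "login" and e["ip"] not in baseline:
                findings.append({"rule": "login_new_ip_after_reset", "user": user,
                                 "ticket": r.get("ticket"), "ip": e["ip"],
                                 "ts": e["ts"].isoformat()})
            elif e["event"] == "oauth.consent" and BROAD_SCOPES & set(e["scopes"]):
                findings.append({"rule": "broad_oauth_consent_after_reset", "user": user,
                                 "ticket": r.get("ticket"), "app": e["app"],
                                 "scopes": sorted(BROAD_SCOPES & set(e["scopes"]))})
            elif e["event"] == "api.bulk_export":
                findings.append({"rule": "bulk_export_after_reset", "user": user,
                                 "ticket": r.get("ticket"), "app": e.get("app"),
                                 "records": e.get("records")})
    return findings


def broad_consents(events: list) -> list:
    """Every consent granting a high-risk scope, reset or not (weakness 3)."""
    return [(e["user"], e["app"], sorted(set(e["scopes"]) & BROAD_SCOPES))
            for e in events
            if e["event"] == "oauth.consent" and set(e["scopes"]) & BROAD_SCOPES]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for finding in detect(evs):
        print(finding)
    print("broad consents:", broad_consents(evs))
```

In a real deployment the events come from the provider's event-monitoring API or a SIEM export rather than an inline string. The design point is that the helpdesk ticket identifier travels with every finding, so the analyst can pull the support transcript during triage and check whether the reset was verified the way the vendor's process says it should have been.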

Why this matters for Internal Communications leaders

Security is not solely an IT responsibility. Communication leaders must understand that channel selection is a strategic decision with inherent risk implications. Holtz (2004) argues that disciplined planning and measurement underpin effective communication. Dewhurst and FitzPatrick (2022) similarly stress that objective-led channel choices are critical for organisational alignment. When communication platforms fall victim to third-party security breaches, employee trust is undermined, engagement falters, and leadership credibility is eroded.

Frameworks such as Rapid Mass Engagement (Devine, 2023) show that trust and leadership alignment play a vital role in employee engagement. However, when attackers compromise communication platforms, employees quickly lose confidence in organisational messaging. Consequently, cultural cohesion weakens and change programmes face serious disruption.

2025: Third-party breaches are the rule, not the exception

FortifyData’s (2025) analysis shows that supply chain attacks are now the predominant vector for cyberattacks. The breaches at Marks & Spencer, Workday, and Harrods illustrate how organisations can suffer collateral damage from vendor vulnerabilities, even when their internal defences are strong. Therefore, procurement processes must shift from a feature-first to a resilience-first mindset.

NewZapp has explored this theme in its own communications, emphasising the importance of creating and maintaining a risk register during SaaS procurement. A risk register acts as a structured tool that helps communications and procurement teams identify potential vulnerabilities, rate their likelihood and impact, and assign ownership for mitigation. By documenting and actively managing risks, comms leaders can make procurement choices that are transparent, evidence-based, and aligned with organisational objectives. This proactive approach reduces the likelihood of vendor weaknesses undermining engagement efforts.

To support this process, NewZapp provides a downloadable procurement risk register framework, available at: https://updates.newzapp.co.uk/-riskmatrixlp 

How NewZapp reduces third-party risk

NewZapp has designed its platform and processes specifically to mitigate the weaknesses exposed by recent SaaS breaches. Each area of vulnerability seen in 2025’s case studies has a parallel control within NewZapp’s approach:

Defence against social engineering and helpdesk exploitation:

NewZapp’s support model relies on one-to-one customer relationships. Clients deal directly with named support specialists who understand their accounts and recognise unusual requests. As a result, impersonation attempts are more easily flagged. Account resets or MFA changes require strict multi-step verification. Every request is logged and audited, and staff receive regular training to resist social engineering (NewZapp Service Definition, 2024).

Limiting ecosystem sprawl:

NewZapp avoids the sprawl of marketing or enterprise platforms by consolidating core communication channels (email, SMS, Teams/Viva and QR) within one secure system. Its specialist focus on internal communications means organisations get exactly what they need to reach employees, without the unnecessary complexity of ERP, HR or customer experience modules. Platforms like Salesforce or Workday integrate across hundreds of databases and applications, multiplying the number of entry points attackers can exploit. NewZapp takes the opposite approach: it narrows the scope, reduces the attack surface and simplifies oversight. By limiting integrations and tightly controlling its environment, NewZapp makes compliance easier and monitoring more effective. Communications teams gain reliable tools that strengthen engagement without creating systemic risk. In practice, this focus reduces reliance on multiple third-party providers and lowers the chances of a breach spreading through fragmented systems.

Preventing over-privileged access:

User permissions in NewZapp are subject to the principle of least privilege. Each account is configured for the minimum access required, and permissions are reviewed and audited regularly. Service accounts and integrations are scoped tightly, preventing the broad privileges that have been exploited in other platforms.

Enhanced monitoring and visibility at the SaaS boundary:

All activity within the NewZapp platform is logged, monitored and made available for customer-side audit. Suspicious login attempts or unusual usage patterns trigger alerts, so that potential breaches are visible before they escalate.

Reducing fragmentation of comms stacks:

By offering secure deliverability across multiple channels from a single platform, NewZapp reduces the number of integrations and tokens organisations must manage. This simplification decreases opportunities for attackers to exploit weak links in fragmented vendor environments.

Proactive resilience and compliance:

All NewZapp-hosted data resides within the UK and is safeguarded under ISO 27001 certification, demonstrating adherence to international best practice in information security management. Backups and recovery processes are tested regularly, with clearly defined recovery time and point objectives (RTO/RPO). These measures support not only regulatory compliance but also a high level of operational resilience, giving organisations confidence that communications can continue even in the face of disruption (NewZapp Service Definition, 2024).

A 20-point checklist for communications vendor security

To strengthen procurement decisions, organisations should apply a rigorous checklist that aligns with the three lenses of the risk matrix—security, accessibility & deliverability, and resilience & sustainability.

Security accreditation and controls

  1. Enforced SSO/SAML.
  2. MFA with passkeys, no SMS fallback.
  3. Strict verification for helpdesk resets.
  4. Scoped OAuth permissions.
  5. Regular key rotation.
  6. IP allow-listing for admins.
  7. Event log integration with SIEM.
  8. Encryption at rest and in transit.
  9. Vendor holds recognised certifications (e.g., ISO 27001).

Accessibility and deliverability

  10. Proven SPF/DKIM/DMARC alignment to prevent spoofing: the vendor must sign with a DKIM key under your domain or send from an aligned Return-Path, not merely authenticate under its own domain.
  11. Internal deliverability testing to confirm that messages sent on your behalf are recognised as internal by your mail platform (for example via an approved connector) and do not trigger “external sender” warnings.
  12. Accessibility compliance (e.g., WCAG for email templates).
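The alignment point in item 10 is where most vendor onboarding goes wrong: SPF and DKIM can both pass and DMARC still fail, because neither authenticated domain matches the From: domain the employee sees. The following Python is an added example, not NewZapp's code, that evaluates DMARC alignment for a message a vendor sends on a customer's behalf. The domains and DMARC records are constructed, and the organisational-domain rule uses a tiny stand-in list in place of the Public Suffix List (an assumption; use a real PSL library in production).

```python
"""Added example: DMARC alignment check for vendor-sent mail (not NewZapp's code)."""

# Tiny stand-in for the Public Suffix List (assumption): two-label suffixes
# under which the organisational domain has three labels.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "gov.uk"}


def org_domain(domain: str) -> str:
    """Organisational domain used for relaxed alignment (RFC 7489, section 3.2)."""
    labels = domain.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_domain, spf_domain, spf_result, dkim_domain, dkim_result, record):
    """Return the DMARC verdict for one message.

    from_domain: domain of the RFC5322.From header (what the recipient sees)
    spf_domain:  RFC5321.MailFrom / Return-Path domain SPF was evaluated against
    dkim_domain: d= tag of the DKIM signature (None if unsigned)
    """
    tags = parse_dmarc(record)
    aspf = tags.get("aspf", "r")
    adkim = tags.get("adkim", "r")
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain, aspf)
    dkim_aligned = (dkim_result == "pass" and dkim_domain is not None
                    and aligned(from_domain, dkim_domain, adkim))
    passed = spf_aligned or dkim_aligned
    policy = tags.get("p", "none")
    return {
        "pass": passed,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "policy": policy,
        # pct= sampling is ignored here for simplicity (assumption).
        "action": "deliver" if passed else policy,
    }


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.org"
    # Vendor signs with its own domain and bounces to its own domain:
    # authenticated, but nothing aligns with example.org, so DMARC fails.
    print(evaluate("example.org", "bounce.vendor.example", "pass",
                   "vendor.example", "pass", record))
    # Vendor signs with a customer-delegated subdomain: DKIM aligns, DMARC passes.
    print(evaluate("example.org", "bounce.vendor.example", "pass",
                   "comms.example.org", "pass", record))
```

The practical test during procurement is the second scenario: ask the vendor to send a message to a mailbox you control and read the Authentication-Results header. If the only passing identifiers are on the vendor's domain, the message will be rejected or quarantined once your DMARC policy moves beyond p=none, and the warnings in item 11 will follow.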

Resilience and sustainability

  13. Regional data residency guarantees.
  14. Clear data export and termination clauses.
  15. Defined RPO and RTO.
  16. Recovery plan for token revocation: who can revoke the vendor’s OAuth tokens and API keys on your side, and how quickly, if the vendor is compromised.
  17. Evidence of sustainability practices and reporting (e.g., carbon assessments).
  18. Pre-approved incident communication templates.
  19. Stakeholder notification playbooks.
  20. Post-incident review and measurement.

By aligning directly with the risk matrix, this expanded checklist ensures that procurement decisions address not only technical security but also the communication-specific needs of accessibility, deliverability, and long-term resilience.

Closing thought

The third-party security breaches of 2025 make one truth unavoidable: the most vulnerable point in your communications stack is not the inbox itself, but the vendor ecosystem and the integrations that underpin it. Marks & Spencer, Workday, Harrods and Mailchimp (PushSecurity, 2025) all suffered consequences not because their internal systems were fundamentally flawed, but because attackers exploited third-party weaknesses through social engineering, sprawling integrations and over-privileged access.

For internal communications leaders, the lesson is clear: security must be woven into channel strategy, procurement, and day-to-day engagement. The adoption of structured tools such as a risk register and the application of an expanded 20-point procurement checklist ensure that decisions about platforms are made with resilience, deliverability, and sustainability in mind—not just cost and functionality.

NewZapp’s approach demonstrates that specialist focus, one-to-one customer relationships, ISO 27001 certification and consolidated omnichannel delivery can combine to reduce exposure to the systemic risks seen in 2025. By embedding these principles into procurement and governance processes, organisations can protect trust, maintain continuity of communications and strengthen employee engagement, even as the external threat landscape grows more complex.

In practice, this means fewer vendors, fewer integration points, and stronger, more reliable communication channels. As attacks continue to evolve, resilience and trustworthiness should be treated as non-negotiable features of any comms platform. With NewZapp, organisations can be confident that their communications are secure, compliant, and sustainable—delivering messages that reach employees without compromise.

Speak with us and find out more

References

BlackFog (2025). Marks and Spencer ransomware attack. Available at: https://www.blackfog.com/marks-and-spencer-ransomware-attack/ [Accessed 29 Sept. 2025].

CM-Alliance (2025). The Marks and Spencer cyber-attack: everything you need to know. Available at: https://www.cm-alliance.com/cybersecurity-blog/the-marks-and-spencer-cyber-attack-everything-you-need-to-know [Accessed 29 Sept. 2025].

Computing (2025). Workday confirms data breach amid wave of Salesforce-linked cyberattacks. Available at: https://www.computing.co.uk/news/2025/security/workday-confirms-data-breach-amid-wave-of-salesforce-linked-cyberattacks [Accessed 29 Sept. 2025].

Dewhurst, S. & FitzPatrick, L. (2022). Successful employee communications: a practitioner’s guide to tools, models and best practice for internal communication. London: Kogan Page.

Devine, F. (2023). Rapid Mass Engagement. Abingdon: Routledge.

FortifyData (2025). Top third-party data breaches in 2025. Available at: https://fortifydata.com/blog/top-third-party-data-breaches-in-2025/ [Accessed 29 Sept. 2025].

Holtz, S. (2004). Corporate conversations: a guide to crafting effective and appropriate internal communications. New York: AMACOM.

NewZapp Communications (2024). Service Definition Overview. Internal Document.

NewZapp Communications (2024). Communications Pricing 2024. Internal Document.

PushSecurity (2025). Dissecting a recent Mailchimp phishing attack. Available at: https://pushsecurity.com/blog/dissecting-a-recent-mailchimp-phishing-attack/ [Accessed 29 Sept. 2025].

SpecOpsSoft (2025). Marks & Spencer ransomware and Active Directory. Available at: https://specopssoft.com/blog/marks-spencer-ransomware-active-directory/ [Accessed 29 Sept. 2025].

Techzine (2025). Harrods hit by data breach, hackers make contact. Available at: https://www.techzine.eu/news/security/134985/harrods-hit-by-data-breach-hackers-make-contact/ [Accessed 29 Sept. 2025].

The Guardian (2025). Marks & Spencer’s IT contractor investigating potential systems breach. Available at: https://www.theguardian.com/business/2025/may/23/marks-spencers-it-contractor-investigating-potential-systems-breach-report-claims [Accessed 29 Sept. 2025].

Tunley Environmental (2024). Carbon analysis of NewZapp Communications. Internal Report.