Third-party access risks: 7 threat types and Zero-Trust mitigation best practices

What does a sportswear brand have in common with a medical facility? Third-party identity security risks!
Adidas America and the University of Chicago Medical Center (UCMC) are facing lawsuits this month for failing to safeguard personal data that was exposed through contact centers run by their outside vendors. Far from being just an IT problem, breaches caused by third parties have grown into operational, legal, and reputational issues.
Let’s analyze these two cases.
The Adidas lawsuit, filed by a customer in Illinois federal court, says an undisclosed customer-service provider was hacked in May, yet Adidas’ breach notice omitted the vendor’s name, what information was taken, and when the intrusion occurred. The lawsuit points to a 2018 incident to argue that the sportswear brand “knew or should have known” about the outsourcing risk.
Point of breach: The third-party customer service center.
In the UCMC lawsuit, two former patients claim a July 2024 intrusion at debt collector Nationwide Recovery Services went undetected for ten months and exposed unencrypted data on roughly 38,000 people, including birth dates and medical details. Their lawsuit contends the hospital ignored long-standing HIPAA guidance on vendor oversight, leaving victims to fend off identity-theft threats “for their lifetimes.”
Point of breach: The debt collector vendor’s contact center.
Both suits seek damages and injunctive relief on behalf of nationwide classes, and they underscore a widening legal trend: companies are being hauled into court not because their own systems were hacked, but for alleged lapses in overseeing the third-party firms that handle data on their behalf. The penalties can be hefty.
In September 2024, AT&T agreed to pay $13 million to settle a Federal Communications Commission (FCC) investigation into a January 2023 data breach involving a third-party cloud vendor. This breach exposed the information of approximately 8.9 million AT&T wireless customers.
IT service providers, contact center support, and third-party risks
Third-party access risks, especially those posed by IT service providers and contact center support, are a growing concern for organizations due to the increasing reliance on external vendors for critical business functions. These risks are multifaceted and can lead to significant security, compliance, and operational challenges.
- Overprivileged access
Third-party users are often granted more permissions than necessary for their role, increasing the risk of abuse or accidental exposure.
Example: A vendor with administrative access might inadvertently (or intentionally) make changes that compromise system integrity.
- Lack of visibility and control
Organizations may struggle to maintain visibility into which third parties have access, what permissions they have, and how their credentials are managed.
Example: Old or forgotten third-party accounts can become security blind spots, especially if they are not regularly reviewed or deprovisioned.
- Compliance and regulatory risks
Failure to properly manage third-party identities can result in non-compliance with data protection regulations (e.g., GDPR, HIPAA), leading to fines and reputational damage.
Example: Healthcare organizations must ensure third-party vendors comply with HIPAA requirements for access to patient data.
- Supply chain and cascading breaches
A breach at a third-party vendor can cascade to the primary organization, especially if shared credentials or secrets are involved.
Example: The Target breach was initiated through a compromised HVAC vendor’s credentials, which gave attackers a foothold from which they reached payment systems.
- Abuse of privileges
Third-party personnel may misuse their access, either intentionally (malicious insider) or unintentionally (human error), leading to data theft or operational disruption.
A comprehensive classification of third-party identity risks
The table shows different kinds of risks, from leaked secrets to major supply-chain hacks. Focus on the rows where an IT vendor or call center caused the problem: in many of the notable cases, a third party’s customer-service center was the weak link.

These seven categories map onto the NIST CSF 2.0 supply-chain risk management controls (GV.SC; the ID.SC category in CSF 1.1) and the ISO 27001:2022 Annex A supplier-relationship controls (A.5.19 to A.5.23), covering credentials, entitlements, visibility, and regulatory obligations.
The Unosecur way: Best practices for mitigating third-party access risks
- Limit and monitor access
Grant third parties only the level of access necessary to perform their duties: no more, no less. Regularly review and certify access rights.
- Implement strong Identity and Access Management (IAM) practices
Use multi-factor authentication (MFA), role-based access control (RBAC), and privileged access management (PAM) to secure third-party access.
- Adopt a Zero Trust approach
Assume that third-party users are already compromised and verify every access request. Limit lateral movement within the network.
- Conduct due diligence and continuous monitoring
Perform thorough background checks and security assessments before onboarding vendors. Continuously monitor third-party security practices and compliance.
- Prioritize vendors based on risk
Assess and prioritize third-party vendors based on the sensitivity of the data they handle and the potential impact of a breach.
- Maintain visibility and control
Keep an up-to-date inventory of all third parties with access to your systems and data. Monitor their activities and promptly address any security issues.
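As an added example (not Unosecur’s code, and not a description of its product), the script below performs the periodic review that the “limit and monitor access” and “maintain visibility and control” practices call for, over a constructed vendor-account inventory. It flags roles outside a per-vendor-type least-privilege baseline, standing access that should be time-boxed, grants that have expired but remain enabled, accounts unused for 90 days (the forgotten-account blind spot from the risk list above), and missing MFA. The inventory schema, the 90-day threshold, the role names and the vendors are all assumptions invented for the illustration.

```python
"""Periodic access review for third-party (vendor) accounts.

Added example, not Unosecur's code. The inventory schema, the 90-day
staleness threshold and the per-vendor-type allowed-role baseline are
assumptions chosen to illustrate the checks; SAMPLE_INVENTORY is
constructed data and does not describe any real vendor or incident.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

STALE_AFTER = timedelta(days=90)  # assumed recertification threshold

# Least-privilege baseline: roles a vendor of this type legitimately needs.
# Anything outside the set is excess privilege. (Assumed role names.)
ALLOWED_ROLES: dict[str, set[str]] = {
    "contact-center": {"crm-readonly", "ticket-agent"},
    "it-msp": {"server-operator", "monitoring-viewer"},
    "debt-collector": {"billing-readonly"},
}
# Roles whose presence on any vendor account is a high-severity finding.
PRIVILEGED_ROLES = {"domain-admin", "global-admin", "db-owner"}


@dataclass
class VendorAccount:
    account: str
    vendor: str
    vendor_type: str
    roles: set[str]
    mfa_enabled: bool
    last_used: Optional[datetime]   # None: never signed in
    expires_at: Optional[datetime]  # None: standing access, not time-boxed (JIT)
    enabled: bool = True


def review_account(acct: VendorAccount, now: datetime) -> list[dict]:
    """Return findings for one account; an empty list means it passes review."""
    findings: list[dict] = []
    if not acct.enabled:
        return findings  # already deprovisioned; nothing to certify

    def flag(severity: str, issue: str, detail: str) -> None:
        findings.append({"account": acct.account, "vendor": acct.vendor,
                         "severity": severity, "issue": issue, "detail": detail})

    # 1. Overprivileged: roles beyond the vendor type's baseline.
    excess = acct.roles - ALLOWED_ROLES.get(acct.vendor_type, set())
    if excess:
        severity = "high" if excess & PRIVILEGED_ROLES else "medium"
        flag(severity, "overprivileged", "excess roles: " + ", ".join(sorted(excess)))

    # 2. Time-boxing: standing access should become a JIT grant; a grant past
    #    its expiry that is still enabled means the expiry was never enforced.
    if acct.expires_at is None:
        flag("medium", "standing-access", "no expiry set; move to just-in-time access")
    elif acct.expires_at < now:
        flag("high", "expired-but-active", f"expired {acct.expires_at.date()} and still enabled")

    # 3. Stale or forgotten accounts: the classic third-party blind spot.
    if acct.last_used is None:
        flag("medium", "stale", "never used since provisioning")
    elif now - acct.last_used > STALE_AFTER:
        flag("medium", "stale", f"last used {(now - acct.last_used).days} days ago")

    # 4. Authentication strength.
    if not acct.mfa_enabled:
        flag("high", "no-mfa", "MFA not enforced on a vendor account")
    return findings


def review_inventory(accounts: list[VendorAccount], now: datetime) -> dict[str, list[dict]]:
    """Map each failing account name to its findings; clean accounts are omitted."""
    report: dict[str, list[dict]] = {}
    for acct in accounts:
        findings = review_account(acct, now)
        if findings:
            report[acct.account] = findings
    return report


# Constructed sample inventory (fictional vendors and account names).
NOW = datetime(2025, 7, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    VendorAccount("svc-acme-cc-01", "Acme Contact Center", "contact-center",
                  {"crm-readonly", "ticket-agent"}, True,
                  NOW - timedelta(days=2), NOW + timedelta(days=5)),   # clean
    VendorAccount("svc-acme-cc-02", "Acme Contact Center", "contact-center",
                  {"ticket-agent", "domain-admin"}, True,
                  NOW - timedelta(days=1), NOW + timedelta(days=5)),   # admin role on a helpdesk account
    VendorAccount("svc-northwind-msp", "Northwind MSP", "it-msp",
                  {"server-operator"}, False,
                  NOW - timedelta(days=200), None),                   # standing, stale, no MFA
    VendorAccount("svc-rivermark-01", "Rivermark Collections", "debt-collector",
                  {"billing-readonly"}, True,
                  NOW - timedelta(days=3), NOW - timedelta(days=30)),  # grant expired, still enabled
    VendorAccount("svc-coolflow-hvac", "Coolflow HVAC", "facilities",
                  {"network-vpn"}, True, None, None, enabled=False),   # already deprovisioned
]

if __name__ == "__main__":
    for account, findings in review_inventory(SAMPLE_INVENTORY, NOW).items():
        for f in findings:
            print(f"[{f['severity']:6}] {account:20} {f['issue']:20} {f['detail']}")
```

Run as a script, it prints one line per finding; in practice the inventory would be pulled from the directory or cloud IAM rather than hard-coded, and the same function can be scheduled so that recertification happens continuously instead of once a quarter. Note that the disabled HVAC account produces no finding even though its role set is outside any baseline: deprovisioning, not role trimming, is the right end state for a vendor that no longer needs access.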
Also read: A practical guide to ITDR and ISPM
Advantage Unosecur
Unosecur tackles day-to-day third-party governance with a tight combination of agentless entitlement controls and real-time defense.
Its Unified Identity Fabric inventories every human, vendor and machine identity across AWS, Azure, GCP, SaaS and on-prem AD within minutes, then overlays business context to spotlight risky privileges.
Just-in-Time (JIT) workflows hand out MFA-gated, auto-expiring access for contractors or suppliers, while the built-in PAM module records every privileged session. Just-in-time access is the single most effective upgrade you can make to a third-party access program, because it removes the standing privileges that a compromised vendor account would otherwise inherit.
Behind the scenes, behavior analytics map events to MITRE ATT&CK and can instantly revoke credentials or isolate accounts when credential-access techniques that precede lateral movement, such as DCSync or Kerberoasting, are detected.
For ongoing assurance, Unosecur’s entitlement review cadence automatically right-sizes or removes stagnant rights, turning once-manual recertification into a background process.
Continuous telemetry and anomaly scoring keep vendor activity under watch, feeding one-click audit reports for ISO 27001, SOC 2, GDPR and HIPAA.
Also read: The manager’s plain-language guide to ISOX, GDPR, and HIPAA
Third-party access risks are significant and multifaceted, especially those posed by IT service providers and contact center support. Organizations must implement robust access controls, continuous monitoring, and a zero trust approach to mitigate these risks and protect sensitive data and systems.
Book a 30-minute live demo of Unosecur and watch Just-in-Time access, real-time ITDR, and one-click audit evidence in action. No slides, just your data.
Protect what matters most
Secure human and non-human identities (NHIs) at scale powered by AI. Don't wait for a security breach to happen. Get a free assessment today and secure your business.