They’re the guardians of our most sensitive and confidential information, but new research has found that no matter how careful they are, 41.8 per cent of financial technology firms have suffered data breaches due to vulnerabilities at other companies they don’t control.
Those companies, security benchmarking firm SecurityScorecard recently found, have inherited security vulnerabilities from third parties such as business partners, suppliers, customers, and even the cloud service providers that supply critical technology capabilities.
SecurityScorecard – which runs automated testing panels to score companies’ cybersecurity defences – found that fully 18.4 per cent of fintechs had experienced publicly reported data breaches, with 28.2 per cent reporting multiple incidents.
Its new fintech-focused report – a subset of its latest global Third-Party Breach Report – found technology products were involved in 63.9 per cent of third-party breaches, with DNS Health issues common and 46.4 per cent of companies found to have application security issues.
Most frequently compromised were cloud platforms and file transfer software like CrushFTP and MOVEit, which was exploited in a 2023 attack that affected over 1,000 companies including British Airways, BBC, Putnam Investments, Flagstar Bank, and Bluefin.
“Fintech companies anchor global finance, but one exposed vendor can take down critical infrastructure,” SecurityScorecard senior vice president of Strike Threat Research Ryan Sherstobitoff said, warning that “third-party breaches aren’t edge cases”.
“They reveal structural risk,” he continued, “and in fintech, that means operational outages across payment systems, digital asset platforms, and core financial infrastructure.”
There are many keys to the kingdom
Misconfigurations, outdated and unpatched software, and stolen account credentials allow cybercriminals to move laterally into even the best-secured fintechs by masquerading as authorised users, or using automated APIs to access data they shouldn’t.
During the second half of last year, Australian government figures show, 62 per cent of data breaches due to cybersecurity incidents were caused by the theft of such credentials, posing an immediate threat for fintechs that generally just assume their partners are secure.
Exposure extends even further along the supply chain, with insecure systems at the suppliers of third-party suppliers – known as fourth-party exposure – exploited in 11.9 per cent of data breaches.
That’s more than double the global average, confirming not only that cybercriminals are working hard to breach fintech companies but that the complexity and sheer magnitude of their information systems are leaving them worryingly exposed.
Indeed, the rate of compromise of fintechs was ahead of the 35.5 per cent of all data breaches that were attributed to third-party compromises – confirming that fintechs’ complex, interoperable digital payment ecosystems are prime targets for cybercriminals.
Best of a bad bunch
Third-party exposure has been blamed for a range of major cybersecurity breaches, with SecurityScorecard previously finding that 98 per cent of global organisations have relationships with at least one third party that had suffered a data breach.
Furthermore, its research found, half of companies have indirect relationships with at least 200 fourth-party vendors that had been breached in the previous two years.
Such broad exposure has had predictable consequences: US healthcare operator Ascension, for one, confirmed in December that a data breach at a former business partner had exposed contact details, demographic details, and healthcare records.
Ticketek blamed its recent breach on a “reputable, global third-party supplier”, while one million ClubsNSW patrons were compromised in a third-party incident last year and Sydney University is evaluating its exposure to the recent breach of software provider Beakon.
Yet despite fintechs being regularly compromised, SecurityScorecard noted that they had the strongest overall security posture of any industry in which the 250 analysed companies operate, and recommended companies take several steps to protect themselves.
These included evaluating vendors based on their exposure and breach history; auditing their own and their partners’ software integrations; and fixing common application security issues like unsafe redirect chains, misconfigured storage and missing SPF records.
It also recommended enforcing multi-factor authentication, monitoring dark web sites for reused credentials, and taking down spoofed domains and, given that most incidents were tied back to companies with multiple breaches, advised extra care when dealing with such companies.