In late May 2023, a zero-day vulnerability in MOVEit Transfer — a widely used managed file transfer software — was exploited by a ransomware group known as Cl0p. Within weeks, the breach had cascaded across hundreds of organizations: federal agencies, state governments, universities, financial institutions, and healthcare providers.

The scale was staggering. The breach eventually affected an estimated 40 million individuals. Victims included the U.S. Department of Energy, several state motor vehicle agencies, British Airways, and dozens of hospitals and health systems. Many organizations did not know they were affected because MOVEit was running inside a vendor’s infrastructure, not their own.

This is the defining feature of supply chain attacks: you can have a perfect internal security posture and still be exposed through a vendor you rely on. The MOVEit incident is the largest data breach of 2023, and it will likely remain a case study in third-party risk for years.

The practical lesson is not to distrust your vendors. It is to know which vendors have access to your data, what data they can touch, and what your exposure looks like if they are compromised.