Lead Analysis
Security & Risk · 5 min

Verizon DBIR 2026 Indicates That Third Parties Are Involved in 30% of Corporate Breaches

LED panel in shades of green and blue representing digital security and cybersecurity
Photo by Adi Goldstein on Unsplash

The annual report analysed 22,052 incidents and 12,195 confirmed breaches, doubling the weight attributed to suppliers and partners as vectors of compromise.

Executive Summary


  • Third-party risk doubles: Involvement of suppliers and partners jumped from 15% to 30% of confirmed breaches, according to the Verizon DBIR 2026, released in May.
  • Exploitation of vulnerabilities: A 34% increase in the use of vulnerability exploitation as the initial vector, focusing on "edge devices": VPNs, firewalls, and routers exposed to the internet.
  • Ransomware persists: Present in 44% of analysed breaches, up from 32% in the previous cycle, keeping it the number one priority for incident response.
  • Human element dominant: 60% of breaches involve a human component, whether phishing, misdelivery or misconfiguration, reinforcing the need for structured awareness programmes.

    Context


    Verizon published the latest edition of its Data Breach Investigations Report (DBIR) in May 2026, covering incidents recorded between 1 November 2024 and 31 October 2025. The dataset comprises 22,052 incidents and 12,195 confirmed breaches, the largest sample since the series began in 2008.


    The central theme of this edition is the consolidation of third-party risk as a structural variable in the threat landscape. The percentage of breaches involving suppliers, SaaS platforms, MSPs, or data processors rose from approximately 15% in the previous DBIR to 30% in this edition.


    The Data


    The figures consolidated by the DBIR 2026 reshape defensive investment priorities. Exploitation of vulnerabilities as the initial vector reached 20% of breaches, a 34% increase compared to the previous cycle. Attackers have focused on edge devices: VPNs, perimeter firewalls, and internet-exposed equipment, as detailed in a technical analysis of the report by Beyond Identity.


    Compromised credentials remain the most common entry point: present in 22% of cases. Ransomware was identified in 44% of breaches, a significant increase from the 32% reported in DBIR 2025. Human error, considered collectively, is present in 60% of cases.


    Verizon did not release a specific breakdown for Brazil, but the DBIR's methodology draws on incidents worldwide, with active participation from the Brazilian Security Incident Response Team (CERT.br) and other incident response teams in the LATAM region.


    Sector Impact


    For the Brazilian IT market, two immediate effects are emerging. The first is regulatory: the General Data Protection Law (LGPD) assigns shared responsibility between the controller and operator. With third parties accounting for 30% of global breaches, the risk of sanctions from the ANPD due to supply chain failures becomes materially more relevant for integrators, MSPs, and SaaS developers handling Brazilian corporate customer data.


    The second is contractual. Third-party audit clauses, incident notification SLAs, and inspection rights, which are still heterogeneous in B2B contracts in Brazil, are likely to become standard in RFPs from large corporations. IT consultancies providing services to banks, retailers, and telecom operators should anticipate detailed inquiries regarding subprocessors, patching policies, and identity management.


    The combination of vulnerability exploitation in edge devices with ransomware as the ultimate goal strengthens the roadmap for migration towards Zero Trust architectures and identity-based network segmentation, agendas already prioritised by Gartner and Forrester since 2024.


    Risks and Opportunities


    The direct financial risk goes beyond regulatory fines. The Ponemon Institute, in its Cost of a Data Breach series with IBM, has documented a rising average cost per incident over the past five years. For Brazilian C-Level executives, the package of LGPD risk + remediation cost + reputational damage + operational disruption needs to be modelled collectively, not in silos.


    The business opportunity lies in the consolidation of Third-Party Risk Management (TPRM) services as an autonomous revenue line. Local MSSPs such as Tempest, Cipher, and ISH have begun to offer the service, but with limited scale. The signals from the DBIR 2026 suggest room for aggressive growth in this segment throughout 2026 and 2027.


    What Leaders Should Observe


    1. Immediate audit of critical suppliers: Map the top 20 suppliers by volume of processed data or criticality of access. Require SOC 2 Type II, ISO 27001 or equivalent attestations, with their expiry dates tracked in the compliance pipeline so that lapsed certifications trigger a review.

    2. Patching of edge devices as a budget priority: Allocate a dedicated patch management cycle for VPNs, firewalls, and exposed routers. Define an internal maximum SLA of 72 hours for CVEs with a CVSS above 7.5, and treat any vulnerability with confirmed in-the-wild exploitation as in scope regardless of its score, since CVSS alone is a poor predictor of what is actually being exploited against the perimeter.

    3. Review of B2B contract clauses: Standardise templates with audit rights, incident notification SLAs within 24 hours, and joint liability for breaches originating from subprocessors.
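As an added example (not code from Verizon, the DBIR, or the author of this article), the following script applies the edge-device patch SLA from item 2 to a vulnerability export and reports the SLA status of every in-scope finding, including the edge cases a practitioner has to decide on: findings still open past the deadline, findings with no CVSS score yet, and findings below the threshold that are nevertheless being exploited. The input field names, the device-role tags, the host names and the finding identifiers are all assumptions or placeholders (no real CVE ids are used); the known-exploited override extends the article's CVSS rule with a standard prioritisation signal.

```python
"""Patch-SLA checker for internet-exposed edge devices.

Added example, not from the DBIR or the article. The export format below
(a list of dicts) is an assumption: adapt the field names to whatever your
scanner or CMDB produces. The 72-hour SLA and the "CVSS above 7.5" rule are
the article's; the known-exploited override is an added generalisation.
"""
from datetime import datetime, timedelta, timezone

SLA = timedelta(hours=72)                    # article's maximum time to patch
CVSS_THRESHOLD = 7.5                         # article's "CVSS above 7.5" (strictly greater)
EDGE_ROLES = {"vpn", "firewall", "router"}   # assumption: role tags used in the inventory

# Constructed sample export. Host names and finding ids are placeholders,
# not real assets or CVE identifiers.
SAMPLE_FINDINGS = [
    {"host": "vpn-gw-01", "role": "vpn", "finding": "EXAMPLE-0001", "cvss": 9.8,
     "known_exploited": False, "disclosed": "2026-01-05T00:00:00Z", "patched": "2026-01-06T12:00:00Z"},
    {"host": "fw-edge-02", "role": "firewall", "finding": "EXAMPLE-0002", "cvss": 8.1,
     "known_exploited": False, "disclosed": "2026-01-05T00:00:00Z", "patched": "2026-01-10T00:00:00Z"},
    {"host": "rtr-dc-03", "role": "router", "finding": "EXAMPLE-0003", "cvss": 7.2,
     "known_exploited": True, "disclosed": "2026-01-08T00:00:00Z", "patched": None},
    {"host": "wiki-int-04", "role": "webserver", "finding": "EXAMPLE-0004", "cvss": 9.0,
     "known_exploited": False, "disclosed": "2026-01-05T00:00:00Z", "patched": None},
    {"host": "vpn-gw-01", "role": "vpn", "finding": "EXAMPLE-0005", "cvss": 6.5,
     "known_exploited": False, "disclosed": "2026-01-05T00:00:00Z", "patched": None},
    {"host": "fw-edge-05", "role": "firewall", "finding": "EXAMPLE-0006", "cvss": None,
     "known_exploited": False, "disclosed": "2026-01-09T00:00:00Z", "patched": None},
    {"host": "rtr-br-06", "role": "router", "finding": "EXAMPLE-0007", "cvss": 8.8,
     "known_exploited": False, "disclosed": "2026-01-11T00:00:00Z", "patched": None},
]

# Reference time for the run (constructed), so results are reproducible.
AS_OF = datetime(2026, 1, 12, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a 'Z' suffix into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify(finding, now):
    """Return the SLA status of one finding, or None if it is out of scope.

    Scope: edge devices only; CVSS strictly above the threshold, or any
    finding with confirmed exploitation. Unscored findings on edge devices
    are surfaced for manual review rather than silently dropped.
    """
    if finding["role"].lower() not in EDGE_ROLES:
        return None
    cvss = finding.get("cvss")
    exploited = finding.get("known_exploited", False)
    if cvss is None and not exploited:
        return "unscored_review"
    if not exploited and cvss <= CVSS_THRESHOLD:
        return None
    deadline = parse_ts(finding["disclosed"]) + SLA
    patched = finding.get("patched")
    if patched:
        return "patched_on_time" if parse_ts(patched) <= deadline else "patched_late"
    return "open_overdue" if now > deadline else "open_within_sla"


def evaluate(findings, now):
    """Return (host, finding id, status) for every in-scope finding, in input order."""
    report = []
    for f in findings:
        status = classify(f, now)
        if status is not None:
            report.append((f["host"], f["finding"], status))
    return report


def summarise(report):
    """Count findings per status; the 'open_overdue' bucket is the one to escalate."""
    counts = {}
    for _, _, status in report:
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    report = evaluate(SAMPLE_FINDINGS, AS_OF)
    for host, fid, status in report:
        print(f"{host:<12} {fid:<14} {status}")
    print(summarise(report))
```

Run against a real export, the `open_overdue` bucket is the list to escalate to the budget owner; `unscored_review` catches new advisories that have not yet received a score, which is exactly when edge-device exploitation tends to start.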
