# Why hackers are targeting your digital supply chain, not just your systems

> Source: <https://thenextweb.com/news/why-hackers-are-targeting-your-digital-supply-chain-not-just-your-systems>
> Published: 2026-07-07 15:26:45+00:00

Hackers are constantly looking for new ways to gain access to businesses and it’s rare that it’s through the front door.

For most organisations [cybersecurity](https://thenextweb.com/news/google-ai-zero-day-exploit-cybersecurity-arms-race) still focuses on protecting internal systems and preventing unauthorised access through measures such as firewalls, encryption and employee training. However, this approach assumes that attackers are trying to gain access directly.

It is now no longer sufficient to rely on your own internal cybersecurity controls to secure information. As digital supply chains become more complex with an increasing number of suppliers involved, attackers are now bypassing organisations’ internal controls altogether. Instead, they are exploiting gaps in the trusted supplier network that already have legitimate access to systems and data.

Over the last year a series of high-profile cyber incidents affecting major businesses has highlighted the disruptive and costly nature of these attacks.

So, how does this happen, what does it mean for businesses and what steps can you take to reduce the risk?

## How do attackers enter the digital supply chain?

Instead of attacking organisations directly, hackers increasingly target suppliers and service providers within the digital supply chain, including website or software suppliers, development and testing platforms or information storage solutions. These third parties often have access to systems, data or networks, making them attractive targets and critical risk areas for organisations to manage.

[Supply chain attacks](https://thenextweb.com/news/lastpass-klue-supply-chain-breach-customer-data-stolen) target one or more elements that an organisation needs to provide the products or services it offers. For example, attacks might involve a malicious software update or stolen login details or a vulnerable [open-source](https://thenextweb.com/news/hugging-face-clawhub-malware-ai-supply-chain) component, or an insecure integration between systems.

In particular, digital supply chain attacks happen when software developers rely on widely used third party libraries to add functionality to their applications. If an attacker manages to embed [malicious code](https://thenextweb.com/news/meta-mercor-breach-ai-training-secrets-risk) into one of these libraries, any developer who later integrates it into their software may unknowingly introduce a security weakness into their product.

In 2024, a malicious backdoor was introduced to XZ Utils, a widely used, low-level open-source compression tool found in many Linux systems. The attack did not rely on hacking systems directly and instead exploited the supply chain. At the time the issue was discovered, the affected versions had not yet been widely deployed in production environments. However, they were included in development builds of major distributions, prompting maintainers to rebuild their packages to address the vulnerability. Computer scientist Alex Stamos commented that had the backdoor remained undetected, it would have “given its creators a master key to any of the hundreds of millions of computers around the world that run SSH”.

Once a supplier’s products, services or technology have been breached or compromised, attackers can then access and further compromise the organisation’s systems. These attacks often go unnoticed until systems are disrupted, data is encrypted or stolen or a ransom demand is issued. In the XZ Utils backdoor, the malicious code was only discovered as a developer noticed unusual performance behaviour during routine testing.

More often than not, by the time the attack is discovered the damage is often already done and the business impact can be significant.

## The business impact

The most immediate impact of a [cyberattack](https://thenextweb.com/news/jaguar-land-rover-hack-russian-hackers-nyt-investigation) is typically financial. Ransom demands can be substantial, particularly where attackers understand that the disruption has affected multiple customers or critical services. Even where no ransom is paid, business often end up with high associated costs related to business interruption, system recovery and professional advice, which all add to the financial impact of a cyberattack.

For digital-first and platform-based companies, downtime quickly translates into lost revenue, furthering the financial implications. In one recent incident, a large consumer-facing business (Co-op) said the cyberattack it suffered in 2025 “impacted both financial and operational areas”, resulting in at least £206m in lost revenues.

The operational impact can be just as severe. If a key supplier goes offline or suspends access to their services to contain the attack, business operations effectively grind to a halt. Organisations may be unable to process transactions, fulfil orders or access key systems, forcing them into manual workarounds. Following a cyber-attack in 2025, a well-established and reputable business (Marks & Spencer) was forced to suspend online orders for almost two months and had to switch to manual processing during this time. Rather than targeting M&S’s core infrastructure, the attack took advantage of weaknesses in MoveIt, a commonly used enterprise file transfer tool. As a result, sensitive information relating to both employees and customers was compromised, including contact information, payroll data and in certain instances, National Insurance numbers. Although payment details were not believed to be affected, the scale and nature of the breach prompted a formal incident response, internal reviews, and regulatory involvement from the Information Commissioner’s Office (ICO). The financial impact was estimated at £300m in lost profits.

However, the most significant and lasting consequence is often reputational. Customers rarely differentiate between a company and its suppliers when something goes wrong. From a customer’s perspective, the failure is experienced as a single breakdown of service, regardless of where responsibility ultimately lies. Trust built up over years can be lost overnight, particularly if communication is slow, defensive or unclear. Rebuilding that trust is both time-consuming and expensive, often requiring sustained investment in customer engagement, service improvements and assurances around future resilience against such issues. Even then, the damage can have long-term effects on customer loyalty, future sales and commercial relationships.

## The role of regulation

Regulators are increasingly focused on digital supply chain resilience, reflecting the growing recognition that cybersecurity is not just confined to an organisation’s internal controls. As supply chain attacks become more common, incidents caused by third party suppliers are not treated as external events but as a failure of governance, due diligence and ongoing oversight by the organisation itself.

This approach is already well established under the General Data Protection Regulation (GDPR), which is implemented in the UK by the Data Protection Act 2018. Under the UK GDPR, organisations that act as data controllers remain responsible for protecting personal data, even where the processing of data is outsourced to third parties. Any weakness in a supplier’s cybersecurity controls and any data protection breach is treated as a governance issue for the data controller.

Therefore, data controllers must ensure their data processors implement appropriate technical and organisational measures to protect personal data and report any data breaches to the controller without undue delay. A failure by an organisation to comply with its obligations under the GDPR can result in regulatory action, financial penalties and damage to the business’s reputation.

At EU level, the EU Artificial Intelligence Act takes a similar approach for artificial intelligence. Organisations that develop, use or rely on AI systems, including those sourced from third parties, are expected to understand how those systems work, how they are secured and what risks they introduce, particularly where AI is classified as “high-risk” or embedded into critical business processes.

In practice, organisations must take a more active role in overseeing any AI tools and digital services used across their supply chain. Simply trusting suppliers to manage cyber and AI risks on their behalf is no longer sufficient. Regulators increasingly expect organisations to demonstrate that they understand their digital dependencies and can identify where critical risks sit. Furthermore, they must have effective controls in place to manage those risks before incidents occur.

This must form part of a broader digital supply chain and cybersecurity risk management framework which organisations now needs to actively consider putting in place and documenting. Furthermore, organisation need to undertake robust supplier due diligence and ongoing monitoring and should have in place clearly defined response plans.

## Mitigation strategies

Supply chain attacks are difficult to mitigate as an organisation not only has to trust all the suppliers it works with directly but also the suppliers who supply them. As such, organisations cannot eliminate supply chain risk entirely.

However, the risk can be reduced through proactive measures, including:

Requiring robust security measures: conduct thorough due diligence with any potential supplier before commissioning their services and require them to evidence practical security measures, including patch management, employee training, access controls and multi-factor authentication.

Conducting regular risk assessments: identify vulnerabilities across the supply chain and assess the potential impact of disruptions, ensuring mitigation efforts are prioritised effectively.

Reviewing third party contracts: ensure contracts include clear and relevant terms on each party’s responsibilities. Consider each supplier on a case-by-case basis, rather than implementing a template set of security requirements. Some key points to consider include incident notification, liability, service levels, data protection obligations and audit rights.

Testing systems: perform tests over any system developed for the organisation by third parties.

Providing support: develop and provide appropriate supporting guidance, tools and processes to enable the effective management of the supply chain, provide support and assistance where security incidents may affect the business or the wider supply chain.

Developing incident response plans: create and regularly update incident response plans which explicitly cover third party attacks, including decisions around ransom demands, customer communications and regulatory notifications.

Raising awareness of security: explain security risks in plain language, encourage training of core staff (both internally and externally), promote and adopt sharing of security information.

Investing in insurance: cyber insurance can help mitigate financial losses. Third party suppliers should also have appropriate insurance in place.

As digital supply chains continue to expand, cybersecurity is no longer just an IT problem. It is a test of how well organisations understand and manage the risks posed by the suppliers, platforms and technologies they depend on.

Recent incidents demonstrate that weaknesses in the digital supply chain can quickly escalate into major financial, operational and reputational damage. Regulators now expect organisations to anticipate and manage these risks as part of effective governance, rather than reacting once disruption has occurred.

Organisations that take a proactive approach, rather than waiting for an incident to expose weaknesses, will be far better placed to protect their operations, comply with regulatory expectations and maintain the trust of customers and stakeholders.

If you have questions about preparing for and managing digital supply chain incidents, or would like to review your contractual arrangements with key suppliers, please contact [Michaela Britton ](michaela.britton@penningtonslaw.com)or [Joanne Vangdesan](Joanne.Vengadesan@penningtonslaw.com) and they will arrange for one of Penningtons Manches Coopers LLP experts to get in touch.

## Get the TNW newsletter

Get the most important tech news in your inbox each week.

Expertise from selected TNW Council members, admitted through an application and review process to a fee-based program. Opinions expressed by the authors are their own.
