January 28 is Data Protection Day. This is a good opportunity to briefly review one aspect of data protection: the risks inherent in supply chains. Many information security laws and standards explicitly identify supply chain risk as an area to be considered. Data protection regulations do not always do so in such an explicit manner; however, numerous provisions have been formulated precisely because of risks arising within supply chains.
As a result, many organizations do not treat this topic as a direct threat when designing their data protection frameworks — which is a mistake, especially in light of major data protection incidents in 2025, where the primary cause was the materialization of supply chain risks.
Major 2025 Data Protection Incidents Involving Supply Chain Risks
One of the most significant supply chain–type incidents in 2025 originated from the integration of the SalesLoft and Drift chat platforms. Through a vulnerable third-party integration, OAuth tokens were compromised, providing access to Salesforce data of more than a million organizations (including Google, Chanel, Qantas, TransUnion, etc.). Attackers gained access through a service provided by a third party in the supply chain. As third-party tools increasingly integrate with internal corporate data across the industry, every organization needs to approach each new tool with careful scrutiny. This incident affected hundreds of organizations through a single integration point, highlighting the interconnected risks in today’s technology landscape.
The personal data of Volvo Group’s North American employees (names, Social Security numbers) was exposed after their HR software provider, Miljödata, suffered a ransomware attack in August 2025. Volvo’s own systems were not compromised; however, data leakage through the vendor’s Adato systems may have affected more than 1.5 million individuals during an attack attributed to the DataCarry group. Volvo is providing credit monitoring and data protection services to those affected.
During the new Shai-Hulud supply chain attack campaign, hundreds of npm (Node Package Manager) packages infected with trojan code were published. The primary objective was to obtain credentials used in developer and CI/CD environments. The collected information was automatically uploaded in encoded form to GitHub, where more than 27,600 repositories became accessible. The Shai-Hulud 2.0 campaign, involving trojans embedded in npm packages that infected software dependencies, resulted in large-scale data leakage.
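A defender-side check for the "encoded upload" step described above, added here as an example and not part of the original post: it decodes base64 runs found in a file or repository object and flags credential-like patterns inside them. The token format prefixes are assumed from their public documentation, and the sample record is constructed.

```python
import base64
import re

# Illustrative (not exhaustive) formats of developer/CI credentials; the
# prefixes are the publicly documented ones, the length bounds are assumed.
SECRET_PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{20,}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# A base64 run long enough to hide a token; shorter runs are ignored.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_base64_runs(text):
    """Yield (encoded, decoded) for every base64 run that decodes to UTF-8 text."""
    for m in B64_RUN.finditer(text):
        enc = m.group(0)
        try:
            yield enc, base64.b64decode(enc, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64 or not text: skip


def scan_text(text):
    """Return findings as (where, secret_type, token) tuples.
    Both the plaintext and every decoded base64 run are checked."""
    findings = []
    for name, pat in SECRET_PATTERNS.items():
        for m in pat.finditer(text):
            findings.append(("plaintext", name, m.group(0)))
    for _enc, dec in decode_base64_runs(text):
        for name, pat in SECRET_PATTERNS.items():
            for m in pat.finditer(dec):
                findings.append(("base64", name, m.group(0)))
    return findings


# Constructed sample: a fake record of the kind a harvester might push to a
# repository. The token values are made up and only follow the public format.
FAKE_GITHUB_TOKEN = "ghp_" + "A" * 36
FAKE_NPM_TOKEN = "npm_" + "b" * 36
SAMPLE = '{"host": "ci-runner-01", "env": "' + base64.b64encode(
    ("GITHUB_TOKEN=" + FAKE_GITHUB_TOKEN + "\nNPM_TOKEN=" + FAKE_NPM_TOKEN).encode()
).decode() + '"}'

if __name__ == "__main__":
    for where, kind, token in scan_text(SAMPLE):
        print(f"{where}: {kind} {token[:8]}...")
```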
Salesforce detected suspicious activity on 19 November 2025 and suspended Gainsight integrations on 20 November. Unauthorized access is estimated to have occurred between 23 October and 19 November 2025. The attack method was a classic SaaS supply chain attack: the attackers (such as the ShinyHunters group) did not directly breach Salesforce but used stolen OAuth tokens and secrets obtained during a previous incident affecting the SalesLoft/Drift platform. Hackers exploited the Gainsight application operating via Salesforce, gaining access to data from more than 200 companies.
According to Korean Air’s announcement in December 2025, the airline was hit by a serious supply chain attack in which data of approximately 30,000 current and former employees was leaked. The Cl0p group exploited a critical Oracle E-Business Suite vulnerability to access a supplier’s system, resulting in the exposure of employee data. The flaw enabled unauthenticated remote code execution (RCE) on internet-exposed servers.
It is clear that supply chain risks significantly affect data protection. Therefore, the requirements set out in the GDPR must be taken seriously to ensure an adequate level of protection.
A controller may not entrust data processing to just any party, but only to an organization that implements appropriate technical and organizational measures and acknowledges that it bears obligations equivalent to those of the controller (while the controller remains responsible for the processor’s data protection). (Article 28)
Both controllers and processors must apply appropriate security measures, including encryption, access management, integrity protection, and regular testing. If a data protection incident occurs at the processor, the controller is not automatically exempt from responsibility. (Article 32)
If a data protection incident — such as data leakage or theft — occurs at the processor, it must be reported without undue delay to the controller, who then reports it to the data protection authority. This can be interpreted as an incident reporting obligation linked to supply chain risks. (Articles 33 and 34)
The data protection impact assessment (DPIA) is key. It must identify supply chain risks, covering the use of external service providers, data flows and their context, and international data transfers. (Article 35)
The above illustrates that the GDPR does, in fact, address supply chain risks, even if not always under that specific label.
Summary
In these supply chain–related incidents, the initial entry point was not the primary system of the affected organization but rather:
In 2025, the number of such third-party supply chain attack vectors increased, often leading to simultaneous data loss across multiple organizations.
Proper implementation of GDPR requirements and real incident-driven data protection practices can help prevent such incidents or at least reduce the likelihood of their occurrence.
Author

Baranya Zsolt
Senior Information Security Auditor