The Vendor Is Now the Attack Surface
Updated for 2026
For a decade, security teams focused on one goal: keep attackers out of the network. Secure the perimeter. Lock down the endpoints. Control who can log in. The old model assumed attackers would come straight at your organization.
The 2024 numbers show that model is broken. SaaS breaches surged 300% in 2024, per the Obsidian Security 2025 SaaS Security Threat Report. Attackers no longer go straight at organizations. They go after the SaaS tools those organizations trust with their records.
When your cloud tool is the attack target, a strong internal network does not help. Customer records, employee documents, and sensitive content live on the tool's servers. They are locked with the tool's keys. They are exposed when the tool is hit.
2024 SaaS Breach Numbers
The 2024 breach totals show the scale of the risk.
Conduent suffered a breach that exposed 25.9 million records. Conduent runs business process work for government agencies and large firms. It handles benefits, payments, and citizen services. The 25.9 million people affected had no idea a third party held their information.
NHS Digital had a breach that hit 9 million patients. Patient records were exposed through a cloud tool's servers. Patients gave that information to their health providers. They had no reason to know it ever reached a third-party platform.
These are not rare events. They are the new norm. Large breaches now hit millions of people who trusted one organization but had their personal information held by another they never knew existed. For how law assigns blame in these cases, see our GDPR compliance overview.
Why SaaS Breaches Work Differently
A classic network breach takes many steps. Attackers must get past the perimeter. They must move through systems. They must extract documents. Each step is a chance to get caught.
SaaS breaches work differently. When attackers hit a cloud platform, they reach the records of every client that sent content through that platform. One breach yields documents from dozens or hundreds of clients at once.
The 9-minute breach window — time from first access to record theft in SaaS systems, per Obsidian Security incident records — shows how fast this works. Inside a shared platform, attackers find content from many clients at once. That value concentration makes each attack highly efficient.
Contracts do not close this gap. GDPR Article 82 makes a processor liable for damage when it breaks the obligations the Regulation places on processors or acts outside the controller's instructions, and where both controller and processor are responsible each is liable for the whole damage. But proving fault takes months. By then, the records are already gone. See our security and compliance page for how zero-knowledge tools change this result.
The DPA Does Not Protect Your Records
GDPR Article 28 says controllers must use only processors that give "sufficient guarantees." The Data Processing Agreement is the written proof of those guarantees.
Like a HIPAA Business Associate Agreement, the DPA covers the legal side. It does not cover what happens to your documents on the provider's servers.
A cloud tool with a fully GDPR-compliant DPA may still:
- Store customer records using server-side encryption with provider-held keys, so whoever compromises the provider's environment holds the key along with the records
- Run employee information through a shared system used by many other clients
- Keep logs and cached content beyond the agreed uses
- Suffer a breach that exposes all of the above
The DPA sets legal duties. It does not create a technical wall against exposure. When attackers breach the platform in 9 minutes, the DPA does not slow them down.
For plain-language help on Article 28 duties, see the GDPR glossary.
Why the 300% Surge Is Structural
The 300% surge reflects two forces working at once.
First, the volume of sensitive information in SaaS platforms grew sharply in 2024. More organizations moved more work to cloud tools. More documents landed on third-party servers. More content means more reason to attack those servers.
Second, attackers adapted. Organizations now send customer records, financial logs, HR information, legal content, and health records through SaaS tools. Hitting one platform yields records from many clients. The math rewards going after platforms over going after individual organizations.
The 300% figure is not a crime spike. It marks a structural shift in where attacks go.
Zero-Knowledge Anonymization as the Fix
The fix starts with one shift in thinking. If any platform can be hit — and the 2024 record proves they can — then no platform should receive your customers' personal information in a readable form.
Zero-knowledge anonymization before upload changes the breach risk entirely. When a platform holding zero-knowledge-processed content is attacked:
- Attackers reach anonymized records with no readable customer identifiers
- No subject notice is needed because no personal information was exposed
- No GDPR Article 82 joint liability case is required
- No regulatory follow-up results from the breach
The attack hits the platform. It does not reach your customers. Their personal information never arrived on the platform's servers in readable form. This holds only when the platform cannot re-identify anyone from what it receives: any key or lookup table that reverses the tokens must stay with you, because GDPR Article 4(5) and Recital 26 still treat data as personal wherever that additional information is available, and free-text fields can carry names and email addresses as readily as a name column does.
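The contrast drawn in the DPA section (server-side encryption with a provider-held key) and in this section (identifiers removed before upload), as an added Python example that is not the page's or any vendor's code. It uses keyed pseudonymisation, HMAC-SHA256 tokens whose key and lookup table stay on the client, as a stand-in for the page's zero-knowledge anonymization. The sample records, the field names, the toy multi-tenant platform, and the HMAC-based stream cipher that stands in for the provider's at-rest encryption are all constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample records (fictional people, not real data).
CUSTOMER_RECORDS = [
    {"customer_id": "C-1001", "name": "Ada Example", "email": "ada@example.org",
     "case": "Benefit claim opened 2024-03-02"},
    {"customer_id": "C-1002", "name": "Bo Sample", "email": "bo@example.net",
     "case": "Address change requested"},
]
DIRECT_IDENTIFIERS = ("customer_id", "name", "email")  # fields the platform must never see in clear


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream cipher from an HMAC-SHA256 keystream (illustration only; use AES-GCM in production).
    Encryption and decryption are the same XOR operation."""
    out = bytearray()
    for block_no, start in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block_no.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], ks))
    return bytes(out)


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)  # fresh nonce per record avoids keystream reuse
    return nonce + _xor_keystream(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return _xor_keystream(key, blob[:16], blob[16:])


class SaaSPlatform:
    """Toy platform: server-side encryption at rest with a key the provider holds."""

    def __init__(self):
        self._provider_key = secrets.token_bytes(32)  # lives on the provider's servers
        self._store = []  # ciphertext blobs from every tenant

    def upload(self, record: dict) -> None:
        self._store.append(encrypt(self._provider_key, json.dumps(record).encode()))

    def breach(self) -> list:
        """An attacker inside the platform gets the store and the provider key together,
        so at-rest encryption does nothing against this attacker."""
        return [json.loads(decrypt(self._provider_key, blob)) for blob in self._store]


class ClientTokeniser:
    """Keyed pseudonymisation run on the client before upload. The key and the lookup
    table never leave the client; the platform receives tokens it cannot reverse."""

    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._lookup = {}  # token -> original value, kept locally for re-identification

    def _token(self, field: str, value: str) -> str:
        # Same (field, value) always maps to the same token, so records still join.
        tag = hmac.new(self._key, f"{field}\x00{value}".encode(), hashlib.sha256).hexdigest()[:16]
        self._lookup[tag] = value
        return f"tok_{tag}"

    def pseudonymise(self, record: dict) -> dict:
        return {k: (self._token(k, v) if k in DIRECT_IDENTIFIERS else v) for k, v in record.items()}

    def reidentify(self, record: dict) -> dict:
        return {k: (self._lookup.get(v[4:], v) if isinstance(v, str) and v.startswith("tok_") else v)
                for k, v in record.items()}


def identifiers_exposed(records: list) -> set:
    """Direct-identifier values that appear in clear in a breach dump."""
    originals = {r[f] for r in CUSTOMER_RECORDS for f in DIRECT_IDENTIFIERS}
    return {v for r in records for v in r.values() if v in originals}


def run_scenarios() -> tuple:
    # Scenario A: raw records uploaded, provider-held key.
    raw_platform = SaaSPlatform()
    for rec in CUSTOMER_RECORDS:
        raw_platform.upload(rec)
    # Scenario B: identifiers tokenised on the client before upload.
    client = ClientTokeniser()
    tok_platform = SaaSPlatform()
    for rec in CUSTOMER_RECORDS:
        tok_platform.upload(client.pseudonymise(rec))
    exposed_raw = identifiers_exposed(raw_platform.breach())
    exposed_tok = identifiers_exposed(tok_platform.breach())
    # Only the client, holding the lookup table, can map the platform's copy back to people.
    restored = [client.reidentify(r) for r in tok_platform.breach()]
    return exposed_raw, exposed_tok, restored


if __name__ == "__main__":
    exposed_raw, exposed_tok, restored = run_scenarios()
    print("provider-key breach exposes:", sorted(exposed_raw))
    print("tokenised breach exposes:", sorted(exposed_tok))
    print("client re-identification matches originals:", restored == CUSTOMER_RECORDS)
```

Two points a practitioner should take from this: the breach of the raw platform yields every identifier even though the data was encrypted at rest, because the attacker who reaches the store also reaches the key; and the tokenised platform's dump is useless without the client-side lookup table. The `case` field is left in clear on purpose to show the limit of column-level tokenisation: free text can carry names and email addresses, and handling that is the harder part of anonymisation before upload.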
This is not theory. It is a simple fact: there are no records to steal because none were sent in a readable form. The FAQ covers common questions on zero-knowledge anonymization. Our pricing page shows what this protection costs at scale.
The 300% surge changes the risk math. Checking a supplier's security posture and contract terms means betting that your supplier won't be the next headline. Zero-knowledge anonymization removes that bet.
Sources
- Obsidian Security, 2025 SaaS Security Threat Report (300% surge in SaaS breaches)
- BusinessWire: Obsidian Security press release on the 300% year-over-year surge
- GDPR Article 28: Processor
- GDPR Article 82: Right to compensation and liability