Third-party breaches and the data-centre supply chain: where liability really lives

News and information from the Advent IM team.

It’s not the bullet you hear that gets you: it’s the ricochet from someone else’s range. The last two years turned the “indirect breach” into the main show. A zero-day SQL injection in MOVEit Transfer turned a managed file-transfer product into an exfiltration engine for every organisation whose supplier ran it; the Snowflake-linked compromises hinged on reused, stolen credentials on accounts with no MFA, some of them belonging to contractors; and Okta’s support-portal compromise, where HAR files uploaded to support cases still carried live session tokens, became a lesson in token hygiene and identity tiering.

For data-centre operators and their enterprise tenants, these cases reframe three GRC truths:

  1. The processor is no longer a shield. The ICO is increasingly comfortable fining processors directly for UK GDPR security failures. Liability isn’t magically absorbed upstream.
  2. Identity is Tier-0 infrastructure. If your IdP’s support flows accept HAR files that still carry live session cookies and bearer tokens, or your partners don’t enforce phishing-resistant MFA, you’ve created an indirect breach path that bypasses your own controls. Contract for identity controls explicitly.
  3. Assurance must be operational, not paper-based. Many “compliant” suppliers were still caught because diligence stopped at badges and policies. Ask for live evidence: patch timestamps, control telemetry, privileged access logs, and incident drill records.
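The HAR point above is concrete enough to show in code. The following is an added example, not Advent IM’s tooling or any IdP’s own sanitiser: a Python script that redacts cookies, Authorization headers, token-bearing query parameters and JWT-shaped strings from a browser HAR capture before it is attached to a support case, then re-scans the result so the uploader can show it is clean. The sample capture is constructed inline (the host `idp.example.test` and all token values are made up); the header and parameter name lists are assumptions you would tune to your own IdP.

```python
"""Strip session material from a HAR capture before it goes to a vendor support desk.

Added example (not Advent IM's code). A HAR file records every cookie, Authorization
header and token-bearing URL the browser used, so an unsanitised upload hands the
support queue a replayable session. sanitize_har() redacts those fields;
residual_findings() re-scans the output and returns [] when nothing is left.
"""
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
# Header names that carry credentials or session state (assumed list; compared case-insensitively).
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
# Query-string / form parameter names that typically carry tokens or secrets (assumed list).
SENSITIVE_PARAM = re.compile(r"token|session|sid|code|assertion|password|secret|key", re.I)
# Compact JWT shape: three base64url segments, the first starting with the "eyJ" of a JSON header.
JWT = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")


def _sensitive(name, kind):
    """Decide whether a header ("header") or parameter ("param") name must be redacted."""
    if kind == "header":
        return name.lower() in SENSITIVE_HEADERS
    return bool(SENSITIVE_PARAM.search(name))


def _scrub_pairs(pairs, kind):
    """Redact HAR name/value objects (headers, queryString, postData.params) in place."""
    for pair in pairs:
        if _sensitive(pair.get("name", ""), kind):
            pair["value"] = REDACTED


def _scrub_url(url):
    """Redact sensitive query parameters and embedded JWTs without touching the rest of the URL."""
    parts = urlsplit(url)
    if parts.query:
        query = [(k, REDACTED if _sensitive(k, "param") else v)
                 for k, v in parse_qsl(parts.query, keep_blank_values=True)]
        url = urlunsplit(parts._replace(query=urlencode(query, safe="[]")))
    return JWT.sub(REDACTED, url)


def sanitize_har(har):
    """Return a deep copy of the HAR with session material removed from every entry."""
    har = copy.deepcopy(har)
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            _scrub_pairs(msg.get("headers", []), "header")
            # HAR 1.2 lists parsed cookies separately from the Cookie / Set-Cookie headers.
            for cookie in msg.get("cookies", []):
                cookie["value"] = REDACTED
            _scrub_pairs(msg.get("queryString", []), "param")
            post = msg.get("postData") or {}
            _scrub_pairs(post.get("params", []), "param")
            if isinstance(post.get("text"), str):
                post["text"] = JWT.sub(REDACTED, post["text"])
            content = msg.get("content") or {}
            if isinstance(content.get("text"), str):
                content["text"] = JWT.sub(REDACTED, content["text"])
        req = entry.get("request", {})
        if "url" in req:
            req["url"] = _scrub_url(req["url"])
    return har


def residual_findings(har):
    """Re-scan a HAR and list any session material still present; an empty list means clean."""
    findings = []
    for i, entry in enumerate(har.get("log", {}).get("entries", [])):
        for side in ("request", "response"):
            msg = entry.get(side, {})
            post = msg.get("postData") or {}
            for kind, pairs in (("header", msg.get("headers", [])),
                                ("param", msg.get("queryString", [])),
                                ("param", post.get("params", []))):
                for pair in pairs:
                    if _sensitive(pair.get("name", ""), kind) and pair.get("value") != REDACTED:
                        findings.append(f"entry {i} {side} {kind} {pair.get('name')}")
            for cookie in msg.get("cookies", []):
                if cookie.get("value") != REDACTED:
                    findings.append(f"entry {i} {side} cookie {cookie.get('name')}")
    # Catch-all: any JWT-shaped string anywhere in the serialised file (bodies, URLs, odd fields).
    findings += [f"jwt {m[:16]}..." for m in JWT.findall(json.dumps(har))]
    return findings


# Constructed sample capture (not a real HAR): an OAuth callback carrying a code, a session
# cookie, a bearer JWT, and a response body that returns a fresh access token.
_JWT = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiJ9.c2lnbmF0dXJlLXNpZ25hdHVyZQ"
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {
        "method": "GET",
        "url": "https://idp.example.test/oauth2/callback?code=AUTHCODE123&state=xyz",
        "headers": [{"name": "Cookie", "value": "sid=s3cr3tsession; theme=dark"},
                    {"name": "Authorization", "value": "Bearer " + _JWT},
                    {"name": "User-Agent", "value": "Mozilla/5.0"}],
        "cookies": [{"name": "sid", "value": "s3cr3tsession"}],
        "queryString": [{"name": "code", "value": "AUTHCODE123"}, {"name": "state", "value": "xyz"}],
    },
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=newsession; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "newsession"}],
        "content": {"mimeType": "application/json", "text": json.dumps({"access_token": _JWT})},
    },
}]}}

if __name__ == "__main__":
    clean = sanitize_har(SAMPLE_HAR)
    print(json.dumps(clean, indent=2))
    print("residual findings:", residual_findings(clean))
```

Two design points worth noting. Redaction is by field name for headers, cookies and parameters, so a new token format is still caught wherever it travels in a known field; the JWT regex is a catch-all for tokens that leak into bodies and URLs. Running `residual_findings` on the sanitised copy is the point of the exercise: it is the check you would make a condition of accepting a HAR upload, whether that is on your own helpdesk or written into the support terms you agree with an IdP or other supplier.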

A practical assurance pattern for DCs and tenants

  • Contract terms: Mandate MFA/SSO scope, key rotation intervals, SIEM log retention periods, breach notification windows (under 24h), and transparent, kept-current sub-processor lists.
  • Technical tests: Red team blended routes—tailgating + badge cloning + helpdesk pretext + BMS/PSIM attack paths.
  • Governance: Supplier scorecards weighted to identity controls, data-movement tooling (MFT) exposure, and incident rehearsal quality.
  • Enforcement: Right-to-audit that’s actually used; corrective action plans with dates and verification.
  • Data Protection: DPIAs for interconnects/monitoring, UK GDPR Article 28 clauses that name security measures, and DUAA awareness for law-enforcement data handling edge-cases.

The punchline: treat suppliers as part of your own attack surface—because they are.

Written by Ellie Hurst, Commercial Director
