Monday, 22 December 2025

When your partners become your weakest link: Lessons from Qantas and Mango

The Qantas and Mango breaches reveal how third-party cyber risks threaten Southeast Asian businesses through shared vendors, underscoring the need for continuous monitoring and resilience.

Two major Australian companies, Qantas and fashion retailer Mango, recently experienced separate data breaches traced back to third-party partners. These incidents have drawn renewed attention to a critical cybersecurity issue: the growing risk posed by external vendors. The breaches show that even the most well-defended organisations can be compromised by weaknesses outside their direct control.

For businesses in Singapore and across Southeast Asia, the lesson is clear. Supply chain vulnerabilities have become one of the most pressing blind spots in the digital era, with potentially far-reaching consequences.

Third-party breaches reveal a growing exposure

The incidents involving Qantas and Mango occurred within the same week, capturing the attention of both cybersecurity experts and business leaders. In the case of Qantas, reports emerged that customer data had surfaced on the dark web. While the airline stated that its core systems were not directly breached, the leaked data appears to have originated from a third-party partner involved in customer communications. Around the same time, Mango confirmed that it suffered a data breach through a marketing vendor.

According to Kash Sharma, Managing Director for Australia and New Zealand at cybersecurity firm BlueVoyant, the timing and nature of these attacks should serve as a clear warning for organisations that rely heavily on external suppliers. “With Qantas customer data now appearing on the dark web and Mango confirming a third-party breach through a marketing vendor, businesses seeing two major third-party breaches in the same week should take notice: your security posture is only as strong as your weakest link,” said Sharma.

These cases highlight a broader trend across industries. As companies outsource functions such as marketing, cloud services, and data management, they extend their digital footprint to hundreds of external entities. Each vendor relationship introduces potential entry points for attackers. Even when a company’s own defences are robust, a breach in a vendor’s system can lead to data exposure, operational disruption, or reputational harm.

Visibility and trust in digital ecosystems

Sharma pointed out that many third-party suppliers have legitimate access to sensitive customer data or key systems. However, most organisations have limited visibility into how those suppliers manage cybersecurity. “Third-party suppliers often handle sensitive data or have access to key systems, but organisations can’t always see or control the cyber standards of every partner in their ecosystem,” he said. “This is why continuous third-party risk monitoring has become essential.”

The problem is not simply a technical one. It is about trust, accountability, and the ability to verify that partners maintain the same level of security diligence. In many cases, a business may conduct initial due diligence when onboarding a vendor, but ongoing monitoring is rare. That creates gaps that attackers can exploit, especially when smaller vendors lack the resources or expertise to maintain high cybersecurity standards.

For large organisations such as airlines, banks, and retailers, vendor networks can number in the thousands. Each link in the chain introduces complexity and risk. Without the right tools and oversight, companies effectively lose control over how their data is protected once it leaves their own systems. This is where advanced third-party risk management platforms and automation tools are starting to play a critical role, enabling real-time monitoring of partners’ security health and alerting organisations to vulnerabilities before they are exploited.

Shared risks across borders

While the latest breaches occurred in Australia, their implications extend across the region. Singapore and other Southeast Asian economies share strong trade and technology connections with Australia, often relying on the same global service providers, marketing agencies, and software vendors. A compromise in one market can quickly ripple into another.


“As Singapore continues to strengthen its position as a regional digital and aviation hub, incidents like these in Australia show just how easily similar risks could ripple across borders,” Sharma said. “Many local organisations share the same types of third-party relationships, and with ongoing regulatory focus from bodies like MAS, it’s clear this is an issue that deserves more attention here too.”

Singapore’s interconnected digital economy makes it particularly vulnerable to such cross-border risks. Enterprises in sectors such as aviation, financial services, logistics, and retail often rely on shared infrastructure and multinational vendors. As these supply chains become increasingly digital, cybercriminals are exploiting the weakest link in these ecosystems. Attackers target smaller, less secure partners, then use those connections to reach larger, higher-value organisations.

This pattern has been observed globally, with breaches originating from trusted partners spreading rapidly across interconnected industries. Such incidents demonstrate how a single supplier’s vulnerability can trigger a chain reaction of compromises affecting multiple organisations. For regional businesses, this reinforces that cybersecurity can no longer stop at an organisation’s perimeter. It must now extend across every layer of its vendor and partner network.

Continuous monitoring and zero trust

Traditional cybersecurity models focus on securing internal networks and endpoints, assuming that external partners can be trusted once access is granted. That assumption is no longer valid. Attackers often disguise themselves within legitimate traffic or exploit authorised connections between companies.

Continuous monitoring and the adoption of zero-trust principles are now critical. This approach treats every external connection as potentially hostile until verified, ensuring that all data exchanges are authenticated and monitored in real time. For businesses with extensive third-party relationships, implementing automated third-party risk management systems can help detect anomalies such as unapproved access, expired certificates, or exposed credentials before they escalate.
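
As an added illustration (not code from the article or from any vendor it mentions), the sketch below runs the three checks named above, unapproved access, expired certificates and exposed credentials, over a small vendor inventory. All vendor names, resource labels, key fingerprints and the leak feed are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data; vendor names, resources and fingerprints are hypothetical.
APPROVED_SCOPE = {
    "mailer-vendor": {"crm/contacts:read"},
    "loyalty-vendor": {"loyalty/points:read", "loyalty/points:write"},
}
ACCESS_EVENTS = [
    ("mailer-vendor", "crm/contacts:read"),
    ("mailer-vendor", "crm/payments:read"),   # outside the approved scope
    ("loyalty-vendor", "loyalty/points:write"),
    ("old-agency", "crm/contacts:read"),      # vendor not in the current inventory
]
CERT_EXPIRY = {
    "mailer-vendor": datetime(2026, 1, 5, tzinfo=timezone.utc),
    "loyalty-vendor": datetime(2025, 12, 1, tzinfo=timezone.utc),
}
KEY_FINGERPRINTS = {"mailer-vendor": "fp-a1", "loyalty-vendor": "fp-b2"}
EXPOSED_FINGERPRINTS = {"fp-b2", "fp-zz"}  # assumed output of a leak-monitoring feed

def audit_vendors(now, warn_days=30):
    """Return sorted (vendor, finding, detail) tuples for the three anomaly types."""
    findings = set()
    # 1. Unapproved access: unknown vendor, or resource outside the approved scope.
    for vendor, resource in ACCESS_EVENTS:
        allowed = APPROVED_SCOPE.get(vendor)
        if allowed is None:
            findings.add((vendor, "unapproved-access", f"unknown vendor used {resource}"))
        elif resource not in allowed:
            findings.add((vendor, "unapproved-access", f"{resource} not in approved scope"))
    # 2. Certificates already expired, or expiring within the warning window.
    for vendor, not_after in CERT_EXPIRY.items():
        if not_after <= now:
            findings.add((vendor, "certificate-expired", not_after.date().isoformat()))
        elif not_after - now <= timedelta(days=warn_days):
            findings.add((vendor, "certificate-expiring", not_after.date().isoformat()))
    # 3. Vendor credentials whose fingerprint appears in the leak feed.
    for vendor, fingerprint in KEY_FINGERPRINTS.items():
        if fingerprint in EXPOSED_FINGERPRINTS:
            findings.add((vendor, "credential-exposed", fingerprint))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_vendors(datetime(2025, 12, 22, tzinfo=timezone.utc)):
        print(*finding, sep=" | ")
```

Run on a schedule against real access logs and certificate inventories, the same comparison against an approved baseline is what turns one-off onboarding due diligence into continuous monitoring.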

Sharma noted that attackers are increasingly opportunistic, seeking the easiest route to valuable data. “Attackers are looking for the easiest way in, often by exploiting gaps in trusted partners that sit outside an organisation’s perimeter,” he said.


For Singaporean businesses, this requires a shift from reactive cybersecurity to proactive risk management. This means regularly auditing vendor access privileges, establishing contractual requirements for data protection, and requiring partners to demonstrate compliance with recognised cybersecurity standards.

Lessons for Singapore’s digital economy

The Monetary Authority of Singapore (MAS) has long required financial institutions to manage third-party risks through frameworks such as the Technology Risk Management Guidelines. However, many non-financial organisations have yet to adopt similar measures. The recent Australian breaches highlight how vulnerable marketing vendors, loyalty platforms, and even logistics partners can become entry points for attackers.

In sectors like aviation and retail, where customer data is integral to business operations, such breaches can have immediate reputational and financial consequences. For Singaporean enterprises, the priority should be to build resilience through stronger governance, better visibility, and shared accountability across their supply chains.

This includes conducting risk assessments before onboarding vendors, segmenting network access, and ensuring that incident response plans include third-party involvement. Organisations should also explore cyber insurance and recovery strategies that account for supply chain dependencies, recognising that liability may extend beyond their own systems.

Beyond compliance, cybersecurity has become a business imperative that directly impacts trust and competitiveness. Customers increasingly expect companies to take full responsibility for the security of their personal information, regardless of where the breach occurs.

The message from the Qantas and Mango incidents is clear. Cybersecurity has become a shared responsibility across every part of the business ecosystem. Companies can no longer afford to treat third-party relationships as an afterthought. Whether it involves a cloud provider, a marketing agency, or a software vendor, every partner must be held to the same standard of vigilance.

Sharma’s reminder captures the essence of the challenge: “Visibility across your entire supply chain is now a fundamental component of cyber resilience. Whether you’re a global fashion retailer or a major airline, the lesson is the same. You’re only as secure as the partners you keep.”

As Singapore continues to advance its position as a smart nation and regional digital hub, the need for resilient supply chain security will only intensify. Businesses that take proactive steps today to assess and monitor their third-party risks will be better equipped to protect their customers and maintain trust in an increasingly volatile digital landscape.
