
SaaS Breaches Surged 300% in 2024: Why Zero-Knowledge Architecture Is No Longer Optional

Conduent exposed 25.9 million records. NHS Digital: 9 million patients. Attackers breach SaaS vendors in 9 minutes. When your vendor is the attack surface, Data Processing Agreements are not enough.

March 5, 2026 · 9 min read

Tags: SaaS security, data breach 2024, zero-knowledge architecture, vendor risk management, GDPR Article 28

The Vendor Is Now the Attack Surface

For a decade, enterprise security teams focused on perimeter defense: secure the network, protect the endpoints, control access to internal systems. The threat model assumed that attackers would try to penetrate the organization directly.

The 2024 SaaS breach data shows this model is obsolete. SaaS breaches surged 300% in 2024, according to Obsidian Security's 2025 SaaS Security Threat Report. Attackers are no longer targeting organizations directly — they are targeting the SaaS vendors those organizations trust with their data.

When your vendor is the attack surface, the security of your own network is irrelevant. The customer data, employee records, and sensitive business information you processed through that vendor are on the vendor's infrastructure, accessible with the vendor's keys, and exposed when the vendor's systems are compromised.

2024's SaaS Breach Numbers

The scale of 2024 SaaS breaches illustrates the exposure:

Conduent experienced a breach that exposed 25.9 million records. Conduent provides business process outsourcing services to government agencies and large enterprises — including benefits administration, payment processing, and citizen service portals. The 25.9 million records included individuals who interacted with government services and had no knowledge that their information was held by a third-party vendor.

NHS Digital experienced a breach affecting 9 million patients. The NHS breach exposed patient data processed through a SaaS vendor's infrastructure — clinical information that patients had provided to their healthcare providers and had no reason to believe was transmitted to a third-party platform.

These are not outliers. They represent the new normal for data exposure: large-scale breaches affecting millions of individuals who provided data to organizations they trusted, which passed it to vendors those individuals never knew existed.

Why SaaS Breaches Are Structurally Different

Traditional network breaches require attackers to penetrate an organization's perimeter, navigate internal systems, and exfiltrate data — a multi-stage process with multiple detection opportunities.

SaaS breaches operate differently. Attackers who compromise a SaaS vendor gain access to the data of every customer who has processed information through that vendor. A single compromise yields the customer records of dozens or hundreds of enterprise clients simultaneously.

The 9-minute breach window — the time between initial access and data compromise in SaaS environments, per Obsidian Security's incident response data — reflects this structural difference. Once inside a vendor's infrastructure, attackers encounter data from multiple organizations stored in a shared environment. The attack surface concentrates the value.

For organizations that have signed GDPR-compliant Data Processing Agreements with their SaaS vendors, the breach does not eliminate compliance liability. GDPR Article 82 assigns joint liability to data processors for breaches that result from their non-compliance with GDPR obligations. But joint liability requires proving the vendor was non-compliant — a complex investigation that takes months while the data is already in the hands of threat actors.

The DPA Does Not Protect the Data

GDPR Article 28 requires organizations to use only processors that provide "sufficient guarantees" to implement appropriate technical and organizational measures. The Data Processing Agreement is the contractual evidence of those guarantees.

Like HIPAA's BAA, the DPA addresses the contractual relationship. It does not address the technical reality of what happens to your data on the vendor's infrastructure.

A SaaS vendor operating under a GDPR-compliant DPA may still:

  • Store your customers' data using server-side encryption with vendor-controlled keys
  • Process your employees' information in a multi-tenant environment shared with other customers
  • Retain data logs, processing records, and cached content beyond the purposes specified in your agreement
  • Have their infrastructure compromised in a way that exposes all of the above

The DPA creates obligations. It does not create a technical barrier to data exposure. When attackers breach the vendor in 9 minutes, the DPA does not slow them down.

The 300% Surge Is a Selection Effect

The 300% surge in SaaS breaches reflects two trends operating simultaneously.

First, the absolute volume of data in SaaS platforms grew substantially in 2024. As more organizations moved more processes to cloud-based vendors, the data available in vendor environments increased proportionally. More data on vendor infrastructure creates more incentive for attackers to target vendor infrastructure.

Second, attackers have adapted their methodology to match the value concentration. Organizations now process more sensitive data through more SaaS vendors than ever before — customer records, financial transactions, HR data, legal documents, healthcare information. SaaS vendors have become high-value targets because breaching one vendor yields data from many organizations.

The 300% figure describes a structural shift in where attacks are directed, not merely an uptick in generic criminal activity.

Zero-Knowledge Architecture as Vendor Risk Mitigation

The conceptual shift zero-knowledge architecture requires is straightforward: if your vendor cannot be trusted to hold your data securely — not because of any specific failure, but because any vendor can be breached — then your data should never reach your vendor in identifiable form.

Zero-knowledge anonymization before transmission to SaaS vendors changes the breach exposure fundamentally. When a vendor using zero-knowledge-processed data is breached:

  • Attackers access anonymized records with no recoverable customer identifiers
  • No data subject notification is required because no personal data was exposed
  • No GDPR Article 82 joint liability investigation is necessary
  • No regulatory enforcement inquiry results from the breach

The breach affects the vendor. It does not affect your customers' data because your customers' data was never on the vendor's servers in recoverable form.
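The two passages above, the list of what a vendor may still do under a compliant DPA (server-side encryption with vendor-controlled keys) and the zero-knowledge anonymization described here, are easiest to compare in code. The following is an added example written for this article, not code from the original page or from the product it promotes. It implements one concrete form of the idea, keyed pseudonymization on the controller's side with HMAC-SHA256: direct identifiers are replaced by tokens before the record crosses the boundary to the vendor, the key and the token-to-value mapping never leave the controller, and a pre-transmission check refuses to send any record in which an original identifier survives. The field list, the sample record and the e-mail-only free-text scrub are constructed for the example; a real deployment would derive them from a classification policy. For contrast, the block also shows an unkeyed hash and why it does not give the same protection: anyone holding a breached dataset can confirm a guessed e-mail against an unsalted hash, but cannot against a keyed one. Note the terminology: because the controller keeps a mapping, the vendor-side copy is pseudonymized data in GDPR terms; whether it is effectively anonymous depends on nobody outside the controller being able to re-link it.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict, Tuple

# Hypothetical direct-identifier fields for this example; a real deployment
# would drive this from a classification policy, not a hard-coded list.
DIRECT_IDENTIFIERS = ("customer_id", "email", "phone", "full_name")

# Constructed sample record, as it might be exported to a support-ticket or
# analytics SaaS vendor. Not real data.
SAMPLE_RECORD: Dict[str, str] = {
    "customer_id": "C-10042",
    "full_name": "Jane Example",
    "email": "jane@example.com",
    "phone": "+44 20 7946 0000",
    "plan": "enterprise",
    "ticket_text": "Customer jane@example.com reports login failures since Monday.",
}

# Toy free-text scrub: only e-mail addresses are recognised in this example.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def new_controller_key() -> bytes:
    """Key held only by the data controller (in practice in its own KMS/HSM).
    It is never transmitted to the vendor."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, field: str, value: str) -> str:
    """Deterministic keyed pseudonym: HMAC-SHA256 over field name and value.
    Same input maps to the same token, so the vendor can still join records,
    but without the key nobody can confirm a guess against the token."""
    mac = hmac.new(key, f"{field}\x00{value}".encode(), hashlib.sha256).hexdigest()
    return "tok_" + mac[:32]


def unkeyed_pseudonym(value: str) -> str:
    """Weak variant shown for contrast: an unsalted hash of the value."""
    return "tok_" + hashlib.sha256(value.encode()).hexdigest()[:32]


def guess_matches_without_key(token: str, guess: str) -> bool:
    """What a holder of a breached dataset can do with no key: hash a guess and
    compare. Succeeds against unkeyed tokens, fails against keyed ones."""
    return unkeyed_pseudonym(guess) == token


def pseudonymize_for_vendor(record: Dict[str, str], key: bytes) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Return (outbound_record, local_mapping).
    outbound_record is what crosses the boundary to the vendor; local_mapping
    (token -> original value) stays on the controller's side."""
    outbound: Dict[str, str] = {}
    mapping: Dict[str, str] = {}

    def scrub_email(match: "re.Match[str]") -> str:
        tok = pseudonym(key, "email", match.group(0))
        mapping[tok] = match.group(0)
        return tok

    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            tok = pseudonym(key, field, value)
            outbound[field] = tok
            mapping[tok] = value
        else:
            # Identifiers embedded in free text are tokenized with the same
            # field label, so they match the structured e-mail field's token.
            outbound[field] = EMAIL_RE.sub(scrub_email, value)
    return outbound, mapping


def contains_direct_identifiers(record: Dict[str, str], original: Dict[str, str]) -> bool:
    """Pre-transmission check: does any original identifier value, or an
    e-mail pattern, survive anywhere in the record about to be sent?"""
    originals = {original[f] for f in DIRECT_IDENTIFIERS if f in original}
    for value in record.values():
        if value in originals or EMAIL_RE.search(value):
            return True
    return False


def reidentify(outbound: Dict[str, str], mapping: Dict[str, str]) -> Dict[str, str]:
    """Controller-side join back to real values using the locally held mapping.
    Tokens are fixed-length, so simple substring replacement is unambiguous."""
    result: Dict[str, str] = {}
    for field, value in outbound.items():
        for tok, orig in mapping.items():
            value = value.replace(tok, orig)
        result[field] = value
    return result


if __name__ == "__main__":
    key = new_controller_key()
    outbound, mapping = pseudonymize_for_vendor(SAMPLE_RECORD, key)
    assert not contains_direct_identifiers(outbound, SAMPLE_RECORD)
    print("sent to vendor:", outbound)
    print("recovered locally:", reidentify(outbound, mapping) == SAMPLE_RECORD)
```

The property worth checking before every transmission is the one `contains_direct_identifiers` enforces: the outbound record, not the policy document, is what ends up on the vendor's infrastructure, so the check runs on the outbound record. If the vendor is breached, the attacker holds tokens plus non-identifying fields such as `plan`; with vendor-controlled server-side encryption instead, the attacker who reaches the vendor's keys holds the original values.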

The 300% surge in SaaS breaches changes the vendor risk calculation. Organizations that evaluate vendors solely on security posture and contractual commitments are trusting that their vendor will not appear in the next breach statistic. Zero-knowledge architecture eliminates that dependency.
