Systemic Risk: Banking Data Breaches and the Supply Chain

2026 banking data breaches highlight the systemic risk linked to the supply chain: here's why the weakest link is the third-party vendor.

In 2024, the Evolve Bank & Trust breach compromised the personal data of millions of customers across multiple financial platforms. Almost all major US financial institutions and many foreign ones have suffered data breaches in recent years, highlighting how a bank's security is only as strong as the weakest link in its supply chain. The current scenario, confirmed by the recent measures of the Garante Privacy in March 2026, demonstrates that third-party vendor vulnerabilities continue to represent a prevalent attack vector and a growing liability for the sector.

The impact of the Evolve Bank & Trust breach in 2024

The incident that hit Evolve Bank & Trust in 2024 represents a paradigmatic case of the inherent fragility of modern financial ecosystems. The attack was not limited to the perimeter of the single institution but generated a domino effect that compromised the personal data of millions of customers distributed across multiple financial platforms. This event demonstrated that data compartmentalization, theoretically guaranteed by cloud and distributed architectures, often fails when a third-party vendor concentrates access to vast repositories of information.

The interconnected nature of modern banking infrastructures means that a single compromised entry point can expose a disproportionate amount of data. Banks, in fact, store extremely sensitive information that goes well beyond simple login credentials. The affected databases include full name, Social Security number, account numbers, transaction history, employer, and income. The combination of this data provides malicious actors with a complete picture of the individual's identity and financial situation, making the consequences of such breaches particularly persistent and difficult to mitigate for the victims.

Supply chain and third-party vendors: the weak link in banking security

Dependence on third-party vendors is an operational necessity for modern banks, which outsource functions ranging from payment processing and data analysis to IT infrastructure management. However, this dependency has turned the supply chain into the primary vector of systemic risk. As highlighted by a DeXpose article: "Third-party vendor vulnerabilities are responsible for a growing share of major breaches." This statement reflects a reality in which attackers prefer to direct their exploits toward targets with fewer defensive resources rather than attacking the perimeter fortifications of financial institutions head-on.

Attackers are likely to exploit the implicit trust granted to vendors to move laterally within banking networks. When a financial or data analysis service provider is compromised, shared credentials and API keys become direct bridges to the bank's systems. This suggests that traditional perimeter-based security architectures are obsolete; effective security must shift to Zero Trust models, where every access, even by established partners, is continuously verified and limited to the minimum necessary.

The growing share of breaches attributable to these vectors highlights a disproportion between the level of security implemented by banks and that of their vendors. Almost all major US financial institutions and many foreign ones have suffered data breaches in recent years, and most of these incidents have roots in the compromise of an upstream vendor. The failure to enforce stringent cybersecurity standards throughout the entire supply chain nullifies the defensive investments of the primary institution.
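As an added illustration, not code from the article or from any institution it mentions, the Python sketch below shows the scoping the section above describes: each vendor key is bound to the minimum endpoints it needs and to an expiry, every call is re-verified, and replaying a constructed access log surfaces a key used outside its scope. Vendor names, key ids, endpoints and log lines are all assumptions.

```python
"""Least-privilege gate for third-party vendor API keys, plus an audit pass
that flags out-of-scope use. Constructed example; all names are assumed."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class VendorKey:
    vendor: str
    allowed_endpoints: frozenset  # the minimum necessary scope for this vendor
    expires: datetime


# Assumed registry: a payments processor only needs the payments API, an
# analytics vendor only an aggregated-reporting endpoint. Neither gets
# access to raw customer records.
KEYS = {
    "key-pay-01": VendorKey("paymentsco", frozenset({"/v1/payments"}), datetime(2026, 6, 1)),
    "key-ana-07": VendorKey("analyticsco", frozenset({"/v1/reports/aggregate"}), datetime(2026, 6, 1)),
}


def authorize(key_id: str, endpoint: str, ts: str) -> tuple:
    """Zero Trust style check run on every call: a key is trusted only for
    its listed endpoints and only until it expires. Returns (decision, reason)."""
    key = KEYS.get(key_id)
    if key is None:
        return "deny", "unknown key"
    if datetime.fromisoformat(ts) >= key.expires:
        return "deny", f"expired key for {key.vendor}"
    if endpoint not in key.allowed_endpoints:
        return "deny", f"{key.vendor} out of scope for {endpoint}"
    return "allow", ""


# Constructed access log: (timestamp, key id, endpoint). The third and fourth
# entries model an analytics key reaching for a customer-record endpoint it
# was never granted, the kind of vendor-to-bank bridge the article describes.
LOG = [
    ("2026-03-01T09:00:00", "key-pay-01", "/v1/payments"),
    ("2026-03-01T09:00:05", "key-ana-07", "/v1/reports/aggregate"),
    ("2026-03-01T09:01:00", "key-ana-07", "/v1/customers/full"),
    ("2026-03-01T09:01:02", "key-ana-07", "/v1/customers/full"),
    ("2026-03-01T09:02:00", "key-old-99", "/v1/payments"),
]


def audit(log) -> list:
    """Replay an access log through authorize() and return every denial as
    (timestamp, key id, reason), i.e. the events a SOC should alert on."""
    return [(ts, k, reason) for ts, k, ep in log
            for decision, reason in [authorize(k, ep, ts)] if decision == "deny"]
```

Replaying logs this way is also what closes the multi-year detection gap the regulatory section below describes: a denied or out-of-scope vendor call is an alertable event on day one, not a finding two years later.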

The Garante Privacy measures in 2026 on breaches

Recent regulatory actions in Italy confirm the urgency of addressing the issue of banking data security and transparency towards users. On March 26, 2026, the Garante Privacy issued a measure (no. 10234984) against a bank, following the discovery of a prolonged breach. The institution had stated that unauthorized accesses took place between February 21, 2022, and April 24, 2024. The extremely wide time window of the breach, lasting over two years, highlights severe deficiencies in anomaly monitoring and detection systems, a criticality often linked precisely to the delegated management of third-party identities and accesses.

The breach involved a wide range of subjects, including customers (and among these, as emerged during the investigations, also relatives and acquaintances of employees), as well as employees and former employees of the bank. The gravity of the situation led the Garante Privacy to order the bank, with a press release on March 30, 2026, to inform customers of the data breach within 20 days, a deadline that underscores the severity of the non-compliance previously found in the notification.

Just a few days earlier, on March 12, 2026, the Garante Privacy had issued another measure (no. 10230412) that raised issues related to profiling and unlawful data processing. The bank had required explicit consent for profiling aimed at offering personalized financial products for specific customer clusters. However, within the contested banking operation, no consent had been requested, as the bank had merely identified a predominantly digital customer segment through extractions based on conditions and objective criteria defined by internal working groups.

Regulation, supervision, and privacy by design

Regulatory evolution seeks to respond to these systemic criticalities. On February 3, 2026, the Bank of Italy issued new supervisory provisions for payment institutions and electronic money institutions. These directives impose more stringent standards for the management of operational and IT risks, requiring institutions to assess not only their own robustness but also the exposure arising from relationships with third-party vendors.

At the same time, Federprivacy published an alert on improper banking inquiries, emphasizing the need to frame these practices in light of the privacy by design and privacy by default principles introduced by the GDPR. The identification of customer segments through arbitrary extractions, such as the "predominantly digital customer" segment presumed in the case above, constitutes a logical component of the banking operation that often escapes compliance checks, especially when data flows through external analytics service providers.

The convergence of these regulatory prescriptions indicates that supervision is shifting from mere post-breach repression to requiring systems to be structured in a way that prevents improper access and extraction of data from the design phase. Banks must now demonstrate not only that they have implemented technical security measures but also that they have integrated the principles of data minimization and protection by design into daily operational processes and the logic of banking operations.

Frequently asked questions

Why do banking data breaches often occur through third-party vendors?

Third-party vendors represent the weak link because they often have privileged access to bank systems to deliver their services, but implement lower security standards. Attackers exploit this asymmetry to compromise the vendor and move laterally toward banking databases.

What sensitive data is involved in banking breaches?

Banks store extremely sensitive information such as full name, Social Security number, account numbers, transaction history, employer, and income: data that enables identity theft and complex financial fraud.

What do the Garante Privacy measures of March 2026 establish?

The Garante Privacy measures penalized the lack of adequate security measures and the failure to inform users, ordering the bank to notify customers of the breach within 20 days and intervening against the improper use of data for customer segmentation without consent.

The information has been verified on the cited sources and updated at the time of publication.

Sources