Third-party cyber risk is no longer a niche concern. The recent Rockstar incident shows how attackers are now exploiting trusted relationships, not just breaking through the perimeter.
Rockstar Games said a limited amount of non-material company information was accessed in connection with a third-party breach, with no reported impact on players or operations (The Verge, 2026). On paper, that sounds relatively contained. What makes the incident more useful is the reported route in. Public reporting suggests the attackers may have reached Rockstar through a trusted third-party path involving Anodot and Snowflake, rather than through a more conventional direct compromise (Computer Weekly, 2026). That matters because it points to a problem many organisations still do not test hard enough: some of the most serious routes in now come through access that already looks legitimate.
If that reporting is right, the lesson is straightforward. The issue was not just that Rockstar was targeted. It was that the reported route appears to have relied on access that already existed and trust that had already been granted.
The perimeter is no longer the problem
A lot of cyber thinking is still shaped around the perimeter. Are we patched? Do we have MFA? Have we trained staff? Are endpoints protected? Those are all sensible questions. They are also no longer enough on their own. Modern businesses do not operate only on their own systems. They operate through suppliers, analytics platforms, connectors, outsourced services, service accounts, and delegated identities that become part of day-to-day operations so quickly they stop looking like security decisions at all.
That is where the problem becomes harder to see.
It is not just supplier risk. It is trust debt
Trust debt builds up when access is granted for speed, convenience, or commercial usefulness, then quietly outlives the decision that justified it. A supplier keeps broad visibility because narrowing it feels painful. A service account stays over-permissioned because nobody wants to break the workflow it supports. An analytics tool sits close to sensitive data because it produces useful insight and no one has felt the need to challenge the relationship since it was put in place.
Over time, those decisions stop feeling like security decisions at all. They just become part of how the business works. That is exactly what makes them dangerous. This is how third-party cyber risk quietly builds over time, not through a single decision, but through accumulated trust that is never revisited.
That is what makes the Rockstar breach worth paying attention to. If the reported route did involve a trusted analytics layer and stolen tokens, this was not a straightforward attacker-versus-perimeter story. It was a case of a modern estate being compromised through relationships, services, and identities that already made operational sense on paper.
What the data is telling us about third-party cyber risk
Verizon’s 2025 Data Breach Investigations Report supports the wider shift to third-party attacks. Third-party involvement featured in 30% of breaches, roughly double the previous year, while credential abuse remained one of the most common initial access routes (Verizon, 2025). That should force a different question. The issue is no longer only how to stop attackers getting into an environment. It is what happens when they arrive through a path, service, or identity the business already trusts. It is a harder question, but it is also the one that gets closer to real exposure.
Because the real exposure usually does not sit in the obvious places. It sits in inherited access nobody has reviewed in months. The integration that was useful enough to get approved and then quietly forgotten. The supplier relationship that made complete operational sense but widened the trust surface of the business. The token or service account that now does far more than anyone would be comfortable with if they had to explain it under pressure.
Those are not abstract governance problems. They are often the difference between an incident that is containable and one that becomes disruptive.
We have already seen how quickly that kind of exposure stops being a technical issue and becomes a business problem.
The business impact does not stay in the security team
When we covered the JLR incident last year, one of the clearest lessons was that cyber events do not stay neatly inside the security team for very long. JLR said in September 2025 that its retail and production activities had been severely disrupted by a cyber incident and that systems had been proactively shut down while recovery work continued. It later extended the production pause. By November, the company disclosed £196 million in cyber-related costs for the quarter and said production had returned to normal levels only by mid-November (Jaguar Land Rover, 2025a; Jaguar Land Rover, 2025b; Jaguar Land Rover, 2025c). That is the part breach coverage often underplays. The impact is rarely “security team investigates incident”. It becomes a production issue, a fulfilment issue, a supplier confidence issue, a recovery issue, and eventually a financial issue. It becomes a leadership problem.
The Rockstar and JLR incidents are not identical, and it would be lazy to pretend they are. JLR did not formally attribute its attack. Rockstar’s incident has been publicly linked to ShinyHunters. But reporting around JLR pointed to a group using the name Scattered Lapsus$ Hunters, while ZeroFox later reported that a leak site associated with that grouping had been renamed to ShinyHunters during a wider extortion-focused campaign (ITV News, 2025; ZeroFox, 2026). That does not prove the same actors were responsible in exactly the same way. It does, however, suggest a broader criminal ecosystem that is fluid, opportunistic, and comfortable moving across sectors and trust boundaries.
That is why this matters beyond one breach, one brand, or one supplier.
The real issue is visibility, traceability, and control
The deeper issue is how much trust organisations quietly embed into systems and services they no longer inspect closely enough. Once access is distributed across suppliers, analytics platforms, connectors, cloud services, and delegated identities, the issue is not only who gets in. It is what they can see, what they can move, what they can infer, and whether the organisation can trace what happened afterwards with enough confidence to respond properly.
Where this gets harder than most teams expect
That is not just a security tooling issue. It is a visibility, traceability, and control issue.
It is also where cyber, data, and AI begin to converge in a more practical way.
If the reported Rockstar route did involve an analytics platform sitting close to a Snowflake environment, then the lesson is not just about supplier exposure in the old sense. It is about what happens when modern estates become layered with optimisation tooling, analytics services, connectors, and delegated access that all make sense individually, but collectively deepen the trust surface underneath. Businesses want speed, automation, and better insight. Fair enough. But every additional platform that can see, move, analyse, enrich, or act on data changes the shape of the attack path. That is not an argument against modern tooling. It is an argument for being much more deliberate about access, visibility, traceability, and control.
This is where a broader data conversation starts to matter too.
The issue is not simply that a supplier might be weak. It is whether the data moving through those relationships is properly classified, governed, traceable, and controlled. This is often where organisations realise they are managing data and using data, but not properly optimising the lifecycle underneath it.
That is where trust stops being a vague aspiration and starts becoming something that has to be evidenced.
This is where many organisations discover how little of that picture they can answer quickly.
The questions most organisations still cannot answer quickly
Which third parties have meaningful access to sensitive systems right now?
Which integrations rely on long-lived tokens or service accounts?
Which tools sit close enough to important data flows that compromise would create more than a technical inconvenience?
Which supplier failure would become a real operational problem tomorrow morning, not just a red box on a risk register?
What data moves across those relationships, and how confidently could the business evidence that under pressure?
Those are the questions that separate “we have controls” from “we actually understand our exposure”.
That is the value in a story like Rockstar. It is a reminder that modern cyber exposure often sits not only in what an organisation owns directly, but in what it has learned to trust by default.
What third-party cyber risk should prompt you to review
The useful lesson in the Rockstar breach is not simply that another high-profile company has been hit. It is that modern attacks increasingly move through trusted relationships, service accounts, analytics platforms, delegated access, and identity paths that already sit inside normal operations. That is why trusted access deserves far more scrutiny than it usually gets, and why it is still one of the easiest places for organisations to assume they are safer than they really are.
That is the reality of third-party cyber risk today. It is not just about who gets in, but how much they can do once they arrive through trusted access.
Take our Cyber Health Check
If you want a clearer view of where your vulnerabilities and resilience gaps may sit, take our Cyber Health Check.
It is a practical way to assess your current posture and identify where hidden exposure may be building across users, access, suppliers, and trusted relationships.
References
Computer Weekly (2026) ‘Grand Theft Auto’ publisher Rockstar hit by hackers again, 13 April. Available at: https://www.computerweekly.com/news/366641486/Grand-Theft-Auto-publisher-Rockstar-hit-by-hackers-again
ITV News (2025) M&S hackers ‘claim to be behind Jaguar Land Rover cyber attack’, 4 September. Available at: https://www.itv.com/news/central/2025-09-04/m-and-s-hackers-claim-to-be-behind-jaguar-land-rover-cyber-attack
Jaguar Land Rover (2025a) Statement on Cyber Incident, 2 September. Available at: https://media.jaguarlandrover.com/news/2025/09/statement-cyber-incident
Jaguar Land Rover (2025b) Statement on cyber incident, 16 September. Available at: https://media.jaguarlandrover.com/news/2025/09/statement-cyber-incident-2
Jaguar Land Rover (2025c) JLR Performance Impacted in Challenging Quarter, 14 November. Available at: https://media.jaguarlandrover.com/news/2025/11/jlr-performance-impacted-challenging-quarter
The Guardian (2026) Hacker group threatens to release Grand Theft Auto VI data in Rockstar Games attack, 13 April. Available at: https://www.theguardian.com/games/2026/apr/13/grand-theft-auto-vi-rockstar-games-data-hack-ransom
The Verge (2026) Rockstar Games says hack will have ‘no impact’, 12 April. Available at: https://www.theverge.com/games/910815/rockstar-games-says-hack-will-have-no-impact
Verizon (2025) 2025 Data Breach Investigations Report, April. Available at: https://www.verizon.com/business/resources/reports/dbir/
