Supply Chain Attack

What Is a Supply Chain Attack?

A supply chain attack is a cyberattack that attempts to inflict damage on a company by exploiting vulnerabilities in its supply chain network. A supply chain attack entails continuous network hacking or infiltration to gain access to a firm’s network in order to cause disruptions or outages, which ultimately harm the target company.

Interconnectivity of supply chains is raising risk. In 2020, Accenture indicated that 40% of cyberattacks originated from the extended supply chain.

Key Takeaways

  • A supply chain attack seeks to infiltrate and disrupt the computer systems of a company's supply chain in order to harm that target company.
  • The idea is that key suppliers or vendors of a company may be more vulnerable to attack than the primary target, making them weak links in the target's overall network.
  • Supply chain attacks can be more commonplace than attacks on primary targets, and they originate through hacking attempts or the insertion of malware.

Understanding Supply Chain Attacks

The supply chain network is a frequent target for cyber crimes, as a weak link in the supply chain can grant cyber criminals access to the larger organization that holds the data they seek. Supply chain attacks expose a conundrum in a company’s supply network: an organization’s cyber security controls are only as strong as those of the weakest party on the chain.

The adoption of various forms of emergent technology has brought about an enormous amount of data in various forms. Through resources like the internet, cell phones, and cloud computing, companies can now electronically obtain data and share it with their partners and third-party vendors. Entities like individuals, businesses, and governments believe that relevant information mined from the data set can be used to improve their operations and processes, and thus improve their customer engagement. But the exchange of data among various companies brings with it a certain level of risk, which includes cyber theft. Sophisticated cyber criminals also realize the importance of the data held by companies and devise strategies to gain access to the sensitive data.

The drive to minimize operational costs through technological progress brought about the need for a supply network. A company’s supply network usually consists of third-party entities like manufacturers, suppliers, handlers, shippers, and purchasers, all involved in the process of making products available to the end consumers. Because the target company may have a security system that is impenetrable even to sophisticated cyber criminals, supply chain attacks are carried out against the third-party businesses on the chain that are deemed to have the weakest internal measures and processes in place. Once one member’s security protocols are found to be weak, the member’s vulnerabilities become the target company’s risk.

Another way a supply chain can be attacked is through malicious software, popularly known as malware. By embedding malware such as worms, viruses, spyware, and Trojan horses, along with counterfeit components that modify the source code of a manufacturer’s software, cyber attackers can gain entry into the target company’s files and steal its proprietary information.

Example of a Supply Chain Attack

There are several ways a supply chain can be attacked. Theft of a vendor’s credentials can lead to the infiltration of the companies affiliated with the vendor. For example, Target was the victim of a supply chain attack in 2013. Its security measures were breached when the security credentials of one of its third-party vendors were compromised. The credentials typically included login, passwords, and network access to Target’s computer. The vendor’s questionable security practices allowed hackers to gain entry into Target’s system, resulting in the theft of 70 million customers’ personally identifiable information. The aftermath of the breach led to the CEO’s resignation and enormous costs for the company, which topped $200 million.

Article Sources
  1. Accenture. "Securing the Supply Chain." Accessed Feb. 11, 2021.

  2. United States Senate, Committee on Commerce, Science, and Transportation. "A 'Kill Chain' Analysis of the 2013 Target Data Breach," Page 2. Accessed Feb. 11, 2021.

  3. Star Tribune. "Target Sues Insurer for Up to $74 Million in 2013 Data Breach Costs." Accessed Feb. 11, 2021.