SupplyChainBrain Think Tank blog post by Steve Durbin (SCB Contributor) highlights how recent cyberattacks on widely distributed networks are shaking industries that previously considered themselves immune to such threats. For both manufacturers and retailers, these incidents underscore the reality that the threat is pervasive across all industry categories. The technological revolution in supply chain management is opening new security vulnerabilities. According to a 2024 report, 35.5% of all data breaches are attributed to third-party threats—up from 29% a year earlier.

United Natural Foods Inc. (UNFI), the primary distributor for Amazon-owned Whole Foods, was hit by a cyberattack that threw Whole Foods' operations into chaos. UNFI supplies over 30,000 stores and detected unauthorized activity on its computer network on June 5, 2025, subsequently taking certain systems offline. The attack severely hampered UNFI's ability to ship and deliver, leaving Whole Foods with empty shelves.

Sensata Technologies, a leading manufacturer of sensors and electrical components used by the automotive and aerospace industries, was hit by a ransomware attack in March that resulted in the exfiltration of employee personal information and caused disruptions to shipping, production, and other operations.
Steve Durbin is CEO of the Information Security Forum (ISF)—an independent organization based in London, UK, that develops global cybersecurity standards. UNFI (Providence, Rhode Island), under CEO Sandy Douglas, is the largest food wholesaler in the U.S., holding a long-term strategic distribution agreement with Whole Foods Market (Austin, Texas; Amazon-owned; CEO Jason Buechel). Sensata Technologies (Attleboro, Massachusetts), led by CEO Stephan von Schuckmann, is a global manufacturer of sensors and controls serving the automotive, aerospace, industrial, and HVAC sectors. Other significant recent supply chain cyberattack incidents include Colonial Pipeline (May 2021; DarkSide ransomware), JBS Foods (June 2021; REvil), SolarWinds Orion (December 2020; APT29/Cozy Bear), Kaseya VSA (July 2021; REvil), MOVEit Transfer (May 2023; Cl0p), Change Healthcare (February 2024; BlackCat/ALPHV), CDK Global (June 2024; BlackSuit), and UnitedHealth Group.
The global cybersecurity ecosystem includes leading providers such as Microsoft Defender, CrowdStrike Falcon (CEO George Kurtz; Austin, Texas), Palo Alto Networks (CEO Nikesh Arora), Fortinet, Check Point, Cisco Talos, SentinelOne, Trend Micro, Sophos, Bitdefender, Kaspersky, ESET, McAfee, Symantec (Broadcom), Mandiant (Google Cloud), FireEye (Trellix), Rapid7, Tenable, Qualys, Splunk (Cisco), Datadog, Cloudflare, Akamai, Zscaler, Okta, CyberArk, Snyk, Wiz, Lacework, and Orca Security. The Third-Party Risk Management (TPRM) software category includes leading providers such as BitSight, SecurityScorecard, RiskRecon (Mastercard), Black Kite, Panorays, OneTrust, ProcessUnity, LogicGate, Archer, and ServiceNow GRC. Key frameworks include SBOM (Software Bill of Materials), SLSA (Supply-chain Levels for Software Artifacts), and NIST SP 800-161. Primary U.S. cybersecurity actors include CISA (Cybersecurity and Infrastructure Security Agency), the NSA, and the FBI Cyber Division.
The five risk mitigation approaches highlighted by Steve Durbin are: (1) third-party risk assessment—continuous evaluation of supplier cybersecurity posture; (2) zero trust architecture, identity and access management (IAM), and privileged access management (PAM); (3) an incident response plan and tabletop exercises; (4) endpoint detection and response (EDR), extended detection and response (XDR), and security information and event management (SIEM); (5) employee training and phishing simulation. NIS2 (Network and Information Security Directive 2)—effective in the EU in 2024—imposes cybersecurity obligations. DORA (Digital Operational Resilience Act) came into force for the EU financial sector in January 2025. In the U.S., Executive Order 14028 (May 2021) raised federal cybersecurity standards. In conclusion, the UNFI-Whole Foods and Sensata Technologies incidents serve as concrete evidence of the operational, financial, and reputational impacts of supply chain cyber risks, making it clear that manufacturers and retailers must treat third-party risk management capabilities as a strategic priority.
Key Takeaways:
1. Steve Durbin (ISF) emphasizes pathways to mitigate supply chain cyber risks.
2. According to 2024 data, 35.5% of all data breaches are attributed to third-party threats.
3. UNFI halted Whole Foods distribution following the June 5, 2025 cyberattack.
4. Sensata Technologies experienced operational disruption from a March 2025 ransomware attack.
5. Zero trust, EDR/XDR/SIEM, and employee training are key mitigation tools.