You wouldn’t hand your office keys to a stranger, but every time our university uses a third-party vendor or software service, we’re essentially doing the digital equivalent. Today, let’s talk about one of the fastest-growing threats to higher education: supply chain attacks.

What Is a Supply Chain Attack?

A supply chain attack happens when cybercriminals compromise a trusted vendor, software provider, or service that our university relies on. Instead of attacking us directly, they break into a company we trust—then use that trusted relationship as a backdoor into our systems.

Think of it like this: if a thief can’t break into your house, they might trick the plumber you invited inside. The danger is that these attacks often happen completely behind the scenes. You might never see anything suspicious, but our university’s data could still be at risk.

Recent Wake-Up Calls

This isn’t theoretical. Major supply chain attacks have rocked organizations worldwide in recent years:

• Change Healthcare (2024): A ransomware attack on one of the world’s largest health payment processors compromised up to 6 terabytes of patient data from millions of people. Healthcare providers across the country experienced massive disruptions to payment processing and operations.
• US Department of the Treasury (December 2024): Chinese state-sponsored hackers compromised BeyondTrust, a remote tech support provider, to access Treasury Department systems. The attackers gained a security key and used it to override security controls and access sensitive government workstations—all through a trusted vendor’s product.
• CDK Global (2024): A ransomware attack on this software provider paralyzed nearly 15,000 North American car dealerships. Dealerships were forced to use pen and paper for days or even weeks, with financial losses exceeding $1 billion. This shows how one vendor compromise can cascade across an entire industry.
• Snowflake (2024): A breach of this cloud data platform exposed sensitive information from 165 major organizations. Attackers didn’t hack each organization individually—they compromised the single vendor they all trusted.
• Polyfill.io (July 2024): After this domain was acquired, attackers altered the code loaded by approximately 385,000 websites, including those of Warner Bros, Hulu, and Mercedes-Benz, redirecting users to malicious sites.
• SolarWinds (2020): Hackers compromised a widely used IT management platform, affecting thousands of organizations, including government agencies and universities. Users saw nothing unusual, but attackers had access to sensitive systems for months.
• MOVEit Transfer (2023): A vulnerability in this popular file transfer tool was exploited to steal data from hundreds of organizations, including multiple higher education institutions. Universities lost sensitive student and employee records.

According to recent cybersecurity research, supply chain attacks surged by 25% from 2024 into 2025, with attacks through third-party vendors doubling between 2023 and 2024. Supply chain attacks hit 22 of 24 tracked industry sectors in the first five months of 2025 alone.

The Higher Education Target

Universities are particularly attractive to supply chain attackers. We use dozens of third-party services: learning management systems like Canvas or Blackboard, student information systems, research collaboration platforms, grant management tools, library services, financial aid processors, and countless cloud applications. Each one represents a potential entry point.

Our research data, student information, intellectual property, and financial systems are all valuable commodities. Worse, the open and collaborative nature of higher education can make it harder to spot when something’s wrong.

What This Looks Like in Practice

Supply chain compromises don’t always announce themselves. Here are scenarios to be aware of:

• SCENARIO 1: The Invisible Breach. You use a vendor portal for grant management every day. Everything looks normal. But behind the scenes, the vendor was compromised three months ago, and attackers have been slowly extracting university financial data. You’d never know until the vendor or our OIT team discovers the breach.
• SCENARIO 2: The Suspicious Request You receive an email from your student advising software vendor asking you to “verify your credentials” by clicking a link or requesting that you temporarily disable multi-factor authentication for “system maintenance.” The email looks legitimate and comes from their domain. This could be a compromised vendor account being used to phish our community.
• SCENARIO 3: The Urgent Update. A vendor you’ve worked with for years suddenly sends an urgent software update outside their normal schedule. The update could be legitimate—or it could be malware being distributed through a compromised vendor system.
• SCENARIO 4: The Changed Terms A vendor emails requesting access to additional university systems or data they’ve never needed before, claiming it’s for “enhanced features” or “improved service.” This could be a legitimate business need or a compromised vendor account being used to expand access.

What You Can Do

Supply chain security is everyone’s responsibility. Here’s how you can help protect our university:

1. Report Vendor Concerns to the OIT Help Desk. If something feels off about a vendor interaction, trust your instincts. Contact the OIT Help Desk immediately if you notice:
   • Unusual requests for credentials or access
   • Unexpected software updates or system changes
   • Strange emails or communications from vendors
   • Requests to disable security features
   • Vendors asking for access to systems or data outside their normal scope
2. Review Vendor Communications Carefully Before acting on any vendor request, especially urgent ones:
   • Verify the sender’s email address carefully (not just the display name)
   • If in doubt, contact the vendor through a known phone number or website—not by replying to the suspicious email
   • Be skeptical of urgent requests that pressure you to act quickly
   • Know Your Vendor Contracts. If you manage vendor relationships:
   • Understand what data the vendor has access to
   • Know who at the university is authorized to communicate with the vendor
   • Review security requirements in your contracts
   • Ensure vendors notify you of security incidents promptly
3. Maintain Strong Authentication. Always use strong passwords and multi-factor authentication (MFA) for vendor systems. Never disable security features, even if asked by a vendor—contact OIT first.
4. Stay Informed Pay attention to security communications from OIT about vendor issues or compromises affecting higher education.

The Bottom Line

Supply chain attacks are sophisticated and often invisible. A vendor you’ve trusted for years could be compromised tomorrow, and you might never see any warning signs on your end. That’s why it’s crucial to stay vigilant and report anything unusual to the OIT Help Desk.

The statistics are sobering: 75% of software supply chains reported attacks in 2024, and researchers predict these attacks will continue to rise. But awareness is our first line of defense.

Remember: You’re not being paranoid or difficult by questioning vendor requests or reporting concerns. You’re being a good steward of our university’s data and our community’s trust. When in doubt, report it. False alarms are better than missed threats.