98% of France’s Largest Companies Affected by Third-Party Breaches, New SecurityScorecard Report Finds
PARIS — 14th May 2025 — SecurityScorecard today published its 2025 France Cybersecurity Report, which found that 98 of the country’s 100 largest companies experienced at least one third-party breach in the past 12 months. The report assesses the external cyber risk posture of France’s top firms by market capitalization and highlights persistent exposure across critical supply chain dependencies.
The report, now in its second year, draws on SecurityScorecard’s proprietary data and examines key risk factors such as network security, endpoint hygiene, patching cadence, application vulnerabilities, and DNS health. While some firms have improved internal defenses, the data shows that most breaches are now entering through vendors, not enterprise infrastructure.
Key Findings:
- 98% of France’s top 100 companies were affected by at least one third-party breach in the past year.
- 100% had at least one breached fourth-party supplier.
- Direct breaches dropped slightly—from 7% last year to 4% this year—with insider threats and malware as the primary causes.
- The top 25 companies experienced more than twice as many third-party breaches as the bottom 25.
- 94% of companies with an “A” security rating had no known breaches.
- 29% of companies were rated “C” or lower, down from 40% in last year’s report.
“Direct breaches are down, but third-party exposure now affects nearly every major French company,” said Corian Kennedy, Senior Manager of Threat Insights & Attribution at SecurityScorecard. “Internal controls are no longer enough. Without visibility into vendors and their dependencies, the breach path remains wide open.”
Sector Highlights:
- Construction & Infrastructure: All evaluated companies were rated “C” or below and experienced third-party breaches, indicating a high level of risk.
- Industrial: This sector showed notable improvement, with only 13% of companies rated “C” or lower, down from 42% last year.
- Financial: This sector reported the lowest level of third-party breach exposure, with 93.75% of companies affected—still high, but below the national average.
Recent Incidents Underscore the Stakes:
In August 2024, RansomHouse targeted the University of Paris-Saclay, extracting sensitive academic records and disrupting operations. During the 2024 Summer Olympics, the Grand Palais Museum Network experienced a ransomware attack that forced a shutdown of internal systems. These cases demonstrate how digital risks can extend beyond the private sector, affecting public institutions and critical events.
International Comparison:
France’s supply chain breach exposure (98% third-party, 100% fourth-party) surpasses that of neighboring countries. By comparison, companies rated “C” or below represent 24% in the UK, 34% in Germany, and 41% in Italy. Scandinavian firms lead with only 20% rated at this level. The results point to the need for improved supply chain governance and vendor accountability in France.
Recommendations:
To strengthen digital supply chain resilience, SecurityScorecard recommends that organizations:
- Improve visibility into third- and fourth-party relationships.
- Prioritize application and network security as foundational defenses.
- Replace periodic vendor assessments with continuous monitoring.
- Require secure-by-design practices in vendor contracts and procurement.
- Apply strong access controls, multi-factor authentication, and timely patching.
France’s cyber risk posture reflects a global reality in which digital supply chains have become the primary attack surface. Adversaries are exploiting indirect paths at scale, and traditional controls are no longer sufficient. Security now demands real-time, evidence-based oversight across the entire vendor ecosystem. That includes fourth-party relationships. Anything less leaves critical systems exposed.
Read the full report and access data by sector here.
About SecurityScorecard
SecurityScorecard created Supply Chain Detection and Response (SCDR), a new model for protecting against supply chain attacks. Its platform combines industry-leading security ratings, real-time monitoring, and proprietary threat intelligence. The MAX platform provides breach prediction, prioritized risk insights, and recommended actions to strengthen organizational resilience across internal and third-party environments.
SecurityScorecard is trusted by over 3,000 organizations globally, including two-thirds of the Fortune 100. The company is recognized as a trusted resource by the U.S. Cybersecurity & Infrastructure Security Agency (CISA) and supported by leading global investors.
Learn more at securityscorecard.com or follow us on LinkedIn.