Fiserv's breach took days to source because its supply chain ran through years of acquisitions. 30% of breaches involve third parties, yet most companies still can't see them.
When Fiserv disclosed a breach earlier this year, the detail that stood out was the timeline. A company with 40,000 employees and decades of security investment needed three to four days just to trace where the breach had entered its systems.
That’s a story about the complexity of a supply chain built through years of acquisitions, integrations, and legacy technology that was never fully mapped.
The M&A dynamic nobody talks about in security briefings
Fiserv has been on an acquisition run for years. So has Global Payments, which recently acquired WorldPay. So has Shift4. These are not unusual moves in FinTech; consolidation is how the largest payment processors grow. The security problem is that each acquisition brings with it a digital supply chain the acquirer has never fully examined.
Jordan Lawrence, a twenty-year veteran of the FinTech space, put it directly in our recent conversation on the All Things Cyber podcast:
"They know what they're buying from a due diligence perspective, but they don't know what they're buying from a cybersecurity perspective."
Jordan Lawrence, CEO, Damisa
What that means in practice is that every acquisition brings a new set of third-party connections, legacy infrastructure, and forgotten endpoints that now sit inside the acquiring company's perimeter, connected to its core systems, assessed by nobody.
A breach can enter through any of them. When it does, the first challenge is not remediation. It is finding the entry point in a supply chain that was never fully mapped.
The problem is structural, not accidental
30% of all confirmed data breaches now involve a third party, according to the Verizon DBIR 2025, and that’s double the figure from the previous year. This exposure extends well beyond cybersecurity into operational, financial, compliance, and reputational risk, because it lies in the ecosystem, not just the perimeter.
The Equifax breach followed a similar logic. The cause was an unpatched vulnerability in a third-party library that Equifax used, which nobody had caught in a routine review. The breach compromised the personal data of 147 million people. The entry point was a dependency that was present in the infrastructure but not actively managed.
Fiserv's situation is structurally similar, scaled up by the complexity that comes with decades of acquisitions and the technology debt that accumulates in companies that have grown faster than their security programs.
The knock-on effect of supply chain breaches
The cascading effect of a breach in connected digital ecosystems is often larger than the original breach. The Fiserv breach impacts every company in its ecosystem. Merchants, payment processors, banks, and FinTechs relying on Fiserv infrastructure all faced the same question when the breach was disclosed: am I impacted by this?
That is the question that arrives in security teams on a Tuesday morning when a major vendor announces an incident. Most teams cannot answer it quickly, because answering it requires understanding the full scope of how that vendor sits in their digital supply chain.
- What data passes through Fiserv?
- Which systems connect to it?
- What would break, or be exposed, if that connection were compromised?
This is the core challenge ThingsRecon was built to address, allowing companies to maintain a living map of their supply chain to understand exposure before the phone starts ringing.
What companies should take from this
The Fiserv breach is a useful point of reference not because it is exceptional but because it is representative. Large FinTechs with mature security programs, years of compliance investment, and dedicated teams still find themselves in a position where a breach takes days to source and the response timeline is driven by the complexity of a supply chain nobody fully mapped.
The question for any FinTech operating at scale is straightforward: if something similar happened to you today, how long would it take to trace the source? If the honest answer is more than a few hours, the supply chain map is the gap.
Acquisitions are not going to slow down. The payment infrastructure is going to continue consolidating. Every merger brings a new layer of third-party exposure. The companies that build visibility into that exposure before a breach happens are the ones that will be able to respond when it does.
Watch the full conversation: All Things Cyber Ep.6. Robin de Vries and Jordan Lawrence on stablecoins, supply chain risk, and the cyber blind spots in FinTech.





