Vendor Insider Threat Risk: What the 2025 Coinbase Breach Should Tell Every Small Business Owner
The 2025 Coinbase breach did not start with a sophisticated cyberattack. It started with a handful of contracted customer support agents who were bribed to hand over customer records. No zero-day exploit. No nation-state hacking team. Just a small number of people who had legitimate access to sensitive data and decided to sell it. This is a textbook example of vendor insider threat risk – and for small business owners, it is a hidden liability that reaches far beyond crypto companies. Enterprise security teams have a name for this risk category. Most small businesses discover it only after the damage is done.
- What Actually Happened at Coinbase
- Why Contractors and Offshore Support Create a Different Risk Profile
- Your Vendor’s Vendors: The Chain You Never Vetted
- How Small Businesses Inherit This Risk
- What a Well-Run IT Relationship Has in Place
- Questions Worth Asking Your Current IT or SaaS Vendors
- Steps to Actively Reduce Your Vendor Insider Threat Risk
- The Bottom Line
What Actually Happened at Coinbase
In May 2025, Coinbase disclosed that a small group of contracted overseas support agents had been bribed by external criminals to steal customer data. The stolen records included names, addresses, phone numbers, government ID images, and partial account information. Coinbase estimated the breach could cost the company up to $400 million in remediation and customer reimbursement costs.
What made this incident significant was not its scale – Coinbase said less than 1% of monthly transacting users were affected. What made it significant was its method. The attackers did not break through a firewall. They recruited people who already had access. At its core, this was a people problem wrapped in a vendor structure that made accountability difficult to assign.
Coinbase has substantial security resources – compliance programs, internal controls, and a security budget most small businesses will never approach. They were still hit through a contracted support channel. That is the detail worth sitting with.
Why Contractors and Offshore Support Create a Different Vendor Insider Threat Risk Profile
When a company offshores or subcontracts a support function – customer service, technical helpdesk, data entry, claims processing – the people doing that work are not employees. They are not hired, trained, or managed by the company whose data they are touching. Their employment relationship is with a vendor. Their loyalty, by structure, is divided.
This creates a vendor insider threat risk profile that is fundamentally different from a threat involving a direct employee. With employees, you control the hiring process, the background check, the onboarding, the code of conduct, and the termination procedure. With contracted support staff, your vendor controls all of that. You inherit the output of their process – including whatever gaps exist in it.
The Cybersecurity and Infrastructure Security Agency (CISA) defines insider threats as threats that originate from people with authorized access – current or former employees, contractors, or business partners. Contractors are explicitly included. The threat category does not stop at your payroll.
Bribery, as used in the Coinbase incident, is one of the oldest attack vectors in existence. It is not technical at all. It targets the human layer directly – and it is far more effective when the targets are part of a workforce that is geographically distant, less well-compensated, and less tightly integrated into the culture of the organization they serve.
Your Vendor’s Vendors: The Chain You Never Vetted
Here is where small businesses face a specific and underappreciated exposure. Most small business owners vet their primary vendors – the IT company they hire, the payroll platform they use, the CRM they subscribe to. What they rarely vet is what those vendors do with the work.
Your IT company may subcontract their after-hours helpdesk to a third-party service. Your SaaS platform may route support tickets through a contracted offshore team. Your accounting software vendor may use a third-party data center staffed by contractors. In each case, people who have never signed your acceptable use policy, never been vetted by your team, and are never visible to you on a normal business day have some degree of access to systems that touch your data.
This is not hypothetical. It is standard operating procedure across managed services, SaaS, and virtually every other vendor category that handles business data. The question is not whether it happens. The question is whether the vendor you chose has controls in place to manage it – and whether you have ever asked.
How Small Businesses Inherit This Risk
A small business does not need to be a crypto exchange to face vendor insider threat risk. Consider what your vendors can typically access:
- Your IT vendor likely holds administrative credentials to your systems, your email environment, and possibly your file storage.
- Your payroll platform holds Social Security numbers, banking information, and compensation data for every employee.
- Your CRM holds years of customer contact data, deal history, and possibly sensitive communications.
- Your cloud storage vendor – or the IT vendor who manages it – can often access files directly, depending on how permissions are configured.
- Your backup platform holds copies of nearly everything, which makes it especially attractive as a target.
Now ask yourself: do you know whether each of those vendors subcontracts any of their support or operations functions? Do you know where those subcontracted workers are located? Do you know what background screening the subcontractor uses? Do you know whether your vendor even has a vendor management policy of their own?
Most small business owners cannot answer those questions. That is not a criticism – vendor risk management has historically been an enterprise discipline. But the threat environment has changed. Attackers know that small businesses connect to the same vendor ecosystems as large ones. That makes the supply chain a reliable attack surface regardless of the size of the ultimate target.
What a Well-Run IT Relationship Has in Place
A well-run IT relationship – the kind that has produced zero client breaches across every client served since 2004, as Xact IT Solutions can demonstrate – is not just about the technology stack. It is about the structure of the relationship, the visibility the client has into who touches their environment, and the controls that exist at every layer of the vendor chain.
Here is what that looks like in practice for a mature cybersecurity and managed IT program:
- Least-privilege access architecture: no vendor technician – staff or contractor – gets more access than the specific task requires, and that access is time-limited where possible.
- Multi-factor authentication on all administrative accounts, including those used by vendor staff, so a bribed or compromised contractor cannot simply log in with stolen credentials.
- Session logging and privileged access monitoring, so that what vendor staff do inside your environment is recorded and reviewable – not invisible.
- Vendor due diligence documentation: a well-run IT firm should be able to tell you who has access to your environment, under what conditions, and what vetting those individuals went through.
- Written subcontractor policies: if your IT vendor uses subcontractors for any function, those subcontractors should be bound by the same data handling and access control standards as the primary vendor’s own staff.
- Annual review cycles: vendor relationships should not be set and forgotten. The risk profile of a vendor can change – new ownership, new subcontractors, staff turnover in sensitive roles.
None of this is exotic. These are mature, auditable controls. The problem is that most small businesses have never asked their vendors whether these controls exist – and most vendors have never volunteered the information.
Questions Worth Asking Your Current IT or SaaS Vendors
You do not need to become a security auditor to protect your business from vendor insider threat risk. You need to ask the right questions and pay attention to how vendors respond – including whether they answer directly or deflect.
- Do you use any subcontractors or third-party staff who have access to our data or systems? If so, who are they and what do they access?
- What background screening applies to those subcontracted individuals, and who runs that process – you or the subcontractor?
- How is privileged access to our environment managed? Is it logged? Who reviews those logs?
- What is your incident response procedure if one of your staff or contractors is found to have misused access to a client’s data?
- Have you had any data incidents – breaches, unauthorized access events, or insider conduct issues – in the past three years?
- Do you hold any third-party security certifications or undergo regular audits? If so, by whom?
A vendor who answers these questions clearly, specifically, and without hesitation has thought about these risks and built controls around them. A vendor who gets defensive, vague, or pivots to talking about their technology products instead of their people controls is telling you something important.
For reference, the NIST Cybersecurity Framework includes supply chain risk management as a core function – meaning the framework that guides mature security programs explicitly recognizes that your risk does not stop at your own front door. It extends through every vendor relationship you maintain.
Steps to Actively Reduce Your Vendor Insider Threat Risk
Understanding vendor insider threat risk is the first step. Acting on it is the second. Here is a practical framework for small businesses that want to reduce their exposure without overhauling their entire vendor stack.
Start with an access inventory. List every vendor that has any form of access to your systems, data, or network. Include your IT provider, payroll platform, CRM, cloud storage, backup service, and any SaaS tool where support staff could theoretically reach your data. A spreadsheet is sufficient. The goal is visibility – you cannot manage what you have not mapped.
Request subcontractor disclosures. For each vendor on your list, formally ask whether they use subcontractors or third-party staff in any role that touches your environment. Document the response. Vendors that refuse to answer or cannot answer are flagging a risk.
Review contractual protections. Your vendor agreements should require the vendor to apply the same data handling and access control standards to any subcontractors they use. If your current contracts do not include this language, raise it at your next renewal. For guidance on what strong contractual protections look like, the managed IT services team at Xact IT Solutions can walk you through what to look for.
Implement conditional access where possible. Work with your IT provider to ensure that any vendor accessing your systems must authenticate through multi-factor authentication. Where your systems support it, implement conditional access policies that restrict administrative logins to known devices and locations.
Schedule annual vendor reviews. Vendor insider threat risk is not static. Vendors change ownership, add subcontractors, experience staff turnover, and shift their operations models. An annual review – even a brief one – ensures that the vendor relationship you entered two years ago still reflects current reality.
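As an added example (not code from this article or from Xact IT Solutions), the short Python review script below ties together the access inventory, the time-limited access, and the known-device/location restriction described in the steps above: it checks constructed privileged-access log lines against a constructed vendor inventory and flags accounts that were never mapped, access used after its agreed expiry, and logins from sources the inventory does not approve. The account names, vendor names, and log line format are assumptions made for the example.

```python
"""Review privileged-access log lines against a vendor access inventory.

Flags: accounts missing from the inventory, logins after the access window
expired, and logins from sources the inventory does not allow.
The inventory and log lines below are constructed sample data, not real records.
"""
from datetime import datetime, timezone

# Constructed access inventory: account -> (vendor, access expiry, allowed source tags)
INVENTORY = {
    "svc-msp-helpdesk": ("Example MSP", "2025-12-31T23:59:59Z", {"msp-vpn"}),
    "svc-backup-ops": ("Example Backup Co", "2025-03-31T23:59:59Z", {"backup-dc"}),
}

# Constructed log lines: ISO timestamp, account, source tag, action
LOG_LINES = """\
2025-05-10T09:12:00Z svc-msp-helpdesk msp-vpn reset_password
2025-05-10T22:40:00Z svc-msp-helpdesk unknown-isp export_mailbox
2025-05-11T03:05:00Z svc-backup-ops backup-dc restore_job
2025-05-11T03:07:00Z svc-crm-support crm-office bulk_export
"""

def _ts(s):
    """Parse a UTC ISO-8601 timestamp into a timezone-aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def review(log_text, inventory):
    """Return (account, finding) tuples for log lines that violate the inventory."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, account, source, action = line.split()
        entry = inventory.get(account)
        if entry is None:
            # An account in the logs that the inventory never mapped: unvetted access.
            findings.append((account, f"not in access inventory: {action}"))
            continue
        vendor, expiry, sources = entry
        if _ts(when) > _ts(expiry):
            # Time-limited access that was never revoked.
            findings.append((account, f"{vendor} access expired {expiry}: {action}"))
        if source not in sources:
            # Login from a device or location the vendor agreement did not approve.
            findings.append((account, f"{vendor} login from unapproved source {source}: {action}"))
    return findings

if __name__ == "__main__":
    for account, finding in review(LOG_LINES, INVENTORY):
        print(f"{account}: {finding}")
```

Each finding maps to one of the questions in the section above: who has access, whether it is still supposed to, and from where.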
These steps do not require a large security budget. They require attention and the willingness to ask direct questions. Small businesses that build this habit are substantially better positioned than those that treat vendor relationships as a one-time procurement decision.
The Bottom Line
The Coinbase breach will be filed away as a crypto story. The actual lesson has nothing to do with crypto. It is a story about what happens when access to sensitive data passes through a vendor layer that nobody vetted deeply enough – and how straightforward it is for an external actor to exploit that layer by simply paying someone inside it.
Small businesses are not exempt from vendor insider threat risk. In many ways they are more exposed than large enterprises, because they have fewer internal resources to audit the vendor relationships they depend on every day. The answer is not to avoid vendors – it is to choose vendors who hold their own supply chain to the same standard they claim to hold yours.
The firms that have stayed breach-free for two decades have done so not by being lucky, but by being deliberate: deliberate about access controls, deliberate about who touches client environments, and deliberate about the accountability structure surrounding every person – staff or contractor – who operates inside a client’s world. That deliberateness is not something you see in a product demo. You discover it when you ask the right questions and listen carefully to the answers.
If you want to know how your current vendor relationships hold up under that lens, Book a Free Cybersecurity Strategy Call with the Xact IT Solutions team. It is a 20-minute conversation – no sales pressure, no obligation – and you will leave with a clear picture of where your exposure actually sits.
Let’s Talk About Your IT Strategy
If anything in this post raised a question about your own environment, the fastest path to an answer is a 20-minute strategy call. We’ll look at your specific situation and tell you what we’d actually do about it.