The Breach You Did Not See Coming Probably Started at a Vendor
So far in 2026, the pattern has been hard to ignore. Across North America, attackers have repeatedly hit software vendors, benefits administrators, and outsourcing firms that thousands of organizations depend on. The businesses whose data was exposed did not get hacked themselves. Their vendors did.
A fintech vendor breach exposed financial data for 672,000 people across multiple banks and credit unions. A healthcare revenue cycle vendor was compromised through stolen credentials, affecting 140,000 patient records. A benefits administrator API exposure put 2.7 million people at risk. In Canada, Telus Digital confirmed a significant data theft from its outsourcing operations.
The common thread is that none of these vendors were the intended target. Their clients were.
What You Can Take From This
These incidents point to a few things that every business leader should be thinking about right now.
Map your data exposure. Know where your data actually lives. Not just which platforms your team uses, but which vendors have access to sensitive information on your behalf. If you cannot answer that question clearly, that is the first thing to fix.
Raise the bar at renewal. A vendor having a certification is a starting point. What matters more is how they manage access, how quickly they notify you when something goes wrong, and whether their security controls are independently verified.
Build a verification culture. Treat email with more skepticism than feels comfortable. Business email compromise losses averaged over $160,000 per incident this past year, according to FBI data. AI is making these attacks harder to spot because they match the tone and context of real business communications. Building a culture where verification is expected, not awkward, is one of the most practical defenses available.
Size is not a shield. 88% of ransomware incidents involve small and mid-sized businesses. Fewer than half of Canadian SMBs say they are prepared for a cyberattack. Attackers are not choosing targets based on brand recognition. They are scanning for weak points, and automation makes it easy to find them.
How Nucleus Is Built for This
We are part of your supply chain, and we think about that constantly.
Nucleus does not host your data. Your data lives in the platforms you own or license, whether that is Microsoft 365, your practice management system, or another platform. What we have is delegated access to manage those systems on your behalf, and we treat that access with the discipline it requires.
That means just-in-time access rather than standing administrative privileges. It means SOC 2 Type II certification as independent proof that our controls around that access are operating effectively over time, not just designed well on paper. And it means we hold ourselves to the same standard we encourage you to apply to every vendor in your ecosystem.
The breaches from earlier this year happened to organizations holding large volumes of client data. That is a different model from an MSP with time-limited, scoped access to systems you control. But any provider with access to your environment is still a link in the chain, and every link should be able to answer the hard questions.
Those questions have good answers. We are happy to walk through them.
If you want to talk about your vendor risk posture or how we manage access on your behalf, reach out to your account team or visit yournucleus.ca.