third‑party vendor risk and data‑sharing security for SMBs

Over 100,000 sensitive parliamentary emails were handed to a private company that had already been hacked—turning a routine data transfer into a major cybersecurity incident. Discover how third‑party vendor risk affects Perth SMBs and learn practical steps to protect your business when sharing data with contractors.

Garry BloomGarry Bloom · Founder & Senior IT Manager
10 April 2026
5 min read
CyberSecurity
ITSupportPerth
SmallBusinessIT #ThirdPartyRisk #CloudManagedServices #PerthBusiness
Microsoft365
DigitalTransformation

Introduction

In a recent cybersecurity incident that made national headlines, more than 100,000 sensitive parliamentary emails and documents were handed over to a private company that had already been hit by a massive cyberattack. What should have been a routine transfer of information instead became a textbook case of how third‑party risk and poor data‑handling practices can silently expose confidential information.

For small‑to‑medium businesses, this story isn’t just “government drama”—it’s a warning that could easily apply to your own IT environment.


What Actually Happened

A government department sent a large batch of private emails and documents to a law firm, which was acting as a contractor for ongoing legal or investigative work. The data was transferred electronically, bundled into encrypted or password‑protected files, and handed over in what appeared to be a standard, lawful process.

The problem? The law firm had already been compromised in a prior cyberattack. That meant the sensitive communications—potentially including national‑security‑related information, internal briefings, and confidential correspondence—were now sitting in a contractor’s systems that had already been breached by overseas cyber‑criminals.

This is less of a “phishing email” incident and more of a third‑party data‑handling failure—a type of risk that grows bigger as organisations outsource more services, cloud storage, and support.


The Hidden Risk: Third‑Party Vendors

Most small and medium businesses outsource at least part of their IT—whether it’s email hosting, cloud backups, legal or accounting services, or managed‑IT support. That’s not wrong; but it does introduce a new attack surface.

When you hand data to a contractor, you’re effectively saying:

  • “We trust your security controls.”

  • “We assume your systems are not already compromised.”

  • “We believe you’ll protect our data the same way we do.”

Unfortunately, that assumption is often wrong.

In the parliamentary case, the law firm had been breached months earlier, and the level of remediation and transparency wasn’t enough to fully protect the sensitive data that arrived later.


How Your SMB Can Avoid the Same Trap

Here’s how to turn this high‑profile incident into concrete protection for your own business:

1. Vet vendors before sharing anything

Before you send any sensitive data to a third party, ask:

  • Do they have written security policies?

  • Are they insured for cyber‑related incidents?

  • Have they suffered any recent breaches you should know about?

If the answer is “no” or “we don’t know,” you should think twice before sending anything confidential.

2. Encrypt and tightly control access

When you must share data with a contractor:

  • Use encrypted transfers (encrypted email, secure portals, or S‑FTP).

  • Set time‑limited access (for example, read‑only links that expire after 7 days).

  • Avoid “unlocked” file shares or generic cloud folders where anyone on the vendor’s team can see everything.

This limits the damage if the vendor’s systems are later breached.

3. Assume your contractors are targets

Professional services firms, legal teams, and IT providers are high‑value targets because they hold data for many clients.

  • Check that they enforce multi‑factor authentication.

  • Confirm they patch systems regularly and have basic incident‑response plans.

If your vendor doesn’t treat cybersecurity seriously, you’re increasing your own risk.

4. Keep critical data in‑house where possible

For SMBs, the safest model is often:

  • Core business data and email archives stay under your own control.

  • Contractors only receive what they need, when they need it, in a controlled, time‑bound way.

This reduces the number of places where your data could be exposed if one vendor is compromised.


Why This Matters for Perth SMBs

Local Perth businesses—especially those in legal, healthcare, finance, or professional services—regularly share sensitive client information with external partners. If you email confidential documents to a law firm, accountant, or outsourced IT team without understanding their security posture, you’re running the same kind of risk the parliament did.

The good news is that small‑business‑level controls can go a long way: dedicated email security, multi‑factor authentication, and a clear vendor‑onboarding checklist can stop many of these incidents before they start.


Final Thought

No business is “too small” to be targeted, and no vendor is automatically “safe” by default. The 100,000‑email incident shows that once data leaves your own environment, it’s only as secure as the weakest link in the chain.

If you’re not sure how your current vendors handle your data—or what would happen if one of them was breached—now is the time to ask.

Want a quick check of your vendor‑security and data‑sharing policies?
Drop a comment or message us, and we’ll help you tighten up your third‑party risk the way a Perth‑based MSP would.

Garry Bloom
Written by
Garry Bloom
Founder & Senior IT Manager · 25+ years in IT

Garry founded Computer Mechanics — the business behind IT Support Perth — in 1997. With more than 25 years in IT management and support across internal and external service environments, he leads the team's technical direction and its cybersecurity and managed-IT strategy for Perth businesses.

Meet the IT Support Perth team →
Garry Bloom
10 April 2026
5 min read
CyberSecurity
ITSupportPerth
SmallBusinessIT #ThirdPartyRisk #CloudManagedServices #PerthBusiness
Microsoft365
DigitalTransformation

Stay Updated with IT Insights

Get the latest cybersecurity tips and technology insights delivered to your inbox

Related Articles

4 IT Gaps Small Businesses Overlook (and How to Close Them)

Most Perth businesses aren't undone by one huge disaster — it's the small IT gaps that stack up: missing MFA, delayed patching, old access nobody removed, and untested backups. Here's how teams under 50 users can close them. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

How to Safely Offboard an Employee (and Protect Your Company Data)

When a staff member leaves, their access is a security risk until it's properly closed off. A practical Perth-business checklist for offboarding an employee without losing data or leaving a door open. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

5 Signs Your Business Has Outgrown Your Current IT Guy

One trusted 'IT guy' works — until it doesn't. Here are five clear signs a Perth business has outgrown break-fix IT and needs a proper managed IT team. From Computer Mechanics, Perth IT specialists since 1997.

5 min read

Need Expert IT Support?

Get personalized advice from our Perth IT experts. Free consultation available.

Related Content

Continue Reading

Explore more insights and expert advice on IT support, cybersecurity, and digital transformation

Your Messages Are "Encrypted" — But the FBI Just Read Them Anyway. Here's What Every Perth Business Needs to Know.
CyberSecurity
ITSupportPerth

Your Messages Are "Encrypted" — But the FBI Just Read Them Anyway. Here's What Every Perth Business Needs to Know.

Most small business owners believe end-to-end encryption means their messages are completely private. A recent FBI case proves that assumption is dangerously incomplete.

5 min read
4/15/2026
What’s new in SMB1001:2026?
SMB1001
SMB10012026

What’s new in SMB1001:2026?

SMB1001:2026 updates for Perth SMBs: Mandatory DMARC from Silver tier, 5 maturity levels, Essential Eight alignment. Get certified, cut insurance costs, win tenders—start your roadmap today!

5 min read
2/25/2026
Why Reinstalling Windows Won’t Fix a Hijacked Account
CyberSecurity
ITSupportPerth

Why Reinstalling Windows Won’t Fix a Hijacked Account

System got hacked & reinstated Windows, but attackers stayed logged in. Learn why fresh installs don't fix hijacked accounts and the 6-step process to secure your accounts: sign out of all devices, reset passwords, and re-register

5 min read
6/4/2026