Q3 2025 had one defining story underneath all the individual incidents: the integration layer is now the attack surface. The ITRC tracked 835 separate data compromises in Q3, resulting in around 23 million victim notices. The quarter's most damaging breaches didn't come through firewalls or brute-force attacks — they came through OAuth tokens, SaaS integrations, and phishing campaigns that exploited the trust relationships between platforms your vendors use. Attacks on professional services firms increased 39% year over year and 162% over a five-year period. You are not a bystander in this threat landscape. You are the target.
"The quarter's most damaging breaches didn't come through firewalls. They came through the integration layer between your platforms."
On July 28, 2025, attackers exploited weaknesses in third-party Salesforce integrations to breach TransUnion, exposing the personal data of more than 4.4 million U.S. consumers including names, Social Security numbers, dates of birth, and support ticket details. The attack did not exploit a flaw in Salesforce itself — it relied on voice phishing, where attackers impersonated internal IT staff, tricked employees into approving a malicious connected app in Salesforce's setup, then slowly exported data to avoid detection. The breach was part of a multi-company campaign by ShinyHunters targeting OAuth tokens across the Salesforce ecosystem, hitting Adidas, Allianz, Cisco, and others in the same window.
Most professional services firms run some version of this stack — a CRM, a client portal, a document management system, each with connected apps and OAuth integrations. You almost certainly don't have a complete inventory of what those apps can access or export. This is not a firewall problem. It is a permissions and integration governance problem. If someone called your staff today impersonating your IT vendor, would they know what to approve and what to refuse?
A ransomware attack on Marquis Software Solutions — a compliance and marketing vendor serving financial institutions — affected at least 400,000 consumers across more than 70 banks and credit unions when it hit on August 14, 2025. The root cause was a vulnerability in a SonicWall firewall, exploited by the Akira ransomware group. Court filings in related lawsuits confirm that Marquis paid a ransom after detecting the attack — and that stolen data later appeared on criminal marketplaces anyway, suggesting the containment assurances given to client institutions were incomplete.
Marquis is a compliance and marketing vendor — the type that appears routinely in professional services vendor stacks. The 70+ institutions affected were not breached directly. Their vendor was. And paying the ransom did not stop the data from being sold. When you sign a vendor contract, you inherit their security posture. When did you last review whether your compliance or practice management software vendor has documented, verifiable security controls?
The Canadian Investment Regulatory Organization — the national self-regulatory body overseeing investment dealers and mutual fund dealers across Canada — experienced a significant data breach in August 2025 following a phishing attack. Approximately 750,000 Canadian investors had sensitive personal and financial information compromised, including social insurance numbers, government-issued ID numbers, investment account numbers, annual income data, and account statements. The breach forced systems offline for weeks. A forensic investigation required more than 9,000 hours to complete.
If the regulator watching your industry can be taken down by a phishing email, that is not irony — it is a data point. Regulatory bodies aggregate some of the most sensitive financial and personal data in the economy, including registration records for individual advisors and affiliated firms. Their breach means that data about your clients, your firm's registration, and individual advisor profiles may now be in criminal hands. For U.S. firms, FINRA and the SEC hold equivalent data. This incident is a preview, not an outlier.
The ITRC's Q3 analysis confirmed what threat actors have known for some time: professional services firms are increasingly being used as stepping stones into larger targets. Attacks on the sector increased 39% year over year and 162% over five years. Law firms, CPA practices, and consultants hold trusted access to their clients' systems, communications, and financial data. Compromising a professional services firm is often an easier path to a bank, a family office, or a corporation than attacking those institutions directly.
Your clients are beginning to scrutinize their professional services vendors the way they scrutinize their own systems. In 2025, more than a third of legal clients said they were willing to pay a premium for firms with stronger documented cybersecurity. Your security posture is now a competitive differentiator — and your lack of one is a competitive liability. Firms that can demonstrate an audited privacy and risk program will win engagements that firms without one will lose.
The ITRC flagged a worsening transparency problem in Q3: 71% of breach notices issued during the quarter contained no information about how the incident occurred — up from 68% in Q1 2025. Regulators on both sides of the border have identified this as a compliance failure, not just an informational gap. The FTC Safeguards Rule, which applies directly to CPA firms and tax preparers handling consumer financial data, requires not just breach notification but documented evidence of reasonable security controls — a written information security program, a vendor risk assessment, and a data inventory. Firms that cannot produce this documentation face enforcement exposure that extends well beyond the breach itself.
Bottom line: Notification without explanation is no longer acceptable to regulators. If your firm experienced an incident and couldn't describe how it happened or what controls were in place, that documentation gap is itself a compliance problem.
Q3's story is integration risk. The breaches that did the most damage this quarter didn't exploit your systems directly — they exploited the connected apps, OAuth tokens, and trusted vendor relationships that sit between your platforms and your data. Most professional services firms have no inventory of these connections, no review process for third-party app permissions, and no internal protocol for verifying IT requests that arrive by phone. All three of those are fixable without an enterprise security budget.
If you can't name every vendor that touches your client data and describe what each one can access, you don't actually know your exposure.
