That hard truth was underscored by news this month of an alleged cyberattack targeting Luxshare, a Chinese assembly and manufacturing business used by some of the world’s biggest tech companies and embedded into the global electronics supply chain. The criminals responsible have been linked to the RansomHub group, the same network behind the notorious Change Healthcare breach in 2024.
The list of impacted companies reads like a who’s who of the tech world. It includes Apple, Nvidia, Tesla, LG and others. While skepticism is usually warranted when cybercriminals boast about stealing secrets, the fraudsters claim to have stolen confidential 3D CAD product models, engineering designs for circuit boards, internal engineering documentation, and other sensitive business materials dated from 2019 through 2025, meaning that information about future product launches could be included.
None of the companies presumed to be affected has replied to PYMNTS’ request for comment.
For consumer electronics companies, early exposure of product designs can undermine the carefully choreographed launches that businesses rely on for growth.
Unlike customer records or employee credentials, engineering documents carry a different kind of risk. A leaked CAD model or circuit board schematic does not expire when passwords are reset. Its value can persist for years, influencing competitive dynamics long after the breach fades from headlines.
If there is one takeaway from the incident, it’s not that core enterprises are doing less to protect themselves. It’s that the attack surface has expanded faster than many traditional risk models can accommodate.
See also: Third-Party Risk and AI Gave Cyberattacks the Upper Hand in 2025
Why Third Parties Are the New Perimeter
Today’s supply chain leaders face a challenging security paradox. The more they embrace strategies and solutions designed to enhance the visibility and resilience of their operations, the more potential entry points there are that may need to be safeguarded from criminals.
Global manufacturing and electronic product development are increasingly distributed by design. CAD models are shared with external manufacturers, firmware and board designs move between contractors across continents, and cloud-based project management systems host documents that multiple organizations need to access simultaneously. In this environment, third-party vendors are no longer peripheral; they are extensions of the enterprise itself.
Even if businesses maintain exemplary internal security controls, the exposure of their data through a supplier can have the same strategic impact as a direct breach.
Last year, there were over 2,000 data breach lawsuits filed, Philip Yannella, co-chair of the privacy, security and data protection practice at Blank Rome and the author of “Cyber Litigation: Data Breach, Data Privacy & Digital Rights,” 2025 edition, told PYMNTS in May.
“Data breaches are always the biggest danger…,” he said.
It’s not just the world’s biggest businesses that criminal groups are targeting. The PYMNTS Intelligence report “Vendors and Vulnerabilities: The Cyberattack Squeeze on Mid-Market Firms” found that hackers are also going after middle-market firms, which increasingly depend on cloud providers, software-as-a-service platforms, managed service and logistics providers.
Read also: Making Sense of Data Protection Assessments for B2B Firms
Treating Vendors as Extensions of the Enterprise
The structural reality of modern business means that innovation now happens across networks of partners, each adding value and risk. As core enterprises harden their defenses, attackers will continue to probe the ecosystems around them, identifying vendors whose access is broad and whose protections are uneven. The more complex and distributed the supply chain, the richer the target.
For companies at the center of innovation, this raises questions that go beyond IT departments. How much visibility is required into a supplier’s security operations? When does collaboration become overexposure? Who ultimately bears responsibility when a partner’s breach exposes crown-jewel intellectual property?
It may mean moving away from episodic vendor reviews and toward continuous, risk-based oversight that reflects how data flows through the enterprise and its partners, reframing cybersecurity as a living system rather than a static set of controls.
Artificial intelligence is beginning to make this level of vigilance economically viable. Research from the PYMNTS Intelligence report “The AI MonitorEdge Report: COOs Leverage GenAI to Reduce Data Security Losses” showed that 55% of companies are employing AI-powered cybersecurity measures.
Used responsibly, AI does not replace sound governance or accountability, but it can provide the visibility and speed that modern supply chains demand, and that traditional, checklist-driven security models may no longer be able to effectively deliver.
For all PYMNTS B2B coverage, subscribe to the daily B2B Newsletter.
