Why supply chain management and third-party visibility are essential in 2025
OpenAI this week confirmed a security breach that occurred not in its systems, but in its analytics provider Mixpanel.
An attacker broke into the vendor’s infrastructure and exported data such as names, emails and user IDs linked to the use of the OpenAI API.
An email sent to some users gave some clues:
No chats, API keys or sensitive documents were leaked, but the incident once again highlights a structural problem:
Your exposure to risk no longer depends only on your internal security, but on all the providers to whom you send data.
And this is where Mixpanel gives us an important lesson.
First of all: what does Mixpanel do and why can it expose more than you think?
Mixpanel is an analytics platform that monitors how users behave within an application: which screens they visit, which buttons they press, how long it takes them to complete a process, where they abandon, etc.
So far, nothing strange. The risk appears in this key detail:
Mixpanel only receives the data that a programmer decides to send it from the application.
This means that:
1️⃣ The programmer can send more data than necessary
Although analytics only needs a technical identifier, it is not uncommon to find names, emails, locations and other unnecessary fields that violate the GDPR data minimization principle.
2️⃣ Behavioral events are mixed with personal data
A bad practice that turns an innocuous analytics event into a sensitive dataset.
3️⃣ Many companies have no inventory of what data actually leaves
Documentation is often outdated: which events are sent, which fields they carry, whether they include PII, and whether any of it has been reviewed after each code change.
4️⃣ Each modification to the code can introduce new risks without supervision
A developer can add an event that sends more data than expected… and nobody from security or privacy detects it.
🔍 Direct consequence
When a provider like Mixpanel suffers a breach, the data exposed is exactly what you sent, even if it should never have gone out.
Herein lies the heart of the problem: without visibility into what you share with third parties, you cannot assess and manage your actual risk.
Lessons from the Mixpanel-OpenAI case
Three universal lessons can be learned from this incident:
✔️ No organization is truly isolated
Even a legitimate and verified supplier can become your weakest link.
✔️ Minimizing and controlling the data you give to third parties is not optional.
It is a requirement of the GDPR, but also a matter of operational survival.
✔️ Supply chain is a priority attack vector
NIS2, ISO 27001, ENS, SOC2 and DORA have elevated it to a core requirement.
And the conclusion is inevitable: we need tools that provide visibility, control and responsiveness.
Two essential tools for today’s world
To manage this complex ecosystem, two fundamental pieces have emerged: the Trust Center and the Breach Manager.
What is a Trust Center?
A Trust Center is the central point where an organization documents and communicates:
- which suppliers it uses,
- what data they handle,
- what security guarantees they offer,
- how it manages privacy,
- which certifications it holds,
- and what its compliance position is.
It is a tool for transparency, order and control, both for internal and external use.
In essence:
A Trust Center converts a dispersed ecosystem of providers into a governed and verifiable system.
It lets you know:
- who has access to your data,
- for what reason,
- for how long,
- under what security measures,
- and what regulatory impact it has.
What is a Breach Manager?
A Breach Manager is the tool that lets you manage any security incident in a structured way, whether it is your own incident or a supplier’s.
Key functions:
- register alerts or suspicions,
- coordinate the investigation,
- centralize evidence,
- evaluate the impact,
- determine legal obligations (GDPR: 72h notification),
- document the entire process for audits.
Its purpose:
That a breach does not turn into a crisis, and that the entire organization knows what to do, when and how.
Trust Center + Breach Manager: the answer to a hyperconnected world
The Mixpanel-OpenAI case makes it clear that:
- you cannot protect what you do not know,
- you cannot rely on what is not documented,
- you cannot act without a defined process,
- and you cannot outsource without control mechanisms.
That is why modern organizations need:
✔️ A Trust Center to know who has what and why
✔️ A Breach Manager to know what to do when something goes wrong
Together they allow you to:
- see your supply chain,
- control your data,
- reduce risks,
- and respond accurately to incidents.
At ithikios we help organizations to prevent, control and act quickly in the face of any third-party risk. Our Trust Center provides visibility and order across the entire supply chain, and our Breach Manager lets you manage incidents in a structured, documented and timely manner.
Because in a world where security also depends on your suppliers, having control and responsiveness is no longer optional: it is essential.