On 11 April 2026, the hacking group ShinyHunters announced they had breached Rockstar Games, the studio behind Grand Theft Auto, one of the most valuable entertainment franchises in history. They set a deadline of 14 April: pay the ransom, or the data goes public.
Rockstar did not pay. The data is now public.
78.6 million records were stolen. Revenue metrics, player behaviour tracking, in-game economy data, fraud detection systems, customer support insights: operational intelligence from GTA Online and Red Dead Online.
But here is the detail that matters most for every business reading this, not just the ones making video games: ShinyHunters did not hack Rockstar directly. They hacked a third-party vendor called Anodot — a billing analytics app that had deep read access to Rockstar’s Snowflake cloud environment. The attackers extracted authentication tokens from Anodot and walked through the front door as a legitimate service.
The weakest link was not Rockstar. It was a vendor they trusted.
This is not an isolated incident. This is a pattern.
ShinyHunters is the same group behind the 2024 Snowflake breach wave that hit over 160 organisations including AT&T (110 million customer records), Ticketmaster, Santander, LendingTree, and Neiman Marcus. They have previously breached Google, Microsoft, Gucci, Louis Vuitton, IKEA, Adidas, McDonald’s, and Walgreens.
Their method is consistent and devastatingly effective. They do not break down the front door. They find a side door (a third-party integration, a vendor with deep cloud access, a SaaS tool that holds authentication tokens) and walk through it. In the Snowflake wave, stolen credentials from infostealer malware (some dating back to 2020) were sufficient because multi-factor authentication was not enforced.
The Rockstar breach follows the same playbook. Anodot is not the only vendor targeted — TechCrunch reports that over a dozen companies are now facing extortion after ShinyHunters compromised Anodot. The group has also exploited other SaaS integrations in separate campaigns, including Gainsight and Salesloft. All of these tools have deep integration into customer cloud infrastructure, making them high-value targets.
The supply chain numbers are stark
This is not a niche risk. It is now mainstream:
- 30% of all data breaches now involve third-party compromise — a 100% year-over-year increase.
- 136 major supply chain breaches in 2025 affected 719 publicly named companies and an estimated 26,000 downstream victims.
- 70% of organisations experienced at least one third-party security incident in 2025.
- The average cost of a supply chain breach is $4.91 million — higher than almost any other breach type.
- It takes an average of 267 days to identify and contain a supply chain breach — 63 days longer than average.
And here is the paradox: supply chain attacks account for less than 5% of all data compromises, yet they affect nearly 47% of all individuals impacted by breaches. Fewer incidents, but vastly larger blast radius. One vendor compromise cascades across dozens of customer organisations.
Why this matters for Scottish SMEs
It would be easy to look at the Rockstar breach and think: that is an enterprise problem. We are not Rockstar Games. Nobody is targeting us with that level of sophistication.
That misses the point.
ShinyHunters did not target Rockstar specifically. They targeted Anodot, the vendor. And Anodot serves businesses of all sizes. When a SaaS vendor that your business relies on gets breached, the size of your business is irrelevant. You are in the blast radius because of the relationship, not because of your profile.
The UK data paints a concerning picture for SMEs:
- 73% of UK SMEs lack formal vendor risk assessments despite regulatory compliance requirements.
- Very few UK businesses set minimum security standards for suppliers.
- SMEs are particularly vulnerable to malicious code injection through third-party tools.
- Many SMEs view security certification as unaffordable, creating a gap between awareness and action.
The NCSC’s 12 Principles of Supply Chain Security, updated in October 2025, provide a framework. But the gap between knowing the framework exists and actually implementing vendor risk assessments remains wide.
Scotland’s own Strategic Framework for a Cyber Resilient Scotland 2025-2030 emphasises supply chain security for public sector organisations and supporting SME suppliers. The Scottish Government’s supplier cyber security guidance and the NCSC Cyber Advisor scheme offer practical support to help SMEs improve their security posture and pursue Cyber Essentials certification. The support exists. The question is whether SMEs are using it before, rather than after, something goes wrong.
Rockstar said it was “non-material.” That framing deserves scrutiny.
Rockstar’s official statement read:
“A limited amount of non-material company information was accessed in connection with a third-party data breach. This incident has no impact on our organization or our players.”
78.6 million records. Revenue metrics. Player behaviour tracking. Fraud detection systems. In-game economy balancing data. All leaked seven months before GTA VI launches on 19 November 2026, a game projected to generate $3 billion in first-year sales and $1 billion in pre-orders alone.
Calling that “non-material” is a choice. It may be technically accurate if the data does not include direct player personal information. But it illustrates a broader pattern in breach response: downplay the significance, emphasise what was not taken, and move on quickly.
For SMEs watching this unfold, the lesson is not about Rockstar’s PR strategy. It is about what “non-material” looks like when it happens to you. Operational data, financial metrics, customer analytics, internal processes: this is the kind of information that lives in the SaaS tools every business uses. And when a vendor with access to that data gets breached, deciding what counts as “material” becomes someone else’s problem.
Three things every Scottish SME should do now
1. Know who has access to your data
Every SaaS tool, every integration, every vendor with API access to your cloud environment is a potential entry point. Most SMEs could not produce a complete list of which vendors have access to what data if asked today. Start there.
- Audit every third-party tool connected to your Microsoft 365, CRM, finance, and cloud environments.
- Map what data each vendor can access and why they need it.
- Remove access that is no longer required. Revoke tokens for tools no longer in use.
2. Enforce MFA on everything
The entire Snowflake breach wave (160+ organisations, 500+ million individuals affected) could have been prevented by multi-factor authentication. Snowflake did not enforce it by default until late 2024, and many customers had not enabled it.
MFA is not a silver bullet. But it eliminates the most common attack vector: stolen credentials from infostealer malware used to log in without any additional verification.
- Enforce MFA on all cloud services, all admin accounts, all vendor access portals.
- Use conditional access policies to block logins from unexpected locations.
- Prefer hardware security keys or authenticator apps over SMS where possible.
3. Require security standards from your suppliers
If you are not asking your vendors about their security posture, you are trusting them by default. The NCSC’s Cyber Essentials Supply Chain Playbook provides a practical framework.
- Require Cyber Essentials or IASME Cyber Assurance certification from vendors handling your data.
- Include security incident notification clauses in vendor contracts — you need to know when something goes wrong, not discover it on social media.
- Go beyond self-reported questionnaires. Ask for independent audit evidence.
- Review vendor access quarterly. If a tool is no longer actively used, revoke its access.
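The three steps above, run as a single quarterly check over a vendor-access inventory. This is an added example, not code from the original article; the CSV column names, the scope strings, the 90-day threshold and every vendor name are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory; every vendor name and value is made up.
INVENTORY_CSV = """vendor,system,scopes,justification,last_used,mfa,certification,notify_clause
ExampleBilling,cloud-warehouse,read:all,,2026-04-01,no,none,no
ExampleCRMSync,crm,read:contacts,Nightly contact sync,2026-04-10,yes,Cyber Essentials,yes
OldSurveyTool,microsoft365,read:mail;read:files,Customer survey 2024,2025-06-30,yes,none,yes
ExamplePayroll,finance,read:payroll;write:payroll,Monthly payroll run,2026-03-28,yes,IASME Cyber Assurance,yes
"""

ACCEPTED_CERTS = {"cyber essentials", "iasme cyber assurance"}
STALE_AFTER_DAYS = 90  # assumption: "quarterly" taken as 90 days


def review_vendor(row, today):
    """Return the list of findings for one inventory row."""
    findings = []
    idle = (today - date.fromisoformat(row["last_used"])).days
    if idle > STALE_AFTER_DAYS:
        findings.append(f"unused for {idle} days: revoke tokens and access")
    if any(s.strip().endswith(":all") for s in row["scopes"].split(";")):
        findings.append("scope covers all data: narrow it to the stated need")
    if not row["justification"].strip():
        findings.append("no documented reason for data access")
    if row["mfa"].strip().lower() != "yes":
        findings.append("MFA not enforced on vendor access")
    if row["certification"].strip().lower() not in ACCEPTED_CERTS:
        findings.append("no Cyber Essentials or IASME Cyber Assurance certificate")
    if row["notify_clause"].strip().lower() != "yes":
        findings.append("contract lacks incident notification clause")
    return findings


def review_inventory(csv_text, today):
    """Map each vendor with at least one finding to its findings."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = review_vendor(row, today)
        if findings:
            report[row["vendor"]] = findings
    return report


if __name__ == "__main__":
    for vendor, findings in review_inventory(INVENTORY_CSV, date(2026, 4, 15)).items():
        print(vendor, *findings, sep="\n  - ")
```

The inventory itself has to come from each platform's own list of connected apps and issued tokens; the script only applies the review rules once that list exists.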
The Rockstar breach is a reminder that security is not just about your own systems. It is about every system that touches yours. And for most SMEs, that list is longer than they think.