{"id":990,"date":"2026-01-14T11:33:07","date_gmt":"2026-01-14T11:33:07","guid":{"rendered":"https:\/\/www.securesteps.tn\/64-percent-of-third-party-apps-access-sensitive-data-unjustly\/"},"modified":"2026-01-14T11:33:07","modified_gmt":"2026-01-14T11:33:07","slug":"64-percent-of-third-party-apps-access-sensitive-data-unjustly","status":"publish","type":"post","link":"https:\/\/www.securesteps.tn\/ar\/64-percent-of-third-party-apps-access-sensitive-data-unjustly\/","title":{"rendered":"64 Percent of Third Party Apps Access Sensitive Data Unjustly"},"content":{"rendered":"

**64 Percent of Third-Party Apps Access Sensitive Data Unjustly**<\/p>\n

**Introduction**<\/p>\n

What if two-thirds of the applications connected to your enterprise systems had access to sensitive data they don\u2019t need \u2014 and you didn\u2019t know it? According to new research featured in [The Hacker News](https:\/\/thehackernews.com\/2026\/01\/new-research-64-of-3rd-party.html), 64% of third-party applications request or retain access to sensitive enterprise data beyond their core functional requirements. That includes data like customer records, employee information, financial data, and proprietary IP.<\/p>\n

That\u2019s an alarming number, especially when these third-party tools \u2014 often productivity boosters like CRMs, HR platforms, or collaboration tools \u2014 are granted access during onboarding and rarely reviewed again. For today\u2019s CISOs, CEOs, and information security teams, this highlights a silent risk vector that bypasses traditional security perimeters.<\/p>\n

In this post, we\u2019ll explore why this over-access occurs, how it creates real risk to your organization, and what you can do right now to reduce your exposure. Whether you oversee security strategy or drive digital transformation, the implications are the same: access without limits is access without control.<\/p>\n

Let\u2019s unpack the findings, share real-world examples, and lay out a practical framework to regain control of your data.<\/p>\n

—<\/p>\n

**Why Are So Many Third-Party Apps Overstepping Their Bounds?**<\/p>\n

The appeal of third-party apps is their ready-made utility\u2014tools that save development time, improve user experience, and offer targeted functionality. But as organizations increasingly rely on SaaS ecosystems and integrations, many apps are quietly requesting access to more data than they need.<\/p>\n

Several key reasons drive this data overreach:<\/p>\n

– **Overgenerous permissions by default**: Many applications request broad API scopes like \u201cread\/write all files\u201d or \u201caccess all user records\u201d during setup\u2014permissions that may never get reviewed.
\n– **Lack of visibility** into how apps actually use the data they request. Once an app is approved, there\u2019s little transparency unless actively monitored.
\n– **Speed over scrutiny**: IT teams under pressure to enable tools prioritize productivity over precise access controls.<\/p>\n

Here\u2019s a concrete example: A marketing automation platform needs access to customer email lists. But its API request may include permissions to read all customer histories, purchase behavior, and even internal sales notes. If granted, that app is now a data insider\u2014whether it uses the data or not.<\/p>\n

According to the report referenced in [The Hacker News](https:\/\/thehackernews.com\/2026\/01\/new-research-64-of-3rd-party.html):<\/p>\n

– 64% of third-party apps request sensitive data they don\u2019t need.
\n– 30% retain access even after being inactive for 30+ days.
\n– Less than 15% of security teams review app permissions quarterly.<\/p>\n

This isn\u2019t just a paper risk. It\u2019s an expanding threat surface hidden behind everyday business tools.<\/p>\n

**What\u2019s at Stake: The Risks of Unjustified Data Access**<\/p>\n

When third-party apps have unrestricted access to sensitive information, they create multiple points of failure\u2014some technical, others human.<\/p>\n

Let\u2019s break down the risk profile:<\/p>\n

1. **Data leaks and breaches**: If an app with broad data permissions is compromised, it acts as an exfiltration point. Think OAuth token theft or server-side vulnerabilities used to siphon data.<\/p>\n

2. **Shadow IT amplification**: Business units independently install tools without involving security. These apps operate outside documented workflows, making them hard to monitor.<\/p>\n

3. **Compliance violations**: Excessive access may breach internal policies, sector-specific regulations (like HIPAA or PCI-DSS), or data residency rules. Regulators won\u2019t accept \u201cwe didn\u2019t know\u201d as a valid defense.<\/p>\n

Back in 2023, a financial services firm experienced a breach when a compromised third-party project management tool exported thousands of client details. The platform had been granted \u201cread all user accounts\u201d access for ease of integration. No one flagged that those rights remained even after the project ended.<\/p>\n

To limit exposure, we need to start treating third-party access with the same sobriety we apply to hiring external contractors. You wouldn’t give a one-time advisor a master key to your office \u2014 so why do we let temporary or niche apps read our core datasets?<\/p>\n

**How to Regain Control Over Third-Party Data Access**<\/p>\n

Reducing unjustified third-party access doesn\u2019t require reinventing your tech stack. It starts with visibility, policy, and routine oversight.<\/p>\n

Here\u2019s how CISOs and IT leaders can begin to take back control:<\/p>\n

– **Audit current integrations**
\n Create a central inventory of all third-party tools connected to your systems. Identify what data each app can access versus what it actually uses. Tools like CASBs, cloud security posture management (CSPM), or built-in audit logs from providers like Microsoft or Google can help here.<\/p>\n

– **Enforce least privilege policies**
\n Require that app permissions align only with specific job functions. For example, a scheduling tool might need calendar read access but not email content. Set those rules in identity providers or app marketplaces where possible.<\/p>\n

– **Automate lifecycle management**
\n Deactivate or restrict apps that haven\u2019t been used for a defined period (e.g., 30-60 days). Use scripting or automation platforms to regularly flag outdated authorizations.<\/p>\n

– **Implement regular reviews**
\n Schedule quarterly or bi-annual reviews of app access. Involve application owners, not just IT teams. Define clear KPIs: number of apps reviewed, revoked, or adjusted.<\/p>\n

– **Use access monitoring tools**
\n Invest in tools that show how apps interact with data over time. This helps detect \u201cpermission creep\u201d where access requests evolve beyond the original scope.<\/p>\n

A cybersecurity firm recently implemented a quarterly audit process and discovered that 20% of connected applications hadn\u2019t been used in over three months, yet still had full access to HR and finance data. That audit led to immediate permission revocation and improved overall posture.<\/p>\n

—<\/p>\n

**Conclusion**<\/p>\n

Sensitive data access shouldn\u2019t be a passive grant \u2014 it\u2019s a responsibility that must be actively managed. As the research from [The Hacker News](https:\/\/thehackernews.com\/2026\/01\/new-research-64-of-3rd-party.html) reveals, 64% of third-party tools are navigating our enterprise systems with more access than they need, and our oversight has not kept pace.<\/p>\n

For CISOs, CEOs, and security teams, the path forward is clear. We need more than reactive policies. We need a living discipline of access governance \u2014 one that aligns app permissions with actual business needs, monitors their use over time, and prunes unnecessary connections regularly.<\/p>\n

Now is the time to ask: Which tools have the keys to your most valuable data \u2014 and why?<\/p>\n

Start by auditing your connected apps today. Build the practice into your security program. And insist on transparency, from vendors and your own internal teams alike.<\/p>\n

The data belongs to your business. Let\u2019s keep it that way.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

**64 Percent of Third-Party Apps Access Sensitive Data Unjustly** **Introduction** What if two-thirds of the applications connected to your enterprise systems had access to sensitive data they don\u2019t need \u2014 and you didn\u2019t know it? According to new research featured in [The Hacker News](https:\/\/thehackernews.com\/2026\/01\/new-research-64-of-3rd-party.html), 64% of third-party applications request or […]<\/p>\n","protected":false},"author":2,"featured_media":991,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_joinchat":[],"footnotes":""},"categories":[37],"tags":[],"class_list":["post-990","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-information-security-fr"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.securesteps.tn\/ar\/wp-json\/wp\/v2\/posts\/990","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.securesteps.tn\/ar\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.securesteps.tn\/ar\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.securesteps.tn\/ar\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.securesteps.tn\/ar\/wp-json\/wp\/v2\/comments?post=990"}],"version-history":[{"count":0,"href":"https:\/\/www.securesteps.tn\/ar\/wp-json\/wp\/v2\/posts\/990\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.securesteps.tn\/ar\/wp-json\/wp\/v2\/media\/991"}],"wp:attachment":[{"href":"https:\/\/www.securesteps.tn\/ar\/wp-json\/wp\/v2\/media?parent=990"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.securesteps.tn\/ar\/wp-json\/wp\/v2\/categories?post=990"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.securesteps.tn\/ar\/wp-json\/wp\/v2\/tags?post=990"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}