News came out last week that CVS, the country’s second largest pharmacy chain, may have suffered a data breach of its photo uploading and printing website.
CVS Photo has had a message on its site since Friday that stated there was reason to believe a breach had occurred and that the site would be offline until the issue could be resolved. The message went on to reassure customers of the chain that this only applies to the photo site, not the main website or the physical stores, and to suggest that customers monitor their credit card or bank statements carefully for any suspicious activity.
Following any data breach, forensic experts work to uncover the root cause of the breach. In this case—and in so many others, like the now-famous Target data breach or the Goodwill breach—the weak link in the data protection chain appears to be a third-party company. In CVS Photo’s case, it’s believed to be PNI Digital Media, a Canadian company that handles the credit card transactions for the pharmacy’s photo uploading site.
Unfortunately, this isn’t the only instance in which PNI is believed to have been hacked. Walmart has already issued a warning that it, too, uses PNI’s services for its Canadian photo upload purchases and that it believes customers’ credit cards may have been accessed. Just like with CVS, though, Walmart assured customers that its US-based websites and main stores were not impacted.
Interestingly, in almost every major data breach, experts have traced the break in security to a third-party vendor. According to an article for Info Security Magazine by MacDonnell Ulsch, CEO and chief analyst at ZeroPoint Risk Research, “One consistent breach finding may get their attention: Almost without exception, a third-party vendor or affiliate is involved. It may be the client, or it may be the origination point of the breach.”
Why are third parties such lucrative targets? They carry a lot of trust with the companies they contract with, and as such often have access to avenues of infiltration that hackers need in order to catch the bigger fish. In the case of Target’s breach, for example, the third-party contractor whose access the attackers used to get into the network was a heating, air conditioning, and refrigeration company in Pennsylvania. That same HVAC company has also reportedly done work for three other major retail chains in five states.
Unfortunately, as smaller companies with less manpower and tighter budgets than the corporations they’re contracting with, third-party vendors can also be somewhat of a sitting duck when it comes to keeping sophisticated cyberattacks at bay. The amount of access the company has combined with its lack of resources means vendors often end up as the door through which hackers walk on in.
While this should hopefully serve as a warning to the security industry in general, it does mean that there’s not a lot consumers can do to avoid paying through a third-party vendor. Instead, the smarter course of action is to keep tabs on your information, which is always a necessity. Read your credit card and bank statements carefully before tossing them, and make sure you’re paying close attention to how you dispose of them.