There is a moment in every significant data breach where the organisation affected must explain to its employees, customers, or regulators exactly how their data left its possession. And increasingly, that explanation involves a version of the same sentence: we trusted a vendor, and the vendor failed.