The Vermont Office of the Attorney General disclosed a data breach affecting BAE Systems on December 2, 2022, stemming from unauthorized access to a third-party vendor’s systems. The intrusion was traced back to September 25, 2022, though the full scope of the breach—including the exact number of impacted individuals—remains undisclosed. The compromised data primarily includes personal information such as names and addresses, suggesting a targeted exposure of identifiable details without evidence of broader financial or sensitive data theft. The breach highlights vulnerabilities in supply chain security, as the attack vector originated from a vendor rather than BAE Systems’ direct infrastructure. While the exposed data appears limited to basic personal identifiers, the incident underscores risks associated with third-party dependencies in cybersecurity. No ransomware, financial fraud, or systemic operational disruptions were reported, but the breach necessitates monitoring for potential downstream misuse of the leaked information, such as phishing or identity-based scams. BAE Systems, a global defense and aerospace contractor, faces reputational scrutiny given its role in handling sensitive government and military projects. The lack of clarity on the affected population and the delayed detection further complicate risk assessment, though the immediate impact appears confined to non-critical personal data.