Breach Library

Anatomy of the most significant cybersecurity breaches of the past decade — MGM, Change Healthcare, SolarWinds, MOVEit, and 50+ more. Attack vectors, financial impact, and the specific lessons that protect PE portfolios.

All Breaches

2014-2020 (three breaches; primary breach disclosed November 30, 2018)
Critical
Nation-State Attack — Inherited Through M&A
Hospitality & Hotels

Marriott-Starwood Data Breach: 344 Million Guests, Three Breaches, and the M&A Inheritance Pattern That Cost $170M

The Marriott-Starwood breach is the canonical case of inherited M&A cyber risk and the foundational precedent for treating forensic threat hunting as a required component of cyber due diligence rather than a premium add-on. When Marriott closed its $13.6 billion acquisition of Starwood on September 23, 2016, Chinese state-sponsored attackers had already been operating continuously inside Starwood's reservation database for over two years. They continued operating inside what was now Marriott's network for two more years before discovery. The combined cost — regulatory penalties, settlements, remediation, and the 20-year FTC consent order extending Marriott's compliance obligations through 2044 — exceeded $170 million across three separate breaches affecting 344 million guests globally. The case establishes three operating principles for every subsequent PE acquisition in technology, hospitality, healthcare, financial services, retail, and any other data-rich sector: pre-acquisition diligence based on target self-disclosure cannot find breaches the target itself does not know about, the post-closing detection capability of the acquirer determines how long an inherited breach persists, and regulatory consent orders inherit forward through change-of-control transactions.

Financial Impact
$170M+ total impact
Records Exposed
344M guests
2014 (harvesting); March 2018 (public disclosure)
Critical
Unauthorized Data Harvesting via Permitted API
Social Media / Technology Platform

Facebook-Cambridge Analytica Data Scandal: 87 Million Profiles, $5.7B in Penalties, and the API Permissions Failure That Redefined Privacy Regulation

The Facebook-Cambridge Analytica incident reset the global regulatory treatment of consumer data exposure in three irreversible ways: the FTC began enforcing consent failures with penalties orders of magnitude larger than any prior consumer-protection action, the European Union accelerated the General Data Protection Regulation's adoption and enforcement posture, and U.S. state legislators introduced and passed the California Consumer Privacy Act and its successors. The $5 billion FTC settlement in July 2019 was the largest consumer-protection penalty in U.S. history at the time of imposition and remains the structural reference point for every subsequent privacy enforcement action against major U.S. platforms. The case established that consent-based data exposure — data collected through legitimate API access that was nonetheless used outside the scope users would have understood — is a regulatory category equivalent to technical breach, and that platforms enabling that exposure are accountable for the downstream uses regardless of whether they directly executed them. The total disclosed cost across regulatory penalties, class action settlements, and securities enforcement exceeded $5.7 billion.

Financial Impact
$5.7B+ total impact
Records Exposed
87M profiles
August 2013 and 2014 (disclosed September & December 2016)
Critical
Nation-State Attack — Russian FSB-Directed
Technology / Internet Services

Yahoo Data Breach: 3 Billion Accounts, FSB Hackers, $350M Verizon Discount, and Marissa Mayer's Reckoning

Yahoo's breach disclosures in 2016 and 2017 reset the U.S. regulatory and corporate-governance treatment of cybersecurity incidents in three irreversible ways: the SEC began enforcing cybersecurity disclosure obligations as material securities-law violations, public-company boards began clawing back executive compensation tied to breach response, and private equity sponsors and strategic acquirers began conducting cyber-specific diligence with the explicit understanding that cybersecurity incidents can re-price billion-dollar transactions. The total disclosed scope across the two breaches reached every Yahoo account in existence at the time — 3 billion in the larger 2013 breach and 500 million in the related 2014 incident. The disclosure failure cost Yahoo a $350 million reduction in its Verizon acquisition price, a $35 million SEC penalty, $117.5 million in class-action settlements, and the forfeiture of executive equity compensation that became the template for post-breach board action ever since.

Financial Impact
$500M+ total impact
Records Exposed
3B accounts
2023-01-13
High
Credential Stuffing
Cybersecurity

Norton LifeLock Credential Stuffing 2023

The Norton LifeLock credential stuffing attack of January 2023 affected approximately 925,000 customer accounts, with attackers using credentials stolen from other breached services to attempt logins against Norton accounts. The breach was notable not only for its scale but for what attackers were trying to reach: Norton Password Manager vaults containing every stored password of affected users.

Financial Impact
Undisclosed
Records Exposed
925K targeted
2022-12-02
High
Ransomware
Technology

Rackspace Ransomware 2022: Hosted Exchange Shutdown, 30,000 Customers Down

The Rackspace Hosted Exchange ransomware attack of December 2022 took down the hosted email service used by thousands of small and mid-market businesses over the holiday period, demonstrating the cascading impact when a managed service provider's core infrastructure is hit with ransomware and the unique legal and contractual challenges when customers' own data is compromised through their service provider.

Financial Impact
Undisclosed
Records Exposed
30K customers
2023-01-28
Critical
Zero-Day Exploit
Multi-Sector

GoAnywhere MFT Zero-Day 2023

In January-February 2023, the Cl0p ransomware group exploited a zero-day vulnerability in Fortra's GoAnywhere Managed File Transfer software, compromising over 130 organizations in a campaign that directly preceded and presaged their MOVEit attack three months later. The GoAnywhere and MOVEit attacks together established Cl0p's strategy of mass exploitation of managed file transfer vulnerabilities as a core business model.

Financial Impact
Multiple ransoms
Records Exposed
130+ orgs affected
2021-12-11
High
Ransomware
Technology

Kronos/UKG Ransomware 2021: Payroll Down for Thousands of Employers Over the Holidays

The Kronos/UKG ransomware attack of December 2021 disrupted payroll processing for thousands of employers across the United States during the holiday period, preventing companies from paying their employees accurately and on time through the HR systems they depended on — demonstrating that HR technology ransomware attacks can have direct employee compensation consequences across an entire customer ecosystem.

Financial Impact
$6M+ settlement
Records Exposed
Thousands of orgs
2021-03-21
Critical
Ransomware
Financial Services

CNA Financial Ransomware 2021: $40 Million, The Largest Known Ransomware Payment

The CNA Financial ransomware attack of March 2021 resulted in the largest known ransomware payment in history — $40 million paid to the Evil Corp-affiliated Phoenix ransomware group — and raised significant concern because CNA is itself a major cyber insurance underwriter, meaning the company that helps other organizations manage cyber risk had paid an unprecedented ransom to resolve its own attack.

Financial Impact
$40M ransom paid
Records Exposed
75K individuals
2026-04-01
High
Data Theft
Technology

Adobe Data Breach 2026: 13 Million Customer Records Exposed in the Latest Adobe Cyberattack

In April 2026, the ShinyHunters threat group claimed responsibility for a major breach of Adobe's systems, exposing 13 million customer support tickets, 15,000 employee records, internal company documents, and submissions from Adobe's bug bounty program. The breach was accessed via a third-party entry point — AppsFlyer, a marketing analytics partner — making it the most significant enterprise software supply chain breach of 2026 so far.

Financial Impact
Undisclosed
Records Exposed
13M+ tickets
2024-04-14
High
Ransomware
Telecommunications

Frontier Communications Ransomware 2024: 750K Customers, RansomHub

The Frontier Communications ransomware attack of April 2024 disrupted operations at one of the largest US internet service providers, with the RansomHub ransomware group stealing sensitive data on approximately 750,000 customers including Social Security numbers. The attack demonstrated that internet infrastructure companies are high-value ransomware targets whose compromise can have cascading effects on the customers and businesses that depend on their connectivity services.

Financial Impact
Undisclosed
Records Exposed
750K customers
2023-12-18
High
Regulatory Action
Regulatory

SEC Cybersecurity Disclosure Rule 2023: What Every Public Company Must Know

The SEC's cybersecurity disclosure rules, effective December 2023, require public companies to disclose material cybersecurity incidents within 4 business days of determining materiality, and to provide annual disclosures about cybersecurity risk management and governance. The rules fundamentally changed the relationship between cybersecurity and public company disclosure obligations — making CISO decisions about incident response part of the SEC's regulatory purview for the first time.

Financial Impact
Compliance costs
Records Exposed
N/A — regulatory
2022-09-01
Critical
Ransomware
Healthcare

Royal / BlackSuit Ransomware Group Profile (Conti Successor)

The Royal and BlackSuit ransomware operations represent the evolution of Conti ransomware through a succession of rebranding and restructuring that followed Conti's February 2022 dissolution. Royal emerged in mid-2022 as a sophisticated, highly targeted ransomware operation that explicitly avoided the RaaS model, operating as a private group with handpicked team members. In 2023, Royal rebranded as BlackSuit, continuing operations under new branding while maintaining the same core team and techniques.

Financial Impact
$275M (US ransoms)
Records Exposed
Hundreds of victims
2024-01-08
High
Ransomware
Financial Services

LoanDepot Ransomware 2024: 16.9 Million Records, SEC Disclosure Test

The LoanDepot ransomware attack of January 2024 exposed the sensitive personal and financial information of approximately 16.9 million customers of one of the largest US nonbank mortgage lenders. The attack disrupted LoanDepot's online services, loan processing systems, and customer-facing platforms for weeks, demonstrating the operational and reputational consequences of ransomware against financial services companies processing sensitive consumer mortgage data.

Financial Impact
$26.9M direct costs
Records Exposed
16.9M customers
2023-01-01
Critical
Business Email Compromise
Multi-Sector

Business Email Compromise (BEC): The $50 Billion Silent Threat

Business Email Compromise (BEC) is the single largest category of cybercrime financial loss, generating more than $50 billion in global victim losses since 2013 and consistently outpacing ransomware as the highest-dollar cybercrime category in FBI IC3 reporting. Unlike ransomware, BEC requires no malware, no technical exploitation, and no data breach — only a convincing impersonation of a trusted party combined with a wire transfer request or payment redirection.

Financial Impact
$50B+ global
Records Exposed
N/A — financial fraud
2021-04-01
High
Cloud Misconfiguration
Healthcare

Blue Shield of California 2025: 4.7 Million Members' Health Data Shared with Google Ads for 3 Years

Blue Shield of California disclosed in April 2025 that it had been sharing protected health information for approximately 4.7 million members with Google Ads and Google Analytics for nearly three years, from April 2021 through January 2024. The disclosure was not triggered by an external breach — it was triggered by an internal review that discovered the organization had configured its website analytics in a manner that transmitted health information to Google's advertising platforms without member consent or HIPAA authorization.

Blue Shield is one of the largest health insurers in the United States. The scale of inadvertent health data disclosure — 4.7 million members, three years, to an advertising platform — makes this one of the most significant HIPAA violations in the history of the regulation.

Financial Impact
FTC/OCR investigation ongoing
Records Exposed
4.7M members affected
2025-01-22
High
Cloud Breach
Healthcare

Oracle Health Breach 2025: Patient Data Exposed During Cerner Cloud Migration

In early 2025, Oracle Health — the healthcare division of Oracle formed through its $28 billion acquisition of Cerner — disclosed a breach of its legacy Cerner data migration servers that exposed patient health data from dozens of US hospital systems. The breach highlighted a specific and underappreciated risk in major M&A transactions: the security posture of legacy systems during data migration is often significantly weaker than either the acquiring company's production environment or the target's pre-acquisition systems.

Financial Impact
Under investigation
Records Exposed
Undisclosed hospital count
2025-02-21
Critical
Supply Chain Attack
Financial Services

Bybit Exchange Hack 2025: North Korea Steals $1.5 Billion in the Largest Crypto Theft in History

On February 21, 2025, the Lazarus Group — North Korea's premier cybercrime unit — stole approximately $1.5 billion in Ethereum from Bybit, one of the world's largest cryptocurrency exchanges. It was the single largest theft in the history of cryptocurrency, and it was executed not through a vulnerability in Bybit's own systems but through a compromise of Safe{Wallet}, the third-party multi-signature wallet infrastructure Bybit used to manage cold storage transfers. The attack demonstrated that supply chain compromise of wallet infrastructure represents an existential risk for any cryptocurrency exchange, regardless of the security of the exchange's own systems.

Financial Impact
$1.5B stolen
Records Exposed
N/A — financial theft
2026-03-01
High
Nation-State Attack
Healthcare

Stryker Cyberattack 2026: Iranian Hacktivists Wipe Medical Device Giant in Real Time

In March 2026, Stryker Corporation — one of the world's largest medical device companies — was hit by a cyberattack carried out by Handala, an Iran-linked hacktivist group. Unlike ransomware attacks focused on financial gain, the attack appeared designed for maximum operational disruption and public embarrassment: employees watched in real time as company computers were remotely wiped, forcing offices across the globe to shut down while security teams worked to contain the damage.

Stryker confirmed system outages and launched an investigation with third-party cybersecurity experts. The attack illustrated the growing threat of Iranian hacktivist groups targeting Western healthcare and defense-adjacent companies as geopolitical tools.

Financial Impact
Undisclosed — operational disruption
Records Exposed
Undisclosed
2026-01-15
High
Third-Party Compromise
Technology

Match Group / Tinder Breach 2026: ShinyHunters Hits Dating Apps via Third-Party Analytics

In early 2026, the ShinyHunters threat group — which had breached Match Group's family of dating applications including Tinder, Hinge, and OkCupid — claimed to possess millions of user records and began attempting extortion. Match Group characterized the incident as a security incident under investigation, consistent with Match Group's typical handling of breach disclosures. ShinyHunters cited AppsFlyer — a third-party mobile analytics provider — as the entry point, mirroring the same approach used in the Adobe breach of April 2026.

The Match Group breach demonstrates ShinyHunters' systematic targeting of high-value consumer data platforms via shared third-party analytics infrastructure.

Financial Impact
Undisclosed
Records Exposed
Millions of users
October 16-19, 2023 (disclosed December 18, 2023)
Critical
Vulnerability Exploitation — Citrix Bleed (CVE-2023-4966)
Telecommunications / Cable / Broadband

Comcast Xfinity Data Breach: 35.9 Million Customers, Citrix Bleed (CVE-2023-4966), and the 5-Day Patch Window That Defined the $117.5M Settlement

The December 2023 Comcast Xfinity breach exposed personal data for approximately 35.9 million Xfinity customers via the Citrix Bleed vulnerability (CVE-2023-4966) — a critical flaw in Citrix NetScaler that Comcast had not patched within the disclosed remediation window. The exposed data included contact information, account credentials, partial Social Security numbers, dates of birth, and security questions and answers. The case is a direct precedent for executive accountability on patch management timelines under the 2023 SEC Cybersecurity Disclosure Rules.

Financial Impact
$117.5M settlement
Records Exposed
35.9M customers
2026-05-03
Critical
Data Theft / Extortion
Education

Canvas Breach 2026: ShinyHunters Hit Instructure Twice, Exposing 275 Million Users Before Finals Week

On May 3, 2026, the ShinyHunters extortion group claimed responsibility for breaching Instructure, the parent company of Canvas — the learning management system used by 41 percent of higher education institutions in North America. The group claimed theft of 275 million user records and 3.65 terabytes of data spanning 8,809 schools, universities, and education platforms. On May 7, after Instructure publicly stated the incident was “resolved,” ShinyHunters re-compromised Canvas, redirecting university Canvas pages — including Harvard's, Penn's, Duke's, and the University of Wisconsin's — to a new ransom message setting a May 12 deadline. Forty minutes later, Instructure replaced the active ransom message with a fake “Canvas is currently undergoing scheduled maintenance” page during finals week. The status page would not be quietly updated to acknowledge the incident until twenty-one minutes after that.

Financial Impact
Undisclosed
Records Exposed
275M users
October 6, 2021 (data accessed October 4, 2021)
High
Cloud Misconfiguration / Insider-Adjacent
Streaming Media / Gaming / Amazon Subsidiary

Twitch Data Breach: 125GB Source Code Dump, Creator Payout Exposure, and Amazon's 'Server Configuration Change' Excuse

In October 2021, an anonymous attacker leaked 125GB of internal Twitch data on 4chan, including the entire Twitch source code, three years of creator payout reports, internal cybersecurity tooling, and an unreleased Steam competitor. Twitch attributed the breach to a "server configuration change" that allowed unauthorized external access to an internal Git server. The case is the canonical example of cloud configuration error as breach vector — and a study in disclosure language carefully chosen to minimize specific commitments about user data exposure.

Financial Impact
Scope undisclosed
Records Exposed
125GB internal data
2026-01-30
High
Unpatched Vulnerability
Government

European Commission Ivanti Breach 2026: Staff Data Exposed in Government MDM Attack

The European Commission disclosed in February 2026 that a cyberattack had compromised staff data through its mobile device management infrastructure — exploiting a vulnerability in Ivanti Endpoint Manager Mobile (EPMM) that had been disclosed by Ivanti in January 2026. The Commission contained the incident within nine hours but confirmed that staff names and mobile phone numbers may have been accessed by the attackers. The attack was part of a broader wave of Ivanti EPMM exploitation that affected government agencies across Europe and the United States in early 2026.

Financial Impact
Contained — staff data only
Records Exposed
EU Commission staff affected
June-August 2014 (disclosed October 2014)
Critical
Network Intrusion via Insufficient Authentication / Pump-and-Dump Securities Fraud
Financial Services / Banking

JPMorgan Chase Data Breach: 83 Million Customers, the One Server Without 2FA, and 'Hacking as a Business Model'

The JPMorgan Chase 2014 breach exposed contact information for 76 million U.S. households and 7 million small businesses — at the time, the largest theft of customer data from a U.S. financial institution. The attack was part of a broader criminal enterprise that breached at least 12 financial firms to support a pump-and-dump securities fraud operation. The breach is the canonical case study in inconsistent control deployment: JPMorgan had two-factor authentication on most of its servers, but not on the one the attackers found.

Financial Impact
$250M+ annual security spend
Records Exposed
83M records
2026-04-14
High
Credential Stuffing
Multi-Sector

Microsoft Token Theft Campaign 2026: 35,000 Users Across 13,000 Organizations Targeted in 48 Hours

Between April 14 and 16, 2026, Microsoft tracked a large-scale credential theft campaign that targeted more than 35,000 users across 13,000+ organizations in 26 countries. The attackers used a sophisticated combination of code-of-conduct-themed phishing lures and legitimate email services to direct targets to attacker-controlled domains, where they harvested authentication tokens. The campaign was notable for its scale, precision, and the sophistication of its evasion — using trusted email infrastructure to bypass email security controls and legitimate-looking pages to steal tokens rather than passwords.

Healthcare and life sciences organizations (19% of targets) were the primary sector targeted, followed by financial services and technology companies. 92% of targets were located in the United States.

Financial Impact
Undisclosed per org
Records Exposed
35,000+ users
2019-04-01
Critical
Ransomware-as-a-Service
Multi-Sector

REvil/Sodinokibi Ransomware Group Profile

REvil — also known as Sodinokibi — was the dominant ransomware threat of 2019-2021, responsible for attacks on JBS Foods, Kaseya VSA, Acer, and dozens of other high-profile organizations. The group pioneered aggressive extortion tactics and operated the most professionally organized ransomware-as-a-service platform of its era. REvil was disrupted twice by law enforcement — in mid-2021 and early 2022 — when the US, Russia, and allies coordinated arrests of multiple members.

Financial Impact
$1B+ all attacks
Records Exposed
Hundreds of victims
2023-10-28
High
Ransomware
Aerospace & Defense

Boeing LockBit Ransomware 2023: $200M Demand, Defense Contractor Breach

The Boeing LockBit attack of October 2023 was one of the highest-profile ransomware incidents of the year, with the LockBit ransomware group initially claiming a $200 million ransom demand against one of the world's largest defense contractors before publishing stolen data when Boeing did not pay. The attack targeted Boeing's global services and parts distribution business rather than aircraft manufacturing or defense systems.

Financial Impact
$200M demanded
Records Exposed
43GB data leaked
June 2024
Critical
Ransomware
Automotive Tech

CDK Global Breach 2024: When Your Software Vendor's Ransomware Attack Becomes Your Two-Week Operational Disaster

The CDK Global ransomware attack in June 2024 crippled car dealerships across North America for nearly two weeks, preventing tens of thousands of dealers from processing sales, accessing vehicle inventory, or managing service operations. CDK Global provides dealer management software (DMS) to approximately 15,000 North American automotive dealerships. When ransomware actors took CDK's systems offline, those 15,000 dealerships lost the digital infrastructure running their entire operations — from inventory management and finance and insurance (F&I) processing to parts ordering and service scheduling.

CDK Global is particularly relevant for private equity audiences because the automotive dealership sector is a significant PE investment category, and because the incident illustrates how a single software vendor's security failure can simultaneously disrupt thousands of small and mid-market businesses that represent portfolio companies or acquisition targets.

Financial Impact
$1B+ dealer losses
Records Exposed
Ops disruption
2024-12-28
Critical
Data Theft
Technology

PowerSchool Data Breach 2025: 60 Million Student Records and the K-12 SIS Vulnerability

The PowerSchool breach of December 2024–January 2025 exposed the personal records of an estimated 60 million students and 10 million teachers across 18,000 school districts in the United States and Canada — making it the largest breach of K-12 education data in history. The attacker accessed PowerSchool's Student Information System (SIS) — the administrative platform that tracks student enrollment, grades, attendance, and sensitive family information — using compromised credentials on a customer support portal.

What made the breach particularly damaging was the subsequent extortion campaign: after school districts paid ransom to prevent data publication, PowerSchool's threat actor returned with fresh extortion demands directly against individual districts months later, demonstrating that ransom payments had not produced data deletion.

Financial Impact
$0 ransom — then extortion
Records Exposed
60M+ students affected
2022-01-01
Critical
Ransomware-as-a-Service
Multi-Sector

LockBit Ransomware Group Profile

The LockBit ransomware group was the most prolific and damaging ransomware operation in history, responsible for more confirmed attacks than any other ransomware group across 2022 and 2023. A profile of LockBit's operations provides essential context for understanding the modern ransomware threat landscape, the Ransomware-as-a-Service model, and the law enforcement operations that ultimately disrupted the group in 2024.

Financial Impact
$120M+ in ransoms
Records Exposed
2,000+ organizations
2021-01-01
Critical
Ransomware-as-a-Service
Multi-Sector

Conti Ransomware Group Profile

The Conti ransomware group was the most destructive ransomware operation of 2020 and 2021, responsible for hundreds of millions in ransom payments and the functional destruction of Ireland's National Health Service. A unique window into Conti's operations was opened in February 2022 when a Ukrainian security researcher, following Russia's invasion of Ukraine, leaked over 160,000 internal Conti chat messages and the group's complete ransomware source code — the most detailed inside view of a major ransomware operation ever made public.

Financial Impact
$150M+ in ransoms
Records Exposed
400+ organizations
2021-11-01
Critical
Ransomware-as-a-Service
Multi-Sector

ALPHV/BlackCat Ransomware Group Profile

ALPHV/BlackCat was the most technically sophisticated ransomware-as-a-service operation of 2022-2024, responsible for the Change Healthcare breach, the MGM Resorts attack, and hundreds of other high-profile incidents. The group traced its lineage to DarkSide — the Colonial Pipeline attackers — through the BlackMatter RaaS, establishing BlackCat as the third-generation evolution of one of the most historically significant ransomware operations. The group's 2024 exit scam effectively ended the operation after a $22 million Change Healthcare ransom payment.

Financial Impact
$2.3B+ (all attacks)
Records Exposed
Hundreds of victims
2022-01-01
Critical
Social Engineering
Multi-Sector

Scattered Spider / UNC3944 Group Profile

Scattered Spider — also known as UNC3944, Muddled Libra, and Octo Tempest — is a loosely organized threat group of primarily English-speaking young adults who executed some of the most financially damaging social engineering attacks in enterprise history during 2022–2023. The group's targets included MGM Resorts, Caesars Entertainment, Okta, Twilio, Cloudflare, and dozens of others. Their weapon of choice was not malware but the telephone.

Financial Impact
$500M+ total
Records Exposed
Undisclosed
2023-01-11
High
Social Engineering
Technology

MailChimp Breach 2023: Third Breach in Eight Months, Crypto Companies Targeted

The MailChimp breach of January 2023 was the third breach of the email marketing platform in eight months, with an attacker using social engineering against a MailChimp employee to gain access to an internal tool used to support customer accounts — and then using that access to export email lists for cryptocurrency and Web3 companies specifically targeted for downstream phishing campaigns against their subscribers.

Financial Impact
Undisclosed
Records Exposed
133 customer accounts
2023-10-30
High
SEC Enforcement
Regulatory

SolarWinds CISO Charges 2023: Individual Executive Accountability for Cybersecurity Fraud

The SEC's 2023 enforcement action against SolarWinds Corporation and its Chief Information Security Officer Timothy Brown was the most consequential individual accountability action in cybersecurity history — the first time the SEC charged a CISO personally with securities fraud and internal controls violations related to cybersecurity disclosures. The charges alleged that SolarWinds and Brown had known about significant security vulnerabilities and misrepresented the company's security posture to investors in the years before the SUNBURST breach was discovered.

Financial Impact
$26M settlement
Records Exposed
N/A — enforcement
2023-03-29
High
Supply Chain Attack
Technology

3CX Supply Chain Attack 2023: One Compromise Enables Another

The 3CX supply chain attack of March 2023 was the first documented case of one supply chain attack being used to enable a second supply chain attack — North Korean Lazarus Group operators compromised a 3CX employee's personal computer through a malicious trading software package, then used that access to trojanize 3CX's legitimate desktop application, which was installed by hundreds of thousands of businesses worldwide.

Financial Impact
12M daily users hit
Records Exposed
600K+ companies
2023-05-24
Critical
Nation-State Attack
Critical Infrastructure

Volt Typhoon 2023: China's Pre-Positioning in US Critical Infrastructure

Volt Typhoon is the designation assigned by Microsoft, CISA, and US intelligence agencies to a Chinese state-sponsored threat actor pre-positioning within US critical infrastructure networks — not to steal data, but to establish persistent access capable of disrupting energy, water, communications, and transportation at a moment of geopolitical conflict. The campaign, disclosed in May 2023, represents a fundamentally different threat from financially motivated cybercrime: patient, stealthy intrusion with a strategic military purpose.

Financial Impact
Strategic threat
Records Exposed
N/A — pre-positioning
August–September 2023
High
Social Engineering
Hospitality & Gaming

Caesars Entertainment Breach 2023: The $15M Ransom That Taught Us Nothing New

Caesars Entertainment paid a $15 million ransom to Scattered Spider in September 2023 — quietly, discreetly, and without the operational disruption that characterized the simultaneous MGM breach. The Caesars payment is significant not primarily as a ransomware event but as a data point in the economics of extortion: paying the ransom is sometimes the rational financial decision, does not prevent data exposure, and does not prevent the attacker from claiming success and applying the same technique to the next target.

The Caesars breach also provides the clearest documented example of the Scattered Spider identity attack methodology in action against an organization that chose to pay rather than resist — offering a useful comparison point against MGM, which did not pay and suffered operational disruption, to evaluate the actual consequences of each response strategy.

Financial Impact
$15M ransom paid
Records Exposed
Tens of millions
2024-04-01
Critical
Info-Stealer Credential Theft / Cloud Platform Attack
Technology / Cloud Data (impact: Retail, Telecommunications, Financial Services)

Snowflake Customer Breach Campaign 2024

The Snowflake customer breach campaign of 2024 was the most consequential cloud data warehouse attack in history. A threat actor group used credentials stolen by information-stealing malware to access dozens of major companies' Snowflake environments — including AT&T, Ticketmaster, Advance Auto Parts, and Santander Bank — resulting in the theft of data affecting hundreds of millions of individuals across multiple high-profile incidents.

Financial Impact
Records Exposed
2022-08-01
High
Social Engineering
Technology

Twilio Smishing Breach 2022

The Twilio breach of 2022 is the most documented example of smishing as a corporate attack vector. Attackers sent SMS messages to Twilio employees impersonating IT, directing them to phishing pages that stole credentials. The breach cascaded to Twilio customers including Signal and Authy, demonstrating how a communications platform breach amplifies impact across the companies that depend on it.

Financial Impact
Undisclosed
Records Exposed
~125 customers
2024-07-01
Critical
Cloud Breach
Telecommunications

AT&T Data Breach 2024

The AT&T data breach of 2024 was actually two separate incidents affecting nearly 110 million AT&T customers. The first, in March 2024, involved data from a 2021 database that had circulated on the dark web. The second, in July 2024, revealed that records of virtually all AT&T customer calls and texts from 2022 had been stolen from AT&T's Snowflake cloud environment — one of the most consequential telecom breaches in US history.

Financial Impact
$370K ransom paid
Records Exposed
73M+ customers
2023-06-15
Critical
Nation-State Attack
Government

Microsoft Storm-0558 2023: Forged Tokens, Government Email Breach

In June 2023, Chinese state-sponsored hackers designated Storm-0558 breached the Microsoft Exchange Online email accounts of US State Department officials, Commerce Secretary Gina Raimondo, and approximately 22 US government organizations — by forging authentication tokens using a stolen Microsoft cryptographic signing key. The breach demonstrated that cloud platform authentication infrastructure itself can be the attack target, with customers having no visibility into or control over platform-level security events.

Financial Impact
Classified
Records Exposed
22 gov. orgs
2024-08-01
Critical
Nation-State Attack
Telecommunications

Salt Typhoon 2024–2025: China's 8-Month Infiltration of US Telecom Wiretap Infrastructure

Salt Typhoon — a Chinese state-sponsored APT group — infiltrated the systems of at least nine major US telecommunications carriers over an eight-month period, gaining access to the lawful intercept infrastructure that US law enforcement uses to conduct court-authorized wiretaps. The attackers didn't steal financial data or encrypt systems for ransom. They accessed the list of individuals under federal surveillance — providing Chinese intelligence with a real-time window into who the US government was watching, and why.

The Salt Typhoon breach is arguably the most consequential intelligence compromise in a decade. It wasn't discovered by any of the carriers. It was discovered by the FBI.

Financial Impact
National security cost
Records Exposed
9+ carriers breached
2022-10-01
Critical
Ransomware
Healthcare

Medibank Data Breach 2022

The Medibank breach of 2022 affected all 9.7 million current and former Medibank customers in Australia — the country's largest health insurer — exposing health claims data, diagnoses, and treatment information for the entire customer base. The attackers threatened to publish particularly sensitive health data about individual policyholders including claims related to substance abuse treatment, HIV status, and pregnancy terminations as extortion leverage.

Financial Impact
AUD $500M+ costs
Records Exposed
9.7M customers
2024-04-01
Critical
Data Theft
Data Broker

National Public Data Breach 2024

The National Public Data breach of 2024 was one of the largest data breaches in US history by scope, exposing Social Security numbers, addresses, and personal information for approximately 2.9 billion individuals from a data aggregation company most people had never heard of. The breach illustrated the privacy risks of the data broker industry and the compounding harm of data aggregated without the knowledge or consent of the individuals whose information was compiled.

Financial Impact
Bankruptcy filed
Records Exposed
2.9B records
May 14 – July 25, 2012 (initial limited disclosure 2012; full scope disclosed August 2016)
High
Cascade Attack — Credential Reuse from Prior Breach (LinkedIn)
Cloud Storage / SaaS

Dropbox Data Breach: 68 Million Accounts, the LinkedIn Cascade, and the Four-Year Disclosure Gap

The Dropbox breach pattern spans more than a decade. The 2012 incident exposed credentials for 68 million users via an employee password reused from the LinkedIn breach. The 2022 incident exposed 130 GitHub repositories via phishing-driven credential compromise. The 2023 Dropbox Sign incident exposed customer data for the e-signature service. The pattern illustrates how foundational identity controls — particularly MFA deployment and credential reuse prevention — produce recurring exposure when not consistently enforced.

Financial Impact
68.7M accounts
Records Exposed
68.7M accounts
2023-10-01
High
Credential Stuffing
Consumer Tech

23andMe Data Breach 2023: Genetic Data, DNA Relatives Exposed

The 23andMe data breach of October 2023 exposed the genetic data, ancestry information, and personal details of approximately 6.9 million users through credential stuffing against user accounts whose login credentials had been compromised in unrelated breaches. The breach was uniquely significant because the data exposed included not just the account holder's information but genetic relatives' information surfaced through 23andMe's DNA Relatives feature.

Financial Impact
Bankruptcy 2025
Records Exposed
6.9M users
March 2012 (initial disclosure June 2012); revised May 2016; 2021 scraping incident
High
Network Intrusion (2012) + API Scraping (2021)
Professional Networking / Social Media (Microsoft Subsidiary since 2016)

LinkedIn Data Breach: 117 Million Credentials in 2012, 700 Million Profiles Scraped in 2021, and a Decade of Disclosure Framing

The LinkedIn breach pattern spans more than a decade and illustrates two distinct categories of risk: the 2012 password breach (117 million credentials exposed via SQL injection and weak hashing), and the 2021 scraping incident (700 million profiles aggregated and sold). The 2012 breach exposed passwords protected only by unsalted SHA-1 hashes — a weakness widely understood at the time. The 2021 incident exposed how much sensitive data can be extracted from a service through legitimate API access without any technical compromise of the platform itself.

Financial Impact
800M+ records exposed
Records Exposed
800M+ records
2021-12-09
Critical
Zero-Day Exploit
Multi-Sector

Log4Shell 2021: The Vulnerability That Broke the Internet for a Week

The Log4Shell vulnerability disclosed on December 9, 2021 was the most significant software vulnerability in a decade — a critical remote code execution flaw in Log4j, a ubiquitous Java logging library embedded in thousands of enterprise applications. Within hours of disclosure, attackers were exploiting it at scale.

Financial Impact
$10B+ remediation
Records Exposed
Thousands of orgs
September–October 2023
Critical
Supply Chain Attack
Cybersecurity

Okta Breach 2023: When Your Identity Provider Becomes the Attack Vector and 134 Customers Pay the Price

The 2023 Okta support system breach is one of the most consequential identity security incidents in enterprise history — not because of what attackers took from Okta, but because of what Okta's position as a universal identity provider made accessible through the breach. Okta serves as the identity and access management backbone for thousands of organizations. When Scattered Spider compromised Okta's customer support system in September 2023, they gained visibility into the identity configurations of Okta's customers — turning a breach of one identity vendor into a supply chain attack on every organization that trusted Okta's support environment.

The downstream victims of the Okta breach — 1Password, BeyondTrust, Cloudflare, and MGM Resorts among them — demonstrate that the blast radius of a compromised identity provider extends far beyond the provider itself.

Financial Impact
Undisclosed
Records Exposed
Undisclosed
2021-03-02
Critical
Nation-State Attack
Multi-Sector

Microsoft Exchange HAFNIUM Zero-Day 2021

Operation Hafnium, disclosed in March 2021, involved Chinese state-sponsored actors exploiting four zero-day vulnerabilities in Microsoft Exchange Server — affecting hundreds of thousands of organizations globally. The attack enabled complete compromise of any organization running on-premises Exchange, including the installation of web shells that persisted even after patching. It prompted the first-ever White House attribution of a cyberattack to the Chinese Ministry of State Security.

Financial Impact
National security
Records Exposed
250K+ organizations
2024-05-08
Critical
Ransomware
Healthcare

Ascension Health Ransomware 2024

The Ascension Health ransomware attack of May 2024 was the most disruptive healthcare cyberattack in US history, forcing Ascension — one of the nation's largest nonprofit hospital systems with 140 hospitals across 19 states — to divert ambulances, cancel surgeries, revert to paper records, and take clinical systems offline for weeks. The attack demonstrated in the most consequential terms the patient safety implications of healthcare ransomware.

Financial Impact
$2.66B+ losses
Records Exposed
5.6M patients
February 2024
Critical
Ransomware
Healthcare

Change Healthcare Breach 2024: The $872M Ransomware Attack That Crippled American Healthcare

On February 21, 2024, Change Healthcare — a UnitedHealth Group subsidiary that processes approximately 40% of all US healthcare claims — suffered a ransomware attack that took its payment processing infrastructure offline for weeks, disrupting care delivery across hospitals, pharmacies, and physician practices nationwide. The financial impact to UnitedHealth Group exceeded $872 million in the first quarter alone. The human impact — delayed prescriptions, disrupted billing, deferred procedures — was immeasurable. The technical cause was a single Citrix remote access portal without multi-factor authentication.

Change Healthcare is not primarily important as a ransomware event. It is important as a systemic risk event — a demonstration that a single critical infrastructure company can become a single point of failure for an entire healthcare sector, and that the attack surface protecting that infrastructure may be no more sophisticated than a missing MFA configuration.

Financial Impact
$872M+ (UHG Q1 2024)
Records Exposed
100M+ patients
September 2023
Critical
Social Engineering
Hospitality & Gaming

MGM Resorts 2023 Breach: A $100M Lesson in Help Desk Security and Vishing-Based Identity Attacks

The September 2023 ransomware attack on MGM Resorts International is the most financially damaging and strategically instructive cyberattack against a US enterprise in recent history. A single 10-minute phone call to MGM's IT help desk — preceded by a LinkedIn search — triggered a chain of events that cost the company more than $100 million, took slot machines offline for days, locked hotel room keys, and disrupted reservations across 30+ properties. The perpetrators were members of Scattered Spider, a loosely organized group of English-speaking threat actors ranging in age from 19 to 24. They used no zero-day exploits. They deployed no custom malware. They made a phone call.

The MGM breach is important not because it is unique but because it is representative — of the social engineering techniques now being used at scale against mid-market enterprises, of the inadequacy of MFA as a complete identity control, and of the catastrophic financial consequences that follow when social engineering succeeds against an organization without compensating controls.

Financial Impact
$100M+ impact
Records Exposed
Undisclosed
2021-07-02
Critical
Supply Chain Attack
Technology

Kaseya VSA Ransomware 2021: 1,500 Businesses Hit Through One MSP Tool

The Kaseya VSA ransomware attack of July 4, 2021 was the most impactful ransomware supply chain attack in history — exploiting a zero-day vulnerability in Kaseya's remote monitoring and management software to push REvil ransomware to approximately 1,500 businesses through their managed service providers, on the Independence Day holiday weekend when IT staff coverage was minimal.

Financial Impact
$70M demanded
Records Exposed
1,500 businesses
May–June 2023
Critical
Zero-Day Exploit
Multi-Sector

MOVEit Breach 2023: How One Zero-Day Hit 1,000+ Organizations and Cl0p Made $100M

The MOVEit Transfer mass exploitation in May–June 2023 is the largest single vulnerability exploitation event in documented history by number of affected organizations. The Clop ransomware group exploited a SQL injection zero-day in Progress Software's MOVEit Transfer file sharing platform, compromising over 1,000 organizations and exposing data belonging to tens of millions of individuals in a single coordinated campaign. The victims ranged from Shell and British Airways to the US Department of Energy and the Oregon DMV, where the personal data of 101,000 customers was exposed.

MOVEit represents a paradigm shift in ransomware economics: rather than compromising organizations individually, Clop identified a single vulnerability in widely deployed managed file transfer software and simultaneously exploited every internet-accessible instance in the world. The economics of mass exploitation — one vulnerability, thousands of victims, thousands of potential ransom demands — are fundamentally more efficient than targeted attack campaigns.

Financial Impact
$1B+ aggregate
Records Exposed
Tens of millions
2021-05-30
High
Ransomware
Food & Agriculture

JBS Foods Ransomware 2021: $11M Ransom, US Beef Supply Threatened

The JBS Foods ransomware attack of May 2021 shut down the largest beef producer in the world for several days, demonstrating that ransomware against the food and agriculture sector can threaten national food supply chains and force government emergency responses — the same playbook that Colonial Pipeline established the month before had a direct sequel in food production.

Financial Impact
$11M ransom paid
Records Exposed
N/A — ops disruption
March–December 2020
Critical
Supply Chain Attack
Government

SolarWinds Breach 2020: The Supply Chain Attack That Changed How Boards Think About Cybersecurity

The SolarWinds supply chain attack, disclosed in December 2020, is the most comprehensively documented nation-state cyberattack in history — and the one that most fundamentally changed how security professionals think about supply chain risk, software trust, and the limitations of endpoint security. Russian SVR intelligence unit APT29 (Cozy Bear) compromised SolarWinds' software build pipeline and inserted malicious code into the Orion IT management platform, which was then distributed to approximately 18,000 customers through a legitimate signed software update. Among those 18,000 were the US Treasury Department, the US Department of Homeland Security, the US Department of Commerce, NATO, and dozens of the world's largest technology companies — including Microsoft, Intel, and Cisco.

The attack went undetected for nine months. The detection itself was accidental — FireEye, a cybersecurity firm that was itself a victim, discovered anomalous activity in its own network and traced it to the Orion update.

Financial Impact
Classified
Records Exposed
Classified
2020-07-15
High
Social Engineering
Social Media

Twitter Bitcoin Hack 2020: Vishing Compromises Obama, Biden, Gates Accounts

The Twitter breach of July 2020 compromised the accounts of the highest-profile individuals in the world — Barack Obama, Joe Biden, Elon Musk, Bill Gates, Jeff Bezos, Apple, and dozens of others — through a targeted vishing attack on Twitter employees that provided access to internal administrative tools. The attack demonstrated that the most sophisticated social engineering can succeed against even technology-forward organizations with substantial security investment.

Financial Impact
$120K stolen
Records Exposed
130 accounts
2022-09-01
Critical
Social Engineering
Technology

Uber Breach 2022

The Uber breach of 2022 is the definitive case study for social engineering and MFA bypass in the enterprise. Attackers with no sophisticated technical capability breached Uber's entire corporate infrastructure through a combination of purchased credentials, MFA fatigue, and vishing — then exfiltrated data from Uber's internal security tools, cloud environments, and code repositories.

Financial Impact
Undisclosed
Records Exposed
Undisclosed
2017-05-01
Critical
Unpatched Vulnerability
Financial Services

Equifax Data Breach 2017

The Equifax breach of 2017 exposed the personal information of 147 million Americans — including Social Security numbers, birth dates, addresses, and driver's license numbers — making it the most consequential identity data breach in US history. The breach was caused by a known vulnerability for which a patch had been available for two months.

Financial Impact
$1.4B total costs
Records Exposed
147.9M Americans
2019-07-01
Critical
Cloud Misconfiguration
Financial Services

Capital One Data Breach 2019

The Capital One breach of 2019 exposed 106 million customers' financial applications through a misconfigured Web Application Firewall in Amazon Web Services. It became the defining case for cloud security misconfiguration liability and resulted in the first major CISO-level criminal indictment related to a cloud breach at a different organization.

Financial Impact
$270M+ penalties
Records Exposed
106M records
May 2021
Critical
Ransomware
Energy

Colonial Pipeline Breach 2021: When Ransomware Shut Down the East Coast's Fuel Supply

The Colonial Pipeline ransomware attack in May 2021 shut down the largest fuel pipeline in the United States for six days, creating fuel shortages across the Eastern Seaboard, triggering a federal emergency declaration, and demonstrating to boards and executives across every sector what operational technology ransomware consequences look like at scale. The $4.4 million ransom paid to DarkSide — most of which was subsequently recovered by the FBI — was a footnote to the operational, regulatory, and reputational consequences of the event.

Colonial Pipeline is the definitive case study for board-level ransomware risk discussion because it translated cybersecurity into supply chain disruption visible to every American who drove a car that week. It moved ransomware from an IT problem to a national security problem in the public consciousness, and it accelerated federal regulatory action on critical infrastructure cybersecurity that continues to shape compliance requirements today.

Financial Impact
$4.4M ransom
Records Exposed
N/A — ops disruption
2013-12-01
Critical
Third-Party Compromise
Retail

Target Corporation Data Breach 2013

The Target data breach of 2013 remains one of the most consequential retail cyberattacks in history, exposing 40 million payment cards and 70 million customer records during the peak holiday shopping season. It fundamentally changed how corporations, boards, and regulators think about third-party vendor risk and network segmentation.

Financial Impact
$292M net loss
Records Exposed
110M records
August–December 2022
Critical
Supply Chain Attack
Cybersecurity

LastPass Breach 2022: When the Password Manager Gets Breached

The LastPass breach of 2022 is the most instructive data breach in the password security space precisely because it happened to the company that was supposed to be the answer to password security. LastPass stores the master passwords and encrypted password vaults of over 30 million users and 85,000 businesses. When attackers breached LastPass twice in 2022 — once in August, and again in November using data from the first breach — they obtained copies of customer password vaults that, if cracked, would give complete access to every password those customers had ever stored.

The LastPass breach is still unfolding. Cracking efforts against stolen vaults are ongoing. Users who reused their LastPass master password, chose a weak master password, or had weaker encryption parameters because their account retained older LastPass settings remain at risk of their 2022 vault copy being cracked years after the breach.

Financial Impact
Ongoing exposure
Records Exposed
30M+ vaults
2018–2026 (Pattern of 9+ breaches)
Critical
Multiple — API Exploitation, Credential Compromise, Insider Threat
Telecommunications

T-Mobile Data Breach: Complete Analysis of 9 Breaches, $531M in Penalties, and the Pattern of Governance Failure

T-Mobile has disclosed nine major data breaches since 2018 — and at least four more in the decade before — exposing more than 200 million customer records. The August 2021 breach exposed 76.6 million customers' Social Security numbers, driver's license numbers, and dates of birth. The January 2023 API breach added 37 million more. The September 2024 FCC settlement characterized T-Mobile's pre-breach security as "unjust and unreasonable" under federal communications law, requiring zero trust architecture and CISO board reporting.

Financial Impact
$531M+ in penalties
Records Exposed
200M+ records