A Single Stolen Phone Cost This Company $4.9 Million In 2023, a healthcare organization reported to the HHS that a single unencrypted mobile device — left in a rideshare — led to the exposure of over 100,000 patient records. The resulting HIPAA settlement, remediation costs, and reputational damage ran into
The Personal Phone That Took Down a Hospital Network In 2023, a nurse at a regional hospital plugged her personal phone into a workstation USB port to charge it. That phone carried malware picked up from a third-party app store. Within 72 hours, ransomware had encrypted patient records across three
The Text Message That Cost One Company $40 Million In 2024, a sophisticated smishing campaign targeted employees at several major financial institutions. Threat actors sent SMS messages impersonating IT support, directing staff to fake login portals that harvested credentials and multi-factor authentication tokens. The attackers then used those stolen credentials
In March 2024, a finance director at a mid-size logistics company received a text message that appeared to come from the CEO. It asked for a quick wire transfer to close a vendor deal. The director tapped the link, entered credentials on what looked like the company's banking
The $0.97 Device That Cost a Defense Contractor Millions In 2008, a USB flash drive infected with the Agent.BTZ worm was plugged into a U.S. military laptop at a base in the Middle East. It took the Department of Defense 14 months to clean up the damage,
In January 2024, a penetration tester hired by the Iowa State Court Administration was arrested for breaking into a courthouse — even though he had a signed contract to test physical security. The incident made national news and sparked a legal battle. But it also exposed something most organizations ignore: the
A Badge Swipe, a Smile, and a Six-Figure Data Breach In 2019, a penetration tester hired by Coalfire walked into a locked Iowa courthouse after hours — simply by following someone through a door. He and his partner were arrested, but the point was proven: physical security is often the weakest
In 2023, a Ponemon Institute study sponsored by 3M found that 91% of visual hacking attempts — someone simply looking at a screen — were successful. No malware. No zero-day exploit. No phishing email. Just a person standing in the right place at the right time, reading credentials off someone else'
In 2023, a healthcare organization in the Midwest lost over 2,000 patient records — not because a hacker exploited a zero-day vulnerability, but because an employee left printed patient lists on their desk over the weekend. A cleaning contractor photographed them. That's it. No malware, no phishing email,
The Breach That Started With a Single Slack Message In September 2022, a threat actor convinced a Uber contractor to approve a multi-factor authentication push notification. That single moment of human failure gave the attacker access to Uber's internal systems, including their Slack workspace, vulnerability reports, and financial
