Carl B. Johnson
Author

vCISO and compliance expert.

https://carlbjohnson.com

posts

Securing Cloud Applications

Securing Cloud Applications: A Practical Field Guide

The $65 Million Misconfiguration Nobody Saw Coming In March 2023, Toyota disclosed that a cloud misconfiguration had exposed vehicle data on 2.15 million customers for over a decade. A single cloud storage bucket, left publicly accessible, quietly leaked data from 2012 to 2023. Nobody noticed for ten years. That

Carl B. Johnson Nov 03, 2023 7 min read
Shadow IT Risks

Shadow IT Risks: The Hidden Threat Draining Your Budget

The App Your Marketing Team Installed Last Tuesday Could Cost You Millions In 2022, a mid-size healthcare company discovered that an employee had been syncing patient records to a personal Dropbox account for three years. No malicious intent — they just wanted to work from home more easily. The resulting HIPAA

Carl B. Johnson Nov 03, 2023 7 min read
Shadow IT

What Is Shadow IT? The Hidden Risk Draining Your Security

The Salesforce Instance Nobody Knew About In 2022, a mid-size healthcare company discovered that one of its marketing teams had been running an entirely separate Salesforce instance — for eleven months. Patient-adjacent data sat in an environment with no encryption at rest, no access controls, and no logging. The IT security

Carl B. Johnson Nov 03, 2023 7 min read
SaaS Security

SaaS Security Best Practices: A Hands-On Guide

The Breach That Started With a Single SaaS Login In January 2023, Mailchimp disclosed its second major breach in less than a year. The cause? A threat actor used social engineering to trick an employee into handing over credentials to an internal tool. That single compromised SaaS login exposed 133

Carl B. Johnson Sep 29, 2023 7 min read
Mobile Device Security Policy

Mobile Device Security Policy: What Most Companies Get Wrong

In March 2023, Samsung employees accidentally leaked sensitive source code and internal meeting notes by pasting proprietary data into ChatGPT — on their mobile devices. No malware was involved. No sophisticated threat actor broke through a firewall. Employees simply used their phones in ways the company's mobile device security

Carl B. Johnson Sep 18, 2023 7 min read
BYOD Security Risks

BYOD Security Risks: What Your Policy Is Missing

In January 2023, T-Mobile disclosed that a threat actor had stolen data on 37 million customer accounts — and the intrusion reportedly exploited an API accessible from systems that included employee-used devices. It wasn't a sophisticated zero-day. It was a gap in how endpoints and access were managed. If

Carl B. Johnson Sep 18, 2023 7 min read
USB Drive Security Risks

USB Drive Security Risks: The Threat Already on Your Desk

In January 2022, the FBI issued a public warning that the cybercriminal group FIN7 had been mailing malicious USB drives to U.S. companies — disguised as packages from Amazon and the U.S. Department of Health and Human Services. The drives, once plugged in, deployed ransomware onto corporate networks. This

Carl B. Johnson Sep 18, 2023 7 min read
Tailgating Attack

Tailgating Attack Cybersecurity: Stop the Walk-In Threat

In 2019, a man wearing a reflective vest and carrying a clipboard walked into a secure data center in Atlanta, unplugged a server, tucked it under his arm, and walked right back out the front door. Nobody stopped him. Nobody questioned him. A $2.5 million client database left the

Carl B. Johnson Sep 18, 2023 7 min read