In 2023, the FBI's Internet Crime Complaint Center received over 880,000 complaints with potential losses exceeding $12.5 billion — a 22% increase in losses from the year before. Yet the FBI estimates a massive number of cyber incidents still go unreported. That gap between what happens and
A single employee at MGM Resorts answered a social engineering call in September 2023, and within hours a threat actor had enough access to trigger a shutdown that cost the company over $100 million. The attacker didn't exploit a zero-day vulnerability. They exploited a person. That's
Your Board Doesn't Care About Completion Rates I sat in a meeting last year where a CISO proudly reported a 97% training completion rate. The board nodded politely. Two months later, a single phishing email led to a credential theft incident that cost the organization $2.3 million
The Email That Cost One Company $100 Million In 2019, Toyota Boshoku Corporation lost $37 million in a single business email compromise attack. A threat actor impersonated a senior executive, sent a convincing email, and an employee wired the funds. No malware. No zero-day exploit. Just one phishing email that
A Single Email Cost This Company $100 Million In 2015, Ubiquiti Networks disclosed that attackers used carefully crafted emails impersonating company executives to trick finance employees into wiring $46.7 million to overseas accounts. The attackers didn't exploit a software vulnerability. They exploited trust. That's spear
The Framework That 50% of U.S. Organizations Still Get Wrong When Colonial Pipeline went dark in 2021, it wasn't because the company lacked a security budget. It was because basic controls — like multi-factor authentication on a legacy VPN — weren't in place. A single compromised credential
In 2023, a single reused password gave threat actors access to 23andMe's credential stuffing attack, ultimately exposing the genetic data of 6.9 million users. The attackers didn't exploit a zero-day vulnerability. They didn't deploy sophisticated malware. They simply tried known username-password combinations from
One Click Cost MGM Resorts $100 Million In September 2023, a threat actor called Scattered Spider called the MGM Resorts help desk, impersonated an employee found on LinkedIn, and convinced IT staff to reset credentials. The result: ten days of operational chaos, encrypted systems, and an estimated $100 million in
A $1.3 Million Fine for Skipping the Basics In 2023, the FTC settled with Drizly and its CEO after a data breach exposed roughly 2.5 million customer records. The root cause? The company failed to implement basic security measures — including adequate employee security training. The FTC's
The Breach That Started With a Single Password In 2023, MGM Resorts lost an estimated $100 million after a threat actor social-engineered a help desk employee with a ten-minute phone call. The attackers didn't exploit some exotic zero-day vulnerability. They used basic social engineering — information scraped from LinkedIn
