The Breach That Cost Change Healthcare $22 Million in Ransom
In February 2024, the ransomware group ALPHV/BlackCat crippled Change Healthcare — a company that processes roughly one-third of all U.S. healthcare claims. The attack disrupted pharmacies, hospitals, and billing systems nationwide for weeks. UnitedHealth Group, Change Healthcare's parent company, confirmed paying a $22 million ransom. The root cause? A compromised credential on a Citrix remote access portal that lacked multi-factor authentication.
That single incident is one of the most devastating cybersecurity incident examples in recent history. And it's far from alone. I've spent years analyzing breaches, and the patterns are shockingly consistent. The same mistakes — weak credentials, absent MFA, untrained employees — show up over and over again.
This post walks through real-world cybersecurity incident examples, breaks down what actually went wrong, and gives you specific steps to avoid becoming the next case study. No theory. Just what happened, why, and what you should do about it.
Why Studying Cybersecurity Incident Examples Matters Now
The 2024 Verizon Data Breach Investigations Report found that 68% of breaches involved a non-malicious human element — someone clicked a phishing link, reused a password, or misconfigured a server. That number hasn't budged much in years, and it tells you everything about where defenses keep failing.
Reading about breaches isn't morbid curiosity. It's professional development. Every cybersecurity incident example contains a lesson about a control that was missing, a process that broke down, or a warning sign that was ignored. When I train security teams, I start with real incidents because nothing drives the point home faster than seeing a $100 million loss traced back to one employee clicking a link.
Here are the incidents that I think every security professional and business leader should study in 2025.
MOVEit Transfer: The Supply Chain Attack That Hit Thousands
In May 2023, the Cl0p ransomware gang exploited a zero-day SQL injection vulnerability in Progress Software's MOVEit Transfer file-sharing tool. The blast radius was extraordinary. Over 2,600 organizations and more than 77 million individuals were affected, according to tracking by Emsisoft. Victims included the U.S. Department of Energy, Shell, British Airways, and hundreds of others.
What Went Wrong
This was a supply chain attack. Organizations trusted MOVEit as a secure file transfer solution, and the threat actor exploited that trust. Many victims had no direct relationship with Progress Software — they were downstream customers of managed service providers who used MOVEit.
The lesson here is brutal: your security posture is only as strong as your weakest vendor. If you're not assessing third-party risk continuously, you're gambling. Zero trust principles demand that you verify every connection, every transfer, every integration — even from "trusted" tools.
MGM Resorts: A 10-Minute Phone Call That Cost $100 Million
In September 2023, the Scattered Spider threat actor group — working with ALPHV/BlackCat — brought MGM Resorts to its knees. Slot machines went dark. Hotel key cards stopped working. Reservation systems crashed. MGM disclosed roughly $100 million in losses from the incident.
The Social Engineering Playbook
The attackers didn't use some exotic zero-day exploit. They used social engineering. Reports indicate that Scattered Spider called MGM's IT help desk, impersonated an employee they found on LinkedIn, and convinced the help desk to reset credentials. That's it. A phone call.
This is one of those cybersecurity incident examples that should be required reading for every help desk team in the country. I've seen organizations spend millions on firewalls and endpoint detection while their help desk will reset a domain admin password based on a caller knowing someone's employee ID and birthday.
If your organization doesn't conduct regular phishing awareness training, you're leaving the front door wide open. Social engineering attacks don't just come through email — they come through phone calls, text messages, and even in-person visits.
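The control the MGM section points at is a help desk that will not reset credentials on the strength of knowledge-based answers alone. The following is an added example (not code from the original post, and not any vendor's product) of how that policy can be encoded so an agent's tooling enforces it rather than relying on judgment under pressure. The evidence labels, the privilege tiers and the sample requests are constructed for illustration; the point is the rule set, not the names.

```python
"""
Help-desk credential-reset gate: evidence-based identity verification.

Added example, not from the original post. Encodes the rule the post
argues for: facts a caller can look up or be told (employee ID, date of
birth, manager's name) never count toward approving a reset. Every reset
needs proof tied to something the organization registered in advance
(a push to the enrolled device, a callback to the HR-recorded number, or
an in-person badge check), and privileged or MFA-factor resets also need
an independent approver. Evidence labels and scenarios are constructed.
"""
from dataclasses import dataclass, field

# Caller-supplied facts: logged for the ticket, but never sufficient on their own.
KNOWLEDGE_BASED = {"employee_id", "date_of_birth", "manager_name", "last_four_ssn"}
# Proof anchored to something registered before the call (constructed labels).
OUT_OF_BAND = {"push_to_registered_device", "callback_to_hr_number", "in_person_badge"}
# Independent second party for high-impact resets.
SECOND_PARTY = {"manager_approval_ticket"}


@dataclass
class ResetRequest:
    account: str
    privileged: bool            # domain admin, global admin, and similar tiers
    mfa_reset_requested: bool   # re-enrolling MFA is higher impact than a password change
    evidence: set = field(default_factory=set)


@dataclass
class Decision:
    allowed: bool
    reasons: list


def evaluate_reset(req: ResetRequest) -> Decision:
    """Decide whether the help desk may proceed, and if not, what is still missing.

    Rule 1: knowledge-based answers never count toward approval.
    Rule 2: every reset needs at least one out-of-band proof.
    Rule 3: privileged accounts and MFA-factor resets also need an approver.
    Rule 4: a caller offering only knowledge-based facts is escalated, not served.
    """
    reasons = []
    strong = req.evidence & OUT_OF_BAND
    approver = req.evidence & SECOND_PARTY
    if not strong:
        reasons.append("missing out-of-band verification (push, HR callback, or badge check)")
    if (req.privileged or req.mfa_reset_requested) and not approver:
        reasons.append("privileged or MFA reset requires a manager approval ticket")
    if not reasons:
        return Decision(True, ["all required evidence present"])
    if req.evidence and req.evidence <= KNOWLEDGE_BASED:
        reasons.append("only knowledge-based answers presented; escalate, do not reset")
    return Decision(False, reasons)


# Constructed scenarios, not real tickets. The first mirrors the pattern the
# post describes: public profile details plus a request for an admin reset.
SCENARIOS = {
    "impersonation_attempt": ResetRequest(
        account="jdoe-admin", privileged=True, mfa_reset_requested=True,
        evidence={"employee_id", "date_of_birth"}),
    "standard_user_ok": ResetRequest(
        account="asmith", privileged=False, mfa_reset_requested=False,
        evidence={"employee_id", "push_to_registered_device"}),
    "admin_without_approver": ResetRequest(
        account="bjones-admin", privileged=True, mfa_reset_requested=False,
        evidence={"callback_to_hr_number"}),
    "admin_fully_verified": ResetRequest(
        account="bjones-admin", privileged=True, mfa_reset_requested=False,
        evidence={"callback_to_hr_number", "manager_approval_ticket"}),
}


def run_scenarios() -> dict:
    """Map each constructed scenario to the gate's allow/deny outcome."""
    return {name: evaluate_reset(req).allowed for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        d = evaluate_reset(req)
        print(f"{name}: {'ALLOW' if d.allowed else 'DENY'} - {'; '.join(d.reasons)}")
```

The design choice worth noting is that knowledge-based facts are collected but carry zero weight: the function does not score them, so a caller who knows more of them gets no closer to approval. That is what "beyond knowledge-based questions" has to mean in practice.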
SolarWinds: The Espionage Campaign That Rewrote the Rules
Discovered in December 2020, the SolarWinds Orion compromise remains one of the most significant cybersecurity incident examples in the history of nation-state espionage. Russian state-sponsored threat actors inserted a backdoor (SUNBURST) into SolarWinds' Orion software update process. Approximately 18,000 organizations downloaded the poisoned update, and at least nine federal agencies and around 100 private companies were directly compromised.
Why This Still Matters in 2025
SolarWinds fundamentally changed how the U.S. government approaches software supply chain security. It led directly to Executive Order 14028 on Improving the Nation's Cybersecurity, which mandated software bills of materials (SBOMs), zero trust adoption across federal agencies, and enhanced logging requirements.
For your organization, the takeaway is this: trust but verify is dead. Zero trust means assume breach, verify explicitly, and enforce least-privilege access at every layer. If a monitoring tool with privileged access to your entire network gets compromised, you need segmentation, anomaly detection, and incident response capabilities to limit the damage.
Colonial Pipeline: When Ransomware Hits Critical Infrastructure
In May 2021, the DarkSide ransomware group attacked Colonial Pipeline, which supplies roughly 45% of the fuel consumed on the U.S. East Coast. Colonial paid a $4.4 million ransom (the DOJ later recovered about $2.3 million in Bitcoin). The attack caused fuel shortages, panic buying, and temporary gas station closures across the Southeast.
One Compromised Password
The initial access vector was a compromised password on a legacy VPN account that didn't use multi-factor authentication. The account wasn't even actively used by an employee — it was an orphaned credential. One password. No MFA. That's all it took to disrupt fuel supply for millions of people.
CISA issued multiple advisories after the Colonial Pipeline attack, reinforcing that ransomware prevention starts with basic cyber hygiene: MFA everywhere, patch management, network segmentation, and offline backups.
What Do These Incidents Have in Common?
After analyzing dozens of major breaches, I see a clear pattern. Here's what keeps showing up:
- Credential theft or compromise — weak, reused, or stolen passwords remain the number one initial access vector.
- Missing multi-factor authentication — MFA would have stopped or significantly slowed at least three of the incidents above.
- Social engineering success — threat actors consistently exploit human trust faster than they exploit software vulnerabilities.
- Supply chain blind spots — organizations trust vendors and software without continuous verification.
- Slow detection and response — the IBM Cost of a Data Breach Report 2024 found the average breach takes 258 days to identify and contain. That's eight and a half months of an attacker living in your network.
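Two of the five patterns above (missing MFA, and slow detection after a social engineering reset) are things a detection rule can catch on day one rather than day 258. The following is an added example, not code from the original post or from any SIEM product, that runs two such rules over constructed authentication log lines: a remote login that completed without an MFA factor, and a login from a location the account has never used shortly after a help-desk credential reset. The key=value log format, field names, time window and sample events are all assumptions made for this example.

```python
"""
Detection over constructed authentication logs.

Added example, not from the original post. Two rules that map to the
incident patterns above:
  1. a remote-access login that succeeded with mfa=false
  2. a help-desk reset followed, within a window, by a login from a
     location (geo) the account has never used before
The log format (space-separated key=value), the field names, the 24-hour
window and the sample lines are constructed for this example; map them to
your identity provider's fields when adapting it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RESET_WINDOW = timedelta(hours=24)   # assumption: how long after a reset a new location is suspicious

# Constructed sample log. Not real accounts, agents or events.
SAMPLE_LOG = """\
ts=2024-02-28T09:00:00Z event=login user=jdoe-admin src=vpn mfa=true geo=US result=success
ts=2024-02-28T09:30:00Z event=login user=cwhite src=vpn mfa=true geo=US result=success
ts=2024-03-01T08:02:11Z event=login user=asmith src=vpn mfa=true geo=US result=success
ts=2024-03-01T10:01:05Z event=reset user=jdoe-admin src=helpdesk actor=hd-agent-7 result=success
ts=2024-03-01T10:09:33Z event=login user=jdoe-admin src=vpn mfa=false geo=BR result=success
ts=2024-03-01T11:45:00Z event=login user=bjones src=vpn mfa=false geo=US result=success
ts=2024-03-01T13:00:00Z event=reset user=cwhite src=helpdesk actor=hd-agent-2 result=success
ts=2024-03-01T13:20:00Z event=login user=cwhite src=vpn mfa=true geo=US result=success
ts=2024-03-01T14:05:00Z event=login user=asmith src=vpn mfa=true geo=US result=failure
"""


def parse_line(line: str) -> dict:
    """Parse one key=value line; the timestamp becomes a datetime."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def detect(events: list) -> list:
    """Return (timestamp, user, description) alerts from a list of parsed events."""
    alerts = []
    known_geo = defaultdict(set)   # locations each account has successfully used before
    last_reset = {}                # account -> time of its most recent help-desk reset
    for e in sorted(events, key=lambda ev: ev["ts"]):
        user = e["user"]
        if e["event"] == "reset" and e.get("src") == "helpdesk":
            last_reset[user] = e["ts"]
            continue
        if e["event"] != "login" or e.get("result") != "success":
            continue                # failures are out of scope for these two rules
        # Rule 1: remote access that did not present an MFA factor.
        if e.get("src") == "vpn" and e.get("mfa") != "true":
            alerts.append((e["ts"], user, "remote login without MFA"))
        # Rule 2: first-ever location for this account right after a help-desk reset.
        new_geo = e["geo"] not in known_geo[user]
        recent_reset = user in last_reset and e["ts"] - last_reset[user] <= RESET_WINDOW
        if recent_reset and new_geo:
            alerts.append((e["ts"], user,
                           f"login from new location {e['geo']} within 24h of help-desk reset"))
        known_geo[user].add(e["geo"])   # baseline is updated only after the checks run
    return alerts


def run_detection() -> list:
    """Run both rules over the constructed sample log."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for ts, user, desc in run_detection():
        print(f"{ts.isoformat()} {user}: {desc}")
```

Note that the location baseline for each account is updated only after the rules have run on the current event, so the first login from a new country is what triggers the alert, and an account that was reset and then logged in from its usual location (cwhite in the sample) produces nothing. Expect tuning around the window and around legitimate travel; the rule is deliberately narrow so that the reset-then-new-location pairing, not travel alone, is what fires.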
The $4.88 Million Lesson Most Organizations Learn Too Late
That IBM report also pegged the global average cost of a data breach at $4.88 million in 2024 — an all-time high. But here's the number that should really get your attention: organizations with security awareness training programs and incident response plans cut breach costs by an average of $1.5 million compared to those without.
Training isn't a checkbox exercise. It's a measurable, cost-effective control. When your employees can spot a phishing email, question an unusual help desk call, or report a suspicious login, they become your most valuable detection layer.
That's exactly why I recommend starting with a comprehensive cybersecurity awareness training program that covers credential hygiene, social engineering tactics, and incident reporting procedures. Pair that with regular phishing simulations and you'll see measurable improvement in your human firewall.
How to Use These Cybersecurity Incident Examples in Your Organization
Build a Breach Study Program
Every month, pick one real-world breach and walk your team through it. Not just the technical details — cover the business impact, the root cause, and what controls would have prevented it. I've found this is far more effective than generic "don't click links" training.
Map Incidents to Your Own Controls
After reviewing each incident, ask: "Could this happen to us?" Check if you have MFA on all remote access. Verify that your help desk has identity verification procedures that go beyond knowledge-based questions. Audit your vendor access and software supply chain.
Run Realistic Phishing Simulations
The MGM breach started with social engineering. Your defense against it starts with phishing simulations that mimic real threat actor tactics. Don't just send a fake "package delivery" email once a year. Simulate vishing (voice phishing) calls. Test pretexting scenarios. Make it realistic and measure the results.
Implement MFA Everywhere — No Exceptions
Colonial Pipeline, Change Healthcare — both compromised through accounts without MFA. In 2025, there's no acceptable reason for any remote access portal, email system, or admin account to lack multi-factor authentication. None.
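Both of those initial access vectors were visible in an account inventory before the incident: a remote-access account without MFA, and in Colonial's case an orphaned account nobody was using. The following is an added example, not code from the original post or from any identity provider, that audits a constructed account export for exactly those conditions plus dormancy. The CSV column names, the audit date, the 90-day dormancy threshold and the records are assumptions; replace the loader with your own directory or IdP export.

```python
"""
Access-control gap audit over a constructed account inventory.

Added example, not from the original post. Flags the conditions the
Colonial Pipeline and Change Healthcare write-ups above turn on:
  - an account on a remote-access portal, email, or with admin rights that
    has no MFA enrolled
  - an orphaned account whose owner is no longer active (or has no owner)
  - an account unused for longer than a dormancy threshold
Column names, the audit date, the threshold and the rows are constructed.
"""
import csv
import io
from datetime import date, timedelta

AS_OF = date(2025, 1, 15)           # assumption: date the audit is run
DORMANT_AFTER = timedelta(days=90)  # assumption: dormancy threshold
MFA_REQUIRED_SYSTEMS = {"email"}    # non-remote systems where MFA is still mandatory

# Constructed export; the column names are this example's, not a vendor's.
INVENTORY_CSV = """\
account,system,remote_access,privileged,mfa_enrolled,last_login,owner_status
asmith,vpn,yes,no,yes,2025-01-14,active
legacy-vpn-03,vpn,yes,no,no,2024-06-02,none
jdoe-admin,citrix,yes,yes,no,2025-01-10,active
bjones,email,no,no,no,2025-01-12,active
tmiller,vpn,yes,no,yes,2024-11-30,terminated
svc-backup,file-transfer,yes,no,yes,2025-01-15,active
"""


def load_inventory(text: str) -> list:
    """Parse the CSV export and convert last_login to a date."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["last_login"] = date.fromisoformat(r["last_login"])
        rows.append(r)
    return rows


def audit(rows: list, as_of: date = AS_OF) -> list:
    """Return (account, severity, finding) tuples for every gap found."""
    findings = []
    for r in rows:
        name = r["account"]
        remote = r["remote_access"] == "yes"
        privileged = r["privileged"] == "yes"
        mfa = r["mfa_enrolled"] == "yes"
        needs_mfa = remote or privileged or r["system"] in MFA_REQUIRED_SYSTEMS
        if needs_mfa and not mfa:
            findings.append((name, "HIGH", f"no MFA on {r['system']} account that requires it"))
        if r["owner_status"] != "active":
            findings.append((name, "HIGH", f"orphaned: owner status is {r['owner_status']}"))
        if as_of - r["last_login"] > DORMANT_AFTER:
            findings.append((name, "MEDIUM", f"dormant: no login since {r['last_login'].isoformat()}"))
    return findings


def run_audit() -> list:
    """Audit the constructed inventory as of the constructed audit date."""
    return audit(load_inventory(INVENTORY_CSV))


def findings_by_account(findings: list) -> dict:
    """Group findings so an account with several gaps is easy to prioritize."""
    grouped = {}
    for name, severity, text in findings:
        grouped.setdefault(name, []).append((severity, text))
    return grouped


if __name__ == "__main__":
    for name, items in findings_by_account(run_audit()).items():
        for severity, text in items:
            print(f"{severity:6} {name}: {text}")
```

In the constructed data the account that looks most like Colonial's vector (legacy-vpn-03) collects all three findings at once: remote access with no MFA, no owner, and months of disuse. An account that is orphaned but still MFA-protected (tmiller) is still a finding, because a departed employee's enrolled device is not a control the organization owns.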
Adopt Zero Trust Architecture
NIST Special Publication 800-207 provides the zero trust architecture framework that federal agencies are mandated to follow. Private organizations should study and adapt it. The core principle: never trust, always verify — regardless of whether the request comes from inside or outside your network.
What Is Considered a Cybersecurity Incident?
A cybersecurity incident is any event that compromises the confidentiality, integrity, or availability of an information system or the data it holds. This includes ransomware attacks, data breaches from credential theft, phishing campaigns that lead to unauthorized access, denial-of-service attacks, insider threats, and supply chain compromises. The FBI IC3 2023 Internet Crime Report documented over 880,000 complaints with adjusted losses exceeding $12.5 billion — a 22% increase over the prior year. Every one of those complaints represents at least one cybersecurity incident.
Your Incident Is Already In Progress
Here's what I tell every executive I advise: assume you're already compromised. The question isn't whether a threat actor will target your organization. The question is whether you'll detect them in time, respond effectively, and limit the damage.
The cybersecurity incident examples above aren't just cautionary tales for Fortune 500 companies. Small and mid-size businesses are targeted at disproportionate rates because attackers know their defenses are thinner. The Verizon DBIR consistently shows that smaller organizations face the same threat actors using the same tactics — just with fewer resources to defend against them.
Start with what you can control today. Roll out MFA. Train your people with structured cybersecurity awareness training. Audit your vendors. Build an incident response plan and actually test it. Every breach I've analyzed had at least one moment where a different decision, a better control, or a more alert employee could have changed the outcome.
Don't wait for your own incident to become someone else's case study.