In January 2022, the International Committee of the Red Cross disclosed that a sophisticated cyberattack compromised the personal data of more than 515,000 vulnerable people — including refugees, detainees, and missing persons. The attackers exploited an unpatched vulnerability in a single system. One missed update. Half a million of the world's most vulnerable people exposed. If you're searching for data breach examples to understand what goes wrong and how to prevent it, you're asking the right question. The patterns behind every major breach are remarkably consistent, and the lessons are ones your organization can act on right now.

I've spent years analyzing breaches, running incident response, and training organizations on what actually stops these attacks. The truth is uncomfortable: most breaches aren't the work of genius hackers. They exploit human error, poor hygiene, and predictable gaps. Let's walk through the most instructive data breach examples from the last several years and extract what you can actually use.

The $4.24M Pattern Behind Every Data Breach

IBM's 2021 Cost of a Data Breach Report pegged the average cost of a breach at $4.24 million — the highest in 17 years of the report. The Verizon 2021 Data Breach Investigations Report (DBIR) found that 85% of breaches involved a human element, and 61% involved credentials. Those two numbers tell you almost everything you need to know about where to focus your defenses.

The data doesn't lie. Threat actors follow the path of least resistance. That path almost always runs through people — specifically, through social engineering, phishing, and credential theft. The breach examples below prove it over and over again.

SolarWinds: When Your Supply Chain Becomes the Attack Surface

The SolarWinds breach, disclosed in December 2020, remains one of the most consequential cyberattacks in history. A threat actor attributed to a nation-state group compromised the Orion software build process and inserted a backdoor into the product's signed updates. Roughly 18,000 customers, including U.S. federal agencies and Fortune 500 companies, downloaded the trojanized update; the attackers then picked a much smaller set of high-value victims for hands-on follow-up intrusion.

What makes this data breach example so important isn't just scale. It's the attack vector. SolarWinds wasn't breached through a phishing email aimed at an intern. The attackers compromised the software supply chain itself, turning a trusted product into a weapon. The poisoned update carried a valid SolarWinds code signature, so the signature and hash checks customers rely on passed cleanly: trust in the vendor was the vulnerability.

What This Means for Your Organization

You probably aren't running a software company with 300,000 customers. But you are using third-party software, SaaS platforms, and managed services. Every one of those is a potential supply chain risk. The lesson: you need to evaluate your vendors' security posture, not just your own, and limit what each vendor's software can reach. Monitoring and management tools deserve special scrutiny: Orion sat on the network with broad reach and privileged credentials, which is exactly what made the backdoor so valuable. A zero trust approach, one that verifies every access request regardless of source, has become essential, not optional.

Colonial Pipeline: Ransomware Meets Critical Infrastructure

In May 2021, the Colonial Pipeline ransomware attack shut down the largest fuel pipeline in the United States for six days. The DarkSide ransomware group gained access through a single compromised VPN credential — a legacy account that wasn't protected by multi-factor authentication. Colonial paid a $4.4 million ransom (the FBI later recovered about $2.3 million of it).

One password. No MFA. Fuel shortages across the Eastern Seaboard. That's the reality of credential theft in 2022.

The Single Control That Could Have Stopped It

Multi-factor authentication. That's it. The VPN account used by the attackers had a reused password found in a previous breach dump. If MFA had been enabled, the stolen credential alone wouldn't have been enough. Account hygiene would have done it too: the profile was a legacy VPN account that was no longer meant to be in use but was still reachable from the internet. I've said it a hundred times: MFA is the single highest-impact control most organizations still haven't fully deployed.

Microsoft Exchange Server: Zero-Days at Massive Scale

In early March 2021, Microsoft disclosed four zero-day vulnerabilities in Exchange Server being actively exploited by a threat actor group known as Hafnium. Within weeks, an estimated 250,000 servers worldwide were compromised. Attackers installed web shells, exfiltrated email, and in many cases laid the groundwork for future ransomware deployment.

This data breach example is critical because it hit organizations that thought on-premises email was safer than the cloud. Many of the victims were small and mid-sized businesses that lacked dedicated security teams — and lacked the patching discipline to respond to emergency advisories within hours.

Patch Management Is Not Optional

CISA issued Emergency Directive 21-02 ordering federal agencies to patch immediately. But thousands of private organizations lagged behind by days or weeks. If your patch cycle is measured in weeks, you're leaving windows open that threat actors actively scan for. The Hafnium campaign showed how short the window really is: exploitation was already under way in January, before the patches existed, and once the fixes shipped other groups reverse-engineered them and mass exploitation followed within days. Patching alone wasn't enough, either. A server that was compromised before the patch still had its web shell afterwards, which is why the directive told agencies to look for signs of compromise, not just to update.

T-Mobile: 54 Million Records and Counting

In August 2021, T-Mobile confirmed a breach exposing personal data of more than 54 million people — including Social Security numbers, driver's license information, and dates of birth. The attacker, a 21-year-old, claimed T-Mobile's security was "awful" and that he had accessed an unprotected router to pivot into internal systems.

This wasn't T-Mobile's first breach. Or second. The company had disclosed breaches in 2018, 2019, and 2020 as well. The FTC and state attorneys general have taken increasing interest in companies that suffer repeated breaches without demonstrable improvement in security controls.

Repeated Breaches Signal Systemic Failure

When the same organization gets breached year after year, the problem isn't bad luck — it's cultural. Security awareness, proper network segmentation, and basic access controls weren't in place. If your organization has experienced an incident before, the question isn't if it will happen again. It's whether you've actually changed anything since last time.

What Is the Most Common Cause of Data Breaches?

According to the Verizon 2021 DBIR, the most common cause of data breaches is social engineering, followed closely by basic web application attacks using stolen credentials. Phishing accounts for 36% of breaches. Credential theft — through phishing, brute force, or credential stuffing from previous breaches — is involved in 61% of incidents. In short, attackers target people first and systems second. The most effective defense combines security awareness training with technical controls like MFA and endpoint detection.

The Phishing Problem Isn't Slowing Down

The FBI's Internet Crime Complaint Center (IC3) reported that phishing was the number one reported cybercrime in 2021 by volume, with IC3 receiving over 323,000 phishing complaints. Business email compromise (BEC) — a more targeted form of phishing — accounted for nearly $2.4 billion in adjusted losses, making it the costliest cybercrime category by far.

I've run phishing simulations for organizations of every size. The first round always shocks leadership. Click rates of 25-40% on the initial test are common. After consistent training, those rates drop to 2-5%. That's the difference between an organization that gets breached and one that doesn't.

Building a Phishing-Resistant Culture

Running a single annual training module and calling it done is security theater. Effective phishing defense requires ongoing simulated attacks, immediate feedback when employees fail, and reinforcement of what good reporting looks like. If you want to build a phishing simulation program for your organization, our phishing awareness training for organizations gives you the framework and tools to get started.

Practical Steps to Learn from These Data Breach Examples

Every breach above shares common threads. Here's what you should actually do about them.

  • Deploy multi-factor authentication everywhere. Start with email, VPN, remote management, and any system with access to sensitive data. No exceptions for legacy accounts, and better still, find and disable dormant ones: the Colonial Pipeline VPN profile was a legacy account nobody should have been using. Where you can, prefer phishing-resistant factors (FIDO2/WebAuthn hardware keys) over SMS codes and push prompts, which attackers can phish or spam until someone approves.
  • Patch aggressively. Build a process that gets critical patches deployed within 48 hours. CISA's Known Exploited Vulnerabilities (KEV) Catalog lists flaws confirmed to be exploited in the wild, each with a remediation due date; it is your priority list.
  • Train your people continuously. Annual compliance training doesn't change behavior. Monthly phishing simulations and short awareness modules do. Our cybersecurity awareness training course covers the fundamentals every employee needs.
  • Adopt zero trust principles. Stop assuming anything inside your network is safe. Verify identity, check device health, and enforce least-privilege access for every request.
  • Evaluate your vendors. The SolarWinds breach proved that your security is only as strong as your weakest vendor. Ask for SOC 2 reports. Review their incident response history.
  • Monitor for credential exposure. Use threat intelligence services to check whether your organization's credentials appear in breach dumps, and screen new and reset passwords against breached-password lists at the point of entry rather than only after the fact. Reused passwords are the single most exploitable weakness in credential theft.
  • Have an incident response plan — and test it. A plan you've never rehearsed is just a document. Run tabletop exercises quarterly.
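The patching step above (and the Exchange patch-lag discussion earlier) is easier to act on when the KEV catalog is wired into a script rather than read by hand. The following is an added example, not code from the article. It assumes the field names CISA's KEV JSON feed uses (cveID, vendorProject, product, dateAdded, dueDate); the feed snippet, the inventory, and the CVE IDs in it are constructed placeholders, and the 48-hour internal SLA is the article's own target.

```python
"""Turn CISA's Known Exploited Vulnerabilities (KEV) catalog into a patch queue.

Added example, not code from the article. It reads a feed in the JSON shape
CISA publishes (a top-level "vulnerabilities" list whose entries carry cveID,
vendorProject, product, dateAdded and dueDate), keeps the entries that match a
local asset inventory, and ranks them against two clocks: CISA's own dueDate
and an internal 48-hour SLA counted from dateAdded. The feed and inventory
below are CONSTRUCTED sample data with placeholder CVE IDs, not a download.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date, timedelta

# Live feed location (not fetched here; the demo uses SAMPLE_KEV_JSON).
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
INTERNAL_SLA = timedelta(days=2)  # the 48-hour target for critical patches

# Constructed feed in the KEV JSON shape. CVE IDs are placeholders.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2022.02.01", "count": 4,
  "vulnerabilities": [
    {"cveID": "CVE-2021-11111", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
    {"cveID": "CVE-2022-22222", "vendorProject": "ExampleCorp", "product": "Remote Access VPN",
     "dateAdded": "2022-01-28", "dueDate": "2022-02-11"},
    {"cveID": "CVE-2022-33333", "vendorProject": "ExampleCorp", "product": "Mail Gateway",
     "dateAdded": "2022-01-31", "dueDate": "2022-02-14"},
    {"cveID": "CVE-2022-44444", "vendorProject": "Acme", "product": "Widget Router",
     "dateAdded": "2022-01-31", "dueDate": "2022-02-14"}
  ]
}"""

# Constructed inventory as (vendor, product), spelled the way KEV spells them.
# A real inventory needs a normalization table: KEV naming is not uniform.
SAMPLE_INVENTORY = [
    ("Microsoft", "Exchange Server"),
    ("ExampleCorp", "Remote Access VPN"),
    ("ExampleCorp", "Mail Gateway"),
]


@dataclass(frozen=True)
class Finding:
    cve_id: str
    vendor: str
    product: str
    date_added: date
    cisa_due: date
    internal_due: date
    days_past_internal: int  # >0 means past the 48-hour SLA; <=0 is time left
    days_past_cisa: int      # >0 means past CISA's due date


def _norm(name: str) -> str:
    return " ".join(name.lower().split())


def matches_inventory(entry: dict, inventory) -> bool:
    key = (_norm(entry["vendorProject"]), _norm(entry["product"]))
    return any((_norm(v), _norm(p)) == key for v, p in inventory)


def prioritize(feed_json: str, inventory, today_iso: str) -> list[Finding]:
    """KEV entries that hit the inventory, most urgent first."""
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in json.loads(feed_json)["vulnerabilities"]:
        if not matches_inventory(entry, inventory):
            continue
        added = date.fromisoformat(entry["dateAdded"])
        cisa_due = date.fromisoformat(entry["dueDate"])
        internal_due = added + INTERNAL_SLA
        findings.append(Finding(
            cve_id=entry["cveID"], vendor=entry["vendorProject"],
            product=entry["product"], date_added=added, cisa_due=cisa_due,
            internal_due=internal_due,
            days_past_internal=(today - internal_due).days,
            days_past_cisa=(today - cisa_due).days,
        ))
    # Longest past the internal SLA first; ties broken by the earlier CISA date.
    findings.sort(key=lambda f: (-f.days_past_internal, f.cisa_due))
    return findings


def report(findings) -> list[str]:
    """One human-readable line per finding, in priority order."""
    lines = []
    for f in findings:
        if f.days_past_internal > 0:
            status = f"OVERDUE by {f.days_past_internal}d (internal SLA)"
        else:
            status = f"{-f.days_past_internal}d left (internal SLA)"
        if f.days_past_cisa > 0:
            status += f", {f.days_past_cisa}d past CISA due date"
        lines.append(f"{f.cve_id:16} {f.vendor} {f.product}: {status}")
    return lines


if __name__ == "__main__":
    for line in report(prioritize(SAMPLE_KEV_JSON, SAMPLE_INVENTORY, "2022-02-01")):
        print(line)
```

Run as-is it ranks the constructed feed against a "today" of 2022-02-01 and flags the two entries already past the 48-hour mark. To use it for real, fetch KEV_FEED_URL on a schedule, replace the inventory with output from your asset management system, and page someone when a finding's days_past_internal turns positive.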
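For the credential-exposure step (and the reused VPN password behind the Colonial Pipeline incident described earlier), the check a practitioner actually wants is one that screens a password against breach data at set or reset time without sending the password itself to anyone. The following is an added example, not code from the article. It implements the k-anonymity range query that Have I Been Pwned's Pwned Passwords API uses; the breach corpus, its counts and the server stand-in are constructed so the example runs offline, and fetch_range_hibp shows the real call for when network access is available.

```python
"""Screen passwords against a breach corpus without revealing the password.

Added example, not code from the article. Protocol (as used by Have I Been
Pwned's Pwned Passwords API): SHA-1 the password, send only the first five hex
characters of the digest (GET https://api.pwnedpasswords.com/range/<prefix>),
receive every suffix in that bucket as "SUFFIX:COUNT" lines, and match the
remaining 35 characters locally. The server side below is a CONSTRUCTED
stand-in built from a made-up corpus so the example runs offline.
"""
from __future__ import annotations

import hashlib

PREFIX_LEN = 5


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest format the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest_hex: str) -> tuple[str, str]:
    """(prefix sent to the server, suffix kept and matched locally)."""
    return digest_hex[:PREFIX_LEN], digest_hex[PREFIX_LEN:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.
    Malformed input raises rather than silently dropping lines, so a broken
    response cannot quietly turn a breached password into a clean one."""
    counts: dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 40 - PREFIX_LEN:
            raise ValueError(f"malformed range line: {line!r}")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in the corpus (0 = never seen)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_allowed(password: str, fetch_range, min_length: int = 8) -> tuple[bool, str]:
    """Policy gate for a set/reset flow: length floor plus breach screen."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = breach_count(password, fetch_range)
    if seen:
        return False, f"appears {seen} times in known breach data"
    return True, "ok"


# ---- Constructed server side (offline stand-in) ------------------------------
SAMPLE_CORPUS = {"password": 3861493, "Password1": 140, "Summer2021!": 27}  # made-up counts


class ConstructedBreachServer:
    """Buckets hash suffixes by prefix and pads every answer with dummy
    zero-count suffixes, as the real API does when sent 'Add-Padding: true',
    so response size does not leak whether the bucket had real hits."""

    def __init__(self, corpus: dict[str, int], padding: int = 3):
        self.buckets: dict[str, dict[str, int]] = {}
        self.padding = padding
        for pw, count in corpus.items():
            prefix, suffix = split_hash(sha1_hex(pw))
            self.buckets.setdefault(prefix, {})[suffix] = count

    def fetch_range(self, prefix: str) -> str:
        prefix = prefix.upper()
        rows = dict(self.buckets.get(prefix, {}))
        for i in range(self.padding):
            rows.setdefault(split_hash(sha1_hex(f"padding:{prefix}:{i}"))[1], 0)
        return "\r\n".join(f"{s}:{c}" for s, c in sorted(rows.items()))


def fetch_range_hibp(prefix: str) -> str:
    """The real query (needs network; not used by the offline demo)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-screen-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    server = ConstructedBreachServer(SAMPLE_CORPUS)
    for candidate in ["password", "Summer2021!", "tr0ub4dor&3-long-enough"]:
        print(candidate, password_allowed(candidate, server.fetch_range))
```

Pass fetch_range_hibp instead of the stand-in's method to query the live service. Decide deliberately what happens when the lookup fails: raising (as parse_range_response does) fails closed, which is right for a password-reset endpoint but may need a logged fallback for a login flow, and never fail open silently.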

Why Studying Data Breach Examples Matters Right Now

We're in February 2022, and the threat landscape is intensifying. Nation-state activity is elevated. Ransomware gangs are more professionalized than ever. The Log4Shell vulnerability disclosed in December 2021 is still being actively exploited across thousands of organizations that haven't fully remediated it.

Studying real data breach examples isn't academic — it's the fastest way to understand where your own gaps are. Every breach I've described above was preventable with controls that are available today. Not expensive controls. Not exotic controls. Basic, proven controls that most organizations simply haven't fully implemented.

The Gap Between Knowing and Doing

Here's what I see constantly: security teams know what needs to happen. Leadership approves it in principle. But execution stalls. MFA rollout takes 18 months. Phishing training gets deprioritized. Patching gets deferred because "it might break something." Meanwhile, threat actors don't wait.

The organizations that avoid becoming the next data breach example are the ones that treat security as an operational priority, not a project. They train their people. They enforce their controls. They assume they'll be targeted and prepare accordingly.

Your Next Move

If you've read this far, you already understand the stakes. The question is what you do next. Start with the two things that address the root cause of most breaches: people and credentials.

Get your team enrolled in structured cybersecurity awareness training that covers social engineering, credential hygiene, and threat recognition. Then launch an ongoing phishing awareness program that tests and reinforces those skills every month.

The breaches I've outlined above didn't happen to careless organizations. They happened to the Red Cross, to federal agencies, to one of the largest telecom companies on earth. If it can happen to them, it can happen to you. The difference is whether you've learned from their mistakes before you have to learn from your own.