The Breach That Cost MGM Resorts Over $100 Million
In September 2023, a threat actor called Scattered Spider brought MGM Resorts to its knees — not with some exotic zero-day exploit, but with a phone call. A social engineering attack against the company's IT help desk gave attackers the foothold they needed to deploy ransomware across the organization. The result? Over $100 million in losses, days of operational chaos, and a reminder that the most devastating breaches often start with the simplest tactics.
If you're searching for data breach examples to understand what's actually happening in the threat landscape, you're in the right place. I've spent years analyzing these incidents, and the patterns are disturbingly consistent. The techniques that worked in 2023 are still working now in 2024, and without serious changes, they'll keep working for years to come. Let me walk you through the real-world breaches that matter, the patterns behind them, and what your organization needs to do differently.
Why Studying Data Breach Examples Matters More Than Ever
The IBM Cost of a Data Breach Report 2023 pegged the global average cost of a data breach at $4.45 million — an all-time high. The 2023 Verizon Data Breach Investigations Report found that 74% of all breaches involved the human element, whether through social engineering, errors, or misuse of credentials. These aren't abstract numbers. They represent real companies that lost real money, real customer trust, and in some cases, their entire business.
Studying past breaches isn't just academic. It's how you build a defense strategy that actually works. Every breach is a case study in what went wrong — and more importantly, what could have been prevented. Here are the incidents I keep coming back to when I train security teams.
MOVEit Transfer: The Supply Chain Breach That Hit Thousands
In May and June 2023, the Cl0p ransomware gang exploited a zero-day vulnerability in Progress Software's MOVEit Transfer application. The fallout was staggering. Over 2,500 organizations were affected, including the U.S. Department of Energy, Shell, British Airways, and the BBC. Tens of millions of individuals had their data exposed.
This breach is one of the most significant data breach examples in recent memory because it demonstrated the cascading risk of supply chain vulnerabilities. Your organization might have rock-solid security, but if a vendor you rely on gets compromised, you're exposed anyway.
The Lesson for Your Organization
Vendor risk management isn't optional anymore. You need to know every third-party tool that touches your data, audit their security practices, and have incident response plans that account for supply chain failures. CISA published detailed advisories on the MOVEit vulnerability — the organizations that moved fastest on those advisories suffered the least damage. You can review CISA's ongoing guidance at CISA's Known Exploited Vulnerabilities Catalog.
23andMe: When Credential Theft Goes Genetic
In October 2023, genetic testing company 23andMe confirmed that hackers accessed the personal data of roughly 6.9 million users. The attack method? Credential stuffing. Attackers used usernames and passwords stolen from other breaches to log into 23andMe accounts. Because of the platform's DNA Relatives feature, compromising one account gave attackers access to the genetic data of that user's relatives too.
This is one of those data breach examples that should make every security professional uncomfortable. The initial compromise wasn't sophisticated. It was the reuse of stolen credentials — something that happens billions of times a year across the internet.
Why Multi-Factor Authentication Could Have Changed Everything
At the time of the breach, 23andMe did not require multi-factor authentication. After the incident, the company made MFA mandatory. That single control could have stopped the credential stuffing attack in its tracks. If your organization still treats MFA as optional, you're essentially leaving the front door unlocked and hoping nobody tries the handle.
MGM and Caesars: Social Engineering at Scale
I mentioned MGM earlier, but the full picture is even more alarming. The same threat actor group, Scattered Spider, also hit Caesars Entertainment around the same time. Caesars reportedly paid approximately $15 million in ransom. MGM refused to pay but absorbed massive operational losses instead.
Both attacks started with social engineering — specifically, vishing (voice phishing) calls to IT help desks. The attackers gathered employee information from LinkedIn and other public sources, then called in pretending to be those employees to reset credentials. From there, they escalated privileges and deployed BlackCat/ALPHV ransomware.
What This Means for Security Awareness
Technical controls matter, but they can't stop an employee from being manipulated over the phone. This is why cybersecurity awareness training is non-negotiable. Your help desk staff, your IT team, and every employee who picks up a phone or opens an email needs to understand how social engineering works. Not in theory — in practice, with realistic scenarios they'll actually face.
What Is the Most Common Cause of Data Breaches?
According to the 2023 Verizon Data Breach Investigations Report, stolen credentials are the single most common initial access vector in confirmed breaches. Phishing is the primary method attackers use to steal those credentials. This has been consistent for years, and there's no sign it's changing in 2024.
Here's the chain: a phishing email lands in an employee's inbox. It looks legitimate — maybe it mimics a Microsoft 365 login page or a DocuSign request. The employee enters their credentials. The attacker now has valid access. From there, they move laterally, escalate privileges, exfiltrate data, or deploy ransomware.
Breaking that chain at the phishing stage is the highest-leverage intervention most organizations can make. That's why I recommend running regular phishing awareness training and simulations — not once a year during compliance season, but consistently, so employees build the reflex to question suspicious messages.
T-Mobile: The Company That Can't Stop Getting Breached
T-Mobile disclosed yet another data breach in January 2023, this time affecting approximately 37 million customer accounts. Attackers exploited an API vulnerability to access customer names, billing addresses, emails, phone numbers, and account details. This came after a 2021 breach that exposed data on over 76 million people and resulted in a $350 million class-action settlement.
T-Mobile's repeated breaches are among the most cited data breach examples in the industry, and for good reason. They illustrate what happens when an organization fails to learn from past incidents. The FTC and state attorneys general have taken notice — T-Mobile agreed to invest $150 million in cybersecurity improvements as part of its settlement. You can track FTC enforcement actions at FTC's Cases and Proceedings page.
API Security: The Blind Spot
APIs are the connective tissue of modern applications, and they're increasingly the target. If your organization exposes APIs — and in 2024, almost every organization does — you need to inventory them, authenticate them properly, rate-limit them, and monitor them for anomalous access patterns. An unauthenticated or poorly monitored API is an open invitation to a threat actor.
Okta: When Your Identity Provider Gets Compromised
In October 2023, Okta disclosed that attackers had accessed its customer support management system. The breach affected all customers who had ever opened a support ticket — approximately 134 organizations initially, later revised to include all support system users. Attackers stole session tokens and cookies uploaded as part of support cases, which they then used to impersonate legitimate users.
When your identity and access management provider gets breached, the blast radius is enormous. This incident reinforced the importance of zero trust architecture — never assume any session, token, or identity is trustworthy without continuous verification.
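One concrete mitigation the Okta incident points to is scrubbing session material from diagnostic captures before they are attached to a support case, so a breach of the support system yields nothing replayable. Below is an added example, not Okta's or the post's code; it assumes the capture is a HAR-style JSON document and that the listed header names are the ones carrying session state.

```python
"""Redact session material from a HAR-style capture before attaching it to a
support ticket. Added example, not Okta's or the post's code; the HAR layout
and the header list below are assumptions."""
import copy
import json

# Header names that carry session state (assumed list; extend for your stack).
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "x-api-key"}
REDACTED = "[REDACTED]"

# Constructed sample capture, not a real support upload.
SAMPLE_HAR = {"log": {"entries": [{
    "request": {
        "url": "https://idp.example.test/api/session",
        "headers": [{"name": "Cookie", "value": "sid=abc123"},
                    {"name": "Accept", "value": "application/json"}],
        "cookies": [{"name": "sid", "value": "abc123"}]},
    "response": {
        "status": 200,
        "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"}],
        "cookies": [{"name": "sid", "value": "def456"}],
        "content": {"mimeType": "application/json", "text": "{}"}}}]}}

def _redact(items, names=None):
    """Blank the value of each matching item (all items when names is None); return count."""
    n = 0
    for item in items:
        if (names is None or item.get("name", "").lower() in names) and item.get("value") != REDACTED:
            item["value"] = REDACTED
            n += 1
    return n

def sanitize_har(har):
    """Return (sanitized deep copy, number of values redacted); the input is untouched."""
    out = copy.deepcopy(har)
    count = 0
    for entry in out["log"]["entries"]:
        for side in ("request", "response"):
            part = entry.get(side, {})
            count += _redact(part.get("headers", []), SENSITIVE_HEADERS)
            count += _redact(part.get("cookies", []))  # cookie arrays are session state by definition
    return out, count

def sanitized_json(har):
    """Serialise the sanitized capture, ready to upload."""
    return json.dumps(sanitize_har(har)[0], indent=2)
```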
The Pattern Behind Every Major Breach
After reviewing hundreds of breach reports and incident disclosures, here's the pattern I see repeated:
- Initial access through humans: Phishing, vishing, credential stuffing, or social engineering — the entry point is almost always a person, not a firewall.
- Credential reuse or weak authentication: Stolen passwords, no MFA, overly permissive access controls.
- Lateral movement through poor segmentation: Once inside, attackers move freely because networks are flat and monitoring is minimal.
- Slow detection: IBM reports the average time to identify and contain a breach is 277 days. That's nine months of an attacker living in your environment.
- Inadequate incident response: Many organizations discover they don't have a real incident response plan until they need one.
Every one of these failure points is addressable. Not with a single product or a one-time audit — with sustained effort, training, and a security-first culture.
What Your Organization Should Do Right Now
Don't wait for your company to become the next data breach example. Here's what I recommend based on what these incidents teach us:
1. Deploy Multi-Factor Authentication Everywhere
Not just for VPN. Not just for email. Every application, every admin account, every remote access point. Phishing-resistant MFA (FIDO2/WebAuthn) is the gold standard. NIST's Digital Identity Guidelines at NIST SP 800-63-3 provide the framework.
2. Train Your People — Then Train Them Again
Annual compliance training doesn't change behavior. Consistent, scenario-based security awareness training does. Enroll your team in comprehensive cybersecurity awareness training that covers social engineering, phishing, pretexting, and credential hygiene. Supplement it with ongoing phishing simulations that test real-world scenarios.
3. Implement Zero Trust Principles
Assume breach. Verify every access request. Segment your network so a single compromised account doesn't give an attacker the keys to everything. Monitor continuously for anomalous behavior.
4. Audit Your Vendors and APIs
Know who has access to your data. Review third-party security practices. Inventory and secure every API endpoint. The MOVEit and T-Mobile breaches both stemmed from vulnerabilities that better oversight would have caught.
5. Build and Test Your Incident Response Plan
A plan that lives in a binder on a shelf isn't a plan. Run tabletop exercises. Simulate breach scenarios. Make sure everyone from the CISO to the communications team knows their role when — not if — something goes wrong.
The Real Cost of Doing Nothing
Every data breach example I've covered in this post shares a common thread: the organizations involved had the ability to prevent or significantly mitigate the damage. They had the technology available. They had access to the threat intelligence. What they lacked was execution — the discipline to implement controls, train people, and maintain vigilance.
The FBI's Internet Crime Complaint Center (IC3) reported over $12.5 billion in losses from cybercrime complaints in 2023. That number grows every year. Your organization doesn't have to contribute to next year's statistics.
Start with what you can control. Train your people. Enforce strong authentication. Monitor your environment. And treat every breach you read about not as someone else's problem, but as a preview of what could happen to you.