01 · 2010
Stuxnet
Target: Iranian uranium-enrichment program (Natanz)
Cost: Estimated 1,000+ IR-1 centrifuges damaged
Computer worm targeting industrial control systems via Windows + Siemens Step7 software. The first publicly documented case of a cyber weapon causing physical destruction of industrial equipment. Manipulated PLC code to degrade centrifuges while reporting normal operation to monitoring systems. Discovered when the worm escaped Iran and infected systems globally. Widely attributed in declassified reporting to a joint US-Israeli operation under the codename Olympic Games. Never officially claimed.
::sources
- · Kim Zetter · Countdown to Zero Day · 2014
- · David Sanger · NYT 'Obama Order Sped Up Wave of Cyberattacks Against Iran' · June 1, 2012
Impact: Established cyber as a weapon capable of kinetic effects. Reshaped doctrine globally. Every offensive cyber program post-2010 cites Stuxnet as ancestor.
02 · 2013
Target Corporation
Target: Target Corporation retail point-of-sale systems
Cost: ~40M credit/debit cards + 70M PII records · $292M+ in direct breach costs
Attackers obtained credentials through Target's HVAC vendor (Fazio Mechanical), pivoted through Target's network, deployed memory-scraping malware on POS terminals. Card data exfiltrated over 19 days during peak holiday shopping. Established supply-chain attacks as a top-tier vector and remains the textbook case for vendor risk management.
::sources
- · Brian Krebs · 'Target Hackers Broke in Via HVAC Company' · Feb 5, 2014
- · Target SEC 10-K 2014 filing
Impact: Pushed PCI-DSS toward chip-and-PIN. The CISO role became a board-level conversation. Established third-party vendors as the dominant breach origin.
03 · 2014
Sony Pictures Entertainment
Target: Sony Pictures Entertainment
Cost: ~100 TB exfiltrated · 4 unreleased films leaked · multiple lawsuits
Attackers released internal emails, executive personal information, salary data, and unreleased films. Followed The Interview release controversy. Treasury Department sanctioned North Korea in January 2015 based on attribution. One of the first major public examples of state-actor reprisal against a US private company over content.
::sources
- · FBI press release · 'Update on Sony Investigation' · Dec 19, 2014
- · Treasury Department · sanctions order · Jan 2, 2015
Impact: Established that nation-states will retaliate against private companies over content. Prompted self-censorship discussions across Hollywood.
04 · 2015
US Office of Personnel Management (OPM)
Target: US Office of Personnel Management
Cost: 21.5M federal employee records · including SF-86 background investigation forms with fingerprints
Sustained intrusion exfiltrating the personnel records of essentially every federal employee, plus contractors and the family members named on background investigations. SF-86 forms include foreign contacts, financial records, and mental health history. Attributed by the US government to Chinese state actors. The single most consequential US government data breach by counterintelligence value.
::sources
- · DNI Clapper · Senate testimony · Sep 10, 2015
- · OPM Office of the Inspector General · audit reports 2015-2017
Impact: Reformed federal cybersecurity governance. Created the Cybersecurity and Infrastructure Security Agency (CISA, 2018). Counterintelligence damage estimated to persist for years.
05 · 2017
Equifax
Target: Equifax credit reporting agency
Cost: 147M US consumers' PII · $1.4B+ in fines and settlements
Attackers exploited an unpatched Apache Struts vulnerability (CVE-2017-5638) disclosed two months prior. Maintained access for 76 days. Exfiltrated names, SSNs, DOBs, addresses, driver's license numbers, credit card numbers. Four PLA officers indicted by DOJ in February 2020.
::sources
- · Equifax · 8-K SEC filing · Sep 7, 2017
- · DOJ indictment of four PLA officers · Feb 10, 2020
Impact: Patch management failures became board-level liability. State data-breach notification laws expanded. SEC began requiring material breach disclosure within 4 business days (effective 2023).
06 · 2017
NotPetya
Target: Initially Ukraine via M.E.Doc tax software; cascaded globally
Cost: Estimated $10B+ in damages · Maersk: $300M · Merck: $870M · FedEx TNT: $400M
Destructive malware disguised as ransomware (the encryption was irrecoverable). Spread via the compromised Ukrainian tax-accounting software M.E.Doc. Attributed by the US, UK, Canadian and Australian governments, together with the other Five Eyes members, to the Russian GRU. The largest documented cyber-attack economic impact in public reporting. Demonstrated that even non-Ukrainian businesses with only tangential Ukrainian exposure could become collateral damage.
::sources
- · White House statement · attribution to GRU · Feb 15, 2018
- · UK NCSC + US CISA · joint advisory · multiple dates
Impact: Cyber-insurance war-exclusion clauses began excluding nation-state attacks (Mondelez v. Zurich, 2018, settled 2022). Supply-chain risk in upstream software became a board-level concern.
07 · 2020
SolarWinds Orion
Target: SolarWinds + ~18,000 downstream customers including US federal agencies
Cost: Estimated $100B+ in remediation costs across affected organizations
Software supply-chain compromise: attackers inserted SUNBURST backdoor into SolarWinds Orion network-monitoring product updates. ~18,000 customers received the backdoored update. Selective post-compromise activity targeted US Treasury, Commerce, State, DHS, Energy, parts of DoD, Microsoft, FireEye (which discovered the compromise), and others. Attributed by US government to Russian SVR. Triggered the Biden administration's Executive Order 14028 on Improving the Nation's Cybersecurity.
::sources
- · FireEye · 'Highly Evasive Attacker Leverages SolarWinds Supply Chain' · Dec 13, 2020
- · Joint statement from FBI, CISA, ODNI, NSA · attribution to SVR · Jan 5, 2021
Impact: The software supply chain became a category-one threat in federal doctrine. SBOM (Software Bill of Materials) requirements expanded. The 2023 National Cybersecurity Strategy explicitly addresses this lineage.
08 · 2021
Microsoft Exchange ProxyLogon
Target: On-premises Microsoft Exchange Server worldwide
Cost: Tens of thousands of organizations compromised before patches available
Four zero-day vulnerabilities (CVE-2021-26855, -26857, -26858, -27065) exploited by the Chinese state-sponsored group Microsoft tracks as HAFNIUM. Initial exploitation began in early January 2021; Microsoft patched on March 2; mass exploitation by multiple groups followed. The FBI subsequently used a court order to remove malicious web shells from victim systems, an unprecedented active cyber operation on US private infrastructure.
::sources
- · Microsoft Threat Intelligence Center · HAFNIUM attribution · Mar 2, 2021
- · DOJ press release · 'Justice Department Announces Court-Authorized Effort to Disrupt Exploitation of Microsoft Exchange Server Vulnerabilities' · Apr 13, 2021
Impact: Patch-availability gaps in critical infrastructure became a central concern. Federal authority for active defense expanded by precedent.
09 · 2021
Colonial Pipeline
Target: Largest fuel pipeline operator in the eastern US
Cost: $4.4M ransom paid · 6-day pipeline shutdown · fuel shortages across SE US
Ransomware attack via compromised single-factor VPN credentials. Pipeline operator shut down operations as a precaution after IT systems were encrypted (not OT systems directly). Attributed to DarkSide (Russia-based criminal group). FBI recovered ~$2.3M of the ransom from a tracked Bitcoin address. Pushed TSA toward mandatory cybersecurity directives for pipeline operators.
::sources
- · Colonial Pipeline statement · multiple, May 7-13, 2021
- · FBI press release · ransom recovery · Jun 7, 2021
- · TSA Security Directive Pipeline-2021-01
Impact: Federal cybersecurity directives expanded to critical infrastructure outside of traditional regulation. MFA on remote access became a baseline for critical infrastructure.
10 · 2021
Kaseya VSA
Target: Kaseya MSP software + ~1,500 downstream organizations
Cost: ~$70M in ransoms demanded · Sweden's Coop grocery closed 800 stores
REvil ransomware group exploited a zero-day in Kaseya's VSA remote-management software, used by managed service providers (MSPs) to administer client networks. Compromised one MSP, distributed ransomware to that MSP's customers. Cascaded across ~1,500 organizations. FBI obtained the decryptor and shared it with victims; Russian authorities later arrested REvil members (Jan 2022, later proceedings unclear).
::sources
- · Kaseya security advisory · multiple, July 2-13, 2021
- · CISA + FBI · joint advisory · July 4, 2021
Impact: MSP-as-vector category solidified as top threat. Federal scrutiny on the MSP industry's own security posture intensified.
11 · 2023
MOVEit Transfer
Target: Progress Software MOVEit · downstream effects across 2,500+ organizations
Cost: ~95M records affected · 2,500+ organizations confirmed compromised
Cl0p ransomware group exploited a zero-day SQL injection in MOVEit Transfer (CVE-2023-34362). Mass-exploitation between May 27 and June 1, 2023. Affected organizations included British Airways, BBC, Boots, US Department of Energy, NY Department of Motor Vehicles, university systems, and many more. Single largest breach by organizational count in the modern era.
::sources
- · Progress Software security advisory · May 31, 2023
- · CISA #StopRansomware advisory · June 7, 2023
Impact: Re-centered focus on file-transfer software as a high-value target category. Vendor security testing requirements expanded.
12 · 2023
Volt Typhoon (disclosure)
Target: US critical infrastructure (telecom, transportation, water, energy)
Cost: Pre-positioning detected before disruptive action
Joint CISA/NSA/FBI/Five Eyes advisory disclosing a Chinese state-sponsored campaign of pre-positioning in US critical infrastructure for potential disruptive operations in a future crisis. Living-off-the-land techniques (no malware, only legitimate tools used for malicious purposes) made detection difficult. Subsequent disclosures through 2024-2025 expanded the scope. The publicly stated assessment is that Volt Typhoon is positioning for sabotage, not espionage collection.
::sources
- · CISA #StopRansomware advisory AA23-144A · May 24, 2023
- · Microsoft Threat Intelligence · Volt Typhoon reporting · May 24, 2023
- · FBI Director Christopher Wray testimony to House Select Committee on CCP · Jan 31, 2024
Impact: Reframed the Chinese cyber threat from espionage to pre-positioning for sabotage. Critical-infrastructure threat hunting became a federal priority.
13 · 2024
Change Healthcare
Target: UnitedHealth Group subsidiary processing ~1/3 of US healthcare claims
Cost: $22M ransom confirmed paid · estimated 100M+ individuals affected · ~$2.5B+ in total response costs
ALPHV/BlackCat ransomware attack disrupted billing across thousands of providers. UnitedHealth confirmed payment of $22M ransom in subsequent congressional testimony. Notification of affected individuals continued through 2024-2025 with estimates exceeding 100M people. The largest US healthcare data breach by individuals affected.
::sources
- · UnitedHealth Group · 8-K filings · multiple, 2024
- · House Energy and Commerce subcommittee testimony · Apr 16, 2024
- · Senate Finance Committee testimony · May 1, 2024
Impact: Healthcare third-party-risk regulation accelerated. Industry-concentration risk in healthcare claims processing came to be framed as a national-security issue.
14 · 2024
Salt Typhoon
Target: US telecommunications carriers (AT&T, Verizon, Lumen confirmed)
Cost: Compromise of lawful-intercept systems · scope of intelligence loss still being assessed
Chinese state-sponsored compromise of US telecommunications carriers, including access to lawful-intercept systems, the same systems used by US law enforcement for court-authorized wiretaps. Considered one of the most consequential US telecommunications intrusions in public reporting. Government communications, including the phones of senior officials, reportedly affected. Disclosed by FBI/CISA in late 2024.
::sources
- · Joint FBI + CISA statement · 'PRC targeting commercial telecommunications infrastructure' · late 2024
- · WSJ + WaPo investigative reporting · multiple, Oct-Dec 2024
Impact: Telecommunications-sector security regulation accelerating in 2025. End-to-end encryption advocacy strengthened in policy circles.
15 · 2024
Snowflake (cascading customer breaches)
Target: Snowflake customer accounts (AT&T, Ticketmaster/Live Nation, Santander, others)
Cost: AT&T: ~110M customer records · Ticketmaster: ~560M · Santander: 30M
Credential-stuffing attacks against Snowflake customer accounts that lacked MFA. Stolen credentials sourced from prior infostealer-malware infections. Multiple high-profile customer data breaches resulted. UNC5537 (Mandiant attribution) was the primary actor. Pushed Snowflake to require MFA for all customer accounts by default.
::sources
- · Mandiant · UNC5537 reporting · Jun 10, 2024
- · AT&T 8-K SEC filing · Jul 12, 2024
Impact: Cloud-tenant MFA defaults became table stakes. The infostealer-malware market and the credential-broker economy received renewed federal attention.