Last Updated on May 7, 2026 by Arnav Sharma
I’ve been working in security long enough to remember some of these incidents in real time, and looking back across two decades brings back a lot of memories, not all of them pleasant.
This isn’t a blow-by-blow recap. What I want to do is step back and look at what this history actually tells us, what patterns keep showing up, what lessons we apparently needed to learn more than once, and why some of these incidents hit harder than their technical write-ups suggest.
1. Stuxnet (2010): The First Shot Heard Around the OT World
Most people who weren’t in ICS/OT security in 2010 heard about Stuxnet the same way they heard about other interesting malware: a conference talk, a blog post, a Wired feature. It seemed almost science fiction. A worm that crossed air gaps via USB drives, hunted for specific Siemens PLCs, and quietly sabotaged uranium centrifuges at Natanz by making them spin out of spec while reporting normal readings to operators.
Four zero-days. In one piece of malware. That detail alone tells you this wasn’t some ransomware crew looking for a payout. This was state-level engineering.
What Stuxnet actually proved wasn’t just that you could build a cyber weapon. It proved that air-gapped OT networks were not the safety blanket operators thought they were. The delivery mechanism, reportedly via USB introduced by a contractor, bypassed every perimeter control Natanz had. The malware then sat quietly and damaged equipment for months before anyone noticed centrifuge failure rates were climbing.
I’ve talked to OT security teams since then who still treat Stuxnet as the benchmark for what a sophisticated threat looks like. The interesting thing is how long it took the broader industry to absorb the IT/OT convergence problem. We’re still having that conversation in 2026.
2. The RSA SecurID Breach (2011): When the Lock Itself Gets Picked
In March 2011, RSA Security disclosed that attackers had broken into its systems and stolen data related to its SecurID two-factor authentication tokens. The initial entry point was a spear-phishing email with a malicious Excel attachment. One employee opened it. That was enough.
What made this one sting was the downstream effect. RSA’s SecurID tokens were used by tens of thousands of organisations, including defence contractors. Once attackers had the seed values that underpin how those tokens generate codes, they had a skeleton key. Two months later, Lockheed Martin, one of the US’s largest defence contractors, was hit. Northrop Grumman and L-3 Communications were targeted too. RSA ended up spending $66 million in remediation and had to offer token replacements to high-risk customers.
The lesson, which still applies today, is about trust hierarchies. When a security product itself becomes the attack vector, every customer who relied on that product inherits the exposure. Nobody had really stress-tested what happens when the authentication infrastructure fails.
3. Anonymous and the Rise of Hacktivism (2008–2012)
The rise of Anonymous deserves more credit for shifting how the public understood cyber threats. Between roughly 2008 and 2012, Anonymous and later LulzSec turned hacking into something visible and political. They weren’t stealing data quietly. They were publishing it, defacing websites, taking down PlayStation Network and government sites, and doing press interviews.
Whether you agreed with their targets or not, they made cyber incidents front-page news for people who had never thought about network security. They also showed that you didn’t need nation-state resources to cause real disruption. Some of the most embarrassing breaches of that era came from small groups with basic tooling and a lot of patience.
The hacktivism era created a threat category that many organisations hadn’t modelled: ideologically motivated attacks where the goal is embarrassment and disclosure, not financial gain. A lot of corporate risk frameworks quietly added “reputational damage via data leak” as a threat scenario after this period.
4. The Target Breach (2013): Supply Chain Risk Goes Mainstream
The Target breach doesn’t get enough credit for how much it changed executive attitudes toward security spending. Yes, it was a data breach. But the entry point was an HVAC vendor’s credentials. A third-party refrigeration contractor handed attackers access to the payment card data of 40 million customers.
Before Target, the standard enterprise security conversation was mostly about your own perimeter. After Target, supply chain risk and third-party access controls became boardroom topics. Not because executives suddenly cared about security theory, but because they watched a CEO and CIO lose their jobs over it.
The attacker path, from a vendor with network access to POS terminals, was a chain of failures: compromised contractor credentials, no network segmentation between HVAC and payment systems, alerts that fired and went uninvestigated. Target paid hundreds of millions in settlements.
5. The Yahoo Breach (2013–2014): Three Billion Accounts and Years of Silence
The Yahoo disclosures are their own kind of story: breaches in 2013 and 2014 that affected three billion accounts, disclosed years later during an acquisition. Verizon reportedly knocked $350 million off the purchase price when the breaches came to light. That’s one of the cleaner examples of how security posture translates directly into balance sheet risk, though most boards still needed it spelled out.
The delayed disclosure was its own controversy. Years passed between the breach and the public knowing about it. Regulatory frameworks at the time didn’t mandate timely disclosure the way they do now. The Yahoo case was one of the catalysts for tightening disclosure obligations in subsequent years.
6. The Sony Pictures Hack (2014): Nation-States Target the Private Sector
On 24 November 2014, employees at Sony Pictures showed up to find a red skull on every screen and a message from a group calling itself the Guardians of Peace. What followed was 22 days of data dumps: unreleased films, executive salary spreadsheets, embarrassing internal emails, and personal data on thousands of employees.
The FBI attributed the attack to North Korea, linking the operation to Sony’s planned release of The Interview, a comedy depicting the assassination of Kim Jong-un. Regardless of where you land on attribution, the incident was the first time a US president formally attributed a cyberattack to a nation-state in public.
The Sony hack made something viscerally clear to private sector organisations: you don’t need to be a defence contractor to end up in the crosshairs of a state actor. Cultural output, business decisions, political satire, any of these can be enough if someone with state resources decides to make an example of you.
7. The Ashley Madison Breach (2015): When Data Becomes a Weapon
The Ashley Madison hack is the breach that most clearly showed the industry the difference between data being stolen and data being weaponised against the people it belongs to.
In July 2015, a group calling itself the Impact Team broke into Ashley Madison’s systems and stole around 60 gigabytes of data covering roughly 36 million user accounts, including names, addresses, sexual preferences, and credit card transaction records. When the site’s owner refused to shut down, the attackers dumped everything publicly.
What followed wasn’t just reputational fallout. People lost marriages. There were confirmed suicides linked to the exposure. Years of extortion campaigns followed, with attackers mining the breach data to send personalised blackmail emails demanding Bitcoin payments.
Ashley Madison made something concrete that the industry had treated abstractly: the harm from a data breach isn’t always financial, and some data carries consequences that can’t be measured in credit card fraud. Privacy risk started getting the weight it deserved in breach impact assessments after this.
8. The Shadow Brokers and EternalBlue (2016–2017): When NSA Weapons Go Public
In 2016, a group called the Shadow Brokers began leaking what it claimed were NSA offensive hacking tools. The leaks were staggered and dramatic, and came with auction attempts. Most of the cybersecurity community watched with a mix of fascination and dread.
The most consequential item in those leaks was EternalBlue, an exploit targeting a vulnerability in Windows SMB. Microsoft had patched it in March 2017. Six weeks later, WannaCry used it to spread across 200,000 machines in 150 countries. Six weeks after that, NotPetya used it to tear through infrastructure globally.
EternalBlue lingered in the wild for years. Organisations that hadn’t patched SMBv1 kept getting hit with it long after WannaCry was old news. The Shadow Brokers episode also opened a serious policy debate about vulnerability stockpiling: holding offensive capabilities for years creates compounding risk when those tools eventually leak.
9. The Mirai Botnet (2016): Your DVR Is Now a Weapon
In October 2016, a botnet built almost entirely from compromised consumer IoT devices launched a DDoS attack against Dyn, a DNS provider used by a large chunk of the internet. Traffic peaked at around 1.2 Tbps. Twitter, Netflix, Amazon, Spotify, PayPal, and GitHub all went down or became intermittently unreachable for hours.
The botnet was called Mirai. It spread by scanning for IoT devices still running factory default credentials and logging in. No exploit. No zero-day. Just default usernames and passwords.
What Mirai exposed was a systemic failure in the consumer device market. Manufacturers had been shipping devices with hardcoded or default credentials for years, with no update mechanism and no security baseline. The IoT security conversation still happening in 2026 traces a direct line back to that Friday morning when a chunk of the internet went dark because someone’s security camera was doing the attacking.
10. WannaCry (2017): Ransomware at Scale
WannaCry in May 2017 was a turning point. Before it, ransomware was mostly a nuisance targeting individual machines or small businesses. WannaCry used EternalBlue to spread automatically across networks without any user interaction. No phishing link. No attachment. Just port 445 exposed, and you were done.
The UK’s NHS got hit hard. Hospitals cancelled appointments, surgeries were postponed, staff reverted to pen and paper. Estimated global cleanup costs reached $8 billion.
The kill switch story is one of my favourite moments in modern security history. Marcus Hutchins, a 22-year-old researcher working from his bedroom, found a hardcoded domain in the malware. He registered it for about $10. The ransomware phoned home, got a response, and stopped spreading. A $10 domain registration stopped a global worm.
The patch that would have stopped WannaCry had been available for 58 days before it hit.
11. NotPetya (2017): The Most Expensive Cyberattack in History
WannaCry was stopped. NotPetya, which followed six weeks later, was not ransomware in any meaningful sense. It was a wiper dressed up to look like ransomware. Russian military intelligence targeted Ukrainian businesses via a poisoned update to a Ukrainian tax accounting platform called M.E.Doc, then watched it spread through multinational networks to more than 60 countries.
The decryption key was fake. There was no getting files back. Maersk lost somewhere between $250 million and $300 million and had to reinstall 45,000 PCs and 4,000 servers across 130 countries in ten days. FedEx’s TNT division lost $400 million. Merck filed a $1.4 billion insurance claim. The White House called it the most destructive and costly cyberattack in history.
NotPetya also sparked a long-running legal dispute about whether cyber insurance policies cover state-sponsored attacks under war exclusion clauses. That argument is still being resolved in courts.
12. The Equifax Breach (2017): A Known Vulnerability, Left Unpatched
Equifax in 2017 exposed the data of 147 million people. Social Security numbers, birth dates, addresses. The kind of data that doesn’t expire and can’t be changed.
The breach came down to a known Apache Struts vulnerability, CVE-2017-5638, that Equifax hadn’t patched. A fix had been available for months. The damage was so permanent and widespread that Equifax paid $700 million in settlements. Several executives sold stock before the breach was disclosed publicly. The CIO and CSO both resigned. The CEO testified before Congress.
What made Equifax different from most breaches was the irreversibility. You can cancel a credit card. You can’t cancel your Social Security number. Millions of affected people were left with a permanent exposure that no settlement could fully address.
13. The Marriott/Starwood Breach (2018): M&A Due Diligence Failures
In late 2018, Marriott disclosed that attackers had been inside the Starwood guest reservation system since 2014. The breach exposed data on up to 500 million guests, including passport numbers, travel dates, and payment card details.
The complicating factor: Marriott had acquired Starwood in 2016. The attackers were already inside when the acquisition closed. The security team that understood the Starwood environment was let go as part of post-merger restructuring. The compromised system kept running, infected, for two more years before anyone found it.
Investigators later pointed to indicators suggesting Chinese state-sponsored actors were behind the breach, likely as part of a broader intelligence-collection operation targeting travel patterns of government officials and executives.
The Marriott case became the textbook example for why cybersecurity due diligence in mergers and acquisitions isn’t optional. Buying a company means buying its threat actors too, if they’re already inside.
14. The SolarWinds Compromise (2020): The Attack That Came from Inside the Update
The SolarWinds compromise, discovered in late 2020, was something different. Not ransomware. Not an opportunistic breach. A patient, methodical supply chain operation attributed to Russian intelligence that inserted malicious code into the Orion software update pipeline.
Around 18,000 customers downloaded the compromised update. That included the US Treasury, the Department of Justice, the Department of Homeland Security, and dozens of Fortune 500 companies. The attackers then selectively activated access on high-value targets and spent months moving quietly through networks.
What still bothers me about SolarWinds is the trust model it exploited. Organisations spent years telling users not to click unknown links, not to run unsigned binaries, not to trust unexpected downloads. Then the attacker got to the source. A signed, vendor-distributed update. Defences didn’t even blink.
Post-SolarWinds, the concept of a Software Bill of Materials (SBOM) went from academic discussion to executive requirement. Executive Order 14028 in 2021 made it a federal mandate for software sold to US government agencies.
15. Colonial Pipeline (2021): The Password That Cost $4.4 Million
May 2021. The DarkSide gang hit Colonial Pipeline, which carries about 45% of the East Coast’s fuel supply, through a single compromised VPN account with no multi-factor authentication. One forgotten credential. The pipeline shut down for six days. Petrol stations across the south-eastern US ran dry. Price spikes, panic buying, a federal emergency declaration.
Colonial paid $4.4 million in Bitcoin. Law enforcement later recovered roughly half of it.
What I keep coming back to is how straightforward the entry point was. Not a sophisticated zero-day. A legacy VPN account without MFA. I’ve been in conversations where people have dismissed MFA as an inconvenience. Colonial Pipeline is the example I reach for when that comes up.
16. The Microsoft Exchange Hafnium Attacks (2021): Zero-Days Before the Patch
In March 2021, Microsoft disclosed four zero-day vulnerabilities in on-premises Exchange Server being actively exploited by a Chinese threat group called Hafnium. The attack chain let attackers authenticate without valid credentials, execute code remotely, and drop web shells for persistent access.
Within days of the disclosure, tens of thousands of organisations had already been compromised. The attack had been running for weeks before Microsoft released patches. Even after patches were available, unpatched Exchange servers remained in the wild for months.
The Hafnium campaign was an uncomfortable demonstration of how exposed on-premises email infrastructure is at scale. It also reignited the debate about whether cloud migration, despite its own risk profile, was preferable to running internet-facing servers that become targets within hours of a vulnerability going public.
17. The Kaseya VSA Attack (2021): Ransomware Through the MSP Channel
In July 2021, the REvil ransomware group exploited a zero-day in Kaseya’s VSA remote monitoring and management software to push ransomware through managed service providers to their customers. The blast radius was approximately 1,500 businesses across 17 countries, in a single weekend.
The attack was grim in its elegance. MSPs use VSA to manage client systems. Compromise VSA, and you’ve compromised every downstream client the MSP manages. One entry point, multiplied hundreds of times over.
REvil demanded $70 million in Bitcoin for a universal decryptor. Kaseya ultimately obtained one without paying, reportedly through law enforcement channels. A few months later, REvil’s infrastructure went dark and several members were arrested across Eastern Europe in a rare instance of coordinated law enforcement action.
The Kaseya attack confirmed that the ransomware-as-a-service model, where developers license the malware to affiliates who conduct the attacks, was now the dominant operational structure. It’s a franchise model for extortion, and it’s proven difficult to dismantle.
18. Log4Shell (2021): A Single Library, Everywhere at Once
In December 2021, a remote code execution vulnerability was disclosed in Log4j, a Java logging library so widely used it turned up in everything from enterprise software to games consoles to industrial control systems. The vulnerability, CVE-2021-44228, was trivial to exploit. You sent a specially crafted string in a log message, and you could get the server to execute code you controlled remotely.
The scramble to identify every system running Log4j was unlike anything I’ve seen in incident response. The library was so deeply embedded, often three or four layers down in software dependencies, that many organisations genuinely didn’t know where to start. CISA called it one of the most serious vulnerabilities they had encountered.
Log4Shell accelerated the SBOM conversation that SolarWinds had started. You can’t patch a library you don’t know you’re running. Organisations with clear software inventories responded in days. Those without spent weeks.
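The SolarWinds section (where SBOMs went from discussion to requirement) and the point just made, that you can’t patch a library you don’t know you’re running, both come down to inventory. The script below is an added example, not code from the original post or from the Log4j project. It walks a directory tree, opens every jar/war/ear it finds (including jars nested inside fat jars), reads the Maven pom.properties that log4j-core ships with, and flags versions in the CVE-2021-44228 range. The affected range it checks (2.0-beta9 through 2.14.1, excluding the 2.3.1, 2.12.2 and 2.12.3 backport releases) is taken from the Apache advisory for that CVE; confirm it against the current advisory before relying on it. The build_sample_tree and demo helpers are mine: they fabricate three stand-in jars so the script runs offline, and those files are constructed, not real software.

```python
"""Inventory log4j-core copies on disk, including jars nested inside other jars,
and flag the ones in the CVE-2021-44228 affected range."""
import io
import os
import re
import tempfile
import zipfile

# Maven metadata that the real log4j-core artifact carries, and the class behind Log4Shell.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"

# Affected range per the Apache advisory for CVE-2021-44228 (assumption: verify against
# the current advisory). The three backport releases inside the range carry the fix.
FIRST_AFFECTED = "2.0-beta9"
LAST_AFFECTED = "2.14.1"
BACKPORT_FIXES = {"2.3.1", "2.12.2", "2.12.3"}

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")


def parse_version(v):
    """Turn '2.0-beta9' or '2.14.1' into a sortable tuple.
    A final release sorts above any pre-release with the same number."""
    base, _, pre = v.partition("-")
    nums = [int(x) for x in base.split(".")]
    while len(nums) < 3:
        nums.append(0)
    if pre:
        m = re.search(r"(\d+)$", pre)
        pre_key = (0, int(m.group(1)) if m else 0)
    else:
        pre_key = (1, 0)
    return tuple(nums[:3]) + (pre_key,)


def is_affected(version):
    """True if this log4j-core version falls in the CVE-2021-44228 range."""
    if version in BACKPORT_FIXES:
        return False
    return parse_version(FIRST_AFFECTED) <= parse_version(version) <= parse_version(LAST_AFFECTED)


def inspect_jar(data, path):
    """Yield (path, version, has_jndi_lookup) for this archive and every archive nested in it."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        names = set(zf.namelist())
        version = None
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        # Shaded/fat jars often drop the Maven metadata, so the class alone is a hit too.
        if version is not None or JNDI_CLASS in names:
            yield (path, version, JNDI_CLASS in names)
        for name in names:
            if name.endswith(ARCHIVE_SUFFIXES):
                yield from inspect_jar(zf.read(name), f"{path}!/{name}")


def scan_tree(root):
    """Return one dict per log4j-core found under root, with an 'affected' verdict.
    A copy with no readable version but a JndiLookup class is flagged conservatively."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith(ARCHIVE_SUFFIXES):
                continue
            full = os.path.join(dirpath, fn)
            with open(full, "rb") as fh:
                data = fh.read()
            for path, version, jndi in inspect_jar(data, full):
                findings.append({
                    "path": os.path.relpath(path, root),
                    "version": version,
                    "jndi_lookup_present": jndi,
                    "affected": is_affected(version) if version else jndi,
                })
    return sorted(findings, key=lambda f: f["path"])


def _make_jar(version, with_jndi=True, nested=None):
    """Build a constructed stand-in jar in memory (placeholder bytes, not real classes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version:
            zf.writestr(POM_PROPS, f"version={version}\ngroupId=org.apache.logging.log4j\n")
        if with_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")
        for name, blob in (nested or {}).items():
            zf.writestr(name, blob)
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed sample: three deployments, one unpatched, one fat jar with a fixed
    version buried inside it, and one on a backport release."""
    os.makedirs(os.path.join(root, "app1", "lib"))
    os.makedirs(os.path.join(root, "app2"))
    os.makedirs(os.path.join(root, "app3"))
    with open(os.path.join(root, "app1", "lib", "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(_make_jar("2.14.1"))
    inner = _make_jar("2.17.1")
    with open(os.path.join(root, "app2", "service-all.jar"), "wb") as fh:
        fh.write(_make_jar(None, with_jndi=False,
                           nested={"BOOT-INF/lib/log4j-core-2.17.1.jar": inner}))
    with open(os.path.join(root, "app3", "log4j-core-2.12.2.jar"), "wb") as fh:
        fh.write(_make_jar("2.12.2"))


def demo():
    """Scan the constructed sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for f in results:
        flag = "AFFECTED" if f["affected"] else "ok"
        print(f"{flag:8} {f['version'] or '?':10} {f['path']}")
```

Run it as `python scan_log4j.py /opt/apps` against a real tree, or with no argument to see the constructed sample. The nested-archive recursion is the part that matters in practice: the “three or four layers down” copies mentioned above are exactly the ones a filename-only search misses.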
19. The MOVEit Campaign (2023): Mass Exploitation, No Encryption Required
In May 2023, the Cl0p ransomware group exploited a SQL injection vulnerability in MOVEit Transfer, a widely used managed file transfer product, and began pulling data from hundreds of organisations that hadn’t yet patched. The campaign affected over 2,700 organisations across government agencies, financial institutions, healthcare systems, universities, and major corporations.
What made MOVEit different from most ransomware campaigns was the approach. Cl0p didn’t bother encrypting files. They took the data and threatened to publish it unless victims paid. No ransomware deployment, no network disruption, just exfiltration and extortion. Cleaner, faster, and harder to detect until it was too late.
MOVEit reinforced that file transfer software is extremely high-value attack surface. These tools are internet-facing, process sensitive data, and are trusted by default. Several similar managed file transfer products had vulnerabilities disclosed around the same time, suggesting the category had been systematically underexamined for years.
20. ChatGPT and AI-Assisted Attacks (2022–Present): The Barrier Problem
ChatGPT launched in November 2022 and reached 100 million users in two months. The security implications were obvious almost immediately.
The conversation initially focused on defenders. Could AI help triage alerts faster? Could it write detection rules? Could it explain code to junior analysts? All valid questions. But the more uncomfortable conversation was about what it handed to attackers.
Writing convincing phishing emails used to require reasonable English and social engineering skills. Generating basic exploit code required programming knowledge. Creating malware variants to evade signature detection required experience. All of those barriers got lower. Not gone, but meaningfully lower.
I’ve seen phishing simulations where AI-generated lures consistently outperform human-written ones on click rates. The spelling errors and awkward phrasing that used to be a reasonable heuristic for spotting malicious email are far less reliable now.
The deeper concern is speed. AI-assisted attack tooling compresses the time between vulnerability disclosure and working exploit. Defenders’ response windows, which were already tight, are getting tighter. The gap between what nation-states can do and what organised criminal groups can attempt is narrowing in specific areas.
The Pattern That Runs Through All of It
Looking across these twenty events, a few things stand out.
- Known problems, left unactioned. WannaCry, NotPetya, Equifax, Hafnium: all exploited vulnerabilities for which fixes existed. Patch management is unsexy. It’s also where a huge proportion of successful attacks begin.
- Third-party access is your attack surface too. Target in 2013. SolarWinds in 2020. Kaseya in 2021. MOVEit in 2023. The supply chain is part of your environment whether you’ve modelled it that way or not.
- Credentials are cheap. Colonial Pipeline. The RSA breach. Countless others. Compromised credentials, often through phishing or credential stuffing against reused passwords, sit at the front of the attack chain across a striking number of these incidents. MFA is not perfect. It’s also not optional anymore.
- Attacker goals have diversified. Early in this period, the dominant threat was financial: steal card data, sell it. The incidents above include destruction, disruption, intelligence collection, coercion, and reputational damage. The defence posture that handles one doesn’t necessarily handle the others.
I help organisations secure their cloud infrastructure and stay ahead of evolving cyber threats. Microsoft MVP and Certified Trainer, author of Mastering Azure Security, and founder of arnav.au — a platform for practical Cloud, Cybersecurity, DevOps and AI content.
Frequently Asked Questions
Stuxnet was a sophisticated state-level cyber weapon discovered in 2010 that sabotaged uranium centrifuges in Iran by making them spin out of specification while reporting normal readings to operators. It was groundbreaking because it proved that air-gapped OT (operational technology) networks were not as secure as previously believed, and demonstrated that attackers could use USB drives to bypass perimeter controls, fundamentally changing how the industry understood IT/OT convergence.
The Target breach, where attackers gained access through a third-party HVAC vendor's credentials to steal 40 million customers' payment card data, shifted executive focus from just protecting internal perimeters to managing supply chain risk and third-party access controls. The incident prompted major changes in boardroom-level security conversations because executives directly witnessed the financial and reputational consequences when a CEO and CIO lost their jobs over it.
WannaCry in May 2017 introduced automated network-wide spread using the NSA's leaked EternalBlue exploit without requiring user interaction like phishing clicks, causing an estimated $8 billion in damages globally. NotPetya, which followed six weeks later, was disguised as ransomware but was actually a wiper that permanently destroyed data with no decryption key, costing affected companies like Maersk $250-300 million and Merck $1.4 billion, with the White House calling it the most destructive cyberattack in history.
A single Microsoft security patch released on March 14, 2017, would have prevented both attacks, yet WannaCry struck on May 12—58 days later—demonstrating that billions in damages could have been avoided if organizations had simply applied the available patch promptly. This highlights the critical importance of timely patch management in cybersecurity.
The SolarWinds compromise was a patient, methodical supply chain operation attributed to Russian intelligence that inserted malicious code directly into legitimate software updates, affecting approximately 18,000 customers including the US Treasury, Department of Justice, and dozens of Fortune 500 companies. Unlike opportunistic ransomware attacks, the attackers selectively activated their access on high-value targets and spent months conducting espionage, representing a sophisticated nation-state operation rather than financially motivated cybercriminals.