These Breaches Cost Billions - Don't Be Next

Real-world examples of breaches and major cybersecurity report findings (2017-2026)

May 2026

Verizon 2026 DBIR

Software Vulnerabilities, Ransomware, & Credentials
Vulnerability exploitation becomes the #1 initial access vector (31%)

Impact: Comprehensive threat assessment of 31,000+ incidents and 22,000+ confirmed breaches.

The Verizon 2026 DBIR highlighted that exploitation of vulnerabilities is now the most common initial access vector for breaches, at 31%. Credential abuse remains important, representing 13% as an initial access vector and appearing in 39% of breach progression when counted across the full path. Organizations struggled to remediate vulnerabilities, with only 26% of CISA Known Exploited Vulnerabilities fully remediated in 2025 and the median time to fully remediate rising to 43 days. For SMBs, about 96% of ransomware victims (where organization size was known) were SMBs.

March 2026

Cisco Secure Firewall Management Center

Exposed firewall management plane
Unauthenticated remote root code execution

Impact: Zero-day exploitation by Interlock ransomware (CVE-2026-20131)

A critical vulnerability in Cisco Secure Firewall Management Center (CVE-2026-20131) was exploited by the Interlock ransomware group as a zero-day before public disclosure, allowing unauthenticated remote root code execution. Amazon Threat Intelligence reported that exploitation began in January 2026, more than a month before public disclosure. Firewall management consoles control core security infrastructure; when reachable from the internet, a single edge vulnerability can become a direct route into the business network.

October-November 2025

Global RDP Botnet & RansomHub Campaign

Exposed RDP Servers
Ongoing campaign damages

Impact: 100,000+ IP addresses, multiple organizations compromised

Massive RDP botnet targeting 100+ countries with timing attacks and login enumeration. Coordinated campaign with identical TCP fingerprints led to RansomHub ransomware deployment through password spray attacks. Attackers spent hours attempting logins before successfully compromising credentials.

August-September 2025

Jaguar Land Rover (JLR)

SAP NetWeaver Visual Composer
£1.9B ($2.4B) - UK's most expensive cyber incident

Impact: Five-week global production shutdown, 5,000 vehicles/week production loss

CVE-2025-31324 vulnerability in exposed SAP NetWeaver servers allowed attackers to upload webshells and gain remote code execution. Lack of IT/OT segmentation enabled lateral movement from business systems to manufacturing controls, forcing complete shutdown of facilities in UK, Slovakia, Brazil, China, and India.

June 2024

Indonesian National Data Center

Administrative Systems
$8M ransom demanded

Impact: 210 state institutions disrupted

Brain Cipher ransomware exploited exposed administrative systems, affecting public services and immigration processes nationwide.

February 2024

Change Healthcare

Citrix Remote Access
$2.87B total estimated cost

Impact: 192.7M individuals affected

ALPHV/BlackCat exploited Citrix remote access without MFA. Most consequential healthcare breach in U.S. history.

November 2023

Boeing Parts & Distribution

Citrix NetScaler
Extensive remediation costs

Impact: 43GB data leaked

LockBit exploited Citrix Bleed (CVE-2023-4966) vulnerability, bypassing MFA to hijack legitimate sessions.

November 2023

ICBC (Industrial & Commercial Bank of China)

Citrix NetScaler
$9B in unsettled trades

Impact: U.S. Treasury market disruption

Citrix Bleed exploitation forced ICBC to inject $9 billion and send settlement details via USB messenger.

May-December 2023

MOVEit Transfer Mass Breach

Managed File Transfer
$9.9-65B estimated total

Impact: 2,700+ organizations, 95M+ individuals

Cl0p exploited SQL injection vulnerability in MOVEit Transfer, affecting Shell, BBC, British Airways, and 2,700+ organizations.

December 2021

Log4Shell (Apache Log4j2)

Vulnerable Applications
Billions globally

Impact: 93% of cloud environments affected

Critical remote code execution vulnerability in Apache Log4j2, discovered November 2021, affected millions of applications worldwide.

July 2021

Kaseya VSA Supply Chain

Remote Management Software
$70M ransom demanded

Impact: 1,500+ organizations, 1M+ systems

REvil exploited authentication bypass in Kaseya VSA, weaponizing software updates to deploy ransomware through supply chain.

May 2021

Colonial Pipeline

Legacy VPN Account
$4.4M ransom + $30M+ total impact

Impact: 5-day U.S. East Coast shutdown

Compromised VPN password found on dark web allowed DarkSide ransomware access. Legacy account lacked MFA despite not being used.

March 2021

Microsoft Exchange ProxyLogon

Outlook Web Access
Massive remediation costs

Impact: Thousands of organizations

HAFNIUM APT exploited SSRF vulnerability in Exchange OWA, achieving remote code execution before patches were available.

April 2021

Pulse Connect Secure Zero-Day

VPN Appliances
Multiple high-value breaches

Impact: Defense, government, finance compromised

Authentication bypass vulnerability exploited by APT groups, allowing remote code execution on VPN appliances.

July 2020

MongoDB Ransomware Campaign

Exposed Databases
Data loss + $137 ransom each

Impact: 22,900 databases wiped

Automated campaign targeting unsecured MongoDB instances, deleting contents and leaving ransom notes threatening GDPR violations.

June 2017

NotPetya (Global)

SMB Protocol
$10+ billion total global damage

Impact: 200+ countries, critical infrastructure

NotPetya used EternalBlue to spread via SMBv1, destroying data at Maersk ($250-300M), Merck ($870-915M), FedEx ($400M), and Mondelez.

May 2017

WannaCry (Global)

SMB Protocol
$4-8 billion global damage

Impact: 300,000+ computers, 200+ countries

WannaCry exploited EternalBlue SMBv1 vulnerability, spreading worm-like to infect hospitals, government agencies, and corporations worldwide.

Key Findings - 9+ Years of Evolving Entry Vectors

This comprehensive timeline spans from 2017-2026, showing how entry vectors have evolved. The Verizon 2026 DBIR notes that exploitation of vulnerabilities is now the most common initial access vector for breaches, at 31%. Credential abuse remains critical, representing 13% of initial access vectors and appearing in 39% of breach progression across the full path.

Furthermore, remediation speed is declining: only 26% of CISA Known Exploited Vulnerabilities were fully remediated in 2025, and the median time to fully remediate rose to 43 days. Breaches with third-party involvement reached 48% of total breaches, and ransomware remains a major threat, appearing in 48% of breaches. For SMBs, about 96% of ransomware victims (where organization size was known) were SMBs.

Highest Impact by Cost: NotPetya ($10B+), MOVEit ($65B estimated), WannaCry ($4-8B), Change Healthcare ($2.87B), JLR (£1.9B).

AISMOND Visibility: AISMOND helps teams see and prioritize exposed services, risky assets, abuse signals, geo changes, and listed CVE information where available, helping teams identify vulnerabilities before they are exploited.

Ready to See and Prioritize Your External Exposures?

AISMOND helps teams see and prioritize exposed services, risky assets, abuse signals, geo changes, and listed CVE information where available. Start monitoring your attack surface today.