

Top 10 Best-Known Cybersecurity Incidents and What to Learn from Them


Insiders with legitimate access can cause even more damage than external hackers. According to the 2025 Cost of Insider Risk Global Report by Ponemon Institute, the total average annual cost of insider security incidents is $17.4 million.

The good news is that by learning from major cybersecurity incidents that have hit other organizations, you can enhance your own defenses. In this article, we analyze 10 recent cyberattacks on well-known companies so you can prevent similar ones in your organization.

Key takeaways:

  • Cybersecurity incidents caused by insiders affect even major organizations, resulting in massive data leaks and reputational damage.
  • Common causes include phishing, weak credentials, and misconfigured systems. Human error and privilege misuse remain leading risk factors.
  • Multiple vendor-related breaches underscore the importance of third-party security monitoring solutions.
  • Modern privileged access management (PAM) platforms with built-in identity threat detection and response (ITDR) capabilities can help you granularly control privileged access, continuously monitor user activity within systems, detect identity-driven threats, and respond to incidents in real time.

What is a cyberattack, and how does it become an incident?

A cyberattack is any attempt by a malicious actor to gain unauthorized access to systems, disrupt operations, or steal data. Attacks can take many forms: phishing emails that trick users into revealing passwords, exploitation of software vulnerabilities, or misuse of legitimate credentials.

Motivations for these attacks vary. Some attackers may seek financial gain through fraud. Others aim to carry out espionage or intellectual property theft. In many modern cases, however, the entry point is surprisingly simple: weak access controls, unprotected privileged accounts, exposed credentials, and human error.

But not every cyberattack becomes a cybersecurity incident immediately.

An attack attempt becomes an incident when it results in real impact, such as unauthorized access, data breach, service disruption, regulatory exposure, etc. In other words, a cyberattack is an action; a cybersecurity incident is the consequence.

In practice, most modern cyberattacks follow a similar pattern:

  • Initial access — Attackers can obtain credentials (via social engineering, malware, brute force, etc.) or exploit a misconfiguration to gain access to your IT environment.
  • Privilege escalation and lateral movement — Once inside, they try to expand their access by compromising privileged accounts, moving laterally between systems, and targeting administrative or service accounts.
  • Malicious actions — Finally, they exfiltrate data, modify configurations, or silently maintain long‑term access to commit fraud.

Understanding how cyberattacks evolve into full-scale incidents helps organizations focus on the right defenses. With that in mind, let’s examine ten high-profile cybersecurity incidents and what they can teach us about modern identity security risks.

10 infamous cybersecurity incidents

Below, we review notorious examples of cyberattacks targeting major organizations across different industries. Examining these cases can be highly useful in defending your company against insider threats and identity‑driven attacks.

Case #1: PowerSchool — Credential theft

In late December 2024, attackers used a stolen account to gain access to PowerSchool’s customer support portal. Because the compromised account lacked multi-factor authentication, they bypassed the portal’s defenses and downloaded massive datasets of student information. Reports indicate the breach impacted over 62 million students and 9.5 million teachers nationwide. The attackers even demanded a ransom of $2.85 million to delete the stolen data. PowerSchool notified impacted individuals in January 2025.

Consequences:

  • exfiltration of millions of student/teacher records
  • regulatory investigations
  • lawsuits.

What can we learn from this incident?

The root cause of this breach was weak access control over a critical support account. The compromised credentials were not protected by multi-factor authentication (MFA), even as the organization maintained multiple third-party and vendor accounts with elevated access.

First and foremost, MFA must be enforced on all support, vendor, and administrative portals without exception. A single unprotected account can undermine an otherwise secure environment.

Second, organizations should regularly review, rotate, and revoke credentials, especially for long-unused or vendor-used accounts. Dormant or orphaned accounts are prime targets for attackers. Regular privileged account discovery can significantly reduce this risk.

Third, excessive privileges amplify breach impact. Implementing robust privileged access management (PAM) helps minimize standing access, enforce least privilege, and limit what a compromised account can actually do.

Finally, access controls alone are not enough. Continuous monitoring of data transfers, with real-time alerts on unusual activity (such as mass downloads from support portals), can help you detect and stop exfiltration early, before millions of records leave your network. The key is to alert on volume and frequency per account, not just on individual requests, because each request an attacker makes with a valid account looks legitimate on its own.
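
The detection logic described above, as an added example for this article (it is not PowerSchool's tooling and not Syteca's code): a sliding-window check over a support portal's export log that alerts when one account exports more records, or more often, than any legitimate support task would. The log format, the account names, and the two thresholds are assumptions chosen for illustration; the sample log lines are constructed.

```python
"""Detect bulk data exports from a support portal's access log.

Added example for this article, not PowerSchool's tooling or Syteca's code.
The log format, field names and thresholds are assumptions; adapt them to
your portal's real export/audit log.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> user=<account> action=<verb> records=<n>"
SAMPLE_LOG = """\
2024-12-22T02:01:10Z user=support-vendor-07 action=export records=1200
2024-12-22T02:03:45Z user=support-vendor-07 action=export records=250000
2024-12-22T02:06:02Z user=support-vendor-07 action=export records=310000
2024-12-22T02:09:30Z user=support-vendor-07 action=export records=290000
2024-12-22T09:15:00Z user=j.smith action=view records=1
2024-12-22T09:20:12Z user=j.smith action=export records=40
2024-12-22T14:00:00Z user=district-admin-12 action=export records=15000
"""

WINDOW = timedelta(hours=1)
MAX_RECORDS_PER_WINDOW = 100_000  # assumed: no support task exports this much in an hour
MAX_EXPORTS_PER_WINDOW = 3        # assumed: more than 3 exports/hour per account is unusual


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime timestamp."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {
        "ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        "user": fields["user"],
        "action": fields["action"],
        "records": int(fields.get("records", 0)),
    }


def detect_bulk_exports(log_text, window=WINDOW,
                        max_records=MAX_RECORDS_PER_WINDOW,
                        max_exports=MAX_EXPORTS_PER_WINDOW):
    """Return one alert per account, raised the first time its exports inside any
    sliding window of `window` length exceed either threshold."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # user -> deque of (ts, records) still inside the window
    alerted = set()
    alerts = []
    for ev in events:
        if ev["action"] != "export":
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["records"]))
        while q and ev["ts"] - q[0][0] > window:  # drop exports older than the window
            q.popleft()
        total = sum(r for _, r in q)
        if ev["user"] in alerted:
            continue
        if total > max_records or len(q) > max_exports:
            alerted.add(ev["user"])
            alerts.append({
                "user": ev["user"],
                "at": ev["ts"].isoformat(),
                "exports_in_window": len(q),
                "records_in_window": total,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_exports(SAMPLE_LOG):
        print(alert)
```

On the constructed log the vendor account trips the volume threshold on its second export (about 251,000 records within two minutes), while the two human accounts with small, infrequent exports produce no alert. In production the same logic would run on streaming audit events and the alert would feed an automated response, such as suspending the account's session.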

Case #2: Marks & Spencer — Ransomware via social engineering

In April 2025, the “Scattered Spider” gang targeted M&S with a social-engineering ploy. One attacker impersonated an M&S employee and phoned the retailer’s third-party IT help desk, convincing it to reset a corporate admin password. Using that reset, the hackers accessed the Active Directory database and then quietly deployed “DragonForce” ransomware across M&S’s network. This crippled online checkout and logistics; M&S suspended online orders for around six weeks. M&S estimated that the attack would cut about £300 million from its operating profit for the year.

Consequences:

  • weeks of operational disruption
  • £300M (~$370M) in profit losses
  • sensitive credentials stolen
  • major drop in stock value.

What can we learn from this incident?

The attackers exploited a human trust gap, bypassing technical defenses by manipulating a help-desk employee into resetting a high-privilege password. This highlights the fact that identity-based attacks often target people before they target systems. To prevent this, conduct regular training sessions to make sure your employees are aware of different types of social engineering attacks and know how to safeguard their corporate accounts. 

In addition, strict identity verification procedures must be enforced for any password reset request — especially for administrative or high-privilege accounts. High-privilege account resets should require additional approval (such as manager validation or multi-party authorization).

If attackers gain control of high-privilege accounts, the consequences for an organization’s security and reputation can be devastating. For M&S, enforcing MFA on all administrative logins would have meant that a reset password alone was not enough to sign in. The help desk must then treat MFA resets and new device enrollments as strictly as password resets, because an attacker who can talk their way into one can usually talk their way into the other. Continuous monitoring of AD, including alerts on unexpected admin password resets and on access to the AD database itself, could have caught the attack earlier.


Case #3: Coinbase — Insider data breach via bribed agents

In May 2025, Coinbase revealed that a criminal group had bribed a small number of its overseas support agents to exfiltrate customer data. The attackers offered cash to agents in India, who then used their legitimate access to copy customer names, addresses, masked IDs, account balances, transaction histories, and even government ID images from Coinbase’s user base. The hackers then approached Coinbase, demanding $20 million to keep the data from being released.

Consequences:

  • personal data of 69,461 customers exposed
  • attempted $20M extortion 
  • trust and financial losses.

What can we learn from this incident?

This was a classic malicious insider case. The attackers exploited trusted employees rather than external hacking. 

As a first defense, access to sensitive customer data must be strictly limited. Support agents should only be able to see the information necessary to perform their tasks and nothing more. Applying the principle of least privilege reduces the potential damage any single insider can cause.

Second, access should not only be limited — it should be time-bound. Just-in-time (JIT) access ensures that elevated permissions are granted only when needed and automatically revoked afterward. This significantly narrows the window of opportunity for abuse.

Third, continuous and real-time monitoring of user activity is crucial. Security systems should flag unusual patterns and respond immediately, even when the user has legitimate credentials.

Finally, you should require strict background checks, regular access reviews, and audit logging for all employees and contractors with access to customer data.
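
The least-privilege and just-in-time controls described above, as an added example for this article (not Coinbase's access control and not Syteca's code). Each support role sees only a baseline set of customer fields; anything more, such as a balance or an ID image, requires a time-bound elevation approved by a named approver role, which lapses automatically and is written to an audit trail. The customer record, the roles, the field sets, the approver rule, and the 15- and 30-minute windows are all assumptions for illustration, and timestamps are passed in explicitly so the behaviour is deterministic.

```python
"""Field-level least privilege plus just-in-time (JIT) elevation for support access.

Added example for this article; not Coinbase's access control and not Syteca's code.
The record, roles, field sets, approver rule and expiry windows are assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample customer record; in a real system this comes from the CRM.
CUSTOMER = {
    "name": "Ada Example",
    "email": "ada@example.org",
    "phone": "+1-555-0100",
    "address": "1 Example Way, Springfield",
    "gov_id_image": "s3://id-images/ada.png",
    "balance": 12345.67,
    "transactions": ["tx1", "tx2"],
}

# Standing access per role: only what the routine task needs.
BASELINE_FIELDS = {
    "tier1_support": {"name", "email"},
    "fraud_analyst": {"name", "email", "phone", "transactions"},
}

# JIT elevation: extra fields a role may request, for how long, and who approves.
# No role has standing access to ID images or balances.
JIT_POLICY = {
    "tier1_support": {"fields": {"phone", "address"},
                      "ttl": timedelta(minutes=15), "approver_role": "support_lead"},
    "fraud_analyst": {"fields": {"balance", "gov_id_image"},
                      "ttl": timedelta(minutes=30), "approver_role": "fraud_lead"},
}


class AccessBroker:
    def __init__(self):
        self.grants = {}  # agent -> (extra_fields, expires_at, ticket)
        self.audit = []   # (time, agent, event, detail): every decision is logged

    def request_elevation(self, agent, role, ticket, approver_role, now):
        """Grant the role's JIT fields for the policy TTL if the right approver signs off."""
        policy = JIT_POLICY.get(role)
        if policy is None or approver_role != policy["approver_role"]:
            self.audit.append((now, agent, "elevation_denied", ticket))
            return False
        self.grants[agent] = (policy["fields"], now + policy["ttl"], ticket)
        self.audit.append((now, agent, "elevation_granted", ticket))
        return True

    def visible_fields(self, agent, role, now):
        """Baseline fields for the role plus any JIT grant that has not yet expired."""
        fields = set(BASELINE_FIELDS.get(role, set()))
        grant = self.grants.get(agent)
        if grant is not None:
            extra, expires_at, ticket = grant
            if now < expires_at:
                fields |= extra
            else:
                del self.grants[agent]  # auto-revoke once the window closes
                self.audit.append((now, agent, "elevation_expired", ticket))
        return fields

    def view_customer(self, agent, role, record, now):
        """Return only the fields the agent may see at this moment."""
        allowed = self.visible_fields(agent, role, now)
        self.audit.append((now, agent, "view", sorted(allowed)))
        return {k: v for k, v in record.items() if k in allowed}


if __name__ == "__main__":
    broker = AccessBroker()
    t0 = datetime(2025, 5, 1, 9, 0)
    print(broker.view_customer("agent7", "tier1_support", CUSTOMER, t0))
    broker.request_elevation("agent7", "tier1_support", "TCK-1", "support_lead", t0)
    print(broker.view_customer("agent7", "tier1_support", CUSTOMER, t0 + timedelta(minutes=5)))
    print(broker.view_customer("agent7", "tier1_support", CUSTOMER, t0 + timedelta(minutes=20)))
    for entry in broker.audit:
        print(entry)
```

Note that a bribed agent in this model can still read the fields their baseline allows; the point is that the blast radius of one agent is bounded to those fields and to short, approved, logged windows, and the audit trail is what lets monitoring spot an agent viewing far more customers than their ticket volume justifies.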


Case #4: Qantas Airways — Third-party breach

On July 2, 2025, Qantas confirmed that an attacker had gained access to a third-party customer servicing platform used by one of its contact centres, exposing the personal information of millions of passengers. Around 5.7 million customers were affected (initially reported as up to 6 million). The compromised data included names, contact details, and frequent flyer membership numbers. The entry point was vendor-side: getting into the contact-centre platform was enough to reach Qantas customer records at scale, so one compromised vendor system spilled data on a massive scale.

Consequences:

  • exposure of about 5.7 million customers’ personal details
  • cuts to executive bonuses.

What can we learn from this incident?

When choosing a third-party vendor, pay attention to their cybersecurity policies and the laws and regulations they comply with. If a potential subcontractor or a service provider is unfamiliar with your vital cybersecurity measures, consider adding a corresponding requirement to your service-level agreement. 

Limit each subcontractor’s access to your critical data and systems to the extent necessary for their job. To enhance the protection of your most critical assets, implement additional cybersecurity measures like two-factor authentication, manual login approvals, and just-in-time privileged access management.

Regular audits of API security can help identify vulnerabilities and weaknesses in API implementation. This way, you can minimize the risks stemming from integrations with third-party services. Deploying monitoring solutions can help you see who does what with your critical data, while keeping third-party user activity records enables fast and thorough cybersecurity audits and incident investigations.


Case #5: Salesforce — Software supply chain attack

In 2025, attackers gained unauthorized access to Salesforce customer environments in two ways. One was through compromised OAuth tokens belonging to third-party integrations, notably Salesloft Drift and Gainsight, which let the attackers query the CRM data of every customer that had connected those apps. The other was voice phishing: callers posing as IT support tricked employees at Salesforce customers into authorizing a tampered version of Salesforce’s Data Loader utility in their own tenant. Together these gave access to Salesforce data across hundreds of companies; reported figures include up to 70 million records from Workday and 2.5 million records from Google Ads.

Consequences:

  • attacker claims of access to nearly 1 billion CRM records
  • large-scale customer data exposure.

What can we learn from this incident?

To reduce the risk of similar attacks, treat SaaS integrations and OAuth apps as privileged identities with their own access lifecycle: inventory them, periodically review the scopes and permissions granted to them, revoke tokens for apps that are no longer needed, and rotate long-lived tokens. Prefer the narrowest scopes an integration actually needs over blanket full-access grants, and require that integrations be authorized by an owned service identity rather than by whichever employee happened to click “Allow”.

Monitoring must also cover more than human users. Service accounts, API keys, and machine identities need the same visibility, and that visibility should extend to SaaS ecosystems, not just on-prem infrastructure. Unusual off-hours access, mass data exports (for example, bulk API queries pulling entire objects), or suspicious file uploads should trigger real-time alerts.
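
The review described above, as an added example for this article (not Salesforce's, Salesloft's or Gainsight's tooling and not Syteca's code): a script that walks an inventory of OAuth grants and flags apps that are not on an allow-list, hold high-risk scopes, have gone unused, hold tokens that are overdue for rotation, or were authorized by an individual user instead of an owned service identity. The inventory format, the app names, the scope vocabulary, the allow-list and the 90- and 180-day thresholds are all assumptions; a real review would pull the grant list from the SaaS platform's admin API and use its own scope names.

```python
"""Review SaaS OAuth grants as privileged identities.

Added example for this article; not Salesforce's, Salesloft's or Gainsight's
tooling and not Syteca's code. The inventory, scope names, allow-list and
thresholds are assumptions for illustration.
"""
from datetime import datetime, timedelta

# Scopes that let an app read/write arbitrary data or mint new tokens on its own.
HIGH_RISK_SCOPES = {"full", "api", "refresh_token", "web"}
APPROVED_APPS = {"crm-sync-prod", "ticketing-bridge"}  # assumed allow-list kept by the SaaS owner
MAX_UNUSED = timedelta(days=90)
MAX_TOKEN_AGE = timedelta(days=180)

# Constructed sample inventory, shaped like an admin export of connected apps.
GRANTS = [
    {"app": "crm-sync-prod", "scopes": ["api", "refresh_token"],
     "issued": "2025-01-10", "last_used": "2025-08-20", "granted_by": "svc-integrations"},
    {"app": "ticketing-bridge", "scopes": ["read_cases"],
     "issued": "2025-06-01", "last_used": "2025-08-21", "granted_by": "svc-integrations"},
    {"app": "Data Loader (custom)", "scopes": ["full", "refresh_token"],
     "issued": "2025-08-19", "last_used": "2025-08-19", "granted_by": "m.jones"},
    {"app": "old-reporting-tool", "scopes": ["api"],
     "issued": "2024-11-01", "last_used": "2025-02-02", "granted_by": "svc-integrations"},
]


def _date(s):
    return datetime.strptime(s, "%Y-%m-%d")


def review_grants(grants, today, approved=APPROVED_APPS,
                  max_unused=MAX_UNUSED, max_token_age=MAX_TOKEN_AGE):
    """Return a finding per grant that needs attention, with the reasons."""
    findings = []
    for g in grants:
        issues = []
        if g["app"] not in approved:
            issues.append("not on approved-app list")
        risky = HIGH_RISK_SCOPES & set(g["scopes"])
        if risky:
            issues.append("high-risk scopes: " + ", ".join(sorted(risky)))
        if today - _date(g["last_used"]) > max_unused:
            issues.append(f"unused for more than {max_unused.days} days; revoke")
        if today - _date(g["issued"]) > max_token_age:
            issues.append(f"token older than {max_token_age.days} days; rotate")
        if not g["granted_by"].startswith("svc-"):
            issues.append("authorized by an individual user, not an owned service identity")
        if issues:
            findings.append({"app": g["app"], "issues": issues})
    return findings


if __name__ == "__main__":
    for f in review_grants(GRANTS, datetime(2025, 8, 25)):
        print(f["app"])
        for issue in f["issues"]:
            print("   -", issue)
```

Against the constructed inventory, the unapproved “Data Loader (custom)” app authorized by an individual with full scopes is exactly the shape of grant the vishing campaign produced, and the long-unused reporting tool with an API-scoped token is the shape of grant that a stolen integration token exploits months after anyone last looked at it. Run on a schedule, this review turns the integration inventory into something with an owner and an expiry, instead of a list that only grows.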

Case #6: Change Healthcare — Ransomware attack via stolen credentials

In February 2024, attackers breached Change Healthcare’s systems using valid credentials for a Citrix remote access portal that lacked MFA. Once inside, they exfiltrated sensitive data and then deployed ransomware that halted claims processing and payments across much of the U.S. healthcare system. Investigations later revealed a nine-day gap between the initial login and the ransomware deployment, during which the attackers moved freely within the network.

Consequences:

  • disruption of healthcare billing services nationwide
  • exfiltration of up to 190 million records
  • regulatory scrutiny.

What can we learn from this incident?

The breach was possible due to basic security gaps. The Citrix access gateway lacked MFA, allowing attackers to exploit a single set of stolen credentials to get inside. Once inside, the intruders encountered insufficient network segmentation and outdated systems, enabling lateral movement across servers.

The first and most critical lesson is that critical infrastructure, especially in healthcare environments, must be isolated so that access to one system does not mean automatic access to others. 

In addition, this cyberattack example shows that visibility gaps are dangerous. The reported nine-day window during which attackers moved undetected demonstrates the importance of continuous monitoring and identity-based threat detection. Deploying an identity threat detection and response (ITDR) solution can help flag suspicious behavior, such as unusual login patterns, privilege escalation, lateral movement attempts, or abnormal data access.

The incident also highlights that patch and update management still matters. While identity was the entry point, outdated systems made persistence and lateral movement easier. Regular updates reduce exposure to known exploits and help prevent post-compromise expansion.


Case #7: SK Telecom — Privileged access abuse and long-term data exfiltration

Attackers infiltrated SK Telecom’s network using malware as early as 2021–2022 and went undetected until April 2025. During that time, they moved laterally across systems and exfiltrated highly sensitive USIM data, potentially affecting up to 25–27 million subscribers.

Weak credential management allowed the breach to go undetected for so long. Administrative passwords were stored in plaintext and were never rotated, so once the attackers had obtained them they could keep authenticating to critical systems for years without needing to break in again.

Consequences:

  • exposure of USIM data belonging to up to 25–27 million subscribers
  • roughly three years of undetected attacker access
  • regulatory investigation and a mass USIM replacement program.

What can we learn from this incident?

This case is a reminder that some breaches are not explosive — they are silent, patient, and strategic. The most alarming detail is not just that data was stolen, but that attackers lurked inside the network for years without detection.

At the heart of this incident was poor privileged access hygiene. Storing administrative passwords in plaintext and never rotating them gave the attackers long-standing, reusable access. Stored credentials belong in a vault and must be encrypted at rest, with the encryption keys held separately from the data and access to them controlled and logged. Encryption only protects secrets if an attacker who reaches the storage cannot also reach the keys.

Equally important is lifecycle control of privileged credentials. Administrative passwords should expire automatically, rotate frequently, and be protected with MFA. 

However, password encryption and rotation alone are not enough. Visibility is key. Continuous monitoring of privileged sessions and behavioral anomalies is essential to detect threats early.
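
Two of the checks above, as an added example for this article (not SK Telecom's tooling and not Syteca's code): a scan of configuration text for credentials stored in plaintext, which ignores values that are only references into a vault or environment, and a rotation-age check over an inventory of privileged accounts. The file paths, the config contents, the account inventory, the regular expressions and the 90-day rotation limit are all constructed assumptions; a real scan would walk the filesystem and the inventory would come from your PAM system or directory.

```python
"""Find plaintext administrative credentials and stale privileged passwords.

Added example for this article; not SK Telecom's tooling and not Syteca's code.
The config snippets and account inventory are constructed; the regexes and the
90-day limit are assumptions to tune for your environment.
"""
import re
from datetime import datetime, timedelta

# Constructed sample of configuration text an admin might leave on a server.
SAMPLE_CONFIGS = {
    "/etc/app/db.conf": "db_host=10.0.0.5\ndb_user=admin\ndb_password=Summer2021!\n",
    "/opt/hss/backup.sh": "#!/bin/sh\nmysqldump -u root -pRootPass123 hss > /backup/hss.sql\n",
    "/etc/app/vault.conf": "db_password_ref=vault:kv/hss/db   # reference, not a secret\n",
}

# key=value / key: value secrets, and an inline mysql-style "-p<password>" argument.
SECRET_PATTERNS = [
    re.compile(r"^\s*(?P<key>\w*(?:password|passwd|secret|token)\w*)\s*[=:]\s*(?P<val>\S+)",
               re.I | re.M),
    re.compile(r"(?P<key>(?<=\s)-p)(?P<val>\S{4,})"),
]
# Values that point at a vault, an environment variable or a command are not secrets.
SAFE_VALUE = re.compile(r"^(vault:|\$\{?\w+|\$\()")


def find_plaintext_secrets(configs):
    """Return {file, line, key} for every credential found in plaintext."""
    hits = []
    for path, text in configs.items():
        for pattern in SECRET_PATTERNS:
            for m in pattern.finditer(text):
                if SAFE_VALUE.match(m.group("val")) or m.group("key").lower().endswith("_ref"):
                    continue
                line_no = text.count("\n", 0, m.start()) + 1
                hits.append({"file": path, "line": line_no, "key": m.group("key")})
    return hits


# Constructed inventory of privileged accounts and when their passwords last changed.
ACCOUNTS = [
    {"account": "root@hss-01", "last_rotated": "2022-03-14", "mfa": False},
    {"account": "admin@db-core", "last_rotated": "2025-03-01", "mfa": True},
    {"account": "svc-backup", "last_rotated": "2023-07-30", "mfa": False},
]
MAX_PASSWORD_AGE = timedelta(days=90)


def stale_privileged_accounts(accounts, today, max_age=MAX_PASSWORD_AGE):
    """Return accounts whose password is older than max_age or that lack MFA."""
    out = []
    for a in accounts:
        age = today - datetime.strptime(a["last_rotated"], "%Y-%m-%d")
        reasons = []
        if age > max_age:
            reasons.append(f"password {age.days} days old")
        if not a["mfa"]:
            reasons.append("no MFA")
        if reasons:
            out.append({"account": a["account"], "reasons": reasons})
    return out


if __name__ == "__main__":
    for hit in find_plaintext_secrets(SAMPLE_CONFIGS):
        print("plaintext secret:", hit)
    for acct in stale_privileged_accounts(ACCOUNTS, datetime(2025, 4, 18)):
        print("stale account:", acct)
```

The scanner is deliberately noisy in one direction: it is better to review a handful of false positives than to miss a root password sitting in a backup script, which is the kind of credential that keeps an intruder authenticated for years. The rotation check is what turns a policy (“rotate every 90 days”) into something a monitoring system can alert on.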


Case #8: CrowdStrike — Insider threat

In November 2025, a CrowdStrike employee was found to be sharing internal screenshots with the hacking group “Scattered Lapsus$ Hunters”. The group paid the insider $25,000 for screenshots of internal systems, including SSO authentication screens and employee Okta dashboards, and later posted them on Telegram. Although CrowdStrike detected the activity before any system compromise, the incident shows that even sophisticated security companies are targets for insider recruitment.

Consequences:

  • leak of sensitive internal screenshots and data
  • reputation risk.

What can we learn from this incident?

Even organizations built around threat detection can face threats when a trusted employee decides to monetize access. Every company must treat each privileged user session as potentially high-risk, monitor user activity within it, and set alerts for suspicious events. Additionally, access governance must be dynamic. You should regularly review roles and permissions to ensure users retain access to only what they need to perform their responsibilities.

Most importantly, security teams must be able to act in real time. Detecting suspicious behavior is only valuable if organizations can react quickly — whether by terminating sessions, revoking user access, or launching immediate investigations.


Case #9: Rippling vs. Deel — Corporate espionage 

In early 2025, Rippling discovered that an internal employee was feeding corporate data to Deel. For months, a global payroll compliance manager had been exploiting legitimate access to extract confidential files (across Slack, Salesforce, and Google Drive) unrelated to their role. This case was one of 2025’s most striking cybersecurity incident examples of corporate espionage.

Consequences:

  • theft of sales lists, pricing strategy, and internal communications
  • legal action against Deel.

What can we learn from this incident?

Protecting your intellectual property begins first and foremost with identifying your most valuable IP, where it’s located, and who truly needs to access it. 

Employees whose roles genuinely require access to confidential material can’t be locked out of it, but they should be granted only the exact access rights they need to do their job, and that access should be reviewed whenever their responsibilities change. Consider using advanced access management solutions to prevent unauthorized personnel from accessing your intellectual property.

You can turn to robust ITDR solutions to reinforce the protection of your organization’s intellectual property. Such tools can help you detect suspicious activity within your network, ensure a prompt response to security incidents, and gather detailed evidence for further investigations. 

Additionally, consider deploying a USB management solution that prevents employees from copying sensitive data to unapproved removable devices. Keep in mind, though, that in the Rippling case the data left through SaaS applications rather than removable media, so monitoring of searches, downloads, and exports in tools like Slack, Salesforce, and Google Drive matters just as much.


Case #10: Coupang — Privileged access misuse by a former employee

In late November 2025, Coupang, South Korea’s e-commerce giant, disclosed a massive data breach affecting 33.7 million customer accounts, roughly 65% of the country’s population. A former employee had retained an internal authentication signing key after leaving the company and used it to generate valid tokens, bypassing standard login controls and reaching privileged database access. From mid-2025 until detection, he repeatedly queried customer records and accessed names, contact details (email addresses and phone numbers), delivery addresses, and complete order histories.

Consequences:

  • compromise of personally identifiable information (PII) of 33.7M individuals
  • ruined trust
  • legal penalties.

What can we learn from this incident?

The Coupang breach is a clear example of how poor offboarding and insufficient privileged access controls can lead to severe consequences. It reinforces the importance of immediate credential revocation when an employee leaves your organization or changes roles, and that revocation has to cover more than passwords: signing keys, API keys, certificates, and any other secret the person could have copied must be rotated so that whatever they kept stops working. Two-factor authentication on interactive logins is still necessary, but it does not help when the attacker mints tokens directly with a stolen key; customer PII should therefore be reachable only through access paths that check a live identity and enforce strict, least-privilege controls.

The incident also shows the need for continuous monitoring of privileged sessions to get real-time visibility into what trusted users are doing with your most sensitive data. This way, you can catch privileged access abuse before data is lost.
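
The key-retirement control described above, as an added example for this article (it is not Coupang's authentication code and not Syteca's): tokens carry the id of the signing key that minted them, the verifier only trusts keys still present in the key ring, and retiring a key (for instance when someone who had access to it leaves) kills every token it ever signed, even though those tokens still carry a mathematically valid signature. The token format is a minimal HMAC-signed payload, and the key ids, subjects and scopes are assumptions; a production system would use a standard format such as JWT with the same key-id and retirement logic.

```python
"""Token issuance tied to rotating signing keys, so a retired key cannot mint access.

Added example for this article; not Coupang's authentication code and not Syteca's.
The token format, key ids, subjects and scopes are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import json
import os


class SigningKeyRing:
    """Current signing key plus older keys still accepted during an overlap period.
    Retiring a key removes it entirely, so nothing it signed is trusted any more."""

    def __init__(self):
        self.keys = {}      # kid -> secret bytes
        self.current = None

    def rotate(self, kid, secret=None):
        """Add a new key and make it the one used for issuance."""
        self.keys[kid] = secret if secret is not None else os.urandom(32)
        self.current = kid
        return kid

    def retire(self, kid):
        """Drop a key, e.g. when someone who could have copied it leaves."""
        self.keys.pop(kid, None)
        if self.current == kid:
            self.current = None


def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(ring, subject, scopes, issued_at, ttl_seconds):
    """Mint "<payload>.<signature>" under the ring's current key."""
    if ring.current is None:
        raise RuntimeError("no active signing key")
    payload = {"sub": subject, "scopes": scopes, "iat": issued_at,
               "exp": issued_at + ttl_seconds, "kid": ring.current}
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    sig = hmac.new(ring.keys[ring.current], body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)


def verify_token(ring, token, now):
    """Return the payload if the token is valid, else None.
    A signature under a key that has been retired is rejected even if it verifies."""
    try:
        body, sig = token.split(".")
        payload = json.loads(_unb64(body))
        key = ring.keys.get(payload["kid"])
        if key is None:
            return None  # key retired or unknown: token is dead
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        if now >= payload["exp"]:
            return None
        return payload
    except (ValueError, KeyError, TypeError):
        return None


if __name__ == "__main__":
    ring = SigningKeyRing()
    ring.rotate("k-2025-01")
    token = issue_token(ring, "svc-orders", ["orders:read"], issued_at=1000, ttl_seconds=3600)
    print("valid before retirement:", verify_token(ring, token, now=2000) is not None)
    ring.rotate("k-2025-07")        # new key for new tokens; old one still honoured for now
    ring.retire("k-2025-01")        # holder of the old key has left: everything it signed dies
    print("valid after retirement: ", verify_token(ring, token, now=2000) is not None)
```

The offboarding step this encodes is `retire()`: rotating in a new key is not enough, because a former employee holding the old key can keep minting tokens for as long as the verifier still accepts it. Retirement has to be explicit, immediate, and tied to the leaver process, and short token lifetimes limit how long anything issued before retirement remains usable.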

Common patterns across major cyberattacks

Despite the variety of industries and breach methods, most major cyberattacks share a familiar set of root causes:

  • Social engineering — many attacks begin with convincing phishing campaigns designed to steal credentials or MFA codes.
  • Weak identity verification methods — privileged accounts can be compromised due to weak or inconsistent MFA, making it easier for attackers to turn stolen credentials into full access.
  • Over‑privileged accounts — attackers frequently target accounts with excessive permissions, enabling lateral movement and access to sensitive data.
  • Human error — misconfigured systems, standing privileges, and other related vulnerabilities may expose your sensitive data without the need for a sophisticated attack.
  • Insider threats — employees or partners with legitimate access can quietly steal vast amounts of sensitive data to carry out fraud, espionage, or other malicious activity.
  • Third‑party and supply‑chain compromise — vendors and integrations can become avenues for attacking otherwise well‑defended organizations.
  • Lack of post‑login visibility and detection — in many of the cases above, attackers operated within networks for extended periods because their activity after login was not continuously monitored or analyzed in real time.

These patterns point to a clear conclusion: modern cyber risk is identity‑driven. Credentials, tokens, privileged accounts, and integrations are now the primary targets — and traditional perimeter defenses cannot address what happens after users are authenticated.

Organizations need:

  • Strong, granular PAM controls for identities
  • Full‑session visibility into what privileged users and vendors actually do during their sessions
  • Built‑in ITDR that flags abnormal or risky actions in real time
  • Automated incident response to block or contain threats before they escalate

These are the precise needs Syteca is designed to cover.

Prevent cybersecurity incidents with Syteca

Syteca is a future-proof privileged access management (PAM) platform built to address today’s identity-related cybersecurity challenges. It’s designed to secure not just who gets in, but what they do once inside. With built-in identity threat detection and response (ITDR), Syteca continuously monitors user activity, detects suspicious actions in real time, and enables immediate incident response. 

Privileged account discovery

Identify all privileged and highly sensitive accounts — including orphaned or unmanaged ones — across your environment using automated discovery. This ensures visibility of all privileged credentials within your systems.

Granular privileged access controls

Define precisely who can access what — and when. Enforce two-factor authentication, one-time password issuance, and manual approval workflows for high-stakes systems.

Password management

Store credentials in a centralized secure vault, enforce strong authentication policies, and automate password rotation to eliminate reuse. Minimize the risk of credential theft and misuse across your systems.

Complete user activity monitoring

Gain deep, real-time visibility into all user activity across systems. Syteca captures detailed metadata for every session, including keystrokes, application use, and window titles, all stored in privacy-conscious, compliant formats.

Smart session search

Session investigations are fast and efficient with a powerful YouTube-like player and smart filtering by user, activity type, time, and full-text session search.

USB device management

Detect, log, and block unauthorized USB devices. With Syteca’s USB device management feature, you can prevent data transfers via removable media.

Third-party and vendor monitoring

Continuously monitor SSH, RDP, and other remote sessions initiated by external vendors or subcontractors. Configure monitoring scope, ensuring full oversight of third-party activity without interfering with operations.

Real-time incident response

Stay one step ahead of emerging threats with Syteca’s automated incident response. Receive instant alerts for suspicious user behavior using a rich library of predefined or custom rules. Initiate containment actions, such as blocking a user once abnormal activity is detected.

User activity reporting

Generate on-demand or scheduled reports that summarize user activity and security events. Syteca’s reports provide actionable insights into behavior patterns and potential policy violations, helping you stay ahead of threats and satisfy compliance requirements.

With broad platform support across Windows, Linux, macOS, UNIX, Citrix, X Window System, and VMware, Syteca helps you protect and monitor your most critical endpoints while meeting strict privacy, compliance, and operational requirements.

Make a shift to identity security

As cyberattacks evolve, one key message becomes increasingly clear: identity is the new perimeter. The most damaging breaches no longer rely on sophisticated malware or zero-day vulnerabilities. Instead, they exploit stolen credentials, misused privileges, insider access, and the lack of visibility after login.

By learning from these examples of cybersecurity incidents and strengthening your defenses with solutions like Syteca, your organization can stay one step ahead. With granular privileged access controls, deep visibility into user activity, and real-time threat detection and response, Syteca empowers you to prevent, detect, and contain identity-driven attacks instantly.

It’s time to rethink access. Secure every session. Monitor every action. And enhance protection where it matters most — at the identity level.



