
Keep an eye out, breaches leave patterns


Most major security breaches in the last five years had one thing in common: not just an unpatched vulnerability, but a decision someone made to live with it.

A VPN credential that never got rotated, an admin account that outlasted the employee who owned it, or a privilege elevation request approved because it was easier than asking questions.

The details change, but the pattern doesn't.

This isn't a story about sophisticated attackers. It's a story about blind spots, misplaced trust, and what happens when organizations mistake the absence of an incident for the presence of security.

The pattern hiding in plain sight

The past several years have produced breach after breach across every major industry. Energy, healthcare, financial services, government agencies, identity platforms—none have been immune.

What follows is not a list of isolated incidents. It is a pattern spanning five years, six industries, and hundreds of millions of affected individuals.

| Year | Sector/Incident | Real-world impact | Security gaps |
|---|---|---|---|
| 2021 | Energy sector (US East Coast) — ransomware via leaked VPN credential | ~$4.4M ransom paid. Six-day shutdown. Fuel shortages across 17 states. | Unchecked privileges · No MFA or Zero Trust |
| 2021 | IT management software supply chain — nation-state actor lateral movement | 18,000+ organizations affected. Estimated $40B+ in damages. | No Zero Trust or DLP solutions · Implicit internal trust |
| 2021 | Managed service provider platform — zero-day privilege cascade | $70M ransom demanded. 1,500 downstream businesses affected. | Over-privileged software access · No Zero Trust segmentation |
| 2022 | Identity platform (third-party support) — admin privilege escalation | 366 enterprise customers affected. Downstream identity attacks. | Excessive admin privileges · No Zero Trust re-verification |
| 2022 | Cab company/Ride-share giant — MFA fatigue + admin credentials in shared drive | Full internal access. Employee PII, financials and source code exposed. | No DLP · Unchecked privileges · No Zero Trust |
| 2022 | Fintech platform — insider data exfiltration post-offboarding | Eight million users affected. Multiple class-action lawsuits. | Offboarding failure · No DLP anomaly detection |
| 2023 | File transfer platform — SQL injection mass exfiltration | 94M+ individuals. $15B+ damages. Government agencies and banks hit. | No DLP or Zero Trust · No egress monitoring |
| 2023 | Identity platform (support system) — stolen session tokens | All 18,000+ support users exposed. Major enterprise customers targeted. | Standing privileges · No Zero Trust per session |
| 2023 | Casino & hospitality giants — social engineering for super-admin access | $100M+ in losses. Ransom paid. Customer SSNs and financial data stolen. | Unchecked privilege requests · No Zero Trust verification |
| 2024 | Cloud productivity suite (state actor) — legacy test account, no MFA | Executive and security team emails exfiltrated. Source code accessed. | Legacy unchecked accounts · No Zero Trust |
| 2024 | Healthcare payment processor — unprotected Citrix portal, no MFA | 100M+ patient records. $22M ransom. Nationwide payments disrupted. | No Zero Trust, network segmentation, or EPM |
| 2024 | Cloud data platform + telco/ticketing — MFA absent, bulk exfiltration | 165 companies. 110M+ records from telecom alone. 560M+ from ticketing. | No Zero Trust, network segmentation, or EPM |
| 2024 | Major insurer — all three gaps present simultaneously | 36,000+ individuals' SSNs and personal data exposed. Second breach in 12 months. | Unchecked privileges · No DLP or Zero Trust |
| 2025 | Treasury department — third-party vendor API key exploit | 3,000+ sensitive government files accessed including senior official communications. | Third-party trust without Zero Trust · Privileged vendor access |
| 2025 | Business services firm — extended privileges undetected | 4.3M individuals affected across multiple client companies. | No DLP · Unchecked privileges · No behavioral monitoring |
| 2026 | Developer cloud platform affected by shadow AI via infostealer malware | Customer data breach, potential credential reuse across hundreds of organizations. | No application control · No browser security · Unchecked third-party privileges · No device control (infostealer on unmanaged endpoint) · No asset discovery (shadow AI tool unregistered) |

The industries change and the dollar figures grow, but one thing remains constant: the gaps.

Four gaps. One cascading disaster

Most organizations don't suffer breaches because they ignored security. They suffer because their security has blind spots: the energy company's legacy VPN account with no MFA, the casino's super-admin credentials granted through social engineering, or the fintech insider who retained access months after leaving.

In each of these cases, four interconnected failures likely made the difference between a minor incident and a catastrophic one.

Gap 1: Unchecked privilege

The problem: When user accounts carry more access than they need, a single stolen credential becomes a master key. Permissions granted for a temporary task quietly persist. An account no one's monitoring becomes an open door.

The solution: Endpoint Privilege Management (EPM) enforces the principle of least privilege. Access is scoped to role, application, and time. Elevated permissions expire when the task does. One compromised credential stays contained rather than becoming a path through the entire network.
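The time-bound, scoped elevation described above can be made concrete with a small policy evaluator. This is an added example, not code from the original post or from any EPM product: the grant model, the eight-hour ceiling for a "task-scoped" elevation, and the sample principals (alice, bob, carol) and applications are all constructed for illustration. The check enforces expiry on every access decision, and a second function surfaces grants that were issued for so long that they amount to standing privilege.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed data model for just-in-time (JIT) elevation: each grant is scoped to a
# principal, a role and one application, and carries an explicit expiry.
@dataclass(frozen=True)
class Grant:
    principal: str
    role: str
    application: str
    granted_at: datetime
    expires_at: datetime
    revoked: bool = False

# Anything living longer than this is a standing privilege, not a task-scoped one
# (assumed policy value, tune to your environment).
MAX_ELEVATION = timedelta(hours=8)

def evaluate(grants, principal, role, application, now):
    """Return (allowed, reason) for an access check at time `now`.

    A grant only counts if principal, role AND application match, it has not been
    revoked, and `now` falls inside [granted_at, expires_at). Because expiry is
    enforced at every check, a grant nobody cleaned up still stops working.
    """
    matching = [
        g for g in grants
        if g.principal == principal and g.role == role
        and g.application == application and not g.revoked
    ]
    if not matching:
        return False, "no grant for this principal/role/application"
    live = [g for g in matching if g.granted_at <= now < g.expires_at]
    if not live:
        return False, "grant expired"
    until = max(g.expires_at for g in live)
    return True, f"elevated until {until.isoformat()}"

def standing_grants(grants, now, max_lifetime=MAX_ELEVATION):
    """Grants that are still active but were issued for longer than `max_lifetime`:
    the permissions that 'quietly persist' after the task that justified them."""
    return [
        g for g in grants
        if not g.revoked and g.expires_at > now
        and (g.expires_at - g.granted_at) > max_lifetime
    ]

# Constructed sample grants (not real accounts).
T0 = datetime(2024, 3, 2, 9, 0, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    # Task-scoped: two hours of admin on one database.
    Grant("alice", "admin", "payroll-db", T0, T0 + timedelta(hours=2)),
    # Standing: admin on the VPN gateway, granted years ago, effectively never expires.
    Grant("bob", "admin", "vpn-gateway",
          datetime(2021, 1, 1, tzinfo=timezone.utc),
          datetime(2099, 1, 1, tzinfo=timezone.utc)),
    # Revoked during offboarding: must never match.
    Grant("carol", "admin", "payroll-db", T0, T0 + timedelta(days=30), revoked=True),
]

def run_checks(grants=SAMPLE_GRANTS):
    """Exercise the sample grants at a few points in time; returns decisions by label."""
    return {
        "alice_in_window": evaluate(grants, "alice", "admin", "payroll-db", T0 + timedelta(hours=1)),
        "alice_after_expiry": evaluate(grants, "alice", "admin", "payroll-db", T0 + timedelta(hours=3)),
        "alice_wrong_app": evaluate(grants, "alice", "admin", "hr-portal", T0 + timedelta(hours=1)),
        "carol_revoked": evaluate(grants, "carol", "admin", "payroll-db", T0 + timedelta(hours=1)),
        "standing": [g.principal for g in standing_grants(grants, T0)],
    }

if __name__ == "__main__":
    for label, result in run_checks().items():
        print(f"{label}: {result}")
```

Running the block shows alice's elevation working at 10:00 and refused at 12:00, carol's revoked grant never matching, and bob's multi-year VPN admin grant reported as the standing privilege an EPM review should remove.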

Gap 2: Unguarded data

The problem: Privilege controls tell you who can access what. They don't tell you where the data goes next. Even with privilege controls in place, sensitive data can leak through email, USB transfers, cloud uploads, or simple human error.

The solution: Data loss prevention (DLP) monitors how sensitive information moves across the organization and stops transfers that don't belong. Social Security numbers routed to an unknown external server. Bulk downloads at 2am. These are exactly the anomalies DLP is built to catch before the damage is done.
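The two anomalies named above, a regulated identifier routed to an external destination and a bulk transfer in the middle of the night, are the kind of rules a DLP engine evaluates over transfer telemetry. The following is an added example, not code from the original post or from any DLP product: the key=value log format, the internal network ranges, the 100-file bulk threshold and the 00:00-05:59 UTC off-hours window are all constructed assumptions, and the log lines (including the fake SSN) are made up for the demo.

```python
import ipaddress
import re
import shlex
from datetime import datetime, timezone

# Constructed policy values (tune to your environment).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")   # US SSN shape; real engines add validity and context checks
BULK_FILES = 100                                 # files in one transfer that counts as "bulk"
OFF_HOURS = range(0, 6)                          # 00:00-05:59 UTC

# Constructed transfer events in a key=value format (not from any real product).
SAMPLE_LOG = """\
2024-03-02T10:15:02Z user=jdoe action=upload dst=10.20.4.7 files=3 sample="invoice Q1 totals"
2024-03-02T10:17:44Z user=jdoe action=email dst=203.0.113.9 files=1 sample="ref 123-45-6789 payroll export"
2024-03-02T02:14:05Z user=svc_backup action=download dst=198.51.100.23 files=312 sample="repo snapshot"
2024-03-02T14:30:00Z user=asmith action=download dst=192.168.8.12 files=150 sample="design docs"
"""

def parse(log_text):
    """Yield one dict per event. The first token is the timestamp; the rest are
    key=value pairs, with shlex taking care of the quoted sample field."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
        for token in shlex.split(rest):
            key, _, value = token.partition("=")
            ev[key] = value
        yield ev

def is_external(ip):
    """True when the destination is outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def detect(log_text=SAMPLE_LOG):
    """Apply two DLP rules and return alerts as (user, rule, severity, detail)."""
    alerts = []
    for ev in parse(log_text):
        # Rule 1: regulated identifier leaving the network.
        if SSN_RE.search(ev.get("sample", "")) and is_external(ev["dst"]):
            alerts.append((ev["user"], "ssn_to_external", "high", ev["dst"]))
        # Rule 2: bulk transfer; off-hours bulk is treated as high severity.
        files = int(ev.get("files", 0))
        if files >= BULK_FILES:
            if ev["ts"].hour in OFF_HOURS:
                alerts.append((ev["user"], "bulk_transfer_off_hours", "high", files))
            else:
                alerts.append((ev["user"], "bulk_transfer", "medium", files))
    return alerts

if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

Against the sample log this raises three alerts: the payroll e-mail carrying an SSN to 203.0.113.9, the 312-file download at 02:14 UTC, and a daytime 150-file download that is flagged at lower severity because it stayed inside the network. The first two are the scenarios the paragraph describes; the third shows why severity, not just detection, matters when tuning DLP rules.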

Gap 3: Misplaced trust

The problem: Once an attacker is past the perimeter, traditional security largely gets out of their way. Internal traffic is treated as safe by default. A compromised account moves laterally without friction. The breach that started at one endpoint quietly expands into something far worse. This is because nothing inside the network was taught to ask the right questions.

The solution: A Zero Trust framework removes that assumption entirely. Every access request is verified, not just at login, but continuously. Unusual behavior mid-session gets flagged. The attacker who slips past the front door doesn't automatically get the run of the building.
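"Verified continuously, not just at login" can be shown as a per-request re-evaluation of the session. The block below is an added example, not code from the original post or from any Zero Trust product: the event stream, the set of privileged actions, the 15-minute freshness window for a step-up, and the rule that a token presented from a different device is treated as stolen are all constructed assumptions for the demo.

```python
from datetime import datetime, timedelta, timezone

# Actions that always require a recent verification (assumed policy set).
PRIVILEGED = {"export_users", "reset_mfa", "grant_admin"}
# How recent a successful step-up must be before a privileged action proceeds.
FRESHNESS = timedelta(minutes=15)

def _t(hh, mm):
    return datetime(2024, 3, 2, hh, mm, tzinfo=timezone.utc)

# Constructed event stream for one session (not from any real product). The first
# event is the login that sets the session's baseline device and IP.
SESSION = [
    {"ts": _t(9, 0),   "action": "login",        "device": "dev-1", "ip": "10.0.0.5"},
    {"ts": _t(9, 5),   "action": "read_reports", "device": "dev-1", "ip": "10.0.0.5"},
    {"ts": _t(9, 20),  "action": "export_users", "device": "dev-1", "ip": "10.0.0.5"},
    {"ts": _t(9, 21),  "action": "mfa_ok",       "device": "dev-1", "ip": "10.0.0.5"},
    {"ts": _t(9, 22),  "action": "export_users", "device": "dev-1", "ip": "10.0.0.5"},
    {"ts": _t(9, 40),  "action": "read_reports", "device": "dev-1", "ip": "10.0.8.77"},
    {"ts": _t(10, 40), "action": "grant_admin",  "device": "dev-9", "ip": "203.0.113.7"},
    {"ts": _t(10, 41), "action": "read_reports", "device": "dev-9", "ip": "203.0.113.7"},
]

def verify_session(events):
    """Re-evaluate trust on every request, not only at login.

    Returns a list of (ts, action, decision) where decision is one of:
      allow      - baseline intact and no fresh verification needed
      step_up    - continue only after the user re-authenticates
      terminate  - the session is revoked; nothing after it is processed
    """
    login = events[0]
    last_verified = login["ts"]  # the login itself counts as a verification
    decisions = []
    for ev in events[1:]:
        if ev["action"] == "mfa_ok":
            last_verified = ev["ts"]
            decisions.append((ev["ts"], ev["action"], "allow"))
            continue
        # A session token presented from a different device is treated as stolen.
        if ev["device"] != login["device"]:
            decisions.append((ev["ts"], ev["action"], "terminate"))
            break
        # A new source IP, or a privileged action without a recent step-up, must re-verify.
        if ev["ip"] != login["ip"] or (
            ev["action"] in PRIVILEGED and ev["ts"] - last_verified > FRESHNESS
        ):
            decisions.append((ev["ts"], ev["action"], "step_up"))
            continue
        decisions.append((ev["ts"], ev["action"], "allow"))
    return decisions

if __name__ == "__main__":
    for ts, action, decision in verify_session(SESSION):
        print(f"{ts:%H:%M} {action:<13} {decision}")
```

Walking the sample: the first export is held for a step-up because 20 minutes have passed since login, the same action a minute after a successful MFA is allowed, the IP change mid-session triggers another step-up, and the privileged request arriving from a different device ends the session outright. Nothing after that point is evaluated, which is the "flagged and shut down in hours" outcome the post contrasts with weeks of undetected access.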

Gap 4: Unseen attack surface

The problem: Security teams are defending a perimeter that no longer matches reality. Employees adopt AI tools, browser extensions, and third-party integrations faster than anyone can formally track or approve them. Each unsanctioned tool quietly brings its own OAuth scopes, API connections, and credential access into the environment. Nobody signed off on them, nobody is watching them, and attackers have started looking there first.

The solution: Application Control and Asset Discovery work together to close the shadow AI blind spot. Asset Discovery ensures your security team's view of the environment matches what actually exists inside it, and Application Control enforces policy against unsanctioned software before it can establish a foothold. Together, they ensure nothing operates in the shadows long enough to become a liability.
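The reconciliation the paragraph describes, comparing what discovery actually observes against what was approved and turning the difference into an enforcement decision, looks like this in code. It is an added example, not code from the original post or from any asset discovery or application control product: the sanctioned-application registry, the high-risk scope list, the host names and the discovery records (merged from a hypothetical endpoint agent, browser extension listing and OAuth consent log) are all constructed for the demo. The scope names used are real Slack, GitHub and Microsoft Graph permission names, chosen only so the sample reads realistically.

```python
# Constructed sanctioned-application registry: app -> scopes the security team approved.
SANCTIONED = {
    "slack":          {"channels:read", "chat:write"},
    "github-desktop": {"repo"},
    "figma":          {"files:read"},
}
# Scopes that grant broad, standing access to data (assumed watch-list).
HIGH_RISK_SCOPES = {"offline_access", "Mail.Read", "Files.ReadWrite.All", "admin:org"}

# Constructed discovery results merged from three feeds: endpoint agent inventory,
# browser extension listing and the identity provider's OAuth consent log.
OBSERVED = [
    {"host": "lt-0412", "app": "slack",             "source": "agent",   "scopes": {"channels:read", "chat:write"}},
    {"host": "lt-0412", "app": "ai-summarizer-ext", "source": "browser", "scopes": {"Mail.Read", "offline_access"}},
    {"host": "lt-0907", "app": "ai-summarizer-ext", "source": "browser", "scopes": {"Mail.Read", "offline_access"}},
    {"host": "lt-0907", "app": "github-desktop",    "source": "agent",   "scopes": {"repo", "admin:org"}},
    {"host": "lt-1120", "app": "figma",             "source": "oauth",   "scopes": {"files:read"}},
]

def reconcile(observed=OBSERVED, sanctioned=SANCTIONED):
    """Compare what discovery sees with what was approved; one finding per application.

    decision is 'allow' (sanctioned, scopes within the approved set), 'block'
    (never sanctioned: application control should stop it) or 'review' (sanctioned
    app whose granted scopes exceed what was approved, i.e. scope drift).
    """
    by_app = {}
    for item in observed:
        entry = by_app.setdefault(item["app"], {"hosts": set(), "scopes": set(), "sources": set()})
        entry["hosts"].add(item["host"])
        entry["scopes"] |= item["scopes"]
        entry["sources"].add(item["source"])
    findings = []
    for app, entry in sorted(by_app.items()):
        approved = sanctioned.get(app)
        if approved is None:
            decision = "block"
        elif entry["scopes"] - approved:
            decision = "review"
        else:
            decision = "allow"
        findings.append({
            "app": app,
            "decision": decision,
            "hosts": len(entry["hosts"]),               # how far it has spread
            "sources": sorted(entry["sources"]),        # which feed(s) saw it
            "extra_scopes": sorted(entry["scopes"] - (approved or set())),
            "high_risk": sorted(entry["scopes"] & HIGH_RISK_SCOPES),
        })
    return findings

if __name__ == "__main__":
    for f in reconcile():
        print(f"{f['decision']:<7} {f['app']:<18} hosts={f['hosts']} "
              f"extra={f['extra_scopes']} high_risk={f['high_risk']}")
```

On the sample data the unregistered AI browser extension, already on two hosts with mail-reading and offline access, comes back as a block decision; the sanctioned GitHub client is sent for review because an `admin:org` scope appeared that nobody approved; Slack and Figma match their registry entries and are allowed. The host count and source list are what let a team tell a one-off install from a tool that has quietly become infrastructure.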

Separately, each of these measures strengthens an organization's defenses. Together, they form a security posture that's genuinely difficult to breach and even harder to exploit quietly.

What could this have meant?

Imagine any of the organizations in this timeline with all four controls in place. The attacker still makes an attempt. But what happens next is fundamentally different.

Take the 2022 cab company breach. An attacker used MFA fatigue to push through authentication, then found admin credentials sitting in a shared drive. From there, the entire network was open. Employee PII, financials and source code—all of it.

Now imagine that same organization with those controls in place.

With EPM enforcing least privilege, those admin credentials would have had scoped, time-bound access rather than access to everything. With DLP monitoring data movement, bulk access to source code and financials would have triggered an alert before exfiltration completed. With Zero Trust continuously verifying behavior, the anomalous session would have been flagged and shut down in hours, not discovered weeks later.

The attacker still gets in. But they find walls where they expected open corridors.

Breaches become incidents, not headlines.

The question isn't whether you'll be targeted...

Inside every organization that was targeted, someone made a call. Maybe they meant to rotate that credential and didn't get around to it. Maybe approving the access request felt easier than pushing back. Maybe the offboarding checklist was mostly done and close enough felt fine. These are human decisions. Pretty normal ones. But that's what makes them dangerous.

Cybercriminals don't make those allowances, and they don't discriminate. If your organization holds employee records, customer information, or financial details, you are a target. The only variable is whether your defenses are built to tackle the attacks that actually happen.

But here's what the timeline in this article keeps pointing back to. The most damaging breaches weren't sophisticated operations. They were the downstream consequences of ordinary decisions.

A credential left unrotated. An offboarding checklist no one followed through. An access request approved because denying it felt like more work.

Security doesn't fail all at once. It fails in the small moments where convenience wins.

The good news is that the fix doesn't require rebuilding from scratch either. It requires the same thing the breaches came down to: a decision. The difference is that this time, you're the one making it first. Stop treating the absence of an incident as evidence of safety. Start asking whether your current posture reflects how attacks actually unfold, not just how they're imagined to.

The doors in every case study here were already open. Someone, at some point, chose to leave them that way. The question worth sitting with isn't whether your defenses are sophisticated. It's whether the decisions being made inside your organization today are the kind that show up in next year's timeline.