London Daily

Focus on the big picture.
Thursday, Oct 02, 2025

In a decade of cybersecurity alarms, these are the breaches that actually mattered

In a decade of cybersecurity alarms, these are the breaches that actually mattered

Of the trillions of threats this decade, and the billions of breaches, and the thousands of those breaches that actually made it to the news, here are the six incidents that really mattered.

The 2010s were the decade when cybersecurity incidents became commonplace.

Almost daily, we hear about another privacy “incident,” or an “exposure” of information. Among the billions of these incidents that took place over the decade - the vast majority of which were either undetected or unreported - only a handful can legitimately be called security “breaches”: that is, non-theoretical events that actually harmed people or equipment, or sowed real chaos.

These incidents do not include the well-known violations of privacy, like Facebook allowing Cambridge Analytica to collect information from unwitting consumers. Nor does it include theoretical nation-state risks of a high level, like those alleged by U.S. intelligence agencies against China’s Huawei.

Of the trillions of threats this decade, and the billions of breaches, and the thousands of those breaches that actually made it to the news, here are the six incidents that really mattered.


2010: Iranian nuclear facilities

What happened: A cyberweapon known as Stuxnet was first uncovered in 2010 but had probably been used for many years prior. The extremely sophisticated malicious software was used most famously to modify the workflow of centrifuges in an Iranian nuclear power plant, causing them to spin uncontrollably and explode or catch fire.

It was the first time a malicious computer program had been used to cause so much physical damage.

Why it was disruptive: Stuxnet catapulted cybersecurity to the forefront of global national security conversations. The incident has raised numerous policy questions - particularly how countries can determine when a cyberattack constitutes an act of war - and illuminated the way in which a country might use the digital realm to cause severe damage to an enemy. Governments also began to invest more heavily in security efforts touching the electrical grid.

Stuxnet had another unexpected effect: the military-grade malicious code, rumored heavily to have been developed jointly by Israeli and American intelligence, was re-engineered by the Iranians and used to attack other targets, notably in Saudi Arabia. The code also leaked onto the internet, putting one of the most powerful cyberweapons that had ever been developed into the hands of just about anyone who could figure out how to use it.


2013: Target

What happened: At the peak of the holiday season in 2013, Target’s CEO announced a massive breach of 110 million customer credit cards and other personal details, including names, addresses, phone numbers and emails. The timing of the breach announcement created a perfect storm of bad press for the company.

The breach was caused by malware-infected technology belonging to an HVAC provider to the company, and infected point-of-sale terminals and other retail equipment.

There were hundreds of similar incidents during the decade. But unlike many of those others, Target suffered real repercussions.

CEO Gregg Steinhafel came out immediately after announcing the breach with heavily apologetic messaging. Rather than calm stormy waters, the approach seemed to exacerbate Target’s problems and annoy anxious holiday shoppers. Target’s year-over-year revenue fell 46% in the fourth quarter of 2013 as a result. Steinhafel would resign by May 2014 because of the incident; he was preceded by the company’s CIO, Beth Jacob, who left in March 2014.

By contrast, Home Depot suffered a nearly identical breach but did not disclose it until early in 2014, which appeared to temper consumer outrage over the incident.

Target introduced numerous reforms to its cybersecurity program following the incident, built a global cybersecurity fusion center and invested heavily in information-sharing initiatives with other retailers, financial services firms and the hospitality industry.

Why it was disruptive: Target’s breach had numerous long-term consequences for cybersecurity.

Crisis teams have closely studied the timing of the breach and the messaging Target used. Target’s in-your-face, highly apologetic strategy backfired; that’s why so many breaches today are announced in staid press releases, and executives seldom spend much time talking about them.

Second, the fact that a mundane third-party service provider opened Target to criminal hackers sparked far greater focus on third-party vendors. Programs vetting the cybersecurity practices of outsourced service providers are much more prominent than they were.

The resignations of the company’s CEO and other top executives because of the breach also marked a first. CEOs, board members and other leaders started paying a lot closer attention to cybersecurity after the Target breach.


2014: Sony

What happened: In November 2014, private information and emails of employees of Sony Motion Pictures were stolen and leaked by hackers associated with the North Korean government. The incident was, the attackers said, retaliation for a comedy film produced by Sony that depicted the assassination of North Korean leader Kim Jong-Un.

The leaked emails included highly embarrassing conversations between studio executives about famous actors and actresses, and led to the resignation of powerful studio executive Amy Pascal.

Why it was disruptive: The Sony breach reverberated through board rooms as much as it did through tabloid media. Execs started grilling cybersecurity staffers about topics they’d shown little interest in before, like whether their companies were angering any hostile nation-states and how their companies treat email retention.

The incident thrust “reputational risk” front and center to the considerations of how cybersecurity could harm the corporation.

North Korea also emerged from the incident as a significant and surprising power player on the cyberthreat stage. The country has raised significant money from its cyberattacks after Sony, which have included major ransomware incidents and bank heists.


2017: NotPetya

What happened: On June 27, 2017, several things happened at once: labs in the U.S. that made vaccines for Merck stopped running, ships that brought goods through Scandinavia and across the oceans for Maersk stopped shipping, factories that churned out chocolates for Cadbury stopped churning, and shipments bound for shops across Europe managed by Reckitt Benckiser and FedEx ground to a halt. All because of NotPetya.

NotPetya was a ransomware virus that acted like a worm, jumping from company to company across networks. It mirrored a predecessor bug known as WannaCry, but was far more damaging, causing lasting outages and significant damage not just to desktop computers, but to the systems that run large industrial equipment or logistics operations. The incident was attributed to Russia, and 80% of the affected systems hit by the ransomware were in Ukraine.

Why it was disruptive: NotPetya displayed plainly for the first time how interconnected different industries are.

It also sparked a reckoning for the nascent industry of cyber insurance. Companies such as FedEx that had no cyber insurance incurred massive costs. Several companies that did have cyber insurance have sued their insurers because those insurers have denied the claims for various reasons, including by invoking “act of War” clauses.

Warren Buffet even cited NotPetya as a reason why he has remained mostly uninvolved in the cyber insurance business, despite Berkshire Hathaway’s considerable holdings in other types of insurance offerings. “We can figure the probability of a quake or a hurricane but don’t know as much in cyber,” Buffett said in 2018. “It’s uncharted territory on the insurance side and will get worse, not better.”

NotPetya and WannaCry also introduced the world to the unsavory world of ransomware, which has reverberated around the world and since hit U.S. cities, educational institutions and health-care providers.


2017: Equifax

What happened: In March 2017, something barely noticeable happened on the cybersecurity landscape - a vulnerability in an open source software platform known as Apache Struts was discovered. The U.S. Computer Emergency Response Team released an urgent memo to companies to patch the problem.

Credit ratings agency Equifax got the memo. The directive to patch the Struts problem was passed down throughout different parts of the organization responsible for these fixes. But one of those departments didn’t fulfill the patching as requested. The rest is history.

By around May, criminals had found the unpatched system, a database housing information on credit bureau complaints. From there, these hackers - who are still unknown - made off with the Social Security numbers and other credit details of nearly half of all Americans, along with some residents of Canada and the U.K.

Why it was disruptive: The Equifax breach, announced Sept. 7, 2017, may not be the biggest or the most expensive, but it absolutely will go down in history as one of the messiest and most likely to spark vitriolic outrage in consumers.

Like the Target breach, executives at other companies looked on in fear as the fallout reached deep within the Equifax organization. CEO Richard Smith left Sept. 26 following a disastrous response. The company’s CIO was later indicted on charges he used information about the breach before it was made public to trade the company’s stock.

Equifax has spent hundreds of millions on this incident, including the most recent $575 million settlement with consumers whose data was stolen in the incident.

The company’s stock has recovered, but its reputation remains battered as it continues to make missteps — most recently, in July 2019, the Federal Trade Commission said Equifax could run out of settlement money before paying all the claims made by consumers whose information was stolen. The company has, however, invested significantly in building a stronger cybersecurity program, including emphasizing communication between leaders and cybersecurity executives, and integrating security projects throughout disparate lines of business.


2018: Marriott

What happened: By 2018, breaches of massive amounts of consumer data had become so commonplace that Marriott was not even particularly memorable. Its numbers were eye-popping - an original estimate of up to 500 million people affected, but no Social Security numbers. The theft of 5 million passport numbers stirred consumers a bit more than the average. But the incident sparked only a few weeks of commentary before mostly fading away.

So why is it on this list? Because under the surface, the Marriott breach was highly disruptive to one cyberthreat area that had mostly gone ignored throughout the decade: merger due diligence. The breach originated with a database managed by Starwood Resorts, which was purchased by Marriott in 2016 for $13.3 billion. The data leak may have been ongoing for several years, the company has said.

Why it was disruptive: Just as Target sparked a whole generation of robust third-party oversight programs in the corporate world in the early half of the decade, the Marriott breach is already causing companies to improve how they conduct investigations of companies they plan to purchase.

Shareholder lawsuits calling into question Marriott’s merger due-diligence practices make some of the most compelling data-breach suits in years.

In many ways, Marriott is a sleeper breach - one that we might not think about much but will cause ripple effects in some major areas of business well into the next decade.

Newsletter

Related Articles

0:00
0:00
Close
Trump Administration Launches “TrumpRx” Plan to Enable Direct Drug Sales at Deep Discounts
Trump Announces Intention to Impose 100 Percent Tariff on Foreign-Made Films
Altman Says GPT-5 Already Outpaces Him, Warns AI Could Automate 40% of Work
Singapore and Hong Kong Vie to Dominate Asia’s Rising Gold Trade
Trump Organization Teams with Saudi Developer on $1 Billion Trump Plaza in Jeddah
Manhattan Sees Surge in Office-to-Housing Conversions, Highest Since 2008
Switzerland and U.S. Issue Joint Assurance Against Currency Manipulation
Electronic Arts to Be Taken Private in Historic $55 Billion Buyout
Thomas Jacob Sanford Named as Suspect in Deadly Michigan Church Shooting and Arson
Russian Research Vessel 'Yantar' Tracked Mapping Europe’s Subsea Cables, Raising Security Alarms
New York Man Arrested After On-Air Confession to 2017 Parents’ Murders
U.S. Defense Chief Orders Sudden Summit of Hundreds of Generals and Admirals
Global Cruise Industry Posts Dramatic Comeback with 34.6 Million Passengers in 2024
Trump Claims FBI Planted 274 Agents at Capitol Riot, Citing Unverified Reports
India: Internet Suspended in Bareilly Amid Communal Clashes Between Muslims and Hindus
Supreme Court Extends Freeze on Nearly $5 Billion in U.S. Foreign Aid at Trump’s Request
Archaeologists Recover Statues and Temples from 2,000-Year-Old Sunken City off Alexandria
China Deploys 2,000 Workers to Spain to Build Major EV Battery Factory, Raising European Dependence
Speed Takes Over: How Drive-Through Coffee Chains Are Rewriting U.S. Coffee Culture
U.S. Demands Brussels Scrutinize Digital Rules to Prevent Bias Against American Tech
Ringo Starr Champions Enduring Beatles Legacy While Debuting Las Vegas Art Show
Private Equity’s Fundraising Surge Triggers Concern of European Market Shake-Out
Colombian President Petro Vows to Mobilize Volunteers for Gaza and Joins List of Fighters
FBI Removes Agents Who Kneeled at 2020 Protest, Citing Breach of Professional Conduct
Trump Alleges ‘Triple Sabotage’ at United Nations After Escalator and Teleprompter Failures
Shock in France: 5 Years in Prison for Former President Nicolas Sarkozy
Tokyo’s Jimbōchō Named World’s Coolest Neighbourhood for 2025
European Officials Fear Trump May Shift Blame for Ukraine War onto EU
BNP Paribas Abandons Ban on 'Controversial Weapons' Financing Amid Europe’s Defence Push
Typhoon Ragasa Leaves Trail of Destruction Across East Asia Before Making Landfall in China
The Personality Rights Challenge in India’s AI Era
Big Banks Rebuild in Hong Kong as Deal Volume Surges
Italy Considers Freezing Retirement Age at 67 to Avert Scheduled Hike
Italian City to Impose Tax on Visiting Dogs Starting in 2026
Arnault Denounces Proposed Wealth Tax as Threat to French Economy
Study Finds No Safe Level of Alcohol for Dementia Risk
Denmark Investigates Drone Incursion, Does Not Rule Out Russian Involvement
Lilly CEO Warns UK Is ‘Worst Country in Europe’ for Drug Prices, Pulls Back Investment
Nigel Farage Emerges as Central Force in British Politics with Reform UK Surge
Disney Reinstates ‘Jimmy Kimmel Live!’ after Six-Day Suspension over Charlie Kirk Comments
U.S. Prosecutors Move to Break Up Google’s Advertising Monopoly
Nvidia Pledges Up to $100 Billion Investment in OpenAI to Power Massive AI Data Center Build-Out
U.S. Signals ‘Large and Forceful’ Support for Argentina Amid Market Turmoil
Nvidia and Abu Dhabi’s TII Launch First AI-&-Robotics Lab in the Middle East
Vietnam Faces Up to $25 Billion Export Loss as U.S. Tariffs Bite
Europe Signals Stronger Support for Taiwan at Major Taipei Defence Show
Indonesia Court Upholds Military Law Amid Concerns Over Expanded Civilian Role
Larry Ellison, Michael Dell and Rupert Murdoch Join Trump-Backed Bid to Take Over TikTok
Trump and Musk Reunite Publicly for First Time Since Fallout at Kirk Memorial
Vietnam Closes 86 Million Untouched Bank Accounts Over Biometric ID Rules
×