The 10 Worst Cyber Network Breaches of 2023–2025 and Key Lessons for Your Business

Cyberattacks have escalated in scale and impact over the past two years, hitting organizations of all sizes and across industries. We’ve seen ransomware paralyze hospital systems, data breaches expose hundreds of millions of records, and supply chain exploits ripple across thousands of companies. In this concise review, we examine ten of the most significant network breaches from 2023 to early 2025. For each incident, we summarize what happened, the damage done, what went wrong, and how it might have been prevented. Small business owners can draw valuable lessons from these high-profile cases to strengthen their own cybersecurity posture.

T-Mobile Data Breach – January 2023

What Happened:

In January 2023, T-Mobile disclosed that hackers had exploited an unprotected API (application programming interface) to steal data on approximately 37 million customer accounts. The breach exposed names, contact information, and other customer details (though no passwords or financial information). The attack was detected and shut down within a day, but not before a vast amount of personal data was siphoned off.

Impact:

While services remained operational, the exposure of tens of millions of customers’ data was a serious privacy incident. T-Mobile faced regulatory scrutiny and reputational damage, as this was its second major breach in two years. The prospect of customer churn increased, and the company braced for potential legal and compliance costs (as regulators like the FCC opened an investigation).

Key Security Failure:

The root cause was an inadequately secured API endpoint. The interface allowed too much data access without proper rate limiting or strong authentication, enabling attackers to methodically harvest customer information. This highlights a lapse in API security and monitoring. T-Mobile’s prior investments in security hadn’t prevented an old weakness from persisting.

Prevention:

Strictly enforcing authentication on all APIs, implementing rate limiting (to detect bulk scraping), and conducting regular security tests could have thwarted this attack. Small businesses should inventory their own web APIs or customer portals and ensure they are locked down. Regular code reviews and penetration testing of APIs can catch oversights before attackers do.

MOVEit Supply Chain Attack – Mid 2023

What Happened:

A critical zero-day vulnerability in the widely used MOVEit Transfer file transfer software was exploited in May 2023 by a ransomware group. By leveraging this flaw, the attackers (the Clop gang) gained unauthorized access to MOVEit servers worldwide, stealing sensitive data from over 1,000 organizations. This supply chain attack meant that by breaching a single software platform, the hackers obtained data from countless companies that relied on MOVEit for secure file transfers.

Impact:

The MOVEit breach cascaded globally, with an estimated 60 million individuals’ personal data affected across all victim organizations. High-profile victims ranged from financial institutions and airlines to government agencies and pension funds. While the attackers largely used the incident for extortion (threatening to leak stolen data unless paid), the operational disruption was moderate for most victims – mainly consisting of emergency patching and incident response rather than complete shutdowns. However, the breach’s scope made it one of 2023’s largest cyber incidents, forcing hundreds of organizations to notify customers and deal with reputational fallout.

Key Security Failure:

This was essentially a software supply chain failure – a trusted third-party tool contained an unknown critical bug. Organizations had insufficient monitoring on their file transfer systems; attackers were exfiltrating data for days before detection. Many victims also lacked automated patch management, delaying their response once the vulnerability was announced.

Prevention:

No single company could have prevented the MOVEit zero-day vulnerability; however, rapid patching and network segmentation helped limit the damage. Businesses should apply security updates immediately for critical software and use intrusion detection systems to catch large, anomalous file transfers. Isolating third-party applications (like file transfer servers) in their own segment can prevent a breach in one system from spreading to broader networks. Vendor risk management is also crucial: small firms should ensure that the software vendors they rely on have rigorous security practices and a mechanism to alert users quickly about threats.

MGM Resorts Ransomware – September 2023

What Happened:

In September 2023, casino and hotel giant MGM Resorts fell victim to a high-profile ransomware attack. A hacker group (ALPHV/BlackCat, working with a social engineering crew called Scattered Spider) infiltrated MGM’s IT network by targeting an outsourced helpdesk via a phone scam. Once inside, they deployed ransomware that forced MGM to shut down many of its systems as a precaution.

Impact:

The attack led to severe operational disruption across MGM’s Las Vegas properties and other locations. For over 10 days, slot machines, hotel room digital keys, reservation systems, and even casino floor operations were crippled. Guests experienced check-in delays and resort services had to revert to manual processes, resulting in frustrated customers and losses. MGM refused to pay the ransom; as a result, the hackers leaked stolen personal data (including some customers’ driver’s license and Social Security numbers) on the dark web. Financially, MGM reported an estimated $100 million loss in revenue for the quarter due to the business interruption, plus over $10 million in recovery and consulting costs.

Key Security Failure:

Social engineering was the initial failure – the attackers convinced an IT support contractor to provide administrator credentials, bypassing technical safeguards. Internally, MGM lacked robust multi-factor authentication or verification procedures for high-level access requests, which allowed a simple phone call to lead to domain control. Additionally, network segmentation and incident response planning were insufficient to contain the ransomware once it triggered, forcing enterprise-wide shutdowns.

Prevention:

Employee training and strict identity verification protocols are critical. Small businesses should implement MFA for any sensitive account and establish procedures so that no password resets or admin changes happen without thorough validation. Limiting third-party access and monitoring for unusual account activities (like new administrative users or bulk file encryption) can catch an attack early. A strong incident response plan – including network isolation playbooks – can help limit downtime if ransomware strikes.

Caesars Entertainment Data Breach – September 2023

What Happened:

Just days before the MGM incident, Caesars Entertainment (another major casino operator) suffered its own cyberattack, reportedly by the same threat group. Attackers infiltrated Caesars through a third-party IT support vendor and stole a copy of the company’s massive loyalty rewards program database. Faced with an extortion demand, Caesars chose to quietly pay the hackers (allegedly about $15 million) to secure a promise that the data would not be leaked. The breach wasn’t publicly confirmed until it came to light in an SEC filing and news reports later in September 2023.

Impact:

The stolen loyalty program database contained personal details for roughly 65 million customers, including sensitive fields like driver’s license and Social Security numbers for some members. However, Caesars managed to avoid any significant operational outages – casinos and hotels remained fully functional. By paying the ransom swiftly, Caesars likely prevented the kind of prolonged disruption seen at MGM. The primary impacts were financial (the ransom payment and subsequent security enhancements) and reputational, as customers had to be notified that their personal data had been compromised. Caesars avoided immediate revenue loss from downtime, but it faces potential longer-term costs, including erosion of customer trust and class-action lawsuits.

Key Security Failure:

Caesars’ breach highlights weaknesses in third-party risk management and access controls. Attackers gained entry via an external vendor’s compromised credentials – indicating that vendor accounts were not locked down with least-privilege principles or robust authentication. Additionally, storing an entire loyalty database (with millions of sensitive records) in one accessible location represents a single point of failure. Encryption of sensitive fields and tighter database access monitoring might have limited the damage.

Prevention:

Businesses large and small must vet the security of their contractors and partners. Limit what third-party users can access, enforce MFA on any external logins, and closely monitor unusual access patterns (especially into crown-jewel data stores). Regular audits of data repositories can identify if too much information is pooled in one system. In Caesars’ case, segmenting and encrypting their customer data could have made the stolen records unusable to thieves. The lesson for a small company is clear: your security is only as strong as the weakest link in your vendor network.

Rackspace Hosted Email Outage – Dec 2022/Jan 2023

What Happened:

In late 2022, cloud service provider Rackspace was hit by a ransomware attack on its Hosted Exchange email environment. The attackers exploited a then-unknown vulnerability (a zero-day in Microsoft Exchange Server, later identified as CVE-2022-41080) to gain access and encrypt Rackspace’s email servers. Rackspace’s response was to take the entire hosted email service offline to contain the threat. Unfortunately, this outage dragged on into early 2023 and ultimately became permanent – Rackspace decided not to restore the legacy Hosted Exchange service, leaving customers to migrate to other solutions.

Impact:

The incident caused a massive email outage for about 30,000 businesses that relied on Rackspace for email hosting. For days and in some cases weeks, small companies, law firms, and other Rackspace clients lost access to historical emails and had to set up new mail accounts. Rackspace eventually recovered some data for some customers, but many had to rebuild their email archives from local backups (if they had them). Financially, Rackspace estimated a loss of around $30 million in annual revenue due to customer departures, plus $10–$15 million in incident response and legal costs. The company also suffered reputational damage, as trust in its services plummeted.

Key Security Failure:

The breach stemmed from a failure to apply critical patches in a timely manner. Microsoft had patched the Exchange vulnerability a month before, but Rackspace’s environment remained unpatched and thus exposed. Additionally, Rackspace did not have a segmented architecture for Hosted Exchange – once the ransomware executed, it affected the entire cluster of servers. Lack of an effective offsite backup or rapid restore process compounded the downtime.

Prevention:

The obvious lesson is to keep software up to date, especially for internet-facing systems like email servers. Small businesses using self-hosted software must stay vigilant with patches (or consider cloud services that handle updates). Network segmentation could have limited how far the ransomware spread within Rackspace’s infrastructure. Finally, robust business continuity planning is key: companies should have backups and a failover strategy for email and other critical services. In this case, many clients realized the value of having independent backups as they scrambled to recover communications.

Boeing Cyber Incident (LockBit Ransomware) – November 2023

What Happened:

In October 2023, aerospace leader Boeing experienced a cyber intrusion in parts of its network, confirmed publicly in early November when the LockBit ransomware gang announced they had breached the company. LockBit claimed to have stolen a “tremendous amount” of Boeing’s sensitive data and set a ransom deadline, after which they would leak the data. Boeing did not pay by the demanded date, and consequently LockBit began releasing approximately 40GB of data allegedly taken from Boeing’s systems onto the dark web.

Impact:

Boeing is a critical manufacturer, and any attack raises concerns about intellectual property theft and national security. In this case, internal company data (from Boeing’s parts and distribution division) was exposed. The leaked trove likely included technical documents, employee information, and possibly defense-related files, though Boeing stated there was no impact on airplane safety or operations. Unlike many ransomware events, there was no reported encryption of Boeing’s systems – production and flights remained unaffected. The primary damage was potential loss of proprietary data and the cost of incident response. Financial details weren’t disclosed, but some reports indicated LockBit attempted to extort Boeing for as much as $50–$100 million (unverified). The reputational impact for Boeing was significant, and the leak could have long-term competitive implications if trade secrets were compromised.

Key Security Failure:

The attack was attributed to a known vulnerability (“Citrix Bleed” zero-day exploit) that Boeing had not patched in time. This highlights a patch management lapse similar to Rackspace’s case. Moreover, the incident suggests Boeing’s network monitoring did not catch large-scale data exfiltration in progress. The lack of robust egress controls (monitoring and limiting outgoing data) allowed attackers to smuggle out tens of gigabytes of information. Boeing’s decision not to pay ransom was commendable, but it underscores that their cyber defenses should have prevented the intrusion altogether.

Prevention:

Again, timely application of security patches – especially for remote access software and critical infrastructure – is essential. Large transfers of data leaving the network should have raised red flags; implementing data loss prevention (DLP) tools and 24/7 security monitoring can help spot such anomalies. For small businesses, the takeaway is to stay on top of updates for any software that connects to the internet (VPN appliances, cloud apps, etc.) and to have alerts if large amounts of data are being downloaded or sent out, in case an insider or malware is trying to steal information.

Clorox Ransomware Attack – August 2023

What Happened:

In August 2023, The Clorox Company – a household products manufacturer – fell victim to a disruptive cyberattack, later confirmed to be ransomware. The attackers infiltrated Clorox’s IT systems and triggered an incident that forced Clorox to shut down portions of its network to contain the spread. Unlike breaches focused on stealing data, this attack had a direct impact on Clorox’s production and distribution capabilities. For a period of several weeks, the company had to revert to manual order processing and many of its factories ran at limited capacity.

Impact:

Clorox experienced major operational downtime – the supply chain was slowed so significantly that store shelves saw shortages of Clorox products in the ensuing months. It took until late October 2023 for the company to restore normal manufacturing operations. The financial impact was substantial: in the quarter following the attack, Clorox reported a 20% drop in net sales (over $300 million in lost revenue) due to its inability to fulfill orders. Additionally, the company incurred about $49 million in direct expenses for recovery, including IT forensics, system restoration, and extra labor for manual processes. No specific personal customer data breach was reported, but the attack eroded Clorox’s earnings and highlighted the vulnerability of manufacturing processes to digital disruptions.

Key Security Failure:

Clorox did not disclose the exact technical flaw exploited, but the scale of disruption suggests issues with network segmentation and incident response preparedness. The ransomware spread widely, implying that critical production networks were not isolated from corporate IT or that detection was too slow. Inadequate offline backups or redundancies meant the company couldn’t quickly switch to backup systems to keep factories running. Essentially, Clorox was caught without a robust disaster recovery plan for a cyber-induced outage.

Prevention:

Manufacturers and small businesses alike should segment operational technology (OT) networks from corporate networks so that malware in an office PC can’t halt factory machines. Regular drills and business continuity planning could have helped Clorox maintain some output (for example, having alternative ordering systems or manual fallback procedures that are well-rehearsed). Investing in early threat detection – such as monitoring for suspicious encryption activity or unauthorized IT access on production controllers – can catch an attack before it escalates. Lastly, maintain recent offline backups of critical systems so that a ransomware event doesn’t paralyze operations for weeks. Even smaller companies can apply these principles to ensure they can continue serving customers during a cyber crisis.

Change Healthcare / UnitedHealth Ransomware – February 2024

What Happened:

In February 2024, Change Healthcare, a major healthcare technology firm (and part of UnitedHealth Group), was struck by a sophisticated ransomware attack by the BlackCat (ALPHV) group. The hackers infiltrated the company’s systems that process medical claims and insurance payments across the United States. They exfiltrated vast amounts of healthcare data and deployed ransomware that took down critical platforms used by pharmacies, hospitals, and insurers nationwide. UnitedHealth eventually acknowledged the breach publicly and revealed that a ransom was paid (reportedly $22 million) to the attackers as part of the response.

Impact:

This was one of the most disruptive cyber incidents in healthcare history. The attack forced electronic processing of medical claims to halt for an extended period, meaning healthcare providers couldn’t electronically verify insurance or process payments. Patients were impacted as well – many had to pay out-of-pocket for medications or services and later seek reimbursement because normal billing systems were down. In terms of data loss, the breach was catastrophic: by 2025, UnitedHealth disclosed that approximately 190 million individuals’ personal health information was compromised. This staggering number (over half the U.S. population) makes it the largest healthcare data breach on record. Financially, UnitedHealth Group spent over $3 billion in 2024 on incident response and bolstering security, far eclipsing the ransom amount. They also set aside around $6 billion to assist healthcare providers affected by the outage. The breach underscored how a cyberattack on one system can cascade into a national healthcare service disruption.

Key Security Failure:

Change Healthcare’s systems, given their importance, lacked sufficient defense-in-depth. The attackers found a way in – possibly via compromised credentials or an unpatched system – and then were able to move laterally and encrypt servers without being stopped. The sheer scale of data affected suggests encryption or anonymization of stored medical data was not consistently implemented, making the breach of one database expose millions of records. Additionally, business continuity planning was insufficient; the healthcare industry relies on vendors like Change, and many had no fallback when its services went offline. This incident exposed weaknesses in third-party risk management for all the hospitals and insurers depending on a single company’s cybersecurity.

Prevention:

At a technical level, implementing zero trust architecture – where even internal systems are continuously validated – could have limited the intruders’ lateral movement. Regular audits and penetration tests on high-value healthcare platforms might have revealed vulnerabilities before attackers exploited them. Data minimization and encryption could have reduced the trove of accessible information even if hackers broke in. For small businesses, the lesson is to evaluate your critical vendors (payroll providers, cloud software, etc.) – ask about their security controls and contingency plans. Also, have your own backup processes for essential operations. If your cloud software provider went down tomorrow due to a breach, could your business still function? Preparing for that scenario is part of good cyber resilience.

Snowflake Data Theft Extortion – May 2024

What Happened:

In May 2024, Snowflake, a prominent cloud data warehousing company, revealed that it had been assisting with an investigation into a series of attacks on its customers’ accounts. A threat actor leveraged stolen login credentials (obtained from prior malware or phishing campaigns) to access over 160 Snowflake customer accounts. Once in, the attacker downloaded large amounts of data from each victim’s cloud databases and attempted to extort those companies for money. Notable enterprises, including AT&T, Ticketmaster, and multiple banks, were among those affected – for example, millions of ticket buyer records and telephone call logs were stolen in this campaign.

Impact:

The breach was unusual in that Snowflake’s own infrastructure wasn’t directly compromised – instead, it was an identity-based attack exploiting weak customer security. Nonetheless, the outcome was a significant data breach affecting potentially millions of individuals’ data across numerous businesses. Some victim organizations reported specific impacts (one retailer saw 2.3 million customer records exposed, a telecom had call detail records pilfered, etc.). Financially, each affected company had to handle the extortion demands (ranging from a few hundred thousand to several million dollars each). Snowflake’s stock price dipped amid concerns about its platform’s security, even though the root cause was users not enabling multi-factor authentication. Operational disruption was minimal since the cloud service itself stayed online; however, the breach eroded trust in cloud data security and prompted many Snowflake clients to scramble and improve account protections.

Key Security Failure:

This incident highlights poor account security practices among cloud users. In many cases, the breached Snowflake customer accounts were not using multi-factor authentication (MFA), and had weak or reused passwords that had been stolen from other breaches. Additionally, Snowflake’s platform did not enforce MFA by default, nor restrict logins by IP address or region, which could have mitigated unauthorized access. There was also an apparent lack of real-time anomaly detection – the attacker was able to perform large data downloads from numerous accounts without immediate flags.

Prevention:

For cloud services, both the provider and the customer share responsibility. Snowflake has since moved toward requiring MFA and offering more security tools, but ultimately each customer must turn on these features. Small businesses using any cloud platform should always enable MFA and regularly review account access logs. Use strong, unique passwords (or a password manager) to avoid credential stuffing attacks. In Snowflake’s case, customers could have set up network policies to limit access to their data (e.g., only from their offices or cloud VPC). Monitoring is key: unusual spikes in data export activity should generate alerts. The big takeaway is that convenience (skipping security steps) can lead to disaster – secure your cloud accounts with the same vigilance as your on-premise systems.

Ascension Health Ransomware – May 2024

What Happened:

In May 2024, Ascension, one of the largest healthcare systems in the U.S., suffered a crippling ransomware attack (attributed to the Black Basta gang). The cybercriminals breached Ascension’s network, likely via a phishing email or vulnerable remote access point, and managed to deploy ransomware across many of its hospital IT systems. Key applications, including the electronic health record (EHR) system used by Ascension hospitals (e.g. the MyChart patient portal), were rendered inaccessible. Essentially, digital hospital operations ground to a halt as staff found themselves locked out of critical systems.

Impact:

The incident led to widespread disruption of healthcare services across multiple states. Ascension’s hospitals had to divert ambulances and emergency patients to other networks, postpone non-urgent surgeries, and revert to paper documentation for weeks. Doctors and nurses lost access to patient histories and lab results electronically, which slowed down care and could have compromised patient safety. Beyond the operational chaos, Ascension later discovered that the attackers also stole data on about 5.6 million individuals, including patients and employees. The stolen information ranged from personal identifiers and insurance details to medical and payment data – a serious privacy breach. Financially, the attack dealt a blow to Ascension’s finances; the organization reported that the cyber crisis contributed to a significant loss in the fiscal year, as they had to spend heavily on system recovery and faced lost revenue from reduced patient services. (Some analyses pegged the cost at over $1 billion, factoring in the prolonged disruptions and remediation efforts.)

Key Security Failure:

Several factors contributed to the severity of this breach. First, lack of network segmentation allowed the ransomware to propagate across many hospitals once the attackers got in. Mission-critical systems like EHR were not sufficiently isolated or protected by strong internal access controls. Second, Ascension’s incident response appeared unprepared for an attack of this magnitude – it took over a month to fully restore systems, indicating insufficient disaster recovery arrangements (no readily available clean backups or hot standby systems for the EHR). Additionally, the fact that millions of records were exfiltrated means data encryption or strict access audits were lacking; hackers had ample time to access and steal sensitive files without detection.

Prevention:

Healthcare providers must treat cybersecurity as a core aspect of patient safety. In practice, this means segmenting networks (so that, for example, a malware infection in an admin PC cannot encrypt ICU monitors or the EHR database). Regular backup and recovery drills for critical systems could ensure that hospitals can be back online quickly even if ransomware hits – possibly by switching to a parallel system or restoring from backups within hours, not weeks. Multi-layered defenses like endpoint detection and response (EDR) tools can spot suspicious ransomware behavior early (e.g., an unusual process encrypting files). For small medical practices or any small business, the lesson is to prepare for the worst: have an offline backup of your essential data, practice operating “offline” or manually, and train your staff to recognize phishing attempts (a common entry point for attackers). Speed and preparation can drastically reduce the impact of a ransomware event.

Comparison of Major Breaches (2023–2025)

To better understand these incidents at a glance, the table below summarizes the financial impact, number of people affected, and operational disruption level for each breach:

Table Key: Individuals Affected refers to number of people whose personal data was compromised, where applicable. Operational Disruption qualitatively rates the impact on business operations: Low = primarily data/privacy impact; High/Severe = significant service outage or business interruption.

Conclusion: Strengthening Your Business Against the Next Breach

Each of these breaches, though occurring at large organizations, carries lessons that are directly applicable to small and medium-sized businesses. Cybercriminals often target smaller companies, knowing they may have weaker defenses. As a business owner, you should assume it’s not if but when you might face a cyber incident. Proactive steps, such as keeping systems patched, enforcing multi-factor authentication, training employees on phishing awareness, segmenting your network, and backing up data, can dramatically reduce your risk and potential damage.

Most importantly, you don’t have to tackle cybersecurity alone. Shield IT Service Management (Shield ITSM) offers managed IT and cybersecurity services that bring enterprise-grade protection to small businesses. From 24/7 network monitoring and regular security updates to employee security awareness training and incident response planning, Shield ITSM can help fortify your business against threats. Don’t wait for a headline-making breach to take action – invest in robust IT security now. Contact Shield ITSM today to learn how our managed services can keep your business safe, operational, and resilient in the face of evolving cyber dangers.

Sources

1. Reuters – T-Mobile says data of 37 million customers exposed in API breach (Jan 2023)

2. TechCrunch – MOVEit mass hack affects 60 million individuals via zero-day exploit (Aug 2023)

3. Cybersecurity Dive – MGM Resorts cyberattack to cost $100M; sensitive customer data stolen (Oct 2023)

4. Levi & Korsinsky Class Action Notice (Accesswire) – Caesars Rewards breach exposes info of 65 million members (Apr 2024)

5. Aeris Cybersecurity Blog – 2023 Top Breaches (incl. Rackspace outage details) (2023)

6. Reuters – LockBit ransomware leaks Boeing data after $50M extortion attempt (Nov 2023)

7. Bitdefender – Clorox cyberattack cost $49M and caused major product outages (Feb 2024)

8. Reuters – UnitedHealth (Change Healthcare) hack affects 190 million Americans (Jan 2025)

9. Cybersecurity Dive – 100+ Snowflake customers’ data stolen due to lack of MFA (June 2024)

10. SecurityWeek – Ascension Health ransomware: 5.6M individuals’ data stolen, hospitals diverted (Dec 2024)