
Technology and Policy

Major Cybersecurity Breaches


Why This Matters

Cybersecurity breaches aren't just headline-grabbing disasters—they're case studies in policy failure, regulatory gaps, and systemic vulnerabilities that shape how governments and organizations approach digital security. When you study these breaches, you're learning about the intersection of technology, governance, and human behavior. Each incident reveals something specific about where our defenses break down: supply chain dependencies, third-party access, patch management failures, or inadequate disclosure requirements.

On the exam, you're being tested on your ability to identify why breaches happen and what policy responses they trigger—not just memorize dates and victim counts. Don't just know that Equifax was breached; understand how it demonstrates the consequences of poor vulnerability management. Don't just recall that SolarWinds affected government agencies; recognize it as the defining example of supply chain compromise. Each breach illustrates a broader principle about how we protect—or fail to protect—critical systems and personal data.


Patch Management and Known Vulnerability Failures

Some of the most damaging breaches occur not from sophisticated zero-day exploits but from organizations failing to apply available security patches. When companies ignore known vulnerabilities, they leave doors wide open for attackers.

Equifax Data Breach (2017)

  • 147 million individuals exposed—including Social Security numbers, birth dates, and addresses, making this one of the most sensitive data exposures in U.S. history
  • Unpatched Apache Struts vulnerability allowed attackers entry; the patch had been available for two months before the breach
  • Triggered major regulatory action including FTC settlements and accelerated discussions around federal data breach notification standards

WannaCry Ransomware Attack (2017)

  • Global scale across 150 countries—hundreds of thousands of computers infected, with healthcare systems particularly devastated
  • Exploited EternalBlue vulnerability in Windows systems; Microsoft had released a patch months earlier, but many organizations hadn't applied it
  • Demonstrated cascading infrastructure risk when the UK's National Health Service faced massive operational disruptions, delaying patient care

Compare: Equifax vs. WannaCry—both exploited known, patchable vulnerabilities, but Equifax was a targeted data theft while WannaCry was indiscriminate ransomware. If an FRQ asks about organizational negligence in cybersecurity, either works, but Equifax better illustrates corporate accountability failures.


Supply Chain and Third-Party Vulnerabilities

Modern organizations don't operate in isolation—they depend on vendors, software providers, and contractors. Attackers increasingly target these trusted relationships to bypass direct defenses.

SolarWinds Supply Chain Attack (2020)

  • Compromised Orion software updates distributed malicious code to approximately 18,000 organizations, including multiple U.S. federal agencies
  • State-sponsored attribution (Russian intelligence) elevated this from corporate breach to national security incident
  • Reshaped federal cybersecurity policy, leading to Executive Order 14028 mandating software supply chain security standards

Target Data Breach (2013)

  • 40 million credit/debit cards compromised during peak holiday shopping, with attackers accessing Target's network through an HVAC vendor
  • Third-party vendor access became the entry point—the vendor had legitimate network credentials but inadequate security controls
  • Transformed retail cybersecurity practices, accelerating chip-and-PIN adoption and vendor security requirements across the industry

Compare: SolarWinds vs. Target—both demonstrate third-party risk, but SolarWinds shows software supply chain compromise while Target illustrates vendor access management failures. Use SolarWinds for questions about government/critical infrastructure; use Target for private sector and consumer data protection.


Critical Infrastructure and Ransomware

When cyberattacks target systems that societies depend on daily, the consequences extend far beyond data loss. Infrastructure attacks reveal how digital vulnerabilities translate into physical-world disruptions.

Colonial Pipeline Ransomware Attack (2021)

  • Shut down 5,500 miles of fuel pipeline—the largest U.S. fuel pipeline, causing gas shortages and panic buying across the Eastern seaboard
  • $4.4 million ransom paid (approximately $2.3 million later recovered by DOJ), sparking debate over whether paying ransoms encourages future attacks
  • Catalyzed infrastructure security mandates, including TSA directives requiring pipeline operators to report incidents and implement cybersecurity measures

Compare: Colonial Pipeline vs. WannaCry—both ransomware, but Colonial targeted specific critical infrastructure while WannaCry spread indiscriminately. Colonial is your go-to example for questions about infrastructure protection policy and sector-specific regulation.


State-Sponsored Attacks and National Security

Some breaches aren't financially motivated—they're acts of espionage or geopolitical aggression. Attribution to nation-states changes the policy response from regulatory enforcement to diplomatic and intelligence action.

Office of Personnel Management (OPM) Breach (2015)

  • 21.5 million federal employees affected—including highly sensitive security clearance background investigation data
  • Chinese state-sponsored attribution made this an intelligence goldmine, potentially compromising U.S. personnel for decades
  • Forced federal cybersecurity overhaul, leading to the creation of new agencies and accelerated modernization of legacy government systems

Sony Pictures Hack (2014)

  • Corporate data weaponized—unreleased films, executive emails, and employee information leaked publicly as intimidation
  • North Korean attribution linked to the film The Interview, making this a case study in cyber operations as political coercion
  • Raised cyber warfare questions about proportional response and when corporate attacks constitute attacks on national interests

Yahoo Data Breaches (2013-2014)

  • All 3 billion accounts compromised—the largest breach by number of affected users, including names, emails, and security questions
  • State-sponsored actors identified (Russian intelligence), though Yahoo initially underestimated the scope
  • Delayed disclosure devastated trust—the breach wasn't fully disclosed until 2016, reducing Yahoo's acquisition price by $350 million

Compare: OPM vs. Yahoo—both attributed to state-sponsored actors, but OPM targeted government personnel data for intelligence purposes while Yahoo represented mass consumer data theft. OPM is essential for national security policy questions; Yahoo illustrates disclosure requirements and corporate accountability.


Not all breaches involve hackers breaking in—some involve companies misusing data they legitimately collected. These incidents blur the line between security breach and privacy violation.

Facebook-Cambridge Analytica Scandal (2018)

  • 87 million users' data harvested through a personality quiz app that exploited Facebook's platform permissions
  • Political microtargeting application—data used for voter profiling in the 2016 U.S. election and Brexit campaign
  • Sparked global privacy regulation momentum, contributing to GDPR enforcement actions and renewed U.S. calls for comprehensive federal privacy legislation

Marriott International Data Breach (2018)

  • 500 million guest records exposed—including passport numbers and encrypted credit card data from the Starwood reservation system
  • Inherited breach through acquisition—the compromise began in 2014, before Marriott purchased Starwood, highlighting M&A cybersecurity due diligence gaps
  • First major GDPR enforcement case against a U.S. company, resulting in a £18.4 million fine from UK regulators

Compare: Facebook-Cambridge Analytica vs. Marriott—Cambridge Analytica involved authorized data collection misused, while Marriott was unauthorized external access. Use Cambridge Analytica for questions about consent, platform responsibility, and data ethics; use Marriott for traditional breach response and regulatory enforcement.


Quick Reference Table

Concept                               Best Examples
Patch management failures             Equifax, WannaCry
Supply chain vulnerabilities          SolarWinds, Target
Third-party vendor risk               Target, Marriott (acquisition)
Critical infrastructure attacks       Colonial Pipeline, WannaCry
State-sponsored espionage             OPM, Yahoo, SolarWinds
Geopolitical cyber operations         Sony Pictures, SolarWinds
Data privacy and consent              Facebook-Cambridge Analytica
Disclosure and transparency failures  Yahoo, Equifax

Self-Check Questions

  1. Which two breaches best illustrate the dangers of failing to patch known vulnerabilities, and what distinguishes their attack methods?

  2. If asked to explain supply chain risk in cybersecurity, which breach would you choose as your primary example—and why might SolarWinds be more policy-relevant than Target?

  3. Compare the OPM breach and the Facebook-Cambridge Analytica scandal: both involved sensitive personal data, but how do they differ in terms of who was responsible and what policy responses followed?

  4. An FRQ asks you to discuss how a single cyberattack can affect national security, economic stability, and public trust simultaneously. Which breach provides the strongest multi-dimensional example?

  5. What distinguishes the Marriott breach from other data breaches in terms of regulatory significance, and what lesson does it offer about corporate acquisitions?