Cyber Attacks and How They Could Be Prevented
1. Office of the Comptroller of the Currency (OCC) Email Breach (2024–2025, USA)
Summary: Discovered in early 2025, the intrusion gave hackers unauthorized access to the U.S. OCC’s email system for over a year. Around 100 senior officials’ email accounts were compromised, exposing some 150,000 messages, many containing sensitive data about banks under OCC supervision (bankingdive.com; sbscyber.com). The breach began in 2024 and went undetected for months; the banking regulator has classified it as a major incident.
Type of Attack: Stealth email system compromise (cyber-espionage) – Attackers gained access via a compromised administrative account, silently monitoring and exfiltrating emails. No ransomware or public extortion was involved; the motive appears to be espionage or data gathering (no actor was officially named, though the method echoes state-sponsored tactics).
Impact and Response: The intruders accessed highly sensitive OCC data on regulated financial institutions (e.g. examination reports). While there was no immediate disruption to services, the confidentiality of critical financial information was violated. Upon discovery in February 2025, OCC disabled the breached accounts and launched an incident response. An internal review and independent investigation were initiated, and officials acknowledged “long-held…deficiencies” in the OCC’s cybersecurity posture that allowed the prolonged intrusion. The incident was classified as a major breach, and OCC notified Congress and partnered with law enforcement to investigate.
Prevention and Mitigation:
Technical: Implement least-privilege access controls and network segmentation for administrator accounts, so that a single account compromise cannot expose an entire email system (sbscyber.com). Enforce strong authentication (MFA) for admin access and improve real-time monitoring of email systems; the OCC breach went undetected because of gaps in logging and detection. Robust cloud security configurations, agreed with the email service provider, are critical, as this incident revealed lapses in oversight of a cloud email environment. One practical check is whether administrative accounts ever read mailbox contents at all: an account that exists to administer the mail system has no routine reason to open other people’s messages, so any such read is worth an alert on its own.
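As an added illustration (not code from the OCC or any vendor), the following Python script runs two of the checks above over a handful of constructed mailbox audit events: it alerts whenever an administrative account reads message contents, and whenever any account reads several mailboxes it does not own within a day. The event field names, the account names and the thresholds are assumptions made for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events for illustration only (not OCC data).
# The field names (time, actor, mailbox, op) are an assumption loosely
# modelled on cloud mailbox audit logs, not any vendor's real schema.
SAMPLE_EVENTS_JSON = """
{"time": "2024-03-01T02:11:00Z", "actor": "svc-exchange-admin", "mailbox": "deputy.comptroller@example.gov", "op": "MailItemsAccessed"}
{"time": "2024-03-01T02:15:00Z", "actor": "svc-exchange-admin", "mailbox": "chief.examiner@example.gov", "op": "MailItemsAccessed"}
{"time": "2024-03-01T03:40:00Z", "actor": "svc-exchange-admin", "mailbox": "general.counsel@example.gov", "op": "MailItemsAccessed"}
{"time": "2024-03-01T09:00:00Z", "actor": "jdoe", "mailbox": "jdoe@example.gov", "op": "MailItemsAccessed"}
{"time": "2024-03-01T09:05:00Z", "actor": "assistant1", "mailbox": "chief.examiner@example.gov", "op": "MailItemsAccessed"}
{"time": "2024-03-01T10:00:00Z", "actor": "svc-exchange-admin", "mailbox": "deputy.comptroller@example.gov", "op": "Set-Mailbox"}
"""

# Accounts that exist to administer the mail system. They have no business
# reading message contents, so any read by them is an alert on its own.
ADMIN_ACCOUNTS = {"svc-exchange-admin"}


def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect(events, admin_accounts, window=timedelta(hours=24), distinct_threshold=3):
    """Return a list of alert dicts.

    Rule 1 (admin_read): an administrative account read mailbox contents.
    Rule 2 (mass_nonowner_access): one account read `distinct_threshold` or more
    mailboxes it does not own within `window`. A delegate reading a single
    manager's mailbox does not trip this; an actor sweeping many mailboxes does.
    """
    alerts = []
    non_owner = defaultdict(list)  # actor -> [(time, mailbox)]
    for e in sorted(events, key=lambda e: e["time"]):
        if e["op"] != "MailItemsAccessed":
            continue  # configuration changes are reviewed by a different rule set
        owner = e["mailbox"].split("@")[0]
        if e["actor"] in admin_accounts:
            alerts.append({"rule": "admin_read", "actor": e["actor"],
                           "mailbox": e["mailbox"], "time": e["time"]})
        if e["actor"] != owner:
            non_owner[e["actor"]].append((_ts(e["time"]), e["mailbox"]))
    for actor, reads in non_owner.items():
        for start, _ in reads:  # sliding window over this actor's non-owner reads
            boxes = sorted({mb for t, mb in reads if start <= t <= start + window})
            if len(boxes) >= distinct_threshold:
                alerts.append({"rule": "mass_nonowner_access", "actor": actor,
                               "mailboxes": boxes, "time": start.isoformat()})
                break  # one alert per actor is enough to page someone
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS_JSON), ADMIN_ACCOUNTS):
        print(alert)
```

Run against the sample, the script raises three `admin_read` alerts and one `mass_nonowner_access` alert, all for the service account; the delegate reading one manager's mailbox and the user reading their own are left alone. In production the same two rules would be fed from the provider's audit export, with the delegate allow-list and thresholds tuned to the organisation.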
Procedural: Conduct regular security audits and timely remediation of known vulnerabilities. Notably, reports indicate internal warnings about email security were missed or delayed at OCC. A proactive cybersecurity program must ensure that any flagged risks are promptly addressed, not just documented. Drills and incident response plans for cloud/SaaS attacks should be in place so that staff can detect and respond to suspicious account behavior more rapidly.
Policy-Level: Strengthen vendor and inter-agency cybersecurity policies. The breach underscores the need for strict security standards for any third-party or cloud service handling government data. Agencies like the OCC should require providers (e.g. cloud email vendors) to meet higher security benchmarks and to share security event information promptly. Federal oversight bodies could mandate continuous monitoring programs for critical systems and enforce compliance with frameworks (such as CISA’s cloud security guidance). The U.S. Cyber Safety Review Board, examining a similar cloud email breach (Storm-0558 in 2023), recommended that Microsoft and other cloud providers implement fundamental security reforms (dhs.gov); following such recommendations (e.g. improving token validation, audit logging availability, and cross-tenant alerting) can help prevent future email system infiltrations.
2. UK Ministry of Defence Payroll Data Breach (May 2024, UK)
Summary: In May 2024, Britain’s Ministry of Defence (MoD) revealed that a third-party payroll contractor’s system had been hacked, exposing the personal data of approximately 270,000 current and former military personnel (theguardian.com). The compromised data included names, home addresses, bank details and other payroll information for nearly all members of the UK armed forces. The intrusion reportedly went on for weeks before it was detected; the MoD itself said it had learned of the breach only days before the public announcement in early May 2024.
Type of Attack: Supply-chain data breach (likely state-sponsored espionage) – Attackers infiltrated the network of Shared Services Connected Ltd (SSCL), the MoD’s payroll provider, rather than MoD’s own systems. The UK Defence Secretary indicated a “malign actor” was responsible and did not rule out state involvement, with many pointing to Chinese state-backed hackers given the scale and target. This was a cyber-espionage operation via a contractor, aiming to collect sensitive personal and financial data on military personnel.
Impact and Response: Sensitive personal data of military staff and veterans was accessed, creating risks of identity theft, profiling of UK forces, or leverage against personnel. Operational military systems were not directly affected, and salary payments continued normally. However, the breach raised national security concerns. The MoD offered affected personnel credit monitoring and identity theft protection, anticipating potential misuse of the leaked data. In Parliament, officials faced criticism for a slow response – it emerged that the contractor detected the breach in February 2024 but failed to report it for several months. The government launched an official inquiry into the incident, focusing on the contractor’s delay and security lapses. Amid the fallout, MoD indicated it might terminate contracts with the vendor; indeed, SSCL had been awarded a new cybersecurity contract in April 2024 (after the breach occurred) which was then put under review for revocation. The breach prompted urgent reviews of how the MoD oversees data held by contractors.
Prevention and Mitigation:
Technical: Enforce strict security requirements on third-party contractors handling sensitive data. This includes encryption of sensitive personal records, network segmentation (so a compromise of the contractor’s one system doesn’t grant access to all data), and multi-factor authentication plus rigorous access controls for any contractor administrators. Regular penetration testing and security monitoring should be mandatory for contractors to catch intrusions early. In this case, the attackers dwelt in the contractor’s system for weeks; improved intrusion detection systems and anomaly monitoring could have flagged unusual data access.
Procedural: Strengthen supply-chain cybersecurity governance. The breach highlights the need for clear procedures: contractors must have incident response plans and obligations to promptly disclose breaches to their government clients. Had SSCL reported the incident in February when it was detected, mitigation (like network isolation and personnel alerts) could have started sooner. Regular audits and compliance checks of contractors’ security postures (perhaps led by MoD’s cyber unit or the UK NCSC) should be conducted. Additionally, this incident suggests improving inter-department communication – ensuring that when one part of government (or a vendor) sees suspicious activity, the information is quickly shared with security authorities.
Policy-Level: Elevate supply-chain security standards and oversight at the national level. Government agencies in the UK (and elsewhere) are now re-evaluating how to better vet and secure contractors (chathamhouse.org). Policies could require that contractors handling defence data comply with frameworks equivalent to military security standards (for example, attaining certifications or following the NCSC’s Cyber Assessment Framework). The MoD breach also draws parallels to the 2015 OPM breach in the US, where credentials stolen from a contractor were used to exfiltrate the background-investigation records of some 21.5 million people; lessons learned from those events (thorough vetting of vendors, continuous monitoring of third-party connections, and zero-trust architecture in which contractors’ systems are treated as potentially untrusted) should be codified into policy. Furthermore, legislation or regulation might mandate rapid breach disclosure by any government supplier, with penalties for withholding incident reports. Ensuring that critical service providers share threat intelligence with government cyber defence teams in real time will help prevent such prolonged, unnoticed attacks in the future.
3. MOVEit Supply Chain Data Breach (May–June 2023, Global – USA/Europe)
Summary: In late May 2023, a critical zero-day vulnerability (CVE-2023-34362) was discovered in MOVEit Transfer, a widely used file-transfer software. The Russia-linked Cl0p ransomware gang exploited this flaw to steal data from organizations worldwide. Over 2,700 organizations were compromised, and an estimated 93 million individuals’ personal data exposed, making it one of the farthest-reaching data breaches in recent history. Victims spanned multiple sectors – government agencies, financial institutions, airlines, technology and healthcare companies in the U.S., UK, Europe, and beyond were all affected.
Type of Attack: Supply-chain software exploit leading to data theft and extortion. This was a zero-day attack: Clop leveraged an SQL injection vulnerability in the MOVEit application to gain unauthorized access to its databases (cisa.gov). They installed a custom web shell (“LEMURLOOT”) on MOVEit servers to exfiltrate sensitive files. Notably, while Clop is a ransomware group, in this case they did not encrypt systems; instead, they engaged in data breach extortion, stealing data and demanding ransom not to leak it. Many organizations received extortion notes threatening publication of stolen data on Clop’s leak site if payment wasn’t made.
Impact and Response: The impact was widespread across industries and countries. In the U.S., several federal agencies were hit (CISA confirmed “several” agencies were affected, including the Department of Energy). In Europe, dozens of companies and government bodies were breached – for example, in the UK, British Airways, the BBC, Aer Lingus, and Boots had employee data stolen via their payroll provider that used MOVEit. Stolen information ranged from personal data (names, addresses, Social Security/National Insurance numbers, etc.) to corporate proprietary files. Millions of individuals had their data exposed. Operationally, the attacks were somewhat opportunistic: CISA noted that Clop appeared to steal only the data present in the file-transfer app at the time of intrusion, without gaining deeper network access. As a result, for many victims the main damage was data loss and reputational harm rather than immediate operational downtime. The response involved a massive coordinated effort: Progress Software (the vendor) issued emergency patches within days (on May 31, 2023). Governments issued alerts – CISA and the FBI assisted U.S. agencies and highlighted that, unlike a SolarWinds-style attack, this campaign, though serious, was “largely opportunistic” and not a systemic compromise of critical infrastructure. Affected organizations scrambled to apply patches, identify stolen data, notify regulators and customers, and in some cases negotiate with the extortionists. In the UK, the National Cyber Security Centre worked with victim organizations on containment, and regulators like the ICO were notified of personal data breaches. Some companies chose to pay Clop for data deletion, while many refused; Clop followed through by listing victims on their leak site and publishing snippets of data for non-payers.
Prevention and Mitigation:
Technical: Prompt patch management is paramount, with one caveat: CVE-2023-34362 was exploited as a zero-day before any fix existed, so no patching cadence could have stopped the first wave, but Progress shipped a patch on May 31 and every day of delay after that left a server open to Clop. Intrusion detection systems or web application firewalls could have helped flag or block the unusual SQL injection traffic that Clop used (cisa.gov). More broadly, organizations should adopt a defense-in-depth approach for third-party software: network segmentation for servers running file-transfer tools, least privilege for accounts (so a file-transfer service account can only access strictly necessary data), and continuous monitoring (unusual large file downloads or exports should trigger alerts). Regular code audits and security testing of software like MOVEit, which by design holds sensitive data, could catch vulnerabilities earlier and shrink the window in which attackers can exploit them. The durable fix for this class of bug sits in the vendor’s code: parameterized queries keep untrusted input out of the SQL grammar, whereas queries assembled from strings turn every input into a potential injection point.
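To make the SQL injection point concrete, here is an added, generic example in Python (not MOVEit’s code, whose internals are not reproduced here): a file lookup that builds its query from strings beside the parameterized version, plus a crude pattern check of the sort a WAF rule might apply to request parameters. The table, its rows and the payload are constructed for the demonstration.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a file-transfer app's metadata store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, owner TEXT, name TEXT)")
    conn.executemany("INSERT INTO files(owner, name) VALUES (?, ?)", [
        ("alice", "q1-report.pdf"),
        ("alice", "payroll-export.csv"),
        ("bob", "notes.txt"),
    ])
    return conn


def list_files_vulnerable(conn, owner, name_filter):
    # VULNERABLE (illustrative, not MOVEit's code): untrusted input is pasted
    # straight into the SQL text, so a quote inside `owner` rewrites the query
    # and the WHERE clause no longer restricts results to one owner.
    sql = (f"SELECT name FROM files WHERE owner = '{owner}' "
           f"AND name LIKE '%{name_filter}%'")
    return [row[0] for row in conn.execute(sql)]


def list_files_parameterized(conn, owner, name_filter):
    # HARDENED: placeholders keep the values out of the SQL grammar entirely;
    # the same payload is now just an owner name that matches nothing.
    sql = "SELECT name FROM files WHERE owner = ? AND name LIKE '%' || ? || '%'"
    return [row[0] for row in conn.execute(sql, (owner, name_filter))]


# Crude WAF-style heuristic for the kind of traffic the text says an IDS/WAF
# could have flagged. It is a detection aid, not a substitute for the fix above:
# attackers routinely evade pattern lists, and this one misses encoded payloads.
_SQLI_PATTERN = re.compile(
    r"'\s*(or|and)\s+|union\s+select|--|/\*|;\s*(drop|delete|update|insert)\b",
    re.IGNORECASE,
)


def looks_like_sqli(value):
    return bool(_SQLI_PATTERN.search(value))


if __name__ == "__main__":
    conn = make_db()
    payload = "bob' OR '1'='1"
    print("vulnerable   :", list_files_vulnerable(conn, payload, ""))
    print("parameterized:", list_files_parameterized(conn, payload, ""))
    print("flagged      :", looks_like_sqli(payload))
```

With the payload `bob' OR '1'='1` the string-built query returns every row in the table, the parameterized query returns nothing, and the heuristic flags the request while leaving an innocent apostrophe such as `O'Brien` alone. The heuristic is the weakest of the three pieces; it buys detection time, not safety.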
Procedural: Incident response and supply-chain risk management need strengthening. Many organizations were caught off guard by a breach in a vendor-supplied application. It’s crucial to have an incident response plan that includes third-party software – e.g. subscribing to threat intelligence and vendor security bulletins so you learn of zero-days as soon as possible, and having a rapid action plan (such as shutting down or isolating vulnerable servers until patched). Organizations should also routinely review what data they store in file-transfer applications: where possible, avoid persistent storage of sensitive data on such platforms or encrypt it so that even if stolen it is not immediately usable. Data leakage prevention practices (like monitoring outbound traffic from these applications) can mitigate the impact. This incident also highlights the importance of transparency and collaboration during a supply-chain attack: Progress Software’s quick disclosure and patches, and CISA’s coordination with the FBI and international partners, were key in limiting damage (therecord.media). Companies should participate in information-sharing networks (like ISACs) to receive early warnings of exploits and share indicators of compromise.
Policy-Level: Encourage or mandate secure software development and supply-chain security standards. Governments in the U.S. and Europe are increasingly pushing vendors to build security in (e.g. U.S. Executive Order 14028 on cybersecurity pushes software bills of materials and secure-development attestations for software used by federal agencies). A policy response to MOVEit could include requiring critical software providers to undergo independent security assessments and to share security advisories more widely. Regulatory frameworks like Europe’s NIS2 Directive and the U.S. SEC cyber disclosure rules mean companies must report breaches in a timely manner, which helps ensure swift action and accountability in supply-chain incidents. Policymakers might also consider liability or responsibility of software vendors for security flaws: if critical infrastructure is consistently hit via third-party software, regulators may press vendors to adopt safer programming practices and faster patch release processes. Finally, international law enforcement cooperation is a policy aspect: Clop’s members are cybercriminals (reportedly operating from Russia), and continued diplomatic and law enforcement effort is needed to deter ransomware gangs that exploit such vulnerabilities, through sanctions, arrests (where possible), and disruption of their payment channels.
4. MGM Resorts Ransomware Attack (September 2023, USA)
Summary: In September 2023, MGM Resorts International, one of the world’s largest casino and hospitality companies, suffered a major ransomware attack that disrupted operations for over a week. The attackers penetrated MGM’s network – reportedly by social engineering a helpdesk employee – and deployed malware that forced MGM to shut down many of its IT systems as a containment measure. Guests at MGM’s Las Vegas properties encountered casino floor disruptions (slot machines went offline with error messages) and hotel check-in delays, as the company reverted to manual processes. MGM’s websites and digital services were also impacted.
Type of Attack: Ransomware/extortion via social engineering. The attack was attributed to the ALPHV/BlackCat ransomware gang, working in tandem with a hacking group known as Scattered Spider. Scattered Spider (a group adept at social engineering, also called UNC3944) allegedly phoned MGM’s IT helpdesk impersonating an employee to obtain credentials, then gained admin access to the network. Once inside, ALPHV deployed ransomware encrypting systems and stole data for extortion. This was a criminal financially motivated attack, not nation-state. The threat actors sought a ransom payment (for decrypting systems and for not leaking stolen data).
Impact and Response: The breach significantly disrupted MGM’s business. The company had to shut down reservation systems, digital room keys, ATMs in casinos, and even email systems across multiple hotels. It estimated an approximately $100 million hit to its third-quarter results from the incident and recovery costs. Customer data was also compromised: MGM later confirmed that personal information for some 37 million customers (who had used MGM services before 2019) was stolen. This data included contact details, dates of birth, driver’s license numbers and a limited number of Social Security and passport numbers (but not financial account information). MGM stated it had no evidence of the data being used for fraud as of reporting. In response to the attack, MGM worked with the FBI and cybersecurity firms. It did not pay the ransom; instead, systems were gradually restored from backups, and services were brought back online over about 10 days. Law enforcement opened an investigation, and state regulators also probed the incident given its scale (reuters.com). MGM faced lawsuits in the aftermath from customers claiming negligence. The incident served as a wake-up call across the casino and hospitality industry about the threat of social engineering-led breaches. (Notably, a week before MGM’s hack, Caesars Entertainment was hit by a similar attack, reportedly by the same groups, and Caesars did pay a ransom of around $15 million to prevent a leak of its customers’ data.)
Prevention and Mitigation:
Technical: Implement strong multi-factor authentication (MFA) and verification procedures for all sensitive access, including internal IT helpdesk processes. In MGM’s case, the attackers exploited human trust – to counter this, companies should have technical controls that an attacker can’t bypass just by knowing an employee’s personal details. For example, require that password resets or account changes by helpdesk agents involve out-of-band verification with the employee or manager. Zero Trust network architecture could limit the damage of such intrusions – even if a helpdesk credential is obtained, segment networks so that one account can’t access all critical systems without additional checks. Endpoint detection and response (EDR) tools should be deployed to catch suspicious activities (like credential-dumping or malware deployment) quickly, before ransomware spreads. Regular network penetration tests and social engineering drills can identify weaknesses in both systems and people. MGM’s attack demonstrated the need for robust internal monitoring – unusual admin access patterns or mass encryption activity should trigger automatic system lockdowns.
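An added example, not MGM’s process, of what an out-of-band reset control looks like in code. The workflow below sends a one-time code only to the phone number held in the HR system of record, ignores any number the caller offers, requires the manager of record to approve resets of privileged accounts, and locks the request out after three attempts. The directory entries, phone numbers and the simulated SMS outbox are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    username: str
    phone_on_file: str   # from the HR system of record, never from the caller
    manager: str
    privileged: bool     # e.g. directory or identity-provider administrator


class ResetWorkflow:
    """Helpdesk password-reset policy engine (constructed example)."""

    MAX_ATTEMPTS = 3

    def __init__(self, directory, key=None):
        self.directory = directory          # username -> Employee
        self.key = key or secrets.token_bytes(32)
        self.pending = {}                   # username -> per-request state
        self.outbox = defaultdict(list)     # phone -> codes "sent" (simulated SMS)
        self.audit = []                     # append-only trail for the SOC

    def _mac(self, username, code):
        # Store an HMAC of the code rather than the code itself.
        return hmac.new(self.key, f"{username}:{code}".encode(), hashlib.sha256).hexdigest()

    def start(self, username, caller_supplied_phone=None):
        """Caller asks for a reset. Any number they offer is logged and ignored."""
        emp = self.directory.get(username)
        if emp is None:
            self.audit.append(("reject_unknown_user", username))
            return False
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[username] = {"mac": self._mac(username, code),
                                  "attempts": 0, "approved_by": None}
        self.outbox[emp.phone_on_file].append(code)   # out-of-band: number on file only
        self.audit.append(("challenge_sent", username, emp.phone_on_file, caller_supplied_phone))
        return True

    def approve(self, username, approver):
        """Second person for privileged accounts; must be the manager of record."""
        emp = self.directory.get(username)
        state = self.pending.get(username)
        if emp is None or state is None or approver != emp.manager:
            self.audit.append(("reject_approval", username, approver))
            return False
        state["approved_by"] = approver
        return True

    def complete(self, username, code):
        """Release the reset only if the code matches and, for privileged
        accounts, the manager has approved. Three failures cancel the request."""
        emp = self.directory.get(username)
        state = self.pending.get(username)
        if emp is None or state is None:
            return False
        state["attempts"] += 1
        if state["attempts"] > self.MAX_ATTEMPTS:
            del self.pending[username]
            self.audit.append(("lockout", username))
            return False
        if not hmac.compare_digest(state["mac"], self._mac(username, code)):
            self.audit.append(("bad_code", username))
            return False
        if emp.privileged and state["approved_by"] is None:
            self.audit.append(("needs_approval", username))
            return False
        del self.pending[username]
        self.audit.append(("reset_released", username, state["approved_by"]))
        return True


DIRECTORY = {  # constructed sample directory
    "jsmith": Employee("jsmith", "+15550001111", manager="mlee", privileged=True),
    "mlee": Employee("mlee", "+15550002222", manager="ceo", privileged=False),
}

if __name__ == "__main__":
    wf = ResetWorkflow(DIRECTORY)
    wf.start("jsmith", caller_supplied_phone="+15559999999")   # attacker's number
    print("sent to attacker's number:", wf.outbox.get("+15559999999"))
    print("sent to number on file:", wf.outbox["+15550001111"])
```

The design point is that nothing the caller says changes where the challenge goes or who must approve; the helpdesk agent cannot be talked into it because the workflow, not the agent, holds those decisions. The same shape applies to MFA device enrolment and other account changes.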
Procedural: Security awareness training for employees, especially IT support staff, is crucial. Social engineering was the key to this breach, so employees must be trained to recognize and verify phishing phone calls or emails. Establish strict procedures: helpdesk staff should verify identity through multiple factors and be alert to attackers who create a sense of urgency. Conduct periodic simulated phishing and vishing (voice-phishing) tests. Additionally, have an incident response plan specifically for ransomware – including offline backups and a practiced recovery process. MGM resorted to backups; having those readily available and tested for integrity can drastically reduce downtime. Companies should also prepare public communication plans and customer support for breaches – timely transparency can help maintain trust during an incident. After this attack, MGM and others likely updated procedures around how quickly they isolate affected systems; drills (like ransomware tabletop exercises) can improve that speed.
Policy-Level: At an industry and government level, there’s a push for improved cybersecurity standards in critical sectors like hospitality and gaming. Regulators could establish minimum cybersecurity requirements (e.g. the Nevada Gaming Control Board now pays closer attention to cyber risks). Information sharing is another policy aspect: after the MGM and Caesars incidents, cybersecurity agencies (like CISA in the U.S.) and industry groups shared the tactics used by Scattered Spider so that others could harden their helpdesk and Okta authentication flows. Encouraging companies to report breaches promptly and share threat indicators helps the wider community. Law enforcement also plays a policy role: the FBI’s involvement and ongoing efforts to track ransomware gangs are key to deterrence. Governments may consider regulations on ransom payments (to discourage funding criminal groups) and require disclosure of cyber incidents. Finally, broad initiatives such as promoting digital identity verification standards could make social engineering more difficult, for instance by moving away from easily known personal information as identity proof towards more secure methods. The MGM attack vividly demonstrated that even large enterprises remain vulnerable to savvy social engineering (reuters.com), so policies that incentivize stronger human-factor defenses (like regular training, employee screening, and perhaps certifications for cybersecurity hygiene in high-risk roles) would be beneficial.
5. Royal Mail LockBit Ransomware Attack (January 2023, UK)
Summary: In January 2023, the UK’s Royal Mail (the country’s leading postal and parcel service) was crippled by a ransomware attack that specifically hit its international mailing operations. The attack targeted Royal Mail’s Heathrow Worldwide Distribution Centre – a vital 25-acre facility through which most international mail enters and leaves the UK. As a result, Royal Mail had to halt all outbound international letters and parcels for weeks, and incoming international mail faced severe delays. This incident effectively ground cross-border mail services to a standstill, affecting businesses and consumers nationwide who relied on Royal Mail for shipping.
Type of Attack: Ransomware (critical infrastructure hit). The LockBit ransomware gang was behind the attack, according to subsequent investigations. LockBit is a criminal ransomware-as-a-service operation; in this case an affiliate of LockBit deployed the malware on Royal Mail’s IT systems at the distribution centre. The malware encrypted computers and systems responsible for customs clearance and package routing, thus paralyzing logistics. The attackers also claimed to have stolen data and initially demanded an exorbitant £66 million ransom for decryption and to prevent data leakage. (LockBit’s operators initially denied involvement, possibly because of the high-profile nature of attacking a national service, but later admitted responsibility and tried to pressure Royal Mail to pay; computerweekly.com.)
Impact and Response: The impact was nationally significant. Royal Mail could not process international mail deliveries for over one month – export services were restored only by early March 2023, after protracted recovery efforts. This caused widespread disruption to individuals and companies: packages and letters piled up, small businesses couldn’t send orders abroad, and Royal Mail had to advise customers not to mail items overseas. The domestic UK mail was less affected, but the spillover effects were felt: even the Post Office (which accepts mail from the public) incurred losses, compensating local postmasters for business they lost during the outage. Financially, Royal Mail’s parent firm disclosed about £10 million spent on incident recovery and bolstering cybersecurity in the following months, and the company expected an overall revenue hit due to the service disruption. Royal Mail refused to pay the £66m ransom, deeming it absurd. Instead, they worked with the UK National Cyber Security Centre and outside experts to gradually clean and restore systems. Manual workarounds were used where possible, and some critical export services were reinstated in phases with contingency solutions until the IT systems were secured. LockBit, after failing to obtain payment, eventually leaked some of the stolen data on their dark web site, although the details of the data released were not fully public; it likely included internal Royal Mail files or employee data (the exact scope wasn’t confirmed in news reports). The incident drew attention from the UK government – since Royal Mail is considered critical national infrastructure, authorities were involved in the response, and there were calls to improve cyber resilience in such essential services.
Prevention and Mitigation:
Technical: Royal Mail’s attack illustrates the need for strong perimeter defense and network segmentation in critical systems. The initial intrusion vector wasn’t publicly confirmed, but LockBit affiliates often get in through phishing or unpatched, internet-facing systems (theguardian.com). Therefore, Royal Mail and similar firms should deploy advanced email filtering, up-to-date anti-malware on endpoints, and rigorous patch management (especially on servers handling logistics software). Network segmentation is crucial: the fact that the ransomware took down an entire distribution centre’s systems suggests that the network was flat or insufficiently segmented. Separating critical operational networks (e.g. sorting and customs systems) from corporate IT and restricting access between them could contain the spread of malware. Additionally, maintain offline, frequent data backups for operational systems, and practise restoring from them; Royal Mail took over a month to recover, hinting at difficulties in system restoration. Regular security assessments of industrial control and logistics IT systems could have identified weaknesses (like outdated software or poor access controls) before attackers did. Implementing an intrusion detection system that monitors for abnormal file encryption activity can also provide early warning to stop a ransomware process before it encrypts everything.
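As an added example that serves both this section and the MGM section’s call for automatic lockdowns on mass-encryption activity (it is not Royal Mail’s, MGM’s or any product’s detection logic), the following Python code scores file writes by Shannon entropy and alerts when one process overwrites several existing files with high-entropy content within a short window. The file events, process names and thresholds are constructed for the example; the hash-derived bytes merely stand in for encrypted content and are not encryption.

```python
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty input, 8.0 is the maximum (uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _pseudo_ciphertext(seed, nbytes=2048):
    # Deterministic high-entropy bytes standing in for encrypted file content.
    # Hash output is NOT encryption; it only keeps the sample reproducible.
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hashlib.sha256(f"{seed}:{i}".encode()).digest()
        i += 1
    return out[:nbytes]


PLAINTEXT = (b"Customs declaration for parcel batch 17. Contents: books, 2.1 kg. "
             b"Sender address follows.\n") * 20

# Constructed file-write events. t is seconds since an arbitrary epoch;
# old_path is None when a file is created rather than overwritten.
SAMPLE_EVENTS = (
    [{"t": 10, "process": "winword.exe", "old_path": "C:\\ops\\manifest.docx",
      "path": "C:\\ops\\manifest.docx", "content": PLAINTEXT}]
    + [{"t": 30, "process": "backup.exe", "old_path": None,
        "path": "D:\\backup\\2023-01-10.zip", "content": _pseudo_ciphertext("zip")}]
    + [{"t": 100 + 5 * i, "process": "updater.exe",   # constructed malicious process name
        "old_path": f"C:\\ops\\routing{i}.xml",
        "path": f"C:\\ops\\routing{i}.xml.lockbit",
        "content": _pseudo_ciphertext(i)} for i in range(6)]
)


def detect_mass_encryption(events, window_s=60, min_files=5, entropy_threshold=7.0):
    """Alert when one process overwrites at least min_files existing files with
    high-entropy content inside window_s seconds. Returns a list of alert dicts."""
    hits = defaultdict(list)  # process -> [(t, new_path, renamed?)]
    for e in events:
        if e["old_path"] is None:
            continue  # newly created files (backups, downloads) are not overwrites
        if shannon_entropy(e["content"]) < entropy_threshold:
            continue  # ordinary documents and source files stay well below 7 bits/byte
        hits[e["process"]].append((e["t"], e["path"], e["path"] != e["old_path"]))
    alerts = []
    for proc, rows in hits.items():
        rows.sort()
        for start, _, _ in rows:  # sliding window over this process's suspicious writes
            in_win = [r for r in rows if start <= r[0] <= start + window_s]
            if len(in_win) >= min_files:
                alerts.append({
                    "process": proc,
                    "first_seen": start,
                    "files": [p for _, p, _ in in_win],
                    "renamed": sum(1 for r in in_win if r[2]),
                    "action": "isolate_host",  # what the lockdown hook would do
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_encryption(SAMPLE_EVENTS):
        print(alert)
```

The Word save (low entropy) and the backup archive (high entropy, but a newly created file) produce nothing; the six overwrites by the constructed `updater.exe` within 25 seconds produce a single alert. A real deployment would feed this from an EDR or file-system audit stream, tune the window and count per host role (a legitimate bulk-encryption tool needs an allow-list), and wire the `isolate_host` action to network quarantine rather than just logging it.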
Procedural: Incident response planning and business continuity for cyberattacks must be in place for critical service providers. Royal Mail had to improvise manual processes; a better approach is to have pre-defined continuity plans (e.g. could international mail be rerouted through an alternative facility or processed with backup manual procedures from day one of IT outage?). Regular drills simulating a cyber-induced outage would help an organization like Royal Mail maintain some services during a real event. Employee training on cybersecurity, particularly to resist phishing emails, is a procedural defense – ransomware often starts with an employee unknowingly running malware. Royal Mail staff should be trained to spot suspicious emails and report them. Moreover, once the attack happened, clear communication was key: Royal Mail did provide public updates and worked with customers (which is good practice to maintain trust). Going forward, they should incorporate lessons learned: for example, quicker isolation of infected systems at first suspicion (to prevent spread), and ensuring partnerships with law enforcement and cyber experts are established in advance.
Policy-Level: The Royal Mail attack prompted discussions in the UK about treating postal/logistics IT as part of the Critical National Infrastructure (CNI) that warrants stronger oversight. Policymakers can require CNI organizations to adhere to frameworks such as the NCSC’s Cyber Essentials and, for operators of essential services, the NCSC’s Cyber Assessment Framework. The UK’s Network and Information Systems (NIS) Regulations 2018 cover transport, energy, health, water and digital infrastructure but not postal services, whereas the EU’s NIS2 Directive explicitly brings postal and courier services into scope; extending UK regulation in the same direction would oblige companies like Royal Mail to invest in cybersecurity (Royal Mail’s £10m post-attack spend on cyber improvements was likely driven by regulatory and public pressure). Internationally, this case adds weight to calls for a coordinated response to ransomware: law enforcement across borders needs to collaborate to target ransomware gangs (LockBit has been prolific globally). Some affiliates have been arrested in other countries, but the leaders remain at large; a policy of continued international pressure (through indictments or sanctions) is needed. Finally, information sharing and mandatory reporting policies play a role: Royal Mail promptly informed authorities and the public, and making this the norm (via laws requiring disclosure of significant cyber incidents) helps coordinate national responses. Governments might also consider funding support or establishing rapid response teams for cyber incidents in essential sectors, to help organizations with limited expertise recover faster. In summary, treating cyberattacks on services like postal delivery with the same urgency as physical attacks will drive the policy changes needed to bolster defenses and response mechanisms for the infrastructure people rely on daily.
Each of these incidents underscores critical lessons about the evolving cyber threat landscape. Whether through ransomware or espionage, attackers exploited technical gaps and human weaknesses. The impacts – from stolen national security data to paralyzed public services – highlight why robust technical safeguards, vigilant processes, and supportive policies are all needed in concert to prevent and mitigate future cyber-attacks. By learning from these major incidents, government and corporate entities in the US, Europe, and beyond can improve their cyber resilience and better protect the people and data entrusted to them.