The Costliest Breaches in History Weren't Sophisticated. They Were Preventable.
A field guide to the biggest, most expensive cyberattacks ever recorded — Equifax (~$1.4B), Change Healthcare (~$3B), NotPetya (~$10B), Capital One, Colonial Pipeline, MOVEit and SolarWinds — and the short list of controls that would have stopped every one. None required a genius attacker; each traces to a handful of preventable failures: an unpatched CVE, a login with no MFA, an over-permissioned role, a flat network. Every financial figure is tied to a primary source (SEC filings, FTC, DOJ, CISA) and flagged confirmed or estimated, with a prevention playbook — risk-based patching, phishing-resistant MFA, CSPM, Zero Trust, continuous compliance — mapped to each root cause.
Akshay Dubey
Founder
I've spent my career close to the machinery of how companies get breached, and the same uncomfortable truth keeps surfacing: the most expensive cyberattacks in history were not works of genius. They were failures of a handful of controls that every security team already knows about. A missing patch. A login with no second factor. An over-permissioned role. A network with no internal walls.
Two breaches, seven years apart, tell the whole story. In 2017, Equifax lost the personal data of 147 million people because it didn't apply a patch that had been available for two months. In 2024, Change Healthcare — which, by the Senate Finance Committee's own account, touches roughly one in three U.S. patient records — was ransomed through a single remote-access server that had no multi-factor authentication, and the parent company booked more than $3 billion in costs. Different decade, different technology, identical root cause: a known, preventable gap that nobody closed in time.
This is a tour of the breaches that defined the field, what each one actually cost — every figure is tied to a primary source and flagged confirmed or estimated — and, because a post-mortem without a prescription is just a ghost story, the specific, boring disciplines that would have stopped each one.
The hero of the genre: Equifax and the patch that sat on a shelf
On 7 March 2017, Apache disclosed a critical remote-code-execution flaw in its Struts web framework — CVE-2017-5638 — and shipped a fix the same day. Equifax's security team even circulated an internal order to patch within 48 hours. Nobody verified it was done, and one internet-facing system running the vulnerable code was missed.
On 13 May 2017, attackers found that system and walked in. They then moved freely for 76 days across 48 databases — because the network device meant to inspect that traffic had been blind for 19 months behind an expired SSL certificate. The day Equifax finally renewed the certificate, 29 July, it saw the malicious traffic immediately. By then, the data of 147 million people — including 145.5 million Social Security numbers — was gone.
The financial toll became the reference point for the entire industry. Equifax's 2019 settlement with the FTC, CFPB and 50 states was at least $575 million, up to $700 million (confirmed). Add the company's own committed security overhaul and remediation and the all-in figure reported in its SEC filings reached roughly $1.4 billion as of 2019 — and kept climbing after.
This is the norm, not the exception
It would be comforting to file Equifax under "freak event." The data says the opposite. According to Verizon's 2025 Data Breach Investigations Report, exploitation of vulnerabilities as an *initial* way into a network has climbed relentlessly — up 180% in 2024, then another 34% in 2025 — and now accounts for 20% of all breaches. Much of that is against *known, patchable* CVEs, exactly the Equifax pattern, at scale.
*The ~5% 2023 point is derived from Verizon's reported +180% growth to 14% — the DBIR publishes the 14% and 20% endpoints, not a standalone 2023 baseline. Separately, an oft-cited (and now dated, 2019) Ponemon study found ~60% of breach victims traced their breach to a known vulnerability for which a patch was available but unapplied.*
And the cost of getting it wrong keeps rising where it counts. IBM's 2025 Cost of a Data Breach report put the U.S. average breach at $10.22 million — an all-time high — even as the global average dipped on faster AI-assisted detection. Breaches still take an average of 241 days to identify and contain, and ransomware now appears in 44% of breaches (Verizon DBIR 2025). Credential abuse — a login that should have had MFA — remains the single most common way in, at 22%.
The cost ladder
Here are the marquee incidents ranked by financial impact. Note the range: from a $4.4 million ransom to a $10 billion act of cyber-war. The bars are on a logarithmic scale — otherwise everything but NotPetya would be invisible — and each figure carries its confidence flag.
Sources: NotPetya ~$10B — White House estimate via WIRED (no official tally exists). Change Healthcare — UnitedHealth FY2024 SEC 8-K (full-year running total). Capital One — $80M OCC fine + $190M settlement. MOVEit — Coveware estimate (~2,773 orgs / 95.8M people). MGM — SEC 8-K. SolarWinds — shareholder settlement. Colonial — DOJ (≈$2.3M recovered at seizure, as Bitcoin's price had fallen).
Five root causes explain almost all of it
Strip these incidents down and they collapse into five recurring failures. None is exotic. Each has a marquee, multi-million- or billion-dollar example.
| Root cause | Marquee incident | What actually happened | Cost |
|---|---|---|---|
| Unpatched known CVE | Equifax (2017) | Struts CVE-2017-5638 patch ignored for ~2 months | ~$1.4B |
| Missing MFA / identity gap | Change Healthcare (2024) | A Citrix portal with no MFA; the CEO confirmed it to Congress | ~$3.09B |
| Cloud misconfig + over-privilege | Capital One (2019) | A misconfigured WAF → instance-metadata credentials → an over-permissioned role → ~100M records in S3 | ~$270M |
| Flat network / no segmentation | NotPetya (2017) | A wiper crossed the globe in hours via unpatched SMB + stolen credentials | ~$10B |
| Unmanaged surface / supply chain | SolarWinds (2020), MOVEit (2023) | A trusted software update and a widely-deployed file-transfer tool became mass-distribution channels | ~18,000 orgs |
A few deserve a closer look, because they show how *ordinary* the entry points are:
The prevention playbook
Here is the part that matters. Every root cause above maps to a well-understood discipline, backed by a specific authority and, in most cases, hard numbers. This isn't proprietary wisdom — it's the consensus of CISA, NIST and CIS. The hard part was never knowing *what* to do; it's doing it *continuously*, everywhere, and proving it.
| If the risk is… | The discipline | The authority & the evidence |
|---|---|---|
| Unpatched known vulnerabilities | Risk-based vulnerability management — prioritize by evidence of exploitation, not raw severity | CISA KEV catalog + BOD 26-04 (risk-tiered SLAs, 2026). Mandiant clocked the average time-to-exploit at just 5 days in 2023 — and negative by 2025, meaning exploitation now often precedes the patch. |
| Missing / weak MFA, over-privilege | Phishing-resistant MFA + least privilege (CIEM) on every account, including legacy and test | Microsoft: MFA blocks >99.2% of account-compromise attacks. CISA: use FIDO/PKI. NIST 800-53 AC-6. |
| Cloud misconfiguration | Continuous posture management (CSPM) against consensus baselines | CIS Benchmarks, cloud Well-Architected security pillars. Gartner: through 2022, ≥95% of cloud failures are the customer's fault. |
| Lateral movement | Segmentation / Zero Trust — no implicit trust from network location | NIST 800-207 (7 tenets); CISA Zero Trust Maturity Model v2. |
| Unknown / shadow assets | External attack surface management — continuous, outside-in asset discovery | NIST CSF 2.0 (ID.AM); CISA's Cross-Sector Performance Goals: inventory every IP-addressable asset, at least monthly. |
| Point-in-time compliance | Continuous controls monitoring — prove controls daily, not once a year | NIST 800-137 (ISCM); NIST CSF 2.0 (DE.CM). The drift between annual audits is where breaches live. |
*Figures reflect the current, verifiable wording from each authority. Microsoft's original 2019 headline was "99.9%"; the current official figure is ">99.2%." CISA's older BOD 22-01 was superseded by the risk-based BOD 26-04 in 2026.*
Why I built EchelonGraph around exactly this
I'll be direct about my bias: this pattern is the reason EchelonGraph exists. Every breach above was survivable, and what stood between the victim and survival was *continuous visibility* across four planes that most teams watch separately — vulnerabilities, cloud posture, identity, and the external surface — plus the discipline to prove it against a framework. So we built one platform that does all of it:
None of this is magic, and I won't pretend it is. It's the boring consensus of CISA and NIST, operationalized so it runs continuously instead of once a year in a spreadsheet. The attackers in these stories weren't beaten by cleverness. They win because the gap stays open long enough. Close the gap, keep it closed, and prove it — that's the whole game.
See where you stand — free. Start with our free, real-time CVE intelligence feed, run a free external attack-surface scan of your own domain, or see every framework we score. Start free →
*Written by Akshay Dubey, Founder of EchelonGraph. Every financial figure in this piece is linked to a primary source — SEC filings, regulator releases, court records, or government reports — and marked confirmed or estimated. Where an aggregate figure is disputed or dated (NotPetya's ~$10B, WannaCry's £92M), it's flagged in the text; we would rather under-claim than overstate.*
Protect your infrastructure before the breach
Map your attack surface, automate compliance, and detect insider threats in real time.
Start free trial →