IT Lessons from Major Data Breaches: What Every Business Can Learn
Every major data breach teaches the same uncomfortable lesson: the failures that enabled the attack were almost always preventable. Not with exotic technology or unlimited budgets, but with fundamental IT practices that the breached organization had either neglected or implemented incompletely. The breaches that dominate headlines — Equifax, Target, Marriott, Colonial Pipeline, MGM Resorts — did not succeed because attackers deployed unprecedented techniques. They succeeded because well-known vulnerabilities went unaddressed.
For small and mid-sized businesses, these case studies are not abstract cautionary tales. The same categories of failure — unpatched software, weak access controls, inadequate vendor management, absent multi-factor authentication — exist in organizations of every size. Attackers exploit the same gaps whether they target a Fortune 500 company or a 50-person firm in Los Angeles. Understanding what went wrong in these high-profile incidents and mapping those lessons to your own environment is one of the most practical exercises in cybersecurity.
Equifax (2017): The Cost of One Unpatched Server
In September 2017, Equifax disclosed that attackers had accessed personal information — including Social Security numbers, birth dates, and addresses — for approximately 147 million people. The breach remains one of the largest in history, and the root cause was startlingly simple: a single unpatched vulnerability in Apache Struts, an open-source web application framework.
The vulnerability (CVE-2017-5638) had a patch available two months before attackers exploited it. Equifax’s security team was aware of the vulnerability and had issued an internal directive to apply the patch. But the organization’s asset inventory was incomplete — they did not know which systems were running the affected software. The vulnerable server sat unpatched while attackers exploited it to gain initial access, then moved laterally through the network for 76 days before detection.
Lessons for Every Business
Maintain a complete asset inventory. You cannot patch what you do not know exists. Every server, application, and service running in your environment needs to be cataloged and tracked. This is not a one-time project — it requires continuous discovery as systems are added, modified, and decommissioned.
Patch management requires verification, not just policy. Equifax had a patching policy. They had issued the directive to patch. What they lacked was verification that the patch had actually been applied across all affected systems. A patching program without confirmation scanning is a policy document, not a security control.
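As an added illustration of "verification, not just policy" (example code written for this article, not Equifax's tooling), the check below compares a discovered asset inventory against a patch directive and reports every host where the required version cannot be confirmed. The inventory, product names and version numbers are constructed placeholders; the real Apache Struts fix versions are deliberately not reproduced here. Note that a host whose version is unknown is reported as unverified, because "unknown" is exactly the gap the breach exposed.

```python
# Constructed sample inventory: host, product, installed version.
# In practice this comes from continuous discovery scans, not a literal.
INVENTORY = [
    {"host": "web-01", "product": "example-webfw", "version": "2.3.31"},
    {"host": "web-02", "product": "example-webfw", "version": "2.3.32"},
    {"host": "api-01", "product": "example-webfw", "version": "2.5.10.1"},
    {"host": "db-01", "product": "example-db", "version": "11.4"},
    {"host": "legacy-07", "product": "example-webfw", "version": "unknown"},
]

# Constructed patch directive: product -> minimum version the policy requires.
# Hypothetical product names and versions, chosen for the example only.
REQUIRED_MIN = {"example-webfw": "2.3.32", "example-db": "11.4"}


def parse_version(v):
    """Turn '2.5.10.1' into (2, 5, 10, 1); non-numeric parts raise ValueError."""
    return tuple(int(p) for p in v.split("."))


def is_patched(installed, required):
    """True if installed >= required, compared component-wise after padding,
    so that 2.5.10.1 > 2.5.10 and 2.3.32 == 2.3.32.0."""
    a, b = parse_version(installed), parse_version(required)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def verify_patches(inventory, required_min):
    """Return (host, product, installed, required) for every host where the
    directive is NOT confirmed applied. Unparsable or unknown versions are
    reported too: an unverifiable host is not a patched host."""
    findings = []
    for item in inventory:
        req = required_min.get(item["product"])
        if req is None:
            continue  # no directive covers this product
        try:
            ok = is_patched(item["version"], req)
        except ValueError:
            ok = False
        if not ok:
            findings.append((item["host"], item["product"], item["version"], req))
    return findings


if __name__ == "__main__":
    for host, product, have, need in verify_patches(INVENTORY, REQUIRED_MIN):
        print(f"{host}: {product} {have} does not meet required {need}")
```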
Segment your network. Once attackers gained access through the vulnerable server, they moved laterally across the network with minimal resistance. Network segmentation — dividing your network into isolated zones with controlled access between them — limits how far an attacker can travel from their initial foothold. If the compromised server had been properly segmented, the breach scope would have been dramatically smaller.
Monitor for anomalous activity. The attackers operated inside Equifax’s network for over two months. During that time, they accessed databases, staged data for exfiltration, and transferred massive volumes of information externally. Effective network monitoring and data loss prevention tools should have flagged this activity far earlier.
Target (2013): When Your Vendor Becomes Your Vulnerability
In late 2013, attackers stole payment card data for approximately 40 million Target customers and personal information for an additional 70 million. The attack did not start with Target’s systems at all. Attackers first compromised Fazio Mechanical Services, an HVAC contractor that had network access to Target’s systems for electronic billing and project management.
Using credentials stolen from the HVAC vendor, attackers accessed Target’s network, then pivoted to the point-of-sale systems where they installed memory-scraping malware that captured credit card numbers during transactions. Target’s security monitoring system — a FireEye deployment — actually detected the malware and generated alerts. The security team in Bangalore flagged the alerts, but they were not escalated or acted upon. The malware continued operating for nearly three weeks.
Lessons for Every Business
Audit and control vendor access. Every third party with access to your network is a potential entry point for attackers. Vendor access should follow least-privilege principles — grant only the minimum access required for the vendor’s specific function, restrict it to specific systems and time windows, and monitor it continuously. An HVAC contractor should never have had a network path to point-of-sale systems.
Implement network segmentation between vendor zones and critical systems. Even if a vendor’s credentials are compromised, proper segmentation prevents attackers from reaching your most sensitive assets. Billing systems and point-of-sale terminals should exist in entirely separate network zones with strict access controls between them.
Act on your security alerts. Target had invested in sophisticated threat detection technology. The technology worked — it identified the malware. The failure was organizational: alerts were generated but not acted upon. Security monitoring is only valuable if there is a clear escalation process, defined response procedures, and accountability for investigating alerts promptly. Technology that generates warnings nobody acts on provides no protection.
Require multi-factor authentication for all remote access. The vendor credentials that enabled the initial compromise were a single username and password. If Target had required multi-factor authentication for all vendor connections, stolen credentials alone would not have been sufficient for access.
Marriott/Starwood (2018): Inherited Risk from Acquisitions
In 2018, Marriott disclosed that attackers had accessed the Starwood guest reservation database, exposing records for up to 500 million guests, including names, addresses, phone numbers, passport numbers, and encrypted payment card data. The investigation revealed that the compromise had begun in 2014 — four years earlier — on Starwood’s network, two years before Marriott acquired Starwood in 2016.
When Marriott purchased Starwood, they inherited not just the hotel brand and customer database but also the active, undetected breach. Marriott’s due diligence process had not included a sufficiently thorough cybersecurity assessment of Starwood’s infrastructure. The compromised systems continued operating post-acquisition, and Marriott did not discover the breach until late 2018.
Lessons for Every Business
Cybersecurity due diligence is essential in any acquisition or merger. When you acquire another company, you acquire their security posture — including any active compromises. A thorough security assessment should be part of the due diligence process, examining network architecture, access controls, vulnerability status, incident history, and active threat indicators.
Integrate acquired systems promptly and securely. Leaving acquired infrastructure running independently for years creates an extended window where security gaps persist. Integration plans should include security hardening, credential rotation, access control alignment, and migration to your organization’s security monitoring and standards.
Encrypt sensitive data with proper key management. Some of Starwood’s payment card data was encrypted, which limited the damage from those specific records. However, the encryption keys were stored on the same compromised systems, which significantly reduced the protection encryption provided. Encryption is only as strong as your key management — keys must be stored separately from the data they protect.
Implement detection mechanisms that would surface a four-year compromise. A breach that persists for four years indicates a fundamental gap in monitoring. Regular security assessments, penetration testing, threat hunting exercises, and database access auditing should identify unauthorized access to guest records long before the fourth anniversary.
Colonial Pipeline (2021): One Password, One Pipeline
In May 2021, the Colonial Pipeline — which supplies approximately 45% of fuel to the eastern United States — was shut down after a ransomware attack by the DarkSide group. The attack disrupted fuel supplies across the East Coast for nearly a week and resulted in Colonial Pipeline paying a $4.4 million ransom (most of which was later recovered by the FBI).
The initial access vector was a single compromised password for a VPN account that did not have multi-factor authentication enabled. The account was no longer actively used by an employee, but it had not been deactivated. Attackers likely obtained the password from a separate data breach where the employee had reused the same credentials.
Lessons for Every Business
Multi-factor authentication is not optional. A single password — no matter how complex — is not sufficient protection for remote access to your network. MFA ensures that even if a password is stolen, compromised, or guessed, the attacker cannot gain access without the second authentication factor. Every VPN connection, remote desktop session, cloud application, and administrative interface should require MFA.
Deactivate unused accounts immediately. The compromised VPN account was no longer in active use. Dormant accounts are invisible attack surfaces — they provide access without triggering the suspicion that comes with compromising an active user’s account. Implement a process to review and deactivate accounts when employees leave, change roles, or simply stop using a particular system.
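The two lessons above (MFA on every remote-access account, and deactivation of dormant accounts) can be turned into a periodic review. The script below is an added example written for this article, not Colonial Pipeline's procedure; it runs over a constructed directory export and flags enabled accounts that have not logged in within the review window and enabled VPN-capable accounts with no MFA enrolled. The field names and the 90-day window are assumptions you would adapt to your own directory.

```python
from datetime import datetime, timedelta

# Constructed directory export (not real data): username, enabled flag,
# last successful login (ISO date or None if never), MFA enrolment, VPN access.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_login": "2021-04-28", "mfa": True, "vpn": True},
    {"user": "bob", "enabled": True, "last_login": "2020-11-02", "mfa": False, "vpn": True},
    {"user": "carol", "enabled": True, "last_login": "2021-04-30", "mfa": False, "vpn": True},
    {"user": "dave", "enabled": False, "last_login": "2019-06-15", "mfa": False, "vpn": True},
    {"user": "svc-backup", "enabled": True, "last_login": None, "mfa": False, "vpn": False},
]

DORMANT_AFTER = timedelta(days=90)  # assumed review window


def review_accounts(accounts, as_of, dormant_after=DORMANT_AFTER):
    """Return {'dormant': [...], 'vpn_without_mfa': [...]} for an ISO date as_of.

    dormant:          enabled accounts with no login inside the window, or that
                      never logged in; candidates for deactivation.
    vpn_without_mfa:  enabled accounts that can reach the VPN with only a
                      password; the condition behind the Colonial Pipeline entry.
    Disabled accounts are skipped: they are no longer an attack surface.
    """
    now = datetime.fromisoformat(as_of)
    findings = {"dormant": [], "vpn_without_mfa": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue
        last = acct["last_login"]
        if last is None or now - datetime.fromisoformat(last) > dormant_after:
            findings["dormant"].append(acct["user"])
        if acct["vpn"] and not acct["mfa"]:
            findings["vpn_without_mfa"].append(acct["user"])
    return {kind: sorted(users) for kind, users in findings.items()}


if __name__ == "__main__":
    report = review_accounts(ACCOUNTS, as_of="2021-05-07")
    for kind, users in report.items():
        print(f"{kind}: {', '.join(users) or 'none'}")
```

An account that appears in both lists (here "bob") is the highest-priority item: a dormant password-only remote entry point.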
Password reuse is an organizational risk, not just a personal habit. The employee whose credentials were compromised had likely used the same password across multiple services. When any of those services is breached, every account sharing that password becomes vulnerable. Enforce unique password requirements through a password manager and educate employees about the specific danger of credential reuse.
Separate IT and operational technology networks. Colonial Pipeline shut down the pipeline as a precautionary measure because they could not confirm that operational technology systems were not also compromised. Proper segmentation between IT systems (email, billing, VPN) and operational technology (pipeline control systems) would have provided that assurance, potentially avoiding the shutdown entirely.
MGM Resorts (2023): A Phone Call That Cost $100 Million
In September 2023, a cyberattack on MGM Resorts International disrupted hotel reservations, digital room keys, slot machines, and restaurant payment systems across MGM properties for approximately ten days. The estimated financial impact exceeded $100 million. The attack was attributed to Scattered Spider, a threat group that specializes in social engineering.
The attackers gained initial access through a phone call to MGM’s IT help desk. Using information gathered from LinkedIn — an employee’s name, role, and other publicly available details — they impersonated the employee and convinced the help desk to reset the account’s credentials. With those credentials, the attackers accessed MGM’s identity management systems, escalated privileges, and deployed ransomware across the environment.
Lessons for Every Business
Social engineering targets people, not technology. The most sophisticated firewalls and endpoint detection tools in the world cannot prevent an attacker from calling your help desk and asking for a password reset. Security awareness training must include realistic social engineering scenarios — vishing (voice phishing), pretexting, and impersonation — not just email-based phishing simulations.
Implement strict identity verification for help desk requests. Password resets and credential changes should require verification methods that an impersonator cannot easily replicate. A callback to the employee’s registered phone number, verification through a separate authenticated channel, or in-person verification for high-privilege accounts all provide protection that a knowledge-based question (which can be researched on LinkedIn) does not.
Limit the blast radius of compromised credentials. Even after attackers obtained valid credentials, the damage should have been containable. Least-privilege access, where users and administrators only have access to the systems they need for their specific role, limits how far an attacker can move from any single compromised account. Privileged access management systems that require additional authentication for sensitive operations add another containment layer.
Assume your employees’ information is publicly available. Attackers used LinkedIn to gather the details they needed for the impersonation. In an era where professional information is freely shared online, security controls cannot rely on information that is effectively public. Design your verification procedures around factors that cannot be researched externally.
The Common Thread: Fundamentals, Not Sophistication
These five breaches span a decade, affected vastly different industries, and involved different attacker groups with different motivations. Yet the enabling failures share striking similarities.
Access control failures enabled four of the five breaches. Weak or missing MFA, excessive vendor access, dormant accounts, and help desk credential resets all represent failures to properly control who can access what. Implementing strong access controls — MFA everywhere, least-privilege access, prompt account deactivation, and verified credential management — would have prevented or dramatically limited the majority of these incidents.
Monitoring and response gaps allowed breaches to persist for weeks, months, or years. Equifax’s 76-day dwell time, Marriott’s four-year compromise, and Target’s ignored alerts all point to the same problem: organizations that either lacked adequate monitoring or failed to act on the warnings their monitoring produced. Detection without response is not detection.
Network segmentation failures amplified every breach. Initial access through one system led to lateral movement across entire networks because nothing prevented it. Segmentation is one of the most effective controls for limiting breach impact, yet it remains one of the most commonly neglected.
Asset and vendor management gaps created the initial vulnerabilities. Equifax’s unknown servers, Target’s over-permissioned vendor, Marriott’s uninspected acquisition, and Colonial Pipeline’s forgotten VPN account all represent assets and access that fell outside the organization’s security governance.
Applying These Lessons to Your Business
You do not need the budget of a Fortune 500 company to implement the controls that would have prevented these breaches. The fundamentals are accessible to businesses of every size.
Start with MFA. Enable multi-factor authentication on every system that supports it — email, VPN, cloud applications, administrative interfaces, and remote access tools. This single control addresses the most common initial access vector in modern breaches.
Know what you have. Build and maintain an inventory of your systems, applications, and user accounts. You cannot secure assets you do not know about. Include vendor access and third-party connections in this inventory.
Patch promptly and verify. Establish a patching cadence that addresses critical vulnerabilities within days, not months. Verify that patches are actually applied through scanning, not just policy.
Segment your network. At minimum, separate guest networks from business networks, business systems from sensitive data stores, and vendor access from internal systems. Every boundary you create limits the potential impact of a breach.
Monitor and respond. Deploy monitoring that covers your network traffic, endpoint activity, and authentication events. Equally important, establish procedures for investigating alerts and acting on findings. An alert that nobody reviews provides zero protection.
Train your people. Security awareness training should cover social engineering, phishing, credential hygiene, and reporting procedures. Make it realistic, recurring, and relevant to your employees’ actual work.
Moving from Lessons to Action
Reading about data breaches is straightforward. Translating those lessons into implemented controls within your specific environment requires expertise in network architecture, security tooling, and operational procedures. The businesses that avoid becoming the next case study are the ones that invest in professional IT management and proactive security — not as a reaction to an incident, but as an ongoing operational practice.
Every breach analyzed in this article was preventable with fundamental IT practices. If you are not confident that your organization has these controls in place, contact We Solve Problems to assess your security posture and close the gaps before attackers find them.