Phishing Breach Case Files

UnitedHealth's pharmacy-claim subsidiary halted. Pharmacies could not process claims for weeks. Direct financial impact $872M per UnitedHealth Group SEC 10-Q. Patient-data exposure for an estimated 100M individuals triggered regulatory and litigation exposure that continues to grow.

Attacker called MGM IT helpdesk, impersonated an employee, secured an MFA reset, and pivoted to ransomware deployment across the property estate. Slot machines, hotel keys, and reservations offline for ten days. Cost disclosed in MGM 8-K (Form 8-K, October 2023).

Production disruption, IT cleanup, and lost sales. Disclosed in Clorox FY24 10-K. Production normalised over the following two quarters, but customer relationships took longer to restore.

Same threat-actor cluster as the MGM incident, executed the week prior. Caesars paid roughly $15M of a reported $30M demand to avoid public exposure. Disclosed in Caesars 8-K.

Initial access via spear-phish, escalated by an insider who later attempted extortion. Stock dropped roughly 20 percent on disclosure. Ubiquiti restated breach scope in subsequent SEC filings.

Attackers called Twitter staff posing as IT, secured admin-tool access, and posted a Bitcoin scam from verified accounts. Direct fraud receipts low (~$120K), but stock-price impact, FTC consent-order penalty exposure, and remediation costs ran into the hundreds of millions.

Single fraudulent wire-transfer instruction, accepted by a finance team that bypassed second-factor approval. Reported by Toyota in subsequent disclosure. Recovery efforts largely unsuccessful.

Lithuanian actor (Evaldas Rimasauskas) impersonated a Taiwanese hardware supplier across two years. DOJ indictment recovered most funds; the attack remains the canonical BEC case study. Settled at sentencing in 2019.

Spear-phishing emails to executives delivered initial access. Attackers exfiltrated 100TB+ over months and released it publicly. Direct cost included production halts, IT rebuild, and litigation. Regulatory follow-on lighter than expected.

78.8M records exposed. $115M class-action settlement plus $39.5M state AG settlement plus $16M HIPAA settlement to OCR. Largest healthcare breach settlement at the time.

Vendor compromise pivoted into Target POS network. 40M cards exposed. Settlements with banks, card networks, and state AGs aggregated above $290M. Catalysed mainstream third-party-risk practice.

Compromise of SecurID seed values. EMC absorbed the cost of replacing tokens for affected customers. The first widely-cited spear-phish-by-attachment case file.

Wire instruction issued in line with apparent CEO authorisation. Funds traced to Wenzhou and recovered via Chinese banking-holiday timing. The exception that proves the BEC rule.

SEC 8-K filed February 2024. Personal data exposure across multiple subsidiaries. Material costs still being booked. Listed here as an active filing.

Smishing of an HR staffer led to internal-systems access and game-content exfiltration. Direct cost not disclosed. Cited as an early high-profile smishing case.