Analyzing recent and historic data breach incidents is a valuable and constructive way to identify learning opportunities and prevent the same incident occurring elsewhere.

When we respond to something that goes wrong in our organization, one of the later steps should always be a “lessons learned” exercise, in which we consider what went as expected, what went unexpectedly well and what ultimately went wrong so we can avoid a recurrence. One of the incredible opportunities we have in the cybersecurity industry, though, is the ability to learn from what happened to other organizations that experienced a cybersecurity issue. Any well-known company’s chances of keeping a significant cybersecurity issue out of the public eye are extremely low due to the need to keep affected parties informed, along with the need to comply with a variety of public disclosure regulations around the world.

Examining Some High-Profile Incidents

What can we learn from others who have experienced a cybersecurity incident? Let us look at a few example incidents that impacted some well-known organizations in the last year or so.

Event ticket platform Ticketmaster suffered a data breach in mid-May 2024, in which some data was stolen that, to quote the company’s own statement: “may include email, phone number, encrypted credit card information as well as some other personal information”. Notably, the data was stolen from what was described as “an isolated cloud database hosted by a third-party data services provider”.

Around the same time, computer hardware maker Dell also fell victim to an attack; the company notified affected customers by email, informing them of what was taken but reassuring people that “the information involved does not include financial or payment information, email address, telephone number or any highly sensitive customer information”. Interestingly, there are also media reports that Dell data was breached again in September 2024; in this case the 10,000 or so stolen records were reportedly taken from the company’s Atlassian server (Atlassian is a vendor of SaaS-based collaboration tools).

U.S. telco AT&T told the world in July 2024 of a data breach it had experienced the previous April. Call records for a 183-day (precisely six months) period two years previously had been compromised, containing phone numbers but not: “the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information”. Once again, a third-party cloud service was part of the incident. According to the company’s statement: “customer data was illegally downloaded from our workspace on a third-party cloud platform”.

American Express also fell victim to a data breach in the spring of 2024. The view is that the card numbers, expiration dates and customer names belonging to 50,000+ users (against over 140 million cards in circulation) were “breached … through a third-party merchant processor”.

In September 2024, in a conference at its U.K. research park, telco BT cited data about the sheer quantity of cyber attacks it sees from its vantage point – around 2,000 per second. According to reports, only a couple of months later the company fell victim to a reported data breach on part of its conferencing network; in this case the attackers claim to have exfiltrated 500GB of data, though this is yet to be independently confirmed.

The list goes on: the U.K. Ministry of Defence (MoD) payroll system suffered a data breach. The Romanian arm of telco Orange Group was reported to have lost control of almost 400,000 email addresses plus contracts, source code and other data. In early 2025 the U.S. Coast Guard had its second reported data breach in a year. The British Museum in London fell victim to a fascinating and stunningly simple availability attack in which a former contractor simply entered the premises and shut down a number of systems before being caught. Prior to this, the British Library saw a much greater, more complex attack from which, over a year on, it is still recovering.

Learning to Prevent Recurrence

We could continue the list, but the point is clear: vast amounts of information about attacks are out there, and we can and should use them. Doing so allows us to learn from others’ experience and to shape our own approach to security. There are many things we can do to enhance our security posture, but here we will focus on three that arise specifically from the examples we have cited.

It should be no surprise that third-party security concerns are top of the list. In preparing this article, we did not set out to focus on attacks that came about due to third-party security issues; that focus emerged naturally as we researched household-name companies that had experienced cybersecurity incidents recently.

The fact that so many of the examples turned out to include a third-party factor speaks volumes, and points at the extensive need to focus on the security of third-party systems and your software supply chain in general.

A couple of pertinent points at this stage. First, it was interesting to learn that the MoD payroll system that was breached was run by a third-party provider, the result of the U.K. Government creating a joint venture between one of its departments and a private IT provider. In globally distributed companies such as Orange Group, geographically distant divisions with their own systems and IT staff often exist and operate in a similar vein to third parties. Second, in a third-party hack it is not necessarily the third-party operator that is to blame: if a customer stored data on a cloud-based service and opted not to implement proper Single Sign-On (SSO), Multi-Factor Authentication (MFA), IP address allow-lists and the like, then when a bad actor launches a brute-force attack or steals a user’s password, that responsibility and liability potentially sits with the customer rather than the third-party provider.

The second learning we can take is how to communicate about an incident. We have included links to some of the affected organizations’ official statements following the cited incidents, but the level of openness we see from well-known companies in such situations varies widely. Dell told its customers by email, for example, while AT&T put out a statement via PR channels and on its website. Some others have yet to publish anything of their own; we know about those incidents thanks to the IT press and the cybersecurity grapevine. Publicly listed companies have to disclose to the likes of the SEC; banks have to inform regulators like the FCA and the PRA. European and U.K. organizations have 72 hours to report data breaches to the relevant authorities, as set out in the GDPR. An effective and properly thought-out proactive communication regime, even if you have no legal or regulatory requirement to say anything to anyone, will result in a better reputational outcome than saying nothing.

As the cliché goes, there are three potential outcomes if you have an incident: (a) you tell people about it; (b) you don’t tell people about it, but someone finds out; and (c) you don’t tell people about it, and nobody finds out … and (c) has never happened!

The final learning comes from the British Museum: we can use all the technical solutions we can afford and train our staff to an advanced degree, but if we miss the basics such as having an effective staff leaving procedure and physically (as well as electronically) locking the doors to sensitive areas, we undermine the effectiveness of any advanced measures.
