
Boulevard of Broken Dreams: 2 Decades of Cyber Fails

From the MGM and Caesars fiasco and MOVEit's patch nightmare to epic business blunders and the jaded reality of living in a post-breach world, Dark Reading looks back at the mistakes, miscalculations, systemic failures, and cringeworthy moments that still have us shaking our heads.

Dark Reading Editorial Team
May 18, 2026
29 Min Read
Source: DBURKE via Alamy Stock Photo

Since 2006, Dark Reading has been at the forefront of covering cybersecurity, providing deep insights and analysis beyond the headlines. All those major news events? We were there. Shifts in technology trends? We wrote about them. Enjoy this special anniversary coverage celebrating where we've been and what's next.

Things started off so brightly: we were supposed to have nice things. SIEMs were supposed to be replaced by something much awesomer; connected Internet of Things (IoT) devices were supposed to be fun and useful and not a lurking threat in millions of homes; law enforcement's cybercrime takedowns were supposed to last; and people's private information was supposed to stay, well, private. Specific businesses have had their share of dreams too: Symantec had high hopes for its certificate authority, Mt. Gox was once a shining example of frontier tech ingenuity, and CrowdStrike wasn't always seen as a crucial choke point for operations.

But alas, those visions of a happy cyber world where things go the right way most of the time were not to be. The road since 2006 is much darker and littered with stories of operational failures, systemic cyber malaise, and preventable misery in the form of simple hacks that cause complex damage. As part of our special 20th anniversary coverage, we're recapping some of the biggest cyber fails of that time period (in a process that's becoming a bit of a tradition). We expect there to be some debate about these, so after you're done motoring down this avenue of lowlights, hit up Dark Reading on LinkedIn or other socials to weigh in on your favorite cyber horror stories — or reminisce about the ones we've included here.
Click here for all of our DR20 content, which will be rolling out across the month of May. Keep checking back for new items!

Equifax, Experian, Anthem, et al.: Data Breach Fatigue Leads to Apathy

Another day, another data breach headline. At this point, does it even matter? We've reached peak data breach jadedness; the announcement of yet another massive exposure of sensitive personal information elicits little more than a collective shrug — and perhaps a performative password change.

The harsh reality is that any adult with a credit history, bank account, or health insurance has had their information (and Social Security numbers) stolen multiple times at this point. The Equifax breach in 2017 affected 143 million individuals, and the Anthem breach in 2015 affected almost 80 million. Tricare in 2011 and Community Health Systems in 2014 were smaller (5 million each) but no less significant. Experian had multiple breaches over the years (including when an Experian entity sold data to an identity theft ring). More recently, the Change Healthcare ransomware attack compromised data belonging to 100 million people. And with data stolen from educational institutions and healthcare facilities, kids are not exempt. It's no longer a question of "if" the data will be stolen. The more relevant question is how many criminal databases have that data. The Identity Theft Resource Center, which tracks publicly reported data breaches in the United States, reported 3,322 security incidents in 2025, with almost 279 million victim notices sent. ITRC tracked 321 incidents in 2006. That's a lot of offers for free credit monitoring.

Enter the jadedness: A Varonis survey last year found that 64% of surveyed American adults never checked whether they were affected when hearing about a data breach. And there don't seem to be long-lasting repercussions for companies that lose control of their data. Stock prices dip before rebounding. This is no longer breach fatigue. It's apathy.

"Data breaches haven't mattered for a long time because the impact on an individual, in a general sense, is low compared to the value the person receives from using these [breached] services in the first place," says Tyler Shields, CMO of Allstacks and former analyst at Enterprise Strategy Group. "It's all risk evaluation math. If my value is greater than the perceived risk, do it anyway."

In other words, this is the post-data breach era, where everyone's information has already been stolen, and we've all just learned to live with it.

MOVEit Fiasco: A Lone SQL Bug Exposes 100M Records

One of the most impactful security incidents (or series of incidents) of the past five years was the rampant exploitation of CVE-2023-34362, an SQL injection flaw in Progress Software's MOVEit Transfer managed file transfer (MFT) software used by thousands of companies. Enormous data breaches across healthcare, finance, government sectors, and more impacted almost 100 million individuals, whose data was exposed from third-party systems.

Progress Software disclosed the zero-day vulnerability on May 31, 2023. While a patch was not available at the moment of disclosure, the company provided mitigation instructions and published one later that day. Threat actors, especially the Cl0p ransomware gang, compromised droves of organizations (including downstream compromises) in a series of low-effort, data-theft extortion attacks. These attacks were an apparent windfall for Cl0p to the tune of at least $75 million.

John Hammond, senior principal security researcher at Huntress, tells Dark Reading that the follow-on attacks from CVE-2023-34362 created a supply chain attack that was destructive on a historic scale.

"In 2023, the exploitation of the MOVEit Transfer software was one of many large-scale incidents of what was then an emerging trend: hackers compromising managed file transfer solutions," he says. "The attack itself was 'point-and-shoot' — a hacker didn't need anything more than an IP address or host name to fully compromise a vulnerable system, and the Russia-affiliated Cl0p ransomware gang took full advantage of that."

The failure here was twofold. First, although zero-days will happen and vendors can be granted a bit of grace, CVE-2023-34362 is an SQL injection flaw — one of the oldest kinds of vulnerabilities and one of the easiest for internal code scanning to catch. Second, while many defenders and organizations acted quickly to patch and get the word out, many also failed to do so. Compromises and breach disclosures continued for months after initial discovery, and the full toll on organizations did not become clear until months after the attacks began. The security community has hopefully learned from these failures — now getting ahead of potentially monumental supply chain threats — but the MOVEit Transfer attacks go down in cyber history for the destruction left in their wake.

'Death of the SIEM' (Still) Greatly Exaggerated

Despite nonstop predictions of its demise, the ubiquitous security information and event management (SIEM) platform just won't give up the ghost. None of the emerging technologies touted as replacing it in the security operations center (SOC) managed to succeed: first it was security orchestration, automation, and response (SOAR); then extended detection and response (XDR); behavioral analytics; big data; and now, of course, agentic AI. But rather than supersede the SIEM, many of these tools have instead been blended or integrated into it.

"SIEM hasn't died because compliance won't let it," says Jesse Whaley, president and CISO/CTO at consultancy Digital Cyber Forge. "FedRAMP, CMMC [Cybersecurity Maturity Model Certification], PCI DSS, [and] SOC 2 all treat log aggregation and correlation as a control requirement, not a preference. You can't kill infrastructure that auditors mandate. That's the part nobody says out loud."

But the cost of ownership, plus the emergence of new AI functions, could eventually kill the stubbornly persistent platform — at least in the form we know it today. While the SIEM's superpower has long been its collection and storage of security data and logs, that has become a costly venture for security teams to maintain.

"The ability of the SIEM to do correlation is weak, at best, and puts the burden on the analyst to be able to create rules to do so, which for the unskilled is difficult," notes Fred Kwong, CISO at DeVry University. "With AI, the scenario is shifting, as AI agents are now able to take the data in the SIEM and do the hard work."

The shift to AI handling that workload for the SIEM makes sense, he says, noting that this then leav
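Returning to the MOVEit section: the article says CVE-2023-34362 belongs to one of the oldest vulnerability classes and one of the easiest for code scanning to catch. The following is an added example written for this page, not Progress Software's code and not taken from the Dark Reading article; it shows the SQL injection pattern generically with Python's standard sqlite3 module (the table, the `users` rows, the `lookup_*` function names and the `SAMPLE_SOURCE` snippet are all constructed here), alongside the parameterized fix and a one-pattern scanner of the kind an internal code review could run.

```python
# Added example (not Progress Software's code): the vulnerability class behind
# CVE-2023-34362, SQL injection, shown generically with Python's sqlite3 module.
import re
import sqlite3


def make_db():
    """Constructed in-memory table standing in for an application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, name):
    """Defect: the query is built by string concatenation, so quote characters
    in `name` are interpreted as SQL syntax rather than as data."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, name):
    """Fix: a parameterized query. The driver sends `name` as a bound value,
    so its contents can never change the structure of the statement."""
    return [row[0] for row in conn.execute(
        "SELECT role FROM users WHERE name = ?", (name,))]


# The textbook tautology input used in every SQL injection tutorial.
TAUTOLOGY = "' OR '1'='1"

# Why the article calls this "easy for internal code scanning to catch": a
# single pattern, a SQL keyword followed somewhere on the line by a quoted
# string concatenated with `+`, is enough to flag the defect in source text.
CONCAT_SQL = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b.*[\"']\s*\+",
                        re.IGNORECASE)


def flag_concatenated_sql(source):
    """Return 1-based line numbers whose SQL is assembled by concatenation."""
    return [n for n, line in enumerate(source.splitlines(), 1)
            if CONCAT_SQL.search(line)]


# Constructed snippet standing in for a code base under review.
SAMPLE_SOURCE = """\
q1 = "SELECT role FROM users WHERE name = '" + name + "'"
q2 = "SELECT role FROM users WHERE name = ?"
cur.execute(q2, (name,))
"""

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, TAUTOLOGY))      # every role in the table leaks
    print(lookup_safe(db, TAUTOLOGY))            # no such user: nothing returned
    print(flag_concatenated_sql(SAMPLE_SOURCE))  # only line 1 is flagged
```

The vulnerable function turns the tautology into `WHERE name = '' OR '1'='1'` and returns every row; the parameterized version treats the same bytes as a literal user name and returns nothing. The regex scanner is deliberately crude (it will miss format strings and f-strings, and it knows nothing about data flow), which is the point: even a check this simple catches the most common form of the defect before a dedicated SAST tool is involved.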
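The SIEM section turns on two claims: that auditors require log aggregation and correlation, and that correlation is a burden because analysts have to write the rules by hand. As an added example (not any SIEM vendor's product, and not from the Dark Reading article), the block below implements one such hand-written rule in plain Python over a constructed set of sshd-style authentication lines: alert when a single source address racks up several failed logins inside a short window and then succeeds. The log format, the timestamps and the 203.0.113.x / 198.51.100.x documentation addresses are all constructed for the example; the threshold and window are arbitrary assumptions an analyst would tune.

```python
# Added example (not a SIEM product): a hand-written correlation rule of the
# kind the article says analysts must build themselves, run over constructed
# sshd-style log lines.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: five failures then a success from one source within
# seconds, and an unrelated single failure-then-success from another source.
SAMPLE_LOGS = """\
2026-05-18T09:00:01Z sshd[101]: Failed password for root from 203.0.113.7 port 5111
2026-05-18T09:00:03Z sshd[101]: Failed password for admin from 203.0.113.7 port 5112
2026-05-18T09:00:05Z sshd[101]: Failed password for alice from 203.0.113.7 port 5113
2026-05-18T09:00:06Z sshd[101]: Failed password for bob from 203.0.113.7 port 5114
2026-05-18T09:00:09Z sshd[101]: Failed password for carol from 203.0.113.7 port 5115
2026-05-18T09:00:12Z sshd[101]: Accepted password for carol from 203.0.113.7 port 5116
2026-05-18T09:05:00Z sshd[102]: Failed password for dave from 198.51.100.4 port 6001
2026-05-18T09:05:30Z sshd[102]: Accepted password for dave from 198.51.100.4 port 6002
"""

# Parser for the constructed line format above (a real SIEM would use its own).
LINE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
                  r"for (?P<user>\S+) from (?P<src>\S+)")


def parse(lines):
    """Yield (timestamp, outcome, user, source) for each line that matches."""
    for line in lines.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["outcome"], m["user"], m["src"]


def correlate(lines, threshold=5, window=timedelta(minutes=2)):
    """Correlation rule: a source with >= `threshold` failed logins inside
    `window` followed by a success. Returns one (src, user, success_ts)
    tuple per alert. Threshold and window are assumed values to tune."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    alerts = []
    for ts, outcome, user, src in parse(lines):
        if outcome == "Failed":
            failures[src].append(ts)
            continue
        # A success: count only failures that fall inside the window.
        recent = [t for t in failures[src] if ts - t <= window]
        if len(recent) >= threshold:
            alerts.append((src, user, ts))
        failures[src].clear()      # a success resets the streak either way
    return alerts


if __name__ == "__main__":
    for src, user, ts in correlate(SAMPLE_LOGS):
        print(f"ALERT {ts.isoformat()} brute-force-then-success from {src} as {user}")
```

Running it on the constructed input raises exactly one alert, for 203.0.113.7 logging in as carol at 09:00:12; the second source never reaches the threshold. Nothing here is hard, which is the point Kwong makes from the other direction: the difficulty is not the code, it is knowing which sequences of events are worth a rule, picking thresholds that hold up across a real estate of hosts, and maintaining hundreds of such rules as log formats drift.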
Originally published at darkreading.com
Staff Writer