Boulevard of Broken Dreams: 2 Decades of Cyber Fails
Recorded: May 18, 2026, 8:58 p.m.
Since 2006, Dark Reading has been at the forefront of covering cybersecurity, providing deep insights and analysis beyond the headlines. All those major news events? We were there. Shifts in technology trends? We wrote about them.
Enjoy this special anniversary coverage celebrating where we've been and what's next.

From the MGM and Caesars fiasco and MOVEit's patch nightmare to epic business blunders and the jaded reality of living in a post-breach world, Dark Reading looks back at the mistakes, miscalculations, systemic failures, and cringeworthy moments that still have us shaking our heads.

Dark Reading Editorial Team
May 18, 2026
29 Min Read

Source: DBURKE via Alamy Stock Photo

Things started off so brightly: we were supposed to have nice things. SIEMs were supposed to be replaced by something much awesomer; connected Internet of Things (IoT) devices were supposed to be fun and useful and not a lurking threat in millions of homes; law enforcement's cybercrime takedowns were supposed to last; and people's private information was supposed to stay, well, private. Specific businesses have had their share of dreams too: Symantec had high hopes for its certificate authority, Mt. Gox was once a shining example of frontier tech ingenuity, and CrowdStrike wasn't always seen as a crucial choke point for operations.

But alas, those visions of a happy cyber world where things go the right way most of the time were not to be. The road since 2006 is much darker, and littered with stories of operational failures, systemic cyber malaise, and preventable misery in the form of simple hacks that cause complex damage. As part of our special 20th anniversary coverage, we're recapping some of the biggest cyber fails of that time period (in a process that's becoming a bit of a tradition). And we expect there to be some debate about these, so after you're done motoring down this avenue of lowlights, hit up Dark Reading on LinkedIn or other socials to weigh in on your favorite cyber horror stories — or reminisce about the ones we've included here.
Equifax, Experian, Anthem, et al.: Data Breach Fatigue Leads to Apathy

Another day, another data breach headline. At this point, does it even matter? We've reached peak data breach jadedness; the announcement of yet another massive exposure of sensitive personal information elicits little more than a collective shrug — and perhaps a performative password change.

The harsh reality is that any adult with a credit history, bank account, or health insurance has had their information (and Social Security number) stolen multiple times at this point. The Equifax breach in 2017 affected 143 million individuals, and the Anthem breach in 2015 affected almost 80 million. Tricare in 2011 and Community Health Systems in 2014 were smaller (5 million each) but no less significant. Experian had multiple breaches over the years (including when an Experian entity sold data to an identity theft ring). More recently, the Change Healthcare ransomware attack compromised data belonging to 100 million people. And with data stolen from educational institutions and healthcare facilities, kids are not exempt.

It's no longer a question of "if" the data will be stolen. The more relevant question is how many criminal databases have that data. The Identity Theft Resource Center (ITRC), which tracks publicly reported data breaches in the United States, reported 3,322 security incidents in 2025, with almost 279 million victim notices sent. ITRC tracked 321 incidents in 2006. That's a lot of offers for free credit monitoring.

Enter the jadedness: A Varonis survey last year found that 64% of surveyed American adults never checked whether they were affected when hearing about a data breach. And there don't seem to be long-lasting repercussions for companies that lose control of their data. Stock prices dip before rebounding.

This is no longer breach fatigue.
It's apathy.

"Data breaches haven't mattered for a long time because the impact on an individual, in a general sense, is low compared to the value the person receives from using these [breached] services in the first place," says Tyler Shields, CMO of Allstacks and former analyst at Enterprise Strategy Group. "It's all risk evaluation math. If my value is greater than the perceived risk, do it anyway."

In other words, this is the post-data breach era, where everyone's information has already been stolen, and we've all just learned to live with it.

MOVEit Fiasco: A Lone SQL Bug Exposes 100M Records

One of the most impactful security incidents (or series of incidents) of the past five years was the rampant exploitation of CVE-2023-34362, an SQL injection flaw in Progress Software's MOVEit Transfer managed file transfer (MFT) software, which is used by thousands of companies. Enormous data breaches across healthcare, finance, government, and other sectors impacted almost 100 million individuals, whose data was exposed from third-party systems.

Progress Software disclosed the zero-day vulnerability on May 31, 2023, and while patches weren't available immediately, the company provided mitigation instructions and published a patch later that day. Threat actors, especially the Cl0p ransomware gang, compromised droves of organizations (including downstream compromises) in a series of low-effort, data-theft extortion attacks. These attacks were an apparent windfall for Cl0p to the tune of at least $75 million.

John Hammond, senior principal security researcher at Huntress, tells Dark Reading that the follow-on attacks from CVE-2023-34362 created a supply chain attack that was destructive on a historic scale.

"In 2023, the exploitation of the MOVEit Transfer software was one of many large-scale incidents of what was then an emerging trend: hackers compromising managed file transfer solutions," he says.
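The bug class behind CVE-2023-34362, SQL injection, is easiest to understand with the weak and the hardened form side by side. What follows is an added example written for this article, not code from Progress Software or from MOVEit Transfer: a deliberately vulnerable lookup that splices user input into the query text, the parameterized version that binds the same input as data, and a minimal pattern check of the kind the text credits internal code scanning with catching. The table, the sample input, and the scanned source snippet are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample table; nothing here is MOVEit data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn, name):
    # Deliberately vulnerable: the caller's string becomes part of the SQL text,
    # so quote characters in it change the query's meaning.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Hardened: the driver binds the value as a parameter; it can never be parsed as SQL.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

# A deliberately small, regex-based check for dynamically built SQL. Real scanners
# work on the syntax tree; this only shows that the pattern is mechanically findable.
SQL_VERB = r"(SELECT|INSERT|UPDATE|DELETE)\b"
DYNAMIC_SQL_PATTERNS = [
    ("f-string",      re.compile(r"""f["']\s*""" + SQL_VERB, re.I)),
    ("str.format",    re.compile(r"""["']\s*""" + SQL_VERB + r""".*["']\s*\.format\(""", re.I)),
    ("%-format",      re.compile(r"""["']\s*""" + SQL_VERB + r""".*["']\s*%\s""", re.I)),
    ("concatenation", re.compile(r"""["']\s*""" + SQL_VERB + r""".*["']\s*\+""", re.I)),
]

def scan_source(source):
    """Return (line number, pattern label) for each line that builds SQL from string ops."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for label, rx in DYNAMIC_SQL_PATTERNS:
            if rx.search(line):
                hits.append((lineno, label))
                break
    return hits

# Constructed source snippet for the scanner: two risky variants and one bound query.
SAMPLE_SOURCE = '''\
def by_name_fstring(conn, name):
    return conn.execute(f"SELECT * FROM users WHERE name = '{name}'").fetchall()

def by_name_percent(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = '%s'" % name).fetchall()

def by_name_bound(conn, name):
    return conn.execute("SELECT * FROM users WHERE name = ?", (name,)).fetchall()
'''

def demo(payload="x' OR '1'='1"):
    """Run both lookups with the same (constructed) input and scan the sample source."""
    conn = make_db()
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, payload)),  # every row comes back
        "safe_rows": len(lookup_safe(conn, payload)),              # no user has that literal name
        "findings": scan_source(SAMPLE_SOURCE),
    }

if __name__ == "__main__":
    print(demo())
```

The point of `demo()` is the contrast: the same input returns the whole table from the spliced query and nothing from the bound one, and the two risky constructions are visible to a trivial pattern check before any request ever reaches the server.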
"The attack itself was 'point-and-shoot' — a hacker didn't need anything more than an IP address or host name to fully compromise a vulnerable system, and the Russia-affiliated Cl0p ransomware gang took full advantage of that," Hammond adds.

The failure here was twofold. First, although zero-days will happen and vendors can be granted a bit of grace, CVE-2023-34362 is an SQL injection flaw — one of the oldest kinds of vulnerabilities and one of the easiest for internal code scanning to catch. Second, while many defenders and organizations acted quickly to patch and get the word out, many others failed to do so. Compromises and breach disclosures continued for months after initial discovery, and the full extent of the immense toll on organizations did not become clear until months after the attacks began. The security community has hopefully learned from these failures — now getting ahead of potentially monumental supply chain threats — but the MOVEit Transfer attacks go down in cyber history for the destruction left in their wake.

'Death of the SIEM' (Still) Greatly Exaggerated

Despite nonstop predictions of its demise, the ubiquitous security information and event management (SIEM) platform just won't give up the ghost. None of the emerging technologies touted as replacing it in the security operations center (SOC) has managed to succeed: First it was security orchestration, automation, and response (SOAR); then extended detection and response (XDR); behavioral analytics; big data; and now, of course, agentic AI. But rather than supersede the SIEM, many of these tools have instead been blended or integrated into it.

"SIEM hasn't died because compliance won't let it," says Jesse Whaley, president and CISO/CTO at consultancy Digital Cyber Forge. "FedRAMP, CMMC [Cybersecurity Maturity Model Certification], PCI DSS, [and] SOC 2 all treat log aggregation and correlation as a control requirement, not a preference. You can't kill infrastructure that auditors mandate.
That's the part nobody says out loud."

But the cost of ownership, plus the emergence of new AI functions, could eventually kill the stubbornly persistent platform — at least in the form we know it today. While the SIEM's superpower has long been its collection and storage of security data and logs, that has become a costly venture for security teams to maintain.

"The ability of the SIEM to do correlation is weak, at best, and puts the burden on the analyst to be able to create rules to do so, which for the unskilled is difficult," notes Fred Kwong, CISO at DeVry University. "With AI, the scenario is shifting, as AI agents are now able to take the data in the SIEM and do the hard work."

The shift to AI handling that workload for the SIEM makes sense, he says, noting that this then leaves the SIEM as more of a "really expensive database." A data lake would be a more functional and inexpensive option, using artificial intelligence (AI) agents and large language models (LLMs) on the front end, he says.

Whaley, meanwhile, predicts a similar scenario, where in the next decade the SIEM evolves into "pure architecture, like a database," with AI-based tools on top that correlate, orchestrate, and take action on the data that the SIEM traditionally has culled from various security tools and equipment. "SIEM becomes the data foundation; AI becomes the reasoning engine. The orchestration layer is the connective tissue between them, and that is what nobody has fully built yet," he notes. Most SIEMs today mainly use AI for searching logs but not for true orchestration among events, devices, and response, he adds.

A recent online poll conducted by Dark Reading found a mix of views on the SIEM's future: Of the more than 1,400 respondents, 40% said it should be folded into XDR, endpoint detection and response (EDR), or other security products; 35% said AI and other updates will keep the SIEM alive; and 15% said the SIEM will perish.
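Whaley's point that auditors treat log aggregation and correlation as a control, and Kwong's that writing correlation rules is the analyst's burden, become concrete with one such rule written out. This is an added example, not a rule or code from any SIEM product: it correlates constructed authentication events (not real logs; the format, users, and addresses are invented for the example) and raises an alert when a burst of failures from one user/source pair is followed by a success inside a time window, which is the classic brute-force-then-login pattern.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, one per line: "<ISO timestamp> <user> <source ip> <outcome>".
# alice: five failures in 20 seconds, then a success (should alert).
# bob: two failures 29 minutes apart, then a success (should not alert: outside window).
SAMPLE_LOGS = """\
2026-05-18T08:00:01Z alice 203.0.113.7 FAIL
2026-05-18T08:00:05Z alice 203.0.113.7 FAIL
2026-05-18T08:00:09Z alice 203.0.113.7 FAIL
2026-05-18T08:00:12Z alice 203.0.113.7 FAIL
2026-05-18T08:00:14Z alice 203.0.113.7 FAIL
2026-05-18T08:00:20Z alice 203.0.113.7 SUCCESS
2026-05-18T08:01:00Z bob 198.51.100.4 FAIL
2026-05-18T08:30:00Z bob 198.51.100.4 FAIL
2026-05-18T08:31:00Z bob 198.51.100.4 SUCCESS
2026-05-18T09:00:00Z carol 192.0.2.9 SUCCESS
"""

def parse_event(line):
    """Split one constructed log line into (timestamp, user, source, outcome)."""
    ts, user, src, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, src, outcome

def correlate(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert when >= threshold FAIL events for one (user, source) pair occur within
    `window` and are then followed by a SUCCESS for the same pair.

    Events are assumed to arrive in time order, as they would from a SIEM's indexed store.
    Returns a list of alert dicts; the rule is deterministic, so an auditor can replay it.
    """
    recent_failures = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, src, outcome = parse_event(line)
        key = (user, src)
        q = recent_failures[key]
        while q and ts - q[0] > window:      # drop failures that fell out of the window
            q.popleft()
        if outcome == "FAIL":
            q.append(ts)
        elif outcome == "SUCCESS":
            if len(q) >= threshold:
                alerts.append({
                    "rule": "auth.failures_then_success",
                    "user": user,
                    "src": src,
                    "failures_in_window": len(q),
                    "success_at": ts.isoformat(),
                })
            q.clear()                        # a success resets the burst for this pair
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS.splitlines()):
        print(alert)
```

The rule is about twenty lines, and the hard part is not the code but the choices baked into `threshold` and `window`, which is exactly the tuning work Kwong describes landing on the analyst. Keying on the (user, source) pair rather than on the user alone keeps a legitimate user who mistypes a password at one desk from masking an attacker elsewhere.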
Mt. Gox Becomes the Pinnacle of Dumb Management Moves

Cryptocurrency heists are far from infrequent, but the one that started it all, the big kahuna of crypto-security failure, was Mt. Gox.

Started in 2006 as an online meeting place for Magic: The Gathering gaming enthusiasts (yes, you read that correctly), the Tokyo-based company quickly branched into Bitcoin trading when it became apparent that crypto could make a lot of people very rich. And it did exactly that, on paper at least: by 2013, Mt. Gox had become the world's largest Bitcoin exchange, handling the majority of the world's trading in the currency.

But things didn't seem quite right. Investors started complaining of glitchy transactions; Mt. Gox itself reported the theft of 2,609 BTC in a 2011 breach. And in 2013, law enforcement seized $5 million from the Mt. Gox coffers, citing "regulatory violations."

Then, in early 2014, seemingly out of nowhere, Mt. Gox suspended Bitcoin withdrawals, touching off investor panic and singlehandedly causing a steep and rapid 36% decline in Bitcoin's value. Soon after, the management team revealed that it was the victim of a massive robbery: 850,000 Bitcoins (worth about $450 million at the time) had vanished into thin air. It declared bankruptcy less than a month later, and investors were out of luck.

In the postmortem that followed, crucial details came to light: the breach wasn't one giant incident; rather, the hackers had been slowly siphoning off funds since 2011, supposedly without the company noticing. In fact, Mt. Gox had been bankrupt for years, crediting investors with nonexistent funds. It didn't have audit logging, incident-response capability, or any governance oversight in place whatsoever. There were also rumors that the company's CEO, Mark Karpeles, was helping himself to other people's cash flows (he was acquitted of embezzlement charges in 2019). And security for the platform was shockingly inadequate: the company used hot wallets, i.e.
those connected to the Internet, rather than offline "cold storage"; and worse, it didn't have multi-signature protection, offering up full access to the hackers through simple credential theft. Hackers were able to gain control of wallets, and then exploited a critical transaction malleability bug in the Bitcoin protocol that allowed them to manipulate Bitcoin transaction IDs and create double payments for themselves.

"At its peak, Mt. Gox processed roughly 70% of global Bitcoin transactions, and it had become a systemic concentration point," says T.J. Marlin, CEO of Guardrail Technologies. "A single weak security posture endangered the entire ecosystem, which led to a painful and permanent lesson: decentralized assets sitting inside centralized infrastructure are still subject to centralized failure."

The incident almost destabilized the entire market for Bitcoin and served as the end of the "Wild West" era of crypto: it was a major catalyst for regulatory frameworks (Japan was the first to implement one), and it led to various arrests and charges for Mt. Gox's management and the suspected hackers. Meanwhile, exchange best practices like using multi-signature cold storage became the norm. External audits and proof-of-reserves systems emerged (which would have been a good idea from the start), and exchanges began implementing withdrawal limits and enhanced monitoring, just like mainstream monetary institutions.

Things are not entirely hunky-dory now, though. "Crypto companies can learn from Mt. Gox by treating custody as a regulated-grade fiduciary function, not a tech feature," says Kevin Kirkwood, CISO at Exabeam. "The industry has improved technically, but the hard problem remains trust architecture: who controls the keys, who verifies the balances, who can move funds, who audits the liabilities, and who stops management from doing something stupid before customers discover it on Twitter."

And sure, the Mt.
Gox story reads like a litany of boneheaded oversights by a management team that was essentially asleep at the switch, content to rake in the dough without worrying too much about what was happening inside the networks or a silly little thing called security — but the cautionary tale has current-day significance, too.

"The reason this matters now is that the structural pattern that produced Mt. Gox is reassembling itself inside AI infrastructure," Marlin says. "Enterprises are concentrating decision authority, code generation and operational workflows inside a small number of vendor-controlled model providers. The vendor controls the audit logging and the operator cannot detect failure modes until material loss has occurred. There is no established taxonomy for novel AI vulnerability classes, which is roughly where crypto forensics was in 2013."

That Time a Janky CrowdStrike Update Broke the World's IT Infrastructure

A routine summer Friday content update to CrowdStrike's Falcon Sensor on July 19, 2024, quickly spiraled into a catastrophic outage, ultimately impacting 8.5 million Windows devices and hobbling a section of the world's critical infrastructure. The optics alone were terrible. Windows "blue screens of death" flashed everywhere — across airport terminal screens, corporate desktops, and, broadcast for everyone to see, on the Las Vegas Sphere. The buggy code trapped devices in a constant reboot loop.

The faulty content was corrected, and CrowdStrike quickly pushed out a fix, but it wasn't enough to undo the damage. Each crashed system had to be rebooted by hand in safe mode so that the corrupt file could be deleted. All told, the disruption lasted for days and caused more than 3,000 cancelled flights, 11,800 flight delays, 911 call-center outages, and even surgery cancellations.

That was bad, but the aftermath was brutal, too.
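The failure mode described above, one content update pushed to the entire fleet at once with every crashed host needing manual safe-mode repair, is what a ring-based rollout with an automatic halt is designed to bound. The following is an added example, not CrowdStrike's, Microsoft's, or any vendor's deployment tooling: a simulated fleet is split into canary, pilot, and production rings, and the rollout stops at the first ring whose failure rate exceeds a threshold. The fleet, the build labels, the version names, and the crash model are all constructed; the second crash model also shows the caveat that a canary ring which does not reflect the fleet's diversity will pass an update that the next ring cannot survive.

```python
from dataclasses import dataclass

@dataclass
class Host:
    name: str
    ring: int            # 0 = canary, 1 = pilot, 2 = production (constructed tiers)
    os_build: str        # constructed attribute the crash model can key on
    version: str = "old"
    healthy: bool = True

def apply_update(host, version, crash_predicate):
    """Install `version`; crash_predicate(host, version) models the post-update health
    check failing (for the incident above, the endpoint stuck in a reboot loop)."""
    host.version = version
    host.healthy = not crash_predicate(host, version)

def staged_rollout(hosts, version, crash_predicate, max_failure_rate=0.0):
    """Push `version` ring by ring in ascending ring order.

    After each ring, compute that ring's failure rate. If it exceeds
    `max_failure_rate`, halt and return what happened so an operator can decide;
    later rings are never touched. Returns (completed_rings, halted_ring, failed_hosts).
    """
    completed = []
    for ring in sorted({h.ring for h in hosts}):
        batch = [h for h in hosts if h.ring == ring]
        for h in batch:
            apply_update(h, version, crash_predicate)
        failed = [h.name for h in batch if not h.healthy]
        if len(failed) / len(batch) > max_failure_rate:
            return completed, ring, failed          # the kill switch: stop here
        completed.append(ring)
    return completed, None, []

def make_fleet():
    """Constructed fleet: 2 canaries (all buildA), 5 pilots and 20 production hosts
    alternating buildA/buildB. The canary ring deliberately lacks buildB."""
    hosts = [Host(f"canary-{i}", 0, "buildA") for i in range(2)]
    hosts += [Host(f"pilot-{i}", 1, "buildA" if i % 2 == 0 else "buildB") for i in range(5)]
    hosts += [Host(f"prod-{i}", 2, "buildA" if i % 2 == 0 else "buildB") for i in range(20)]
    return hosts

def always_crashes(host, version):
    """Models content that crashes every host that loads it."""
    return True

def never_crashes(host, version):
    return False

def crashes_on_build(bad_build):
    """Models content that only crashes hosts on one OS build."""
    return lambda host, version: host.os_build == bad_build

def hosts_updated(fleet, version):
    return sum(1 for h in fleet if h.version == version)

if __name__ == "__main__":
    fleet = make_fleet()
    print(staged_rollout(fleet, "v2", always_crashes), hosts_updated(fleet, "v2"))
    fleet = make_fleet()
    print(staged_rollout(fleet, "v2", crashes_on_build("buildB")), hosts_updated(fleet, "v2"))
```

With `always_crashes`, the damage stops at the two canaries and the other 25 hosts never see the update. With `crashes_on_build("buildB")`, the canaries pass because none of them run buildB, and the halt only triggers in the pilot ring: the kill switch still caps the blast radius at seven hosts, but the lesson is that canaries have to be as varied as the fleet they stand in for.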
Just days after the incident, CrowdStrike's high-profile CEO George Kurtz was called out by the US House Committee on Homeland Security, which demanded an explanation for the mishap. A few weeks later, Kurtz made the rounds at Black Hat USA, going from table to table to chat during the CISO Summit side huddle, which included some of the biggest buyers of cybersecurity solutions in the world.

CrowdStrike weathered the reputational hit, but the industry — and specifically Microsoft — was forced to revisit the deep kernel access that cybersecurity companies had been given to make code changes to Windows and push them out to the world all at once. It was an obvious single point of failure.

"The CrowdStrike incident was a wake-up call about concentration risk," says Dave Gerry, CEO of Bugcrowd. "When a single update can ground airlines, knock hospitals offline, and freeze banks worldwide, that is not just a vendor problem — that is a systemic one. The lesson for the industry is that resilience has to be designed in, not bolted on. Staged rollouts, kill switches, and rigorous predeployment testing should be table stakes for anything running at kernel level."

Microsoft convened a "Security Ecosystem Summit" weeks later to discuss possible solutions. And in late June 2025, Microsoft announced two important updates: Endpoint detection and response (EDR) solutions like CrowdStrike would no longer have kernel-level access, and, recognizing that "BSOD" lends itself a little too easily to a hashtag, perhaps, the blue screen of death aesthetic was being replaced with a black-and-white version.

AWS & Other Cloud Outages Reverberate Globally

Recent worldwide cloud outages that disrupted not only work but daily life revealed how much of our connectivity — and work life — is controlled by a small subset of vendors.
They highlight how organizations need to evolve their security postures to combat risks to business operations, finances, and customer trust.

Amazon Web Services (AWS), Cloudflare, CrowdStrike, and Azure have a stronghold on the public cloud market, and they've all crashed multiple times over the past two decades, knocking corporate apps, services, and domains offline. Reliance on cloud services has grown significantly over the past decade in particular, and it's becoming even more critical amid rising demand for AI-driven data centers. Data centers are now part of every nation's critical infrastructure to boot — and yet the outages keep coming.

AWS suffered several outages throughout 2025 and 2026 alone — two linked to errors in its AI tool. In October, one AWS cloud outage caused at least 15 hours of stress as services around the globe were rendered useless. Meanwhile, Microsoft disclosed failures and delays for Azure customers last month. But longer Azure disruptions occurred in 2024 following a distributed denial-of-service (DDoS) attack.

The recent events have shown that public cloud providers are valuable and sometimes easy targets for adversaries, says Ahmed Abugharbia, a SANS-certified instructor.
"Cloud failures over the past few months have been highly diverse, ranging from common, inevitable issues, such as DNS-related outages, to previously unforeseen events, like drone strikes causing physical damage to data centers," Abugharbia says.

He notes the need for a shift in defensive strategy if enterprises and other organizations are to become more resilient; this could result in cloud rearchitecting.

"While relying on a single cloud provider may be simpler, more efficient, and more scalable, this growing range of risks, many of them increasingly unavoidable, means that we as an industry may have no choice but to go back and place greater emphasis on data and service resilience across multiple public clouds and even private ones," he says.

Intel's Big Bet on McAfee Implodes to the Tune of $3B

It was a blockbuster acquisition that was supposed to push the world's biggest chip-maker to new heights. But Intel's $7.68 billion purchase of McAfee ended up becoming an object lesson in square pegs and round holes.

When the companies announced the proposed acquisition in 2010, cybersecurity was on the rise and McAfee was one of the "Big Three" antivirus vendors in the market, along with Symantec and Trend Micro. Intel's strategy was to meld McAfee's software with chips to bring "hardware-enhanced security" to the masses.

While the high price tag raised some eyebrows at the time, cybersecurity was viewed as a path to significant growth. Former Intel CEO Paul Otellini declared security the "third pillar" of computing, along with energy-efficient performance and Internet connectivity. But the pillar would eventually show cracks. McAfee was renamed Intel Security Group, but it never fully assimilated into the silicon giant's road map.

"Unfortunately, the synergies Intel had hoped for from its new Intel security division never arrived in any meaningful form," says Eric Parizo, president and chief analyst at Cernivera Research.
"Security software and semiconductor engineering proved to be fundamentally different businesses with different talent pools, sales motions, customer relationships, and innovation cycles."

The timing wasn't great, either. Instead of moving to hardware-software convergence, the technology industry and cybersecurity market rushed toward cloud computing. In 2016, Intel decided to cut its losses and sold a majority stake in McAfee to TPG Capital for just $3.1 billion. The newly independent McAfee launched another IPO in 2020, but it was taken private again just two years later. The storied cybersecurity vendor was eventually split, with its enterprise business combined with FireEye to form Trellix. In all, Intel's $3-plus billion loss on the McAfee acquisition lives on in memory as "a costly lesson in the limits of hardware-software convergence strategies," Parizo says.

Ransomware Takedowns Fail to Stop Cybercriminals

In recent years, law enforcement and defenders have stepped up their game to take down cybercriminals, but it's rare that a threat group is taken down completely. On a case-by-case basis, many security experts speak highly of international law enforcement's role in disrupting groups like LockBit, Cl0p, BlackSuit, and others. Law enforcement action has put many attackers on the back foot and made a positive impact against the scourge of ransomware, including recovering decryption keys.

But what we're actually dealing with is a much larger systemic failure, due to a persistent international legal and technical infrastructure that allows cybercriminals to operate with near impunity. Cybercriminals operate from nonextradition countries, exploit gaps in international law, leverage legitimate infrastructure and bulletproof hosting services without real repercussions, and more. Attribution is difficult, and prosecution even harder. When one threat group is shuttered, it often rebrands as one or more other criminal entities.
For example, DarkSide became BlackMatter, which ultimately became ALPHV/BlackCat. Or sometimes it comes right back, like a hydra. Take the case of LockBit, where one (or more) of its heads remains despite severely disruptive law enforcement action. Gangs also fuse with other criminal entities or form cartel-like entities, as we've seen with Scattered Lapsus$ Hunters, a cybercriminal collective apparently composed of members of Scattered Spider, Lapsus$, and ShinyHunters, formed after various member arrests.

There's also the evolution of cybercrime itself over the past 20, 10, and even 5 years. Ransomware-as-a-service (RaaS) has established an affiliate economy where individuals can attack organizations at scale without technical ability. Even if the RaaS group is shuttered, a small army of script kiddies with ill intentions is left behind, ready to create the next big ransomware brand.

Ultimately, defenders and law enforcement remain at perpetual odds with those that harm networks and individuals. For years now, law enforcement has been playing a game that heavily favors criminals, despite all the good work done.

The good news, as FTI Consulting managing director Brett Callow tells Dark Reading, is that all this work is making a dent.

"Even when ransomware groups quickly rebrand, law enforcement disruptions still matter because they impose real operational costs and friction," he says. "Infrastructure gets seized, cryptocurrency wallets frozen, affiliates scattered, and trusted relationships become less trusted, forcing groups to spend time and money rebuilding instead of attacking targets."

2016 Election Hacks Blend Security Failures & Politics

A lot has happened on the election-security front in the past 10 years, but it all started with the 2016 election-cycle hacks at the Democratic National Committee (DNC) and the Hillary Clinton campaign.
These exposed several critical security failures that allowed Russian intelligence agencies to successfully breach Democratic Party systems and attempt to influence the election.

First there was John Podesta, Hillary Clinton's campaign chairman, who fell victim to a spear-phishing email attack from Russian advanced persistent threat (APT) Fancy Bear (aka APT28), featuring a fake Google login page. Podesta did the right thing and sent it to IT for checking (the campaign had been testing everyone with phishing awareness tests for months), but an IT staff typo (the person wrote that the email was "legitimate" instead of "illegitimate") meant that Podesta plugged his credentials in, and hackers were able to nab access to more than 50,000 emails from his Gmail account. He didn't have two-factor authentication (2FA) enabled, which would have prevented the attack.

Meanwhile, over at the DNC, more shenanigans were happening. Another Russian APT, Cozy Bear (aka APT29), had been lurking in the network since summer 2015; the FBI contacted the DNC's IT staff twice to warn them that one of their computers was transmitting information back to Russia, but the breach remained unaddressed. Fancy Bear then doubled up on the infection, gaining access in April 2016. Remediation didn't begin until June of that year, after the systems had been riddled with spyware for months.

Beyond the basic dropping of the ball, the DNC network lacked sufficient intrusion-detection systems to identify the data exfiltration and spyware implants. Also, sensitive campaign data wasn't properly isolated or protected with additional security layers, allowing hackers to move laterally through systems with impunity.

"The 2016 DNC and campaign hacks were a watershed moment because they exposed how quickly cyber risk can escalate when operational trust is assumed instead of continuously validated," says John Cannava, CIO at Ping Identity.
"They also highlighted the asymmetry between a relatively simple intrusion and its outsized impact on national and global events. The incident shifted the conversation from protecting systems in isolation to continuously verifying the people, devices, access, and processes supporting democratic operations, with a much greater focus on phishing resistance, identity assurance, and operational discipline."

The APTs, which are outgrowths of Russian intelligence agencies, went on to carefully weaponize the stolen information, strategically releasing it in an effort to influence public opinion against the Clinton campaign. Using the fabricated hacktivist personae of "DCLeaks" (a supposed American activist platform) and "Guccifer 2.0" (who claimed to be a lone Romanian hacker and took credit for the DNC breach), Russian intelligence started distributing the stolen information by contacting journalists, bloggers, and political operatives like Roger Stone. They also used WikiLeaks as an intermediary, according to US intelligence: in July 2016, WikiLeaks published approximately 20,000 DNC emails just three days before the Democratic National Convention, and in October, WikiLeaks started releasing Podesta's emails.

The 2016 election cycle ushered in the era of Russian interference on a much larger scale than had been seen previously, and it would not be the last of such attacks.

"These hacks demonstrate how everything today is digitized, and people who can manipulate the system can gain access to information, mimic others to manipulate systems for more control or power, or to spread misinformation," says Melinda Marks, practice director for cybersecurity at Omdia.
"Today, we have AI further complicating the possible scale of attacks and impersonation methods, but that period highlighted how we need to always stay on guard to ensure we manage our digital identities, practice security hygiene (strong passwords, multifactor authentication, do not share personal information) and also how we have to be careful about who we trust for communications and information."

How Fast-Talking Teens Took Down the Vegas Strip

No Ocean's 11-style sleight of hand required — all it took for a group of keyboard-wielding teens to take down two of the biggest casinos on the Las Vegas Strip was a vishing attack and a little ingenuity. By sweet-talking the help desks at MGM Resorts and Caesars, a group of cyber hooligans in their late teens, including the now-convicted ringleader "King Bob," were able to drop a devastating piece of ALPHV (aka BlackCat) ransomware on both companies' systems. Suddenly, slot machines went dark and hotel key cards stopped working for thousands of tourists all at once. For an idea of the scope, MGM Resorts had around 50,000 hotel rooms on the Las Vegas Strip at the time.

What came next was a tale of two divergent incident-response approaches. Caesars paid up. The organization handed over $15 million in ransom and got back to business. MGM Resorts refused, and it wound up taking a very long and expensive 10 days before its hotels and casinos were back up and running. Neither company had its data secured. All told, MGM lost an estimated $100 million, which compared to the $15 million paid out by Caesars seems like a big loss, but both quickly recovered. Insurance paid out on some of the losses, according to SEC filings following the incident, and, shockingly, neither anticipated any long-term financial damage that investors should be concerned about.

Yet the whole incident was an important lesson for an identity-obsessed cybersecurity industry.
King Bob and his band of casino cyber slayers pulled off something that defenders didn't see coming. They used social engineering to get around multifactor authentication, specifically targeting Okta users with administrator credentials. Lurking in MGM's Okta servers, all the threat actors had to do was pick the time they wanted to drop the ransomware.

"The cybersecurity industry had a wake-up call with the MGM and Caesars attacks," says Huntress cybersecurity adviser Bryson Byrd. "These attacks brought to the forefront the real impact that identity-focused attacks can have, and defenders learned that they must design systems that set end users up for success in the name of operational resilience."

King Bob and four additional Scattered Spider bros were arrested in January 2024; they pled guilty to the casino hacks along with various other cybercrimes. (The house always wins!) Along with Scattered Spider, the feds finally caught up with the RaaS operation behind ALPHV/BlackCat and took down its infrastructure in early December 2023.

Vendors & Organizations Both Fail on Internet-Exposed Devices

A general rule of thumb: Don't expose devices to the Internet if they don't need to be there. Threat actors notoriously scan the public Internet for exposed devices, such as routers, VPN appliances, and network-attached storage (NAS) devices, to gain easy front-door access to victim organizations. Still, the world is filled with devices with open IP ports and overlooked cloud misconfigurations, despite urgent warnings about the dangers this attack vector poses.

High-profile examples lead back to the Equifax breach, where a public website was running unpatched software, and WannaCry, where the ransomware targeted Internet-exposed devices running unpatched versions of the Microsoft Windows operating system.
The ransomware attack on Colonial Pipeline is a more recent example, where threat actors logged in through a legacy VPN account that lacked multifactor authentication and should have been decommissioned.

In other words, the basics matter. And while some devices are obviously Internet-connected, organizations may be less aware of Internet of Things (IoT) devices, which increasingly populate the workplace, such as thermostats, printers, and IP-enabled cameras. Threat actors can easily compromise these devices and move laterally through a network.

Responsibility also falls on vendors to make security hygiene easier for organizations. Deral Heiland, principal security researcher at Rapid7, notes that not much has changed over his 30-year career. First, many products still ship with multiple network services enabled by default.

"When we combine that with deployment efforts focused on making the technology work and delivering it within a restrictive time frame, we end up seeing devices and cloud services deployed without proper security hardening out of fear of breaking them and impacting deadlines," Heiland says.

And too often, IT departments still emphasize productivity over prudence.

"In cases where devices do show up with services and ports disabled, we encounter the issue of, 'Let's just enable everything so we can get this deployment up and running as quickly as possible for testing, and we will harden it down later,'" he notes.
"Unfortunately, later never happens."

Symantec's Certificate Authority Crashes & Burns

In 2010, Symantec made a major move to further strengthen its position as the biggest independent cybersecurity vendor in the world with the acquisition of VeriSign's lucrative authentication business. The acquisition included VeriSign's PKI operations; by 2015, Symantec was the biggest certificate authority (CA) in the world, issuing nearly a third of all SSL certificates on the Web and accounting for nearly half of the most-visited websites on the Internet.

But two years later, things began to unravel. In January 2017, Andrew Ayer, founder of certificate management service SSLMate, discovered the cybersecurity giant had issued more than 100 certificates without proper validation. The discovery led Google and Mozilla to investigate further, revealing that Symantec had misissued an astounding 30,000 certificates over the course of several years.

As a result, Google, Mozilla, and the other major browser makers took severe action against Symantec, announcing an incremental removal of trust in the company's certificates. In other words, millions of websites with Symantec certificates would stop working in the major Web browsers. They were, in a word, done.

The browser makers also gave Symantec an ultimatum: either rebuild the PKI from the ground up or sell it off. After some initial pushback, Symantec opted for the latter, selling its CA business to DigiCert in late 2017.

It was considered an unprecedented penalty for a major CA. The "browserocracy" had dropped the ban hammer on CAs before for blatant fraud and abuse. But Symantec's case was different and set a new standard for the market, Ayer says. "It established that a CA could be distrusted just for being negligent," he says.
"You didn't have to be fraudulent, and you didn't have to be compromised."

Tim Callan, chief compliance officer at Sectigo, says the Symantec case was pivotal for the CA market. "It showed that a too-big-to-fail mentality is not a safe assumption and that even the most entrenched public CA is ultimately replaceable," he says.

The Mirai Botnet Shows Us What Insecure IoT Can Lead To

The Mirai botnet, a cybersecurity version of Frankenstein's monster, was created in 2016 by three college-age coders: Josiah White, Paras Jha, and Dalton Norman. The trio wrote the botnet to knock rival Minecraft servers offline, wreak havoc on Rutgers University's registration systems, and eventually run a "protection racket," all through DDoS attacks. But things soon spun out of control when the botnet, which was programmed to automatically infect vulnerable IoT devices, started garnering law-enforcement attention after hitting cybersecurity journalist Brian Krebs' site, Krebs on Security, with roughly 620 Gbps of traffic, and French hosting provider OVH with an even larger flood. Its sheer size made it stick out like a sore thumb: at its peak in September 2016, Mirai had infected more than 600,000 vulnerable IoT devices, according to Cloudflare measurements. Feeling the heat, its authors dumped the botnet's source code on Hack Forums at the end of September 2016, and that's when Mirai got large and became the catalyst for a worldwide Internet outage. The victim was Dyn, a company whose managed DNS service fronted a large share of the Internet's most popular sites. A series of massive DDoS attacks on Dyn on Oct.
21, 2016, brought down a large chunk of the Internet, including Airbnb, Twitter, the Guardian, Netflix, Reddit, CNN, and many others in Europe and the US. Dyn estimated that the attack involved "100,000 malicious endpoints" and had an attack strength of 1.2 Tbps, the largest on public record at the time.

No one knew who the attackers were or what their motivations were, but one thing was certain: Mirai could easily have been defanged if the default passwords on IP cameras, home routers, DVRs, and other gear had been changed, along with other easy defensive measures such as applying firmware updates.

"What they accidentally unleashed exposed something the industry had been quietly ignoring: millions of IoT devices shipped with hardcoded default credentials that nobody ever changed," says Darren Guccione, CEO and co-founder of Keeper Security. "The attackers didn't need sophistication — they just needed a list of default usernames and passwords and an Internet connection. A decade later, the core lesson still isn't fully applied. Default credentials persist for individuals and organizations alike, and privileged accounts continue to go unmanaged. The threat actors have evolved, but some of the most common entry points have not."

With the source code freely available to anyone, Mirai began living its best life as the malware that spawned seemingly a thousand copycats. Everyone and their robotic dog was programming a Mirai-based botnet, for any number of purposes. Attacks ranged from cryptomining to crashing one of Germany's largest Internet service providers and taking down all of Liberia's Internet.

Despite all the notoriety, IoT botnets continue to be a problem, and new spinoffs of Mirai, such as the Murdoc_Botnet, are still popping up nearly a decade later.

"Things really haven't improved. Almost everything is connected to the Internet in some fashion," says Kevin Kirkwood, CISO at Exabeam.
"TVs, refrigerators, coffee machines … There are a plethora of targets out there. You connect them all to your network and you are helping to enable the botnet armies. They don't have to be smart, just connected, and they can be used to help bad actors continue to do bad things. Have you ever seen your smart refrigerator get a patch? Did you provide a second identity for the 'fridge with a complex password? Have you looked at your router and seen the number of devices that you have connected?"

Copyright © 2026 TechTarget, Inc. d/b/a Informa TechTarget. |
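The default-credential problem that both the Internet-exposed-devices section and the Mirai section describe is concrete enough to show in code. The following is an added example, not code from the Dark Reading article, from its quoted sources, or from Mirai itself: a Python sketch that (a) flags Mirai-style dictionary attacks in telnet login-failure logs, counting distinct well-known defaults per source inside a sliding time window rather than raw failures, and (b) audits a device inventory against the same credential list. The `telnetd` log line format, the IP addresses and the device names are constructed for this example; `MIRAI_DEFAULTS` is a subset of the username/password dictionary that the leaked Mirai scanner source carried.

```python
"""Mirai-style default-credential detection and device-credential audit.

Added example, not code from the Dark Reading article or from Mirai itself.
The telnetd log format, hosts and device names below are constructed for this
example; MIRAI_DEFAULTS is a subset of the username/password dictionary found
in the leaked Mirai scanner source.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Subset of the roughly 60 username/password pairs Mirai's scanner tried over
# telnet (TCP 23 and 2323) against every host it found. Any device still using
# one of these is a one-step takeover for any Mirai descendant.
MIRAI_DEFAULTS = frozenset({
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "xmhdipc"),
    ("root", "default"), ("root", "juantech"), ("root", "123456"),
    ("root", "54321"), ("support", "support"), ("root", "root"),
    ("admin", "password"), ("root", "12345"), ("user", "user"),
    ("root", "pass"), ("admin", "admin1234"), ("root", "1111"),
    ("admin", "smcadmin"), ("root", "666666"), ("root", "password"),
    ("root", "1234"), ("root", "klv123"), ("root", "Zte521"),
    ("root", "hi3518"), ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"),
    ("ubnt", "ubnt"), ("guest", "guest"), ("admin", "1234"),
})

# Constructed log format (no real daemon writes exactly this): one failed
# telnet login per line, with an ISO-8601 UTC timestamp.
_LINE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login failed user=(?P<user>\S*) "
    r"pass=(?P<pw>\S*) from=(?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_auth_line(line: str) -> tuple[datetime, str, str, str] | None:
    """Return (timestamp, user, password, source IP), or None for non-matching lines."""
    m = _LINE.match(line.strip())
    if m is None:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["user"], m["pw"], m["src"]


def flag_dictionary_sources(lines, window_s: int = 60,
                            min_distinct: int = 5) -> dict[str, list[tuple[str, str]]]:
    """Map source IP -> every Mirai default pair it tried, for sources that tried at
    least `min_distinct` *different* default pairs inside any `window_s`-second window.

    One wrong password is noise. A burst of many distinct vendor defaults from a
    single source is the Mirai scanner signature, so distinct pairs are counted,
    not raw failures."""
    events = defaultdict(list)  # src -> [(timestamp, (user, pw)), ...]
    for line in lines:
        parsed = parse_auth_line(line)
        if parsed is None:
            continue  # unrelated or malformed line; never crash on log noise
        ts, user, pw, src = parsed
        if (user, pw) in MIRAI_DEFAULTS:
            events[src].append((ts, (user, pw)))

    flagged = {}
    for src, evs in events.items():
        evs.sort()  # chronological; all timestamps are tz-aware, so comparisons are safe
        lo = 0
        for hi in range(len(evs)):
            # Advance the window's left edge until it spans at most window_s seconds.
            while (evs[hi][0] - evs[lo][0]).total_seconds() > window_s:
                lo += 1
            if len({pair for _, pair in evs[lo:hi + 1]}) >= min_distinct:
                flagged[src] = sorted({pair for _, pair in evs})
                break
    return flagged


def audit_inventory(devices: dict[str, tuple[str, str]]) -> list[str]:
    """Return the names of devices whose configured (user, password) is on the Mirai list.

    A device that passes this check may still be exposed, but it is no longer a
    free win for a credential-list scanner."""
    return sorted(name for name, cred in devices.items() if cred in MIRAI_DEFAULTS)


# Constructed sample: one source walking the Mirai dictionary, one ordinary mistyped login.
SAMPLE_LOG = """\
2016-09-20T02:14:07Z telnetd[412]: login failed user=root pass=xc3511 from=198.51.100.23
2016-09-20T02:14:08Z telnetd[412]: login failed user=root pass=vizxv from=198.51.100.23
2016-09-20T02:14:08Z telnetd[412]: login failed user=root pass=admin from=198.51.100.23
2016-09-20T02:14:09Z telnetd[412]: login failed user=admin pass=admin from=198.51.100.23
2016-09-20T02:14:09Z telnetd[412]: login failed user=root pass=888888 from=198.51.100.23
2016-09-20T02:14:10Z telnetd[412]: login failed user=root pass=7ujMko0vizxv from=198.51.100.23
2016-09-20T02:20:31Z telnetd[412]: login failed user=root pass=Hunter2! from=203.0.113.9
2016-09-20T02:41:02Z telnetd[412]: login failed user=root pass=admin from=203.0.113.9
""".splitlines()

# Constructed inventory: device name -> credential currently configured on it.
SAMPLE_INVENTORY = {
    "lobby-cam-01": ("root", "xc3511"),     # factory default on Mirai-era camera/DVR SoCs
    "dvr-01": ("admin", "admin"),
    "core-rtr": ("admin", "Tq9!vL2#mWq4"),  # unique per-device password
}

if __name__ == "__main__":
    for src, pairs in flag_dictionary_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(pairs)} distinct Mirai defaults tried, e.g. {pairs[0]}")
    print("devices still on factory defaults:", audit_inventory(SAMPLE_INVENTORY))
```

On the sample, 198.51.100.23 is flagged (six distinct defaults in three seconds) while 203.0.113.9 is not: one wrong password and one default-looking retry is what a human at a console produces, and the window-plus-distinct-count rule keeps that out of the alert stream. The inventory audit is the cheap half of the fix the article's sources keep asking for; the other half is not exposing telnet at all.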
The evolution of the cybersecurity landscape over the past two decades is characterized by numerous systemic failures, operational mishaps, and a growing jadedness among stakeholders. This period, chronicled in "Boulevard of Broken Dreams," shows that early technological visions, such as seamless Internet of Things integration or perfect security solutions, failed to materialize, and that much of the resulting damage came from preventable mistakes and systemic malaise.

Repeated exposure of sensitive personal information by entities like Equifax, Anthem, and Change Healthcare has produced widespread data-breach fatigue: apathy rather than action. Experts attribute this to a risk-evaluation mindset in which the perceived value of a service outweighs the perceived risk, so organizations accept risk rather than remediate it. That apathy sits alongside highly destructive incidents, such as the exploitation of a SQL injection flaw in Progress Software's MOVEit Transfer, which exposed nearly 100 million records. The MOVEit campaign showed how a supply chain vulnerability, combined with delayed patching and slow response, enables catastrophic, large-scale damage by threat actors like the Cl0p ransomware gang.

Operational resilience emerges as a recurring lesson. The CrowdStrike update failure of July 2024 demonstrated the systemic risk of concentrating function at the kernel level, and showed that resilience must be designed in through staged rollouts and rigorous testing rather than bolted on afterward. Similarly, the Mt. Gox collapse illustrated the danger of centralized cryptocurrency infrastructure where inadequate governance and missing safeguards, such as multi-signature cold storage, allowed massive theft. Centralized assets remain subject to centralized failure, which reinforces the case for treating custody as a regulated fiduciary duty.

Security infrastructure itself is undergoing a paradigm shift. The long-standing dominance of the Security Information and Event Management (SIEM) platform is being challenged by Security Orchestration, Automation, and Response (SOAR), Extended Detection and Response (XDR), and artificial intelligence (AI). While compliance mandates still require log aggregation, the SIEM is increasingly seen less as a primary operational tool and more as an expensive data repository. Experts predict an arrangement in which the SIEM is the foundational data layer, AI agents are the reasoning engine, and orchestration is the connective layer.

Interconnected devices, particularly IoT, have proven a significant threat vector. The Mirai botnet, which leveraged hardcoded default credentials on millions of insecure IoT devices, showed that widespread connectivity without security hardening produces massive botnet armies. The problem is compounded by the organizational tendency to prioritize deployment speed over security prudence, leaving devices with default settings enabled that threat actors exploit for initial access and lateral movement. Global infrastructure also faces persistent challenges, as shown by worldwide cloud outages at providers like AWS, Azure, and Cloudflare; reliance on a small set of vendors means organizations must build resilience across multiple public and private clouds.

The business model behind large-scale acquisition of cybersecurity assets has also failed at times: Intel's $7.68 billion purchase of McAfee demonstrated the difficulty of harmonizing fundamentally different businesses such as semiconductor engineering and software security.

Finally, cybercrime remains entrenched, hampered by systemic gaps in international law enforcement. Actions against groups like LockBit have yielded results, but the transnational nature of the threat and gaps in international legal infrastructure let it persist. The shift from large, identifiable ransomware groups to decentralized affiliate economies built on Ransomware-as-a-Service (RaaS) and frequent rebranding illustrates an ongoing arms race. The 2016 election hacks revealed how easily operational trust can be compromised, underlining the need for continuous verification of identities and processes and for security hygiene, including robust, phishing-resistant multi-factor authentication. The overarching lesson is that as systems become more digitized and interconnected, vigilance regarding identity management, data custody, and systemic resilience is paramount. |