Top 10 Cyber Attacks and Data Breaches That Shaped Modern Cybersecurity


The threat landscape has not slowed down. Attacks that once targeted perimeters now exploit trusted vendors, cloud misconfigurations, and AI-assisted social engineering. Change Healthcare lost access to pharmacy claims across the entire US healthcare system because a single Citrix portal had no MFA enabled. Stryker watched its computers get wiped across 79 countries in real time, with no ransomware and no negotiation. The goal was simply destruction.

What these incidents share is the gap between how organizations think they are protected and how attackers actually get in. Stolen credentials, unpatched software, a trusted third-party tool with a hidden flaw, an employee who answered the wrong phone call. The most damaging cyber attacks in recent history did not require nation-state sophistication. They required organizations to leave a door unlocked.

This article examines 10 of the most consequential cyber attacks and data breaches from 2020 through 2026, the incidents that set the template for those that followed.

Key Takeaways

  • The 2026 Stryker wiper attack wiped over 80,000 systems across 79 countries.
  • Change Healthcare’s 2024 breach exposed the health data of 193 million individuals.
  • North Korea’s Lazarus Group stole $1.5 billion from Bybit in 2025, the largest crypto theft on record.
  • The National Public Data breach exposed 2.9 billion records, including Social Security numbers.
  • Most breaches here trace back to the same failures: no MFA, unpatched software, or stolen credentials.
  • The global cybersecurity workforce gap stands at 4.8 million unfilled positions.
  • Studying past cyber attacks is the most practical way to prevent the next one.

1. Stryker Wiper Attack (2026)

On March 11, 2026, Stryker Corporation, a Fortune 500 medical technology company operating across 61 countries and serving more than 150 million patients annually, suffered one of the most operationally destructive cyber attacks against a corporate target in recent history. The Iranian hacktivist group Handala claimed responsibility, stating the attack was retaliation for a US military strike in Iran.

The attackers obtained Global Administrator-level access within Stryker’s Microsoft environment, giving them control over core administrative services including endpoint management. They reportedly used Microsoft Intune to issue remote wipe commands in the early hours of the morning, erasing devices across the company’s global network. Employees watched their computers and phones wiped in real time. Stryker was forced to send home approximately 5,500 employees in Ireland alone and disrupted operations across 79 countries, including the US, India, and Australia.

Unlike most high-profile attacks, this was not ransomware. The goal was maximum disruption rather than financial extortion. Order processing, manufacturing, and global shipping were all brought to a halt. Stryker filed with the SEC on the day of the attack, disclosed a material impact on its Q1 2026 earnings, and worked with Palo Alto Networks’ Unit 42 to investigate. The investigation confirmed that the attackers inserted a malicious non-malware file to abuse the Microsoft Intune environment. By late March, Stryker confirmed it had returned to full operational capacity.

What made it significant: A politically motivated hacktivist group caused enterprise-wide operational collapse across 79 countries without deploying a single line of ransomware, signaling a shift toward destructive attacks designed to punish rather than profit.

2. Bybit Cryptocurrency Heist (2025)

On February 21, 2025, the FBI confirmed that North Korea’s Lazarus Group, also known as TraderTraitor and APT38, had stolen approximately $1.5 billion in Ethereum from Dubai-based cryptocurrency exchange Bybit, making it the largest single cryptocurrency theft in history.

The attack did not target Bybit’s internal infrastructure directly. Instead, the Lazarus Group compromised the front-end interface of Safe{Wallet}, a third-party multi-signature wallet platform that Bybit used to authorize transactions. By injecting malicious JavaScript into the Safe interface, attackers caused the wallet’s legitimate signers to unknowingly approve a transaction that redirected funds to attacker-controlled addresses. The stolen assets were rapidly converted into Bitcoin and dispersed across thousands of blockchain addresses to obscure the trail.

Bybit’s CEO Ben Zhou confirmed the theft via livestream and committed to making depositors whole. The FBI issued 51 Ethereum addresses linked to the laundering operation and urged cryptocurrency providers to block related transactions.

This attack followed a known pattern: the Lazarus Group had previously stolen $308 million from Japan’s DMM Bitcoin exchange in 2024. North Korea has become one of the world’s most prolific perpetrators of state-sponsored cryptocurrency theft, using stolen funds to finance weapons programs.

What made it significant: Attacking the user interface of a trusted wallet platform, rather than the exchange itself, exposed the front-end supply chain as a critical and underdefended attack surface in the cryptocurrency industry.

3. Snowflake Customer Account Campaign (2024)

In mid-2024, a wave of data thefts targeting Snowflake customers rocked some of the world’s most prominent brands. Snowflake, a widely used cloud data platform, was not itself breached. Instead, attackers used credentials harvested through infostealer malware to log into customer accounts that had not enabled multi-factor authentication.

The campaign ultimately compromised data from Ticketmaster (affecting 560 million customers), Santander Bank, Advance Auto Parts, Pure Storage, and hundreds of other organizations. The threat actor, tracked as UNC5537, exfiltrated enormous volumes of customer data and attempted extortion across multiple targets.

The incident reinforced a pattern that has appeared across multiple major breaches: where MFA is absent, attackers will find the door wide open.

What made it significant: It demonstrated that cloud platform customers bear direct responsibility for their own security configurations, and that credential theft from a single employee device can compromise an entire enterprise’s data warehouse.

4. National Public Data Breach (2024)

In April 2024, a cybercriminal group operating under the moniker USDoD began offering for sale what turned out to be one of the most sweeping data breaches in history. The target was National Public Data, a Florida-based background check company that aggregated records from public databases and court documents.

The breach exposed 2.9 billion records containing full names, Social Security numbers, current and past addresses, dates of birth, and telephone numbers for individuals across the United States, United Kingdom, and Canada. The data was listed on dark web forums for $3.5 million. By July 2024, portions of it had been leaked freely.

National Public Data confirmed the breach in August 2024, tracing unauthorized access back to December 2023. The company subsequently filed for Chapter 11 bankruptcy, facing over a dozen lawsuits. The breach raised serious questions not just about cybersecurity but about data brokers collecting sensitive personal information on billions of people without their knowledge or consent.

What made it significant: The sheer volume of exposed records and the inclusion of Social Security numbers created a lasting identity theft risk for an estimated 170 million people in the US, UK, and Canada.

5. Change Healthcare Ransomware Attack (2024)

On February 21, 2024, the US healthcare system experienced what many have called its most consequential cybersecurity incident to date. Change Healthcare, a subsidiary of UnitedHealth Group and a clearinghouse that processes roughly half of all medical claims in the United States, was struck by the ALPHV/BlackCat ransomware group.

The attackers gained access nine days earlier, on February 12, by exploiting stolen credentials on a Citrix remote access portal that had no multi-factor authentication. They spent those nine days moving through the network, exfiltrating up to 6TB of data before deploying ransomware. Change Healthcare immediately took its systems offline to contain the spread.

The downstream impact was catastrophic. 94% of US hospitals reported being financially affected. More than 90% of the country’s 70,000 pharmacies could not process insurance claims. Physicians could not submit billing. Patients faced delays in prescriptions and authorizations for necessary care.

UnitedHealth Group confirmed paying a $22 million ransom. A second group, RansomHub, later claimed to have the same data and threatened further leaks. Total financial impact rose to $2.87 billion by the end of 2024. Change Healthcare notified the Office for Civil Rights that 192.7 million individuals had been affected, making it the largest healthcare data breach in US history.

What made it significant: The absence of multi-factor authentication on a single portal effectively brought a significant portion of the US healthcare payment system to its knees.

6. MOVEit Transfer Zero-Day Breach (2023)

In May 2023, the Cl0p ransomware group exploited a previously unknown SQL injection vulnerability in MOVEit Transfer, a widely used managed file transfer platform developed by Progress Software. The attack was methodical. By injecting a custom web shell called LEMURLOOT into MOVEit databases, the attackers extracted sensitive data from any organization that had not patched the vulnerability in time.

The breach ultimately compromised over 2,700 organizations and exposed the personal data of approximately 93 million individuals worldwide. Victims included the BBC, British Airways, the US Department of Energy, the New York City Department of Education, and dozens of major financial institutions. In one particularly sensitive case, BORN Ontario disclosed that health data on approximately 3.4 million newborns and pregnant patients had been stolen.

The US CISA and FBI issued a joint advisory, and Progress Software faced SEC investigation and numerous class-action lawsuits. Total damages were estimated at over $15 billion and still climbing as of early 2024.

What made it significant: One vulnerability in a single third-party file transfer tool cascaded into the largest supply-chain data breach of 2023, affecting organizations across healthcare, finance, education, and government simultaneously.

7. Colonial Pipeline Ransomware Attack (2021)

On May 7, 2021, the DarkSide ransomware group compromised the network of Colonial Pipeline, which transports approximately 2.5 million barrels of fuel daily from the Gulf Coast to the Eastern Seaboard. The attack forced Colonial to shut down operations across its 5,500-mile pipeline network, the largest fuel pipeline in the United States.

Within days, panic buying set in across the Southeast. Gas stations ran dry. Airlines scrambled. Colonial confirmed it paid $4.4 million in cryptocurrency to DarkSide in exchange for a decryption key. The US Department of Justice later recovered approximately $2.3 million of that ransom.

The attackers had gained entry through a legacy VPN account that lacked multi-factor authentication. In almost six decades of the company’s history, it was the first time the pipeline had been completely inoperable. The attack exposed the vulnerability of critical infrastructure to ransomware and sparked sweeping executive action on pipeline cybersecurity.

What made it significant: A single compromised credential without MFA brought a piece of national energy infrastructure to a standstill, forcing the US government to treat ransomware as a national security threat.

8. Microsoft Exchange Server Zero-Day Exploitation (2021)

From January through March 2021, a Chinese state-sponsored threat group known as Hafnium exploited multiple zero-day vulnerabilities in Microsoft Exchange Server, the on-premises email platform used by governments and enterprises globally. The campaign gave attackers full remote access to affected email servers without needing any credentials.

The impact was staggering. Nine US government agencies and over 60,000 private companies worldwide were affected. Once the vulnerabilities were made public, other threat actors piled on rapidly, exploiting unpatched systems before organizations could respond.

Microsoft released emergency patches and urged all Exchange customers to apply them immediately. The attack underscored the danger of on-premises infrastructure that is slow to patch and exposed to the internet.

What made it significant: A chain of four zero-day vulnerabilities turned email servers into open doors for nation-state espionage at an unprecedented scale, exposing the risk of delaying critical security patches.

9. Twitter / X Social Engineering Attack (2020)

In July 2020, Twitter suffered one of the most publicly visible cyber attacks on a social media platform. Attackers used phone phishing, a form of social engineering, to trick Twitter employees into handing over credentials. With access to Twitter’s internal management tools, they hijacked the accounts of Elon Musk, Jeff Bezos, Barack Obama, Apple, Uber, and dozens of other high-profile accounts.

The attackers posted bitcoin scam messages from these accounts, netting over $118,000 in cryptocurrency according to the New York State Department of Financial Services. The financial damage was modest. The reputational and systemic implications were not.

Three individuals were eventually arrested. The mastermind, 17-year-old Graham Ivan Clark, was sentenced to three years in prison. The fact that a teenager with a phone could compromise a platform used by over 330 million people demonstrated just how exposed organizations are when employees lack cybersecurity awareness training.

What made it significant: No technical exploit was needed. A convincing phone call was enough to penetrate one of the world’s most widely used platforms.

10. Marriott International Data Breach (2020)

In March 2020, Marriott International disclosed a data breach affecting 5.2 million guests. Unlike a dramatic ransomware strike, this breach was subtle. Attackers used the login credentials of two employees at a franchise property to access a guest services application, quietly extracting contact details and customer loyalty account information over a period the company believes began as early as mid-January 2020.

Upon discovery, Marriott disabled the compromised credentials, implemented heightened monitoring, and notified affected guests. While no payment card data was confirmed stolen, the breach still represented a significant failure of access control and credential hygiene.

Notably, this was not Marriott’s first incident of this kind. The chain had suffered an earlier breach in 2018, affecting up to 500 million guests. Two breaches in two years made Marriott a cautionary case study in what happens when large organizations fail to apply lessons from previous incidents.

What made it significant: Insider credential abuse is a persistent threat, particularly in organizations with franchise models where security standards are not uniformly enforced across all properties.

Key Lessons Learned from Major Cyberattacks

Across all 10 incidents, several patterns repeat themselves with striking consistency:

  1. Credential theft is the most exploited entry point: The Twitter attack, the Change Healthcare breach, the Colonial Pipeline attack, and the Snowflake campaign all began with compromised credentials. Multi-factor authentication, while not infallible, would have stopped or severely limited several of these incidents.
  2. Supply chain attacks multiply your exposure: The MOVEit and Bybit breaches did not begin with the victim organizations. They began with trusted vendors and third-party platforms. Every external tool in your environment is a potential attack vector.
  3. Dwell time is the enemy: The Change Healthcare attackers spent nine days inside the network before deploying ransomware. The faster an organization detects unusual activity, the less damage an attacker can do.
  4. Critical infrastructure is a prime target: Energy, healthcare, manufacturing, and transportation have all been targeted. The Stryker and Change Healthcare attacks show that even companies removed from traditional critical infrastructure categories can face attacks with public safety consequences.
  5. Ransomware payments do not guarantee safety: Change Healthcare paid $22 million and still faced extortion from a second group. Colonial Pipeline paid and had its infrastructure compromised regardless. Paying ransoms emboldens threat actors and rarely ends the threat.
  6. Destruction is the new extortion: The Stryker attack showed that some threat actors are no longer interested in ransom. Politically motivated groups are willing to wipe systems and walk away, making resilience and recovery planning just as important as prevention.

Summary of Major Cyberattacks

| Incident | Year | Attack Type | Impact |
|---|---|---|---|
| Stryker | 2026 | Destructive wiper / hacktivist | 80,000+ systems wiped, 79 countries affected |
| Bybit | 2025 | Supply chain / UI compromise | $1.5B stolen — largest crypto heist ever |
| Snowflake Campaign | 2024 | Credential-based | Ticketmaster, Santander, 100s of others |
| National Public Data | 2024 | Data theft | 2.9B records, 170M+ people affected |
| Change Healthcare | 2024 | Ransomware | 192.7M individuals, $2.87B total cost |
| MOVEit Transfer | 2023 | Zero-day / ransomware | 2,700+ orgs, 93M individuals, $15B+ damages |
| Colonial Pipeline | 2021 | Ransomware | US fuel supply disrupted, $4.4M paid |
| Microsoft Exchange | 2021 | Zero-day exploitation | 9 gov agencies, 60,000+ companies |
| Twitter / X | 2020 | Social engineering | High-profile account takeovers, $118K stolen |
| Marriott International | 2020 | Credential theft | 5.2 million guests affected |

Why Studying Past Cyberattacks Still Matters in 2026

It would be tempting to treat these incidents as historical records. They are not. The attack patterns behind MOVEit, the Snowflake campaign, and Bybit are still being actively used. The Lazarus Group behind the Bybit heist is still operating. The Handala group that wiped Stryker’s systems has been active since at least 2023. Many of the organizations affected by ransomware had seen similar incidents in their sectors years before they were hit.

Studying past cyber attacks is how defenders build pattern recognition. It is how security teams learn to ask the right questions during threat modeling. It is how CISOs justify the budget line items that leadership would otherwise cut. And it is how cybersecurity professionals build the instincts that tools alone cannot replace.

The global cybersecurity workforce gap currently stands at 4.8 million unfilled positions, a 19% increase year over year. Every industry is competing to fill roles that require a blend of technical depth, threat intelligence, and crisis response capability. Organizations that invest in building and training cybersecurity talent today are the ones that will be better positioned when the next major attack arrives.

The question is not whether there will be a next major attack. The patterns documented in this article make the answer clear enough.

Ready to build the skills to defend against the next generation of cyber threats?

Enroll in an Online Cybersecurity Degree at EC-Council University. ECCU offers industry-aligned programs in Security Analysis, Digital Forensics, Cloud Security, Incident Management, and more, designed for working professionals who want to be future-ready.

Inquire now to learn more about current term admissions.

Frequently Asked Questions

Some of the most significant cyber attacks in recent years include the Stryker wiper attack across 79 countries (2026), the Bybit cryptocurrency heist of $1.5 billion (2025), the Change Healthcare ransomware attack that impacted 192.7 million Americans (2024), the National Public Data breach exposing 2.9 billion records (2024), the MOVEit data breach affecting over 2,700 organizations (2023), and the Colonial Pipeline ransomware attack (2021). Together, these incidents have redefined how organizations think about digital risk.

The most common root causes behind major cyber attacks are compromised credentials and the absence of multi-factor authentication, unpatched software vulnerabilities (particularly zero-days), supply chain compromises through trusted third-party vendors, social engineering targeting employees, and insufficient monitoring that allows attackers to remain undetected for extended periods.

Ransomware attacks encrypt an organization’s data, effectively locking them out of their own systems. Beyond the ransom demand itself, organizations suffer operational downtime, lost revenue, regulatory penalties, reputational damage, and the cost of recovery and forensic investigation. The Change Healthcare attack, for example, led to a total financial impact of $2.87 billion despite UnitedHealth Group paying the initial $22 million ransom.

The consistent lessons are: enforce multi-factor authentication everywhere, keep software and systems patched, assess the security posture of third-party vendors, invest in threat detection capabilities to reduce dwell time, and build incident response plans before they are needed. Organizations that treat cybersecurity as a business priority, rather than an IT cost, consistently fare better in both prevention and recovery.

Most major cyber attacks do not begin with exotic technical exploits. They begin with a phone call, a phishing email, or a reused password. The Twitter attack and the Colonial Pipeline breach both started with social engineering or credential theft. Cybersecurity awareness training turns employees from a vulnerability into a line of defense.

Effective prevention combines technical controls, including MFA, endpoint detection, zero trust architecture, and regular patching, with human elements like security awareness training and clear incident response protocols. Organizations should also conduct regular third-party risk assessments and penetration testing to identify gaps before attackers do.

Healthcare, financial services, manufacturing, government, and education are among the most targeted sectors. Healthcare consistently records the highest average breach cost, reaching $9.77 million per incident according to the IBM Cost of a Data Breach Report 2024. These industries are targeted because they hold large volumes of sensitive personal data and because disruptions to their services put maximum pressure on them to pay ransoms.

Past cyber attacks reveal the techniques, tactics, and procedures that threat actors use repeatedly. Understanding how MOVEit was compromised helps professionals design better vendor risk programs. Understanding how Change Healthcare was breached reinforces the case for MFA on every access point. The Stryker attack shows why resilience planning and rapid recovery capabilities are just as important as preventive controls. Pattern recognition built from real incidents is one of the most valuable skills a cybersecurity professional can develop, and it cannot be replicated in a lab environment alone.
