Two Decades of Cyber Disasters: Lessons from MGM to MOVEit and Beyond


Over the past twenty years, the cybersecurity landscape has been littered with high-profile blunders—from ransomware attacks that crippled casinos to patch management failures that exposed millions of records. These incidents, including the MGM and Caesars debacles, the MOVEit fiasco, and countless business missteps, have left a trail of hard-earned lessons. This Q&A explores the systemic failures, cringeworthy moments, and the grim reality of living in a post-breach world, offering insights into how organizations can avoid repeating history.

What happened with the MGM and Caesars breaches?

In September 2023, two of the largest gambling and hospitality companies, MGM Resorts and Caesars Entertainment, fell victim to devastating ransomware attacks. The attackers exploited a known vulnerability in Okta, a popular identity management platform, to gain initial access. MGM suffered a prolonged outage that shut down slot machines, hotel booking systems, and even digital room keys, costing an estimated $100 million in lost revenue. Caesars, on the other hand, reportedly paid a ransom to regain control of its systems. Both incidents exposed critical failures in identity security and incident response. The breaches underscored how a single compromised credential can bring entire enterprises to their knees, and they remain a textbook case of systemic vulnerability in the hospitality sector.

Source: www.darkreading.com

Why was the MOVEit incident considered a 'patch nightmare'?

The MOVEit file transfer software, developed by Progress Software, was exploited through a zero-day vulnerability in June 2023. What made this a patch nightmare was not just the flaw itself, but the cascade of exploitation that followed. The Clop ransomware gang quickly automated attacks against unpatched instances, affecting thousands of organizations—including government agencies, banks, and healthcare providers. The real disaster was the delayed patching cycle: many organizations remained vulnerable for weeks after the patch was released, often because they didn't monitor third-party software diligently. The breach ultimately impacted over 2,500 entities and exposed the personal data of more than 100 million people. It became a stark reminder that patch management is not just an IT chore but a critical security discipline.

What are the most common business blunders that lead to cyber failures?

Beyond technical exploits, many cyber disasters stem from fundamental business missteps. These include:

These blunders often come from a culture of complacency where executives view security as a cost rather than an enabler. The result? Repeated incidents that could have been avoided with basic due diligence and a proactive risk mindset.

What is the reality of living in a post-breach world?

Living in a post-breach world means accepting that a security incident is no longer a matter of if but when. Organizations now face heightened regulatory scrutiny, mandatory disclosure laws in over 100 countries, and a constant threat of class-action lawsuits. For individuals, it means being repeatedly notified that their personal data—from social security numbers to payment details—has been compromised. This reality has left many jaded: we've become numb to breach announcements, yet the financial and emotional toll continues to rise. The grim lesson of this era is that even after spending millions on defenses, a single oversight can undo years of effort. The only viable path forward is resilience: rapid detection, containment, and recovery, coupled with transparent communication.

How have cyber failures evolved over the past two decades?

Twenty years ago, cyber failures were often isolated incidents—a worm like Blaster or a virus like Melissa. Today, they are systemic, supply-chain-wide events that can paralyze entire industries. The early 2000s focused on perimeter defense; now, attackers bypass firewalls via compromised credentials or remote access tools. The evolution has also shifted from opportunistic to targeted, ransomware-driven attacks with double extortion. Moreover, the failure modes have changed: earlier mistakes were about technology gaps; today, they are as much about human errors, misconfigured clouds, and poor governance. This progression demands a shift from reactive patching to continuous monitoring and zero trust architectures.

What cringeworthy moments stand out in cybersecurity history?

A few moments still make security professionals shake their heads. One is the Equifax breach in 2017, where a patch for a critical vulnerability (Apache Struts) was ignored for months—even after warnings. Another is the Target 2013 incident, where an HVAC vendor's credentials were compromised, leading to credit card data theft. More recently, the Twitter 2020 hack saw attackers trick employees into giving up admin tools via a simple social engineering phone call. These examples highlight avoidable human errors—not advanced nation-state tactics. They are cringeworthy because they stem from basic lapses in training, monitoring, and internal controls that any organization should have addressed.

What systemic failures continue to plague cybersecurity?

Despite two decades of lessons, several systemic failures persist. First, insecure software supply chains: vendors ship products with known vulnerabilities, and customers lack visibility into code dependencies. Second, skilled labor shortages: the cyber workforce gap remains over 4 million, leading to burnout and oversight. Third, misaligned liability: while consumers bear the cost of breaches, software developers and service providers often face minimal consequences. Finally, complexity and interoperability issues in multi-cloud environments create blind spots. These are not just technical problems but economic and policy ones that require regulatory pressure and industry collaboration to fix.

How can organizations avoid repeating past failures?

To break the cycle, organizations must adopt a proactive, layered approach. First, implement continuous vulnerability management—not just quarterly scans but real-time monitoring of all assets. Second, enforce zero trust principles: never trust any user or device by default, even inside the network. Third, invest in incident response readiness through regular tabletop exercises and simulated attacks. Fourth, improve vendor risk management with contractual clauses requiring timely patches and disclosure. Finally, foster a security-first culture where every employee understands their role. Learning from the MGM, MOVEit, and other failures means embedding security into every business decision—not treating it as an afterthought.
