Companies Destroyed by Security Breaches
Real cases. Real damage. Every one of these could have been prevented with basic security headers and proper auditing.
$350 Million
Social Media
2021
Facebook — 533 Million Users Exposed
Phone numbers and personal data of 533 million Facebook users from 106 countries were found in a public forum. The data had been scraped through a vulnerability in Facebook's contact importer feature.
What went wrong:
An API endpoint allowed bulk phone number lookups without rate limiting. Attackers queried billions of phone numbers and matched them to profiles.
Impact: $350M+ in regulatory fines (Ireland DPC), massive reputation damage, congressional hearings, class-action lawsuits across multiple countries.
What we check: API rate limiting, CORS configuration, access control headers. Our audit would have flagged the unrestricted API endpoint.
$575 Million
Credit Bureau
2017
Equifax — 147 Million People's SSNs Stolen
Attackers exploited a known vulnerability in Apache Struts (CVE-2017-5638) that Equifax failed to patch for 2 months. Names, SSNs, birth dates, addresses, and driver's license numbers were stolen.
What went wrong:
An outdated web framework with a known critical vulnerability. The patch was available for months before the breach. Plus, an expired SSL certificate on an internal security tool meant the breach went undetected for 76 days.
Impact: $575M FTC settlement, CEO/CIO/CSO resigned, stock dropped 35%, congressional investigation, permanent brand damage.
What we check: Outdated libraries with known CVEs, SSL certificate expiry, security header configuration. Our scanner catches expired certs and outdated frameworks automatically.
$115 Million
Healthcare / Insurance
2015
Anthem — 78.8 Million Patient Records Stolen
The second-largest health insurer in the US suffered the largest healthcare data breach in history. Names, birth dates, SSNs, medical IDs, addresses, income data — all stolen via a spear-phishing email.
What went wrong:
No encryption on the database storing 78.8M records. Once attackers got in through phishing, the data was sitting in plaintext. No multi-factor authentication on admin accounts.
Impact: $115M class-action settlement, $16M HHS HIPAA fine (largest ever at the time), years of credit monitoring for 78.8M people.
What we check: Authentication security, session management, HIPAA compliance mapping (§164.312 technical safeguards). Our HIPAA audit identifies exactly these gaps.
$85 Million
Retail
2013
Target — 40 Million Credit Cards Stolen
Attackers gained access through an HVAC vendor's compromised credentials. From there, they moved laterally through Target's network and installed malware on point-of-sale systems across 1,800 stores.
What went wrong:
A third-party vendor had network access without proper segmentation. No monitoring detected the lateral movement. POS systems were running outdated software.
Impact: $85M+ in settlements, CEO and CIO both fired, 46% profit drop that quarter, massive customer trust loss.
What we check: Third-party script security, network information disclosure, server version exposure. Vendors with unmonitored access are a top attack vector.
$4.7 Million
Healthcare
2023
Montefiore Medical Center — Insider Threat + Poor Access Controls
An employee stole protected health information of 12,517 patients over 6 months. The hospital had no monitoring system to detect unusual data access patterns.
What went wrong:
No access logging, no anomaly detection, no role-based access controls. An employee could access any patient record without restriction or audit trail.
Impact: $4.75M HIPAA settlement with HHS OCR. Required to implement comprehensive access controls and 2 years of monitoring.
What we check: Access control headers (§164.312(a)), session management, authentication flows. Our HIPAA audit maps every access control gap.
$1.3 Million
Healthcare
2024
BetterHelp — FTC Action for Sharing Mental Health Data
The online therapy platform shared users' sensitive mental health data with advertisers including Facebook, Snapchat, and Criteo for ad targeting — despite promising HIPAA-level privacy.
What went wrong:
Third-party tracking scripts (Facebook Pixel, analytics) on therapy session pages. Referrer headers leaked therapy page URLs to ad networks. No Content-Security-Policy to control which scripts ran.
Impact: $7.8M FTC settlement, required to pay $1.3M+ to affected users, banned from sharing health data for ads, massive media coverage destroying trust.
What we check: Content-Security-Policy (controls which scripts load), Referrer-Policy (prevents URL leaking), third-party script audit. These exact headers would have prevented this.
$5.1 Million
Healthcare
2023
Banner Health — Phishing → 2.81 Million Records
Attackers compromised food and beverage payment systems, then pivoted to access patient medical records. 2.81 million patients affected.
What went wrong:
Network segmentation failure — payment systems and healthcare records on the same network. No HSTS meant internal traffic could be intercepted. Missing security headers across web portals.
Impact: $5.1M class-action settlement, 2+ years of remediation, mandatory security overhaul.
What we check: HSTS configuration, network information disclosure, X-Frame-Options (clickjacking). Basic header security would have limited the blast radius.
$150 Million+
Hotel / Hospitality
2018
Marriott — 500 Million Guest Records Stolen
Attackers had been inside Starwood's (acquired by Marriott) network for 4 YEARS before being discovered. Passport numbers, credit cards, and personal data of 500M guests exposed.
What went wrong:
No security audit during the Starwood acquisition. Outdated systems inherited with the merger. No encryption on the reservation database. Breach went undetected from 2014 to 2018.
Impact: $124M GDPR fine (UK ICO), $28M+ additional costs, stock drop, CEO congressional testimony, lawsuits across 50 states.
What we check: SSL/TLS configuration, encryption posture, information disclosure. Regular security audits would have caught the intrusion years earlier.
$100 Million+
Financial Services
2019
Capital One — 100 Million Applications Leaked
A misconfigured AWS WAF (Web Application Firewall) allowed an ex-AWS employee to access 100 million credit card applications including SSNs, bank account numbers, and credit scores.
What went wrong:
Server-Side Request Forgery (SSRF) through a misconfigured firewall. The WAF was set to forward requests to AWS metadata endpoints, leaking IAM credentials. No CSP to restrict outbound requests.
Impact: $100M+ in costs, $80M OCC fine, $190M class-action settlement, CISO departed.
What we check: Security headers (CSP prevents SSRF), server configuration disclosure, cloud metadata exposure. Our scan would have flagged the permissive WAF configuration.
$230 Million
Airlines
2018
British Airways — 380,000 Cards Skimmed via XSS
Attackers injected malicious JavaScript into BA's payment page that skimmed credit card details for 15 days. The script was just 22 lines of code.
What went wrong:
No Content-Security-Policy header. Without CSP, any script could be injected and execute on the payment page. The attackers modified a third-party script (Modernizr) to include card-skimming code.
Impact: Initial GDPR fine of $230M (reduced to $26M). 380,000 payment cards compromised. Massive reputation damage for a national carrier.
What we check: This is EXACTLY what our Content-Security-Policy check catches. CSP would have blocked the injected script entirely. A $500 audit could have prevented a $230M fine.
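The header checks named in the BetterHelp, Banner Health and British Airways cases above (Content-Security-Policy, Referrer-Policy, HSTS and clickjacking protection), written out as one runnable audit function. This is an added example, not the audit service's own scanner; the two sample header sets are constructed, and cdn.example.com is a placeholder origin.

```python
# Security-header audit for one HTTP response. Added example for this page,
# not the audit service's own scanner; the sample headers below are constructed.

ONE_YEAR = 31536000  # HSTS max-age floor commonly required (and for preload lists)

# Referrer-Policy values that never send the full URL (path + query) cross-origin.
SAFE_REFERRER = {
    "no-referrer", "same-origin", "origin", "strict-origin",
    "origin-when-cross-origin", "strict-origin-when-cross-origin",
}

def parse_csp(value):
    """Parse a Content-Security-Policy string into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def hsts_max_age(value):
    """Return max-age from a Strict-Transport-Security value (0 if absent/invalid)."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.lower() == "max-age" and number.isdigit():
            return int(number)
    return 0

def audit_headers(headers):
    """Return a list of findings for a response's headers (names are case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    policy = parse_csp(h.get("content-security-policy", ""))
    if not policy:
        findings.append("CSP missing: any injected script runs on the page")
    else:
        scripts = policy.get("script-src", policy.get("default-src"))
        if scripts is None:
            findings.append("CSP has no script-src and no default-src fallback")
        elif "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("CSP script-src permits inline or wildcard scripts")
    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER:
        # Absent or no-referrer-when-downgrade: older browsers send the full URL
        findings.append("Referrer-Policy leaks full page URLs to third parties")
    if hsts_max_age(h.get("strict-transport-security", "")) < ONE_YEAR:
        findings.append("HSTS missing or max-age below one year")
    if "frame-ancestors" not in policy and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("No clickjacking protection (frame-ancestors / X-Frame-Options)")
    return findings

# Constructed sample: a page missing the headers the cases above turned on.
WEAK_HEADERS = {"Content-Type": "text/html", "Referrer-Policy": "no-referrer-when-downgrade"}
# Constructed sample: the same page with the headers set (cdn.example.com is a placeholder).
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
}
```

Running `audit_headers(WEAK_HEADERS)` returns four findings (CSP, Referrer-Policy, HSTS, clickjacking); the hardened set returns none.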
Don't Be the Next Case Study
A $500 security audit today prevents a $5M breach tomorrow.
View Our Services