Twenty Years of Getting It Wrong: The Breaches and Blunders That Defined Modern Cybersecurity

From MGM's identity disaster to MOVEit's patch pile-up, the same failure modes keep appearing in postmortems. That's the problem.

ThreatVectr Newsdesk· 2 min read
Photoreal news-editorial style, 16:9 framing, edge-to-edge composition
Share

Key points

  • The MGM Resorts breach and the Caesars Entertainment ransomware payment in 2023 exposed how social engineering defeats even well-funded enterprise identity controls.
  • Progress Software's MOVEit Transfer vulnerabilities triggered a mass-exploitation event in 2023 affecting hundreds of downstream organizations.
  • Two decades of high-profile incidents show systemic failures in patch management, credential hygiene, and vendor risk that repeat across generations of security teams.
  • Dark Reading's retrospective catalogs moments that produced genuine organizational change alongside moments that produced nothing except a revised incident response slide deck.

Two decades. Same postmortem.

The MGM situation in 2023 is the one that still stings the most if you spent any time running identity pipelines. Attackers called the help desk. That's it. No zero-day, no sophisticated implant chain — a phone call defeated an enterprise identity stack worth millions. The failure mode here is not technical. It's that organizations build elaborate controls inside their perimeter and leave the human verification process running on vibes and brand familiarity.

Caesars Entertainment paid. Quietly. Which tells you everything about how the ransomware calculus actually works in boardrooms versus how it gets discussed at security conferences.

Then there's MOVEit. Progress Software's managed file transfer product became the supply chain domino of 2023, with the SQL injection vulnerability tracked as CVE-2023-34362 hitting organizations before most of them had finished their morning stand-ups. In practice, the lesson from MOVEit is not that zero-days happen — it's that file transfer appliances and managed transfer services sit in network DMZs, touch sensitive data, and get patched last because nobody owns them cleanly. They live in the gap between the platform team and the security team.

That gap is where most of these incidents actually live.

The broader retrospective Dark Reading assembled spans blunders ranging from straightforward misconfigurations to genuinely baffling executive decisions. What the pattern shows across twenty years is not an escalating sophistication problem. Attackers get more efficient, but the underlying entry points — unpatched internet-facing services, weak MFA enrollment flows, third-party access that never got revoked — have been sitting in the same place since the early 2000s.

One thing the postmortem will say, every time: the indicator was visible in logs before the breach was confirmed. Somewhere, in an S3 access log or a VPC flow log or an Azure Monitor workspace, the data existed. Nobody was looking.

Patch your internet-facing file transfer services before you build the threat model.

© 2026 Threat Vectr