The Résumé That Held a Company to Ransom
I watched one of Australia's largest logistics firms brought to its knees by a single PDF. Here's what it cost — and why it pushed me to create my solution.

It started, as these things so often do, with something completely ordinary: a job application. A résumé landed in the inbox of a young member of our HR team. She did what any of us would have done — she opened the PDF to read it. That was the whole attack. That was the click that took the company down.
I was an employee at one of the largest logistics companies in Australia at the time, and I watched the next seventy-two hours unfold from the inside. The PDF carried a payload. The moment it opened, a well-known ransomware crew had a foothold on her machine — and, through it, a foothold on our network.
They didn't smash their way in. They didn't need to. They quietly pulled the stored credential hashes off that one computer, and amongst them was the saved login of an IT support engineer with admin rights. From there it was no longer a break-in; it was a guided tour. They moved deeper into the infrastructure, helped themselves to gigabytes of company data — names, home addresses, drivers' licences, the personal details of staff — and then, patiently, encrypted the backups before locking the servers themselves.
By the time our infrastructure team realised what was happening, it was already over. The company went dark. Systems offline. Insurers on the phone. A specialist cyber-incident firm was brought in to negotiate, because the attackers had emailed their demand straight to the CEO and CFO: a little over two million dollars, or the stolen data goes up on the dark web. After the negotiators did their work, the figure settled at four hundred thousand. One clause in the deal was almost surreal — the attackers had to send back a written report explaining exactly how they'd got in. We were lucky in one respect: a single recent backup had been missed by the encryption, and it was that overlooked copy — not any decryption key — that eventually brought us back online.
“Lucky” is relative. The company still lost millions. We were named on the gang's leak site, the newspapers ran with it for days, and the downtime alone did damage that took a long, long time to undo. We survived. Plenty of companies in the same position don't.
The whole thing turned on one person, opening one file, on an ordinary Tuesday.
There's a part of this story the headlines never carried. The person who opened that PDF was a friend of mine. The company never blamed her, and to their credit never released her name internally — only senior management ever knew who it was. It didn't matter. She never really recovered from it, and not long after she quietly left for another job. When she'd joined, she was given a day of induction — health and safety, fire exits, the usual — and not one minute of it was about security. None of us had any. The “awareness training” we finally got after the attack was so bland and so generic it would have stopped exactly nothing.
And that's the part that should give every business reading this pause. What happened to us wasn't exotic or unlucky — it's the most common attack there is. Breach reports consistently find that the large majority of incidents involve a human element, and that phishing and stolen credentials are the front door attackers use again and again. The companies that get hit hardest aren't always the careless ones — they're simply the ones whose people were never shown what a real attack looks like.
of breaches involve a human element
Verizon DBIR
phishing is the top initial attack vector
industry reports
a ransomware attack is launched, somewhere
industry estimates
of small firms hit hard fold within 6 months
widely cited
I kept coming back to the same thought: every expensive, humiliating, business-threatening hour of that incident could have been prevented upstream — not by a better firewall, but by fifteen minutes of the right training reaching the right person before the email did. So I set out to build exactly that.
That's why I built Train2Secure. It turns the lesson my old company learned the hard way into something your team can pick up in an afternoon: short, sharp video courses people actually finish, realistic phishing simulations that show them exactly what that résumé-PDF moment feels like, and compliance reporting your auditors will accept. It's built for the businesses most attackers count on being unprepared — the small and mid-sized ones — and you can be running it this week.
Don't wait for your own four-hundred-thousand-dollar lesson. Train your people first.
Start your free trial at Train2Secure.com