Anatomy of a Breach

Anatomy of a Breach: 2024 Year in Review — Change Healthcare, CrowdStrike, Synnovis, and the Year MFA Could Have Prevented Everything

> series: anatomy_of_a_breach —— part: 192 —— year: 2024 —— verdict: mfa_could_have_prevented_everything

Hedgehog Security 31 December 2024 16 min read

2024: the year MFA could have prevented everything. And the year a security update crashed the world.

2024 was defined by two themes: the continued, catastrophic consequences of absent MFA, and the systemic fragility of global IT infrastructure. Change Healthcare — processing one-third of US healthcare transactions — was breached through a Citrix portal without MFA (100 million people, $22 million ransom). The Snowflake campaign exposed 700+ million people through cloud accounts without MFA. Microsoft's own executives' emails were read by Russia's SVR through a test account without MFA.

Then, on 19 July, CrowdStrike's faulty update crashed 8.5 million Windows systems — the largest IT outage in history — proving that even the security tools designed to protect us can be the single point of failure that brings everything down. In the UK, Synnovis ransomware cancelled thousands of NHS blood tests and surgeries across London, Transport for London was attacked by a teenager, and Blue Yonder disrupted Morrisons' supply chain. In December, the US Treasury was breached by China's Silk Typhoon through a compromised BeyondTrust vendor account — closing the year with yet another supply chain compromise of a nation's financial infrastructure.



Twelve months. Sixteen years of evidence condensed into one devastating year.

| # | Breach | Key Lesson |
|---|--------|------------|
| 181 | Microsoft / Midnight Blizzard | Russia reads Microsoft executives' email. Test account. No MFA. At Microsoft. |
| 182 | LockBit Takedown | UK NCA leads Operation Cronos. 1,000+ decryption keys. Most prolific group disrupted. |
| 183 | Change Healthcare | 100M people. $22M paid. No MFA on Citrix. US healthcare payments halted for weeks. |
| 184 | AT&T | 73M. 2019 breach denied, 2024 data surfaces. Denial delays the reckoning. |
| 185 | Snowflake Campaign | Ticketmaster 560M, AT&T 110M, Santander 30M. No MFA on cloud accounts. 700M+ affected. |
| 186 | Synnovis / NHS London | UK: Blood tests cancelled. Surgeries postponed. O-type blood shortage. Patient data published. |
| 187 | CrowdStrike Outage | 8.5 million systems crashed. Not a breach — a faulty security update. The largest IT outage ever. |
| 188 | National Public Data | 2.9 billion records from a data broker you never heard of. Company goes bankrupt. |
| 189 | Transport for London | UK: 9 million daily journeys. 5,000 in-person credential resets. 17-year-old arrested. |
| 190 | Internet Archive | 31M accounts. The library of the internet. No mission exempts you. |
| 191 | Blue Yonder | UK: Morrisons, Sainsbury's disrupted. Supply chain vendor ransomware — year four. |
| 192 | US Treasury + Year Review | China breaches US Treasury via BeyondTrust. Sixteen years complete. |

192 articles. 2009 to 2024. The root causes have not changed. The controls have not changed. The choice is yours.

With 192 articles spanning sixteen years, the Anatomy of a Breach series has documented the most comprehensive history of the modern cyber threat landscape ever compiled. From HMRC's lost CDs (2007/2009) to the US Treasury's BeyondTrust compromise (2024). From SQL injection to AI-powered attacks. From £1,000 ICO fines to national emergency declarations. From data on CDs to data in the cloud. From teenage hackers to nation-state cyber warfare.

The attack techniques have evolved continuously. The scale has grown exponentially. The consequences have escalated from inconvenience to existential threat. But the root causes — unpatched systems, absent MFA, misconfigured infrastructure, supply chain trust, social engineering, and the persistent gap between security policy and implementation — remain unchanged from article #001 to article #192. The controls remain the same: penetration testing, Cyber Essentials certification, SOC in a Box monitoring, and incident response capability. Sixteen years of evidence. One conclusion. The organisations that implement these controls survive. The rest fill these pages.


192 breaches. Sixteen years. MFA still prevents the biggest breaches. Patching still matters. Testing still works. Act now.

<a href="/penetration-testing">Test</a>. <a href="/cyber-essentials">Certify</a>. <a href="https://www.socinabox.co.uk">Monitor</a>. <a href="https://www.cyber-defence.io">Prepare</a>. Sixteen years of evidence demands nothing less.
