Five Major Case Studies

Real incidents that shaped current regulation. Each one contains a direct lesson for board-level governance.

1.3 What Happened — And What It Means for Your Board

Case 1 — Jaguar Land Rover: Production Shutdown (2025)

In September 2025 a cyber attack forced JLR to take down the IT systems that its manufacturing lines depend on, halting vehicle production at its plants for roughly five weeks. Financial impact: hundreds of millions of pounds to JLR itself, with further losses across its supplier base. Key lesson: the 'air gap' between corporate IT and operational technology (OT) is largely a myth in modern connected manufacturing. A compromise of IT systems stopped physical production lines.

Board Question

Does your organisation have a documented, tested OT/IT separation policy? Has the board received a briefing on which physical operations could be halted by a cyber incident?

Case 2 — British Airways: Data Theft, £20M GDPR Fine (2018)

Attackers first gained a foothold in June 2018 using the compromised remote-access credentials of a third-party supplier's employee, then modified a JavaScript file on BA's own website so that payment and personal details entered by customers were silently copied to an attacker-controlled domain. The intrusion went undetected for more than two months; card data of roughly 430,000 customers (BA's initial estimate was 500,000) was skimmed over about two weeks before an outside party alerted BA in September 2018. The ICO fined BA £20M in 2020. Although the entry point was a supplier, BA bore the full regulatory penalty. Key lesson: third-party liability is your liability.

Case 3 — MOVEit Global Supply Chain Attack (Cl0p, 2023)

A zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer was exploited by the Cl0p extortion group to pull data from exposed servers in bulk. 2,500+ organisations and over 80 million individuals were affected. Many victims, including the BBC, British Airways and Boots, never ran MOVEit themselves; their data was taken from a payroll supplier that did. Shell and several US federal agencies were also affected. Because exploitation was automated across the internet, it started 72-hour breach notification clocks across dozens of jurisdictions at once. Key lesson: you can be breached through software you never bought.

Case 4 — MGM Resorts: Social Engineering, $100M+ Loss (2023)

In September 2023 attackers phoned MGM's IT helpdesk, impersonated an employee they had identified via LinkedIn, and talked the helpdesk into resetting that employee's credentials and MFA. From that foothold they gained administrative access to MGM's identity systems and deployed ransomware. Slot machines, hotel key cards, restaurant POS and reservation systems were offline for 10+ days; MGM put the cost at around $100M. No sophisticated technical exploit was needed: a phone call defeated the entire security stack.

Case 5 — SolarWinds: Nation-State Supply Chain (2020)

Russia's foreign intelligence service (SVR, tracked as APT29/Nobelium) compromised SolarWinds' software build environment and inserted a backdoor (SUNBURST) into digitally signed Orion updates. Up to 18,000 customers installed the trojanised update, including the US Treasury, DHS and Microsoft; from those, the attackers hand-picked a much smaller set for follow-on intrusion. The backdoored build shipped in March 2020 and was not discovered until December 2020, roughly nine months later, and then by a victim (FireEye) rather than the vendor. One of the most sophisticated supply chain attacks known: by targeting the software development process itself, the attackers had their code signed and trusted like any legitimate update.