The Cost of a Breach
The largest data breaches in history share one thing in common: mainframe data.
The Common Thread
- Slow detection — breaches ran for days, weeks, or months before discovery
- Unclear scope — teams couldn't determine what was affected or when the compromise actually began
- Prolonged recovery — restoration took weeks to months because nobody knew which backups were clean
Breach Impact at a Glance
| Organization | Year | # Records | Total Cost | Recovery Time |
|---|---|---|---|---|
| UnitedHealth Group | 2024 | 192.7M | $3.09B | 2+ months |
| ICBC | 2023 | N/A | $9B capital infusion | Ongoing |
| Equifax | 2017 | 147M | $1.38B settlement | Replatformed |
| Office of Personnel Management | 2015 | 21.5M | $819M+ | 5+ years legal |
| Anthem Health | 2015 | 78.8M | $439M+ | 9+ years legal |
Jaguar Land Rover (2025)
Supply-chain credential compromise → mainframe lateral movement
Impact:
- 5+ weeks of production shutdown across Solihull, Halewood, and Castle Bromwich plants
- 43% drop in wholesale vehicle volume; £485M quarterly revenue loss (£559M after tax)
- £70M/day in estimated losses during peak shutdown
- £1.6–£2.1 billion total economic impact (direct + supply chain cascade)
- 1,200+ supplier firms disrupted; UK government issued £1.5 billion loan guarantee to stabilize supply chain
- Customer PII, dealer network credentials, and internal engineering documents exfiltrated
- CEO resignation; Board-level leadership restructuring
- Prior March 2025 incident (JIRA/Confluence credential leak via Hellcat affiliate) went inadequately remediated
Key Lesson: Mainframe-connected supply chain systems create catastrophic blast radius — a single compromised credential cascaded into the UK's largest automotive cyber disaster
Nevada State Government (2025)
Legacy databases targeted. Three weeks of government shutdown.
- State-wide government shutdown affecting ~20 state offices including DMV, Dept. of Health, and public safety
- 3+ weeks of service disruption affecting 3.2 million residents
- Data exfiltration confirmed; inadequate backup systems compounded recovery
UnitedHealth Group (2024)
A third of Americans affected. Nine days offline.
- 192.7 million Americans affected (per HHS filing, July 2025)
- $3.09 billion total cost — $2.2B direct response, $867M business disruption, $22M ransom paid (per Q4 2024 SEC filing)
- 94% of hospitals reported financial impact; 74% reported direct effect on patient care
Industrial & Commercial Bank of China (ICBC, 2023)
A VPN attack that disrupted $26 billion in U.S. Treasury trades.
LockBit 3.0 ransomware. The breach didn't just hit one company: it disrupted U.S. Treasury settlement operations and forced BNY Mellon, the sole settlement agent for Treasury securities, into manual processing.
- LockBit 3.0 RaaS deployment via compromised Citrix-managed VPN
- U.S. Treasury settlement operations disrupted; BNY Mellon forced to manually clear trades
- ICBC's head office made an emergency $9 billion capital infusion to cover uncleared trades
Equifax (2017)
One unpatched vulnerability. $1.4 billion. Complete replatforming.
- 147 million consumer financial records exposed, including Social Security numbers
- $1.38 billion settlement plus $1 billion committed to security transformation
- Complete infrastructure replatforming required post-breach
Anthem Health (2015)
Ten months undetected. $439 million documented. Attackers inside RACF-protected mainframe systems.
- 78.8 million healthcare records — largest HIPAA breach at the time; 1 in 4 Americans affected
- $439M+ documented cost: $260M recovery, $115M class-action settlement, $16M HIPAA penalty, $48.2M state AG settlements
- Ten months of undetected lateral movement inside mainframe-integrated infrastructure
Sources
- HIPAA Journal, "Anthem Inc. Settles State Attorneys General Data Breach Investigations," October 1, 2020
- U.S. Department of Justice, "Member of China-Based Hacking Group Indicted," May 2019
- Healthcare Finance News, "Anthem pays $16 million in record HIPAA settlement," October 2018
- BankInfoSecurity, "A New In-Depth Analysis of Anthem Breach," January 10, 2017
Office of Personnel Management (2015)
21.5 million security clearances. Fingerprints. Background investigations. Gone.
A state-sponsored cyber espionage campaign — attributed to China — penetrated OPM's mainframe systems and exfiltrated 21.5 million records including security clearance files, fingerprint data, and detailed background investigations. The attackers operated undetected for months.
- 21.5 million SF-86 security clearance records stolen, including 5.6 million fingerprints
- $819M+ documented cost: $756M in credit monitoring contracts, $63M class-action settlement (finalized October 2022)
- Attackers operated undetected from mid-2014 through discovery in April 2015; IG had warned of deficiencies since 2005
Sources
- Federal News Network, "Settlement in 2015 OPM data breach," January 7, 2025
- Government Executive, "A Judge Has Finalized the $63M OPM Hack Settlement," October 26, 2022
- CSO Online, "The OPM hack explained," February 12, 2020
- NBC News, "OPM: 21.5 Million People Affected By Background Check Breach," July 2015
