
What can go wrong?

One thing to note about cyberthreats is that it often doesn’t matter how big, small, or well-regarded your company is. Every organisation is susceptible to cyberthreats, and even the best companies have fallen victim to them from time to time.

Let’s have a quick look at some recent examples.

Uber Social Engineering

In September 2022, Uber experienced a significant cybersecurity incident that highlighted how even large organisations can be vulnerable to security breaches. The attack was carried out by an 18-year-old individual using a social engineering technique.

The attacker initially obtained an employee’s login credentials through a phishing attack. However, gaining credentials alone was not enough to access sensitive systems. The attacker also needed to bypass multi-factor authentication (MFA).

Using the stolen credentials, the attacker repeatedly sent MFA approval requests to the employee. The attacker then contacted the employee via WhatsApp, posing as a member of the organisation’s IT support team. By creating a sense of urgency and legitimacy, the attacker persuaded the employee to approve the request.

Once access was granted, the attacker was able to gain extensive access to internal systems, including communication platforms such as Slack, internal tools, and sensitive company information.

This incident highlights several key lessons:

  • Social engineering can bypass even strong technical controls, such as MFA
  • Human factors are often the weakest point in security
  • Security awareness and training are essential to prevent such attacks

For organisations operating under frameworks such as the UK GDPR, incidents like this can lead to serious consequences, including data breaches, regulatory penalties, and reputational damage.
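
The repeated MFA approval requests described in this incident leave a recognisable pattern in authentication logs: many rejected prompts for one user in a short time, sometimes ending in an approval. The following is an added example, not part of the original course material, showing one way to detect that pattern. The event format, the result values (`denied`, `timeout`, `approved`), the user names, and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push events: (timestamp, user, result). Not real log data.
SAMPLE_EVENTS = [
    ("2022-09-01T09:00:00", "user_b", "denied"),
    ("2022-09-01T09:00:30", "user_b", "approved"),
    ("2022-09-01T22:00:05", "user_a", "denied"),
    ("2022-09-01T22:01:10", "user_a", "timeout"),
    ("2022-09-01T22:02:00", "user_a", "denied"),
    ("2022-09-01T22:03:30", "user_a", "denied"),
    ("2022-09-01T22:04:15", "user_a", "timeout"),
    ("2022-09-01T22:05:40", "user_a", "denied"),
    ("2022-09-01T22:06:20", "user_a", "approved"),
    ("2022-09-02T10:00:00", "user_c", "timeout"),
    ("2022-09-02T10:40:00", "user_c", "timeout"),
    ("2022-09-02T11:20:00", "user_c", "approved"),
]

def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=5):
    """Flag bursts of rejected MFA pushes per user inside a sliding window.

    medium: rejected (denied/timeout) pushes reach the threshold.
    high:   an approval arrives while the window still holds such a burst.
    """
    recent = defaultdict(deque)   # user -> (timestamp, result) pairs in window
    alerts = []
    for ts_str, user, result in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        q = recent[user]
        q.append((ts, result))
        while ts - q[0][0] > window:          # drop events older than the window
            q.popleft()
        rejected = sum(1 for _, r in q if r in ("denied", "timeout"))
        if result == "approved" and rejected >= threshold:
            severity = "high"                  # burst ended in an approval
        elif result != "approved" and rejected == threshold:
            severity = "medium"                # burst just crossed the threshold
        else:
            continue
        alerts.append({"user": user, "time": ts_str,
                       "rejected_in_window": rejected, "severity": severity})
        if severity == "high":
            q.clear()                          # start fresh after escalation
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```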

GoDaddy Data Breach

In 2023, GoDaddy disclosed a long-running cybersecurity breach, highlighting the complexity and persistence of modern cyber attacks. The incident is believed to have begun in 2021, when attackers gained unauthorised access to GoDaddy’s systems.

While the exact method of entry was not publicly disclosed, the scale and duration of the breach indicate a highly sophisticated attack.

Once inside the systems, the attackers were able to maintain access over an extended period. This type of prolonged intrusion is often associated with advanced, targeted attacks designed to remain undetected.

During this time, attackers accessed sensitive data, including customer information and system resources. They were also able to install malicious software and interfere with website hosting environments.

A significant impact of the breach was on Managed WordPress customers, with approximately 1.2 million accounts affected.

This incident highlights several important lessons:

  • Cyber attacks can remain undetected for long periods
  • Attackers may target both data and infrastructure
  • Large-scale breaches can affect millions of users
  • Continuous monitoring and timely detection are critical

For organisations operating under regulations such as the UK GDPR and the Data Protection Act 2018, breaches of this nature can lead to serious legal, financial, and reputational consequences.

Cybersecurity Breach at Capita (United Kingdom)

In 2023, Capita, a major UK outsourcing company providing services to government departments, local authorities, and critical public services, experienced a significant cybersecurity breach.

Attackers gained unauthorised access to parts of Capita’s IT systems, resulting in the compromise of sensitive data.

Reports indicated that the exposed information may have included personal details of employees, pension scheme members, and data linked to public sector services.

The attack had a direct operational impact. Capita had to take systems offline to contain the breach, which disrupted services for several clients, including local councils and public sector organisations.

This incident highlights several key risks:

  • Cyber attacks can disrupt essential public functions
  • Sensitive personal and financial data is a high-value target
  • Data breaches can lead to identity theft and fraud
  • Operational disruption can affect multiple organisations

In the UK, this incident drew attention from the Information Commissioner's Office (ICO), reinforcing the importance of strong cybersecurity controls and timely breach reporting.

For organisations in the UK, incidents like this fall under regulatory frameworks such as the UK GDPR and the Data Protection Act 2018.

Last modified: Monday, 11 May 2026, 12:44 PM