Cybersecurity Horror Stories: Tales from the Trenches
As Cybersecurity Awareness Month draws to a close and Halloween approaches, we thought it would be fitting to share some spine-chilling “horror” stories from our OnDefend experts.
These tales are a reminder of the dangers that sometimes lurk in the most obvious sources. From phishing attacks to data center nightmares, here are five real-life cybersecurity stories that will give you goosebumps!
1. A Heist from Inside the Data Center
Wayne Loveless, OnDefend Managing Director of Strategic Services
Several years ago, I led a large team tasked with designing and implementing security controls for a massive, newly built hospital. The facility had already opened, even though it was still being built from an IT perspective. My primary concern was the lack of physical security controls. For instance, the hospital’s main data center, which served not only the local hospital but the entire Washington D.C. region, had doors propped open, and access was practically free for all.
After repeatedly raising the issue to senior leadership without action, I decided to take matters into my own hands—with the CIO’s permission, of course. I left my badges in the car, put on some scrubs, and walked right into the data center, past several checkpoints without being stopped. I then wheeled out a rack containing patient data right out of the front doors of the hospital, assisted by staff along the way.
I sent a selfie to the regional CIO, showing myself with the stolen equipment. It worked like a charm—security was quickly and dramatically improved. Sometimes, it takes a little trickery to deliver the treat of better protection!
2. The Ghost in the Network
Aaron Rosenmund, OnDefend Senior Director of Programs and Tradecraft
The phone rang for the third time in 10 minutes. Our IT support team, utterly exhausted after weeks of around-the-clock shifts, answered yet another call from a team member unable to access mission-critical resources. Machines were mysteriously dropping off the network, and the ports were locking. Logs indicated MAC address mismatches, making it seem like someone was spoofing devices.
The team suspected everything from insider threats to advanced malware, but there was little evidence to go on. It wasn’t until we isolated and baselined one of the systems in the lab that the truth emerged—a rare, misconfigured network switch was causing all the chaos. No hacker, no malware—just a simple configuration error wreaking havoc on an entire mission-critical system.
Sometimes, the biggest horror stories are not from advanced cyberattacks but from the small mistakes that get overlooked during high-pressure situations.
3. The MRI Machine That Opened Pandora’s Box
Joe Brinkley, OnDefend’s Director of Offensive Security
During a penetration test for a hospital, we stumbled upon an old MRI machine running Windows Server 2003—ancient by today’s standards. Exploiting known vulnerabilities in the system, we gained access. But what we uncovered next was truly terrifying.
From this single machine, we cracked passwords, infiltrated the hospital’s local domain, and compromised more accounts. Then, we gained access to a connected vendor’s domain and VPN, escalating our privileges. In the end, we had the ability to steal sensitive patient data from multiple organizations undetected.
The experience was a chilling reminder that even seemingly innocuous devices can become powerful tools for cybercriminals if left unprotected.
4. Even the Experts Aren’t Immune
Billy Steeghs, OnDefend COO
Phishing attacks are one of the most effective tactics used by cybercriminals. We were conducting a phishing and social engineering test for a client. After presenting the results, we realized that the person who had initiated the test and signed the contract had fallen for the phishing attempt. Despite being fully aware of the exercise, they unknowingly provided their credentials.
It was a humbling reminder that no one is immune. Even those who organize the tests can be caught off guard. It just goes to show how convincing and dangerous phishing attacks can be—especially when they target human behavior.
5. A Web App Pentest Turned Real-Life Nightmare
Evan Hosinski, OnDefend’s Senior Tradecraft Engineer
One of the most frightening experiences I’ve had was during a web application pentest for a medical company. They relied on a third-party vendor to generate all their PDFs linked to medical records. After some probing, I found the vendor’s site and a version number that led me to a series of vulnerabilities (CVEs). Using this information, I developed a tool that could brute force random patient IDs, giving access to medical records.
When I presented my findings, the client dismissed it as an unlikely scenario, saying it would require insider access. Fast forward a few months, and the same company made the news—hundreds of medical forms were leaked due to the exact type of brute force attack I had warned them about. This was not a database leak but a targeted attack, and they paid the price for not taking the threat seriously.
Final Thoughts
From phishing attacks and unsecured data centers to unpatched machines and network misconfigurations, these real-life stories remind us that even the most well-prepared organizations can fall victim to cyber threats. The lesson here? Always stay vigilant and never underestimate the power of even the smallest vulnerabilities—they might just turn into your next horror story.
About OnDefend
OnDefend, established in 2016, stands at the forefront of preventative cybersecurity testing and advisory services, a reputation further enhanced by the introduction of its advanced Breach and Attack Simulation (BAS) Software as a Service (SaaS) platform, BlindSPOT. OnDefend is a trusted partner, empowering organizations globally to proactively combat real-world cyber threats. From ensuring compliance with industry standards to building out mature security programs, our mission is to ensure that the security resources our customers invest in are well-utilized, effective, and provide tangible results. For more information about our services and solutions, please visit http://www.ondefend.com/
OnDefend Media Contact:
Lauren Verno, Media@ondefend.com
904-299-3669