The Most Expensive IT Incidents in History
A consolidated reference table of the most costly cyber incidents and IT outages on record. Costs are drawn from earnings filings, legal settlements, insurance analyses, and regulatory disclosures. Where an organisation has not disclosed a cost, independent estimates are noted.
Note: "Cost" figures vary by source and what is included (direct costs only vs. total economic impact including market cap loss). Where possible, direct company-disclosed costs are cited.
Master Incident Table
| Organisation | Year | Type | Est. Total Cost | Root Cause (Summary) | Primary Source |
|---|---|---|---|---|---|
| Change Healthcare (UHG) | 2024 | Ransomware | $2.87B+ | AlphV/BlackCat ransomware; UHG subsidiary | UHG 10-K filings, Congressional testimony |
| MOVEit (Cl0p campaign) | 2023 | Supply chain / SQL injection | $10B+ (industry-wide) | Zero-day in MOVEit file transfer software; 2,600+ victim orgs | KonBriefing research; legal filings |
| CrowdStrike Windows BSOD | Jul 2024 | Software update outage | $5.4B+ (Fortune 500 impact) | Faulty Falcon content update; 8.5M Windows devices offline | Parametrix insurance analysis; earnings reports |
| Equifax breach | 2017 | Data breach | $1.4B+ | Unpatched Apache Struts vulnerability; 147M records | Equifax legal settlement; FTC filing |
| Merck NotPetya | 2017 | Destructive malware / outage | $870M | NotPetya wiper malware; attributed to Russian GRU | Merck 10-K 2018 |
| Clorox ransomware | 2023 | Ransomware | $356M | Manufacturing disruption; 13 weeks of system outages | Clorox 10-K FY2024 |
| Maersk NotPetya | 2017 | Destructive malware / outage | $300M | NotPetya wiper; global shipping operations halted | Maersk annual report 2017 |
| Target breach | 2013 | Data breach | $292M | HVAC vendor credential theft; 40M credit cards, 70M records | Target 10-K; legal settlements |
| Capital One breach | 2019 | Data breach (cloud misconfiguration) | $190M+ | SSRF attack on misconfigured AWS WAF; 106M records | Capital One SEC disclosures |
| MGM Resorts ransomware | 2023 | Ransomware (social engineering) | $100M+ | Scattered Spider vishing + BlackCat ransomware; 9 days downtime | MGM 8-K filings |
| Uber breach + coverup | 2016/2022 | Data breach / coverup | $148M+ (settlement) | GitHub credentials; 57M records; $100K ransom paid to conceal the breach | FTC consent order; legal filings |
| AT&T breach | 2024 | Data breach | Ongoing (est. $200M+) | Snowflake-connected data theft; 73M+ records + call records of 109M | AT&T SEC disclosures; Reuters |
| SolarWinds supply chain | 2020 | Supply chain compromise | $100M+ (industry-wide) | Nation-state (SVR); Orion update backdoor; 18,000+ orgs affected | SolarWinds 10-K; SEC enforcement |
| Colonial Pipeline | 2021 | Ransomware | $4.4M ransom + weeks disruption | DarkSide ransomware; 5,600-mile fuel pipeline offline 6 days | DarkSide ransom payment; DOJ recovery disclosure |
| Caesars Entertainment | 2023 | Ransomware (social engineering) | $15M ransom paid | Scattered Spider; chose to pay vs disclose (unlike MGM) | Caesars SEC 8-K filing |
| 23andMe breach | 2023 | Credential stuffing + data breach | $30M+ settlement | Reused passwords; 6.9M user genetic profiles affected | 23andMe class action settlement |
| Sony Pictures hack | 2014 | Data theft + destructive malware | $35M+ | Lazarus Group (North Korea); employee data, emails, films leaked | Sony SEC disclosures; FBI attribution |
| British Airways breach | 2018 | Data breach | £20M (GDPR fine) + £23M operational | Card skimming script (Magecart) on booking page; 500K customers | ICO fine decision; BA filings |
| Okta breach (Lapsus$) | 2022 | Identity provider compromise | $6B market cap impact (est.) | Support contractor laptop compromise; Okta customers at risk | Okta disclosures; Lapsus$ claims |
Costs from public filings, legal settlements, insurance analyses, and regulatory disclosures. Updated April 2026. Some figures are estimates where direct disclosure is unavailable.
Incident Spotlights
The AlphV/BlackCat ransomware affiliate attack on Change Healthcare in February 2024 became the largest healthcare cyber incident in US history. UnitedHealth Group (Change's parent) disclosed $2.87B in direct costs by mid-2025, including the ransom payment (reportedly $22M in Bitcoin, later stolen from AlphV by a sub-affiliate). The attack disrupted prescription processing across the United States for weeks, forcing thousands of pharmacies to process prescriptions manually. Congressional hearings highlighted the systemic risk of healthcare IT concentration: Change Healthcare processed 50% of US medical claims.
On July 19, 2024, a faulty CrowdStrike Falcon content update caused 8.5 million Windows devices globally to enter a boot loop and display the Blue Screen of Death. Airlines, hospitals, banks, broadcasters, and emergency services were disrupted simultaneously. Parametrix estimated Fortune 500 companies suffered $5.4 billion in direct losses. Delta Air Lines alone claimed $500M in damages and filed a lawsuit against CrowdStrike. This was not a cyberattack, but an operational incident caused by insufficient testing of a production content update. It is a reminder that availability incidents from software providers can exceed the cost of targeted attacks.
The Cl0p ransomware group exploited a zero-day SQL injection vulnerability in Progress Software's MOVEit Transfer product in May 2023. Because MOVEit is a widely used file transfer tool in regulated industries, over 2,600 organisations were affected, including government agencies, banks, insurance companies, universities, and healthcare providers. KonBriefing Research estimated total industry-wide costs exceeded $10 billion. Notable victims included Shell, British Airways, the BBC, Aon, and multiple US federal agencies. This remains the most impactful supply chain ransomware campaign on record by number of organisations affected.
Methodology Note
Cost figures on this page represent the best available estimate from primary sources (SEC filings, earnings calls, 10-K annual reports, court filings, regulatory decisions). Where an organisation has not formally disclosed costs, independent analyses from insurance firms, research organisations, or news investigations are noted as estimates. Industry-wide costs (MOVEit, NotPetya) aggregate disclosed and estimated costs across all affected organisations and should be treated as rough orders of magnitude rather than precise figures.