Incident Analysis
In-depth guides and analysis on incident analysis from the Safeguard engineering team.
137 articles
Ascension Health Black Basta Ransomware: 5.6M Patients Impacted
Black Basta encrypted Ascension's network on May 8, 2024 via a malicious file downloaded by an employee, diverting ambulances across 140 hospitals and ultimately notifying 5.6 million patients.
Salt Typhoon Telco Intrusion: What We Know
Salt Typhoon breached at least nine U.S. carriers, exposing lawful intercept systems. We unpack the attack chain and what telcos must fix in 2025.
Zoom Incidents: Software Supply Chain Dimensions
Zoom's security history from 2020 onward reshaped how the industry thinks about conferencing software supply chains, from installers to third-party components.
Blue Yonder Termite Ransomware: SaaS Supply-Chain Outage in Retail
In November 2024 the Termite ransomware group hit Blue Yonder, taking workforce-management and logistics SaaS offline for Starbucks, Sainsbury's, and Morrisons. We unpack the SaaS supply-chain blast radius.
Schneider Electric Hellcat: Jira, Infostealers, and Baguette Ransoms
In November 2024 the Hellcat ransomware group breached Schneider Electric's Atlassian Jira via Lumma infostealer credentials. We unpack the SaaS supply-chain anatomy and the project-tracker as data target.
Port of Seattle Rhysida: Airport Ransomware and the Public-Sector Tail
On August 24, 2024, Rhysida ransomware took down Port of Seattle systems including Sea-Tac airport check-in, baggage, and the Port website. The Port refused a $6 million ransom. We unpack the case.
Mailchimp 2022-2023 Incidents: A Timeline
Mailchimp disclosed three social-engineering-driven intrusions in thirteen months; the timeline illustrates how repeated incidents shape vendor trust.
Slack 2022-2023 Incidents: Operational Retrospective
Slack disclosed a stolen-token incident over the 2022 holidays and a related GitHub repository access event; the operational lessons apply broadly.
LastPass 2022-2023: A Retrospective at Depth
A detailed walk through the two LastPass breaches of 2022 and their long 2023 tail, reconstructing how a developer laptop became a vault disclosure.
The GitHub Dependabot Token Incident: Retrospective
In 2023, attackers used stolen GitHub personal access tokens to push malicious commits masquerading as Dependabot; a short-sharp incident with lasting lessons.
CrowdStrike Falcon Global Outage: A Post-Mortem Deep Dive
A technical reconstruction of the July 19 CrowdStrike Falcon sensor crash that grounded 8.5M Windows hosts, and what supply chain owners should change.
CrowdStrike Falcon Update Triggers Global IT Outage: What Happened
On July 19, 2024, a faulty CrowdStrike Falcon sensor update caused 8.5 million Windows machines to blue-screen worldwide, grounding flights, halting hospitals, and exposing the fragility of centralized security infrastructure.