The Attack
In late 2024, a mid-sized manufacturing company received what looked like a routine email from a supplier. An accounts payable employee clicked a link and entered credentials on a convincing phishing page.
The attackers used those stolen credentials to connect to the company's VPN. Because MFA wasn't enabled on remote access, a username and password were all they needed.
Once inside, they spent 11 days conducting reconnaissance, escalating privileges, and positioning ransomware. On a Friday evening, they triggered the encryption.
Total cost: $350K ransom + $500K+ in recovery costs, plus lost production and remediation
The Damage
- 3 weeks of downtime — Production lines idle. Orders couldn't be processed.
- $350,000 ransom paid — After failed recovery attempts, leadership paid.
- $500,000+ in recovery costs — IR, forensics, system rebuilding, legal.
- Customer relationships damaged — Several long-term customers left.
- Insurance claim denied — MFA wasn't enabled despite the attestation.
Why Insurance Denied the Claim
The insurer's forensics team discovered MFA wasn't enabled on the VPN — despite the company attesting to it on their application. This is called material misrepresentation. The company was left holding the entire $850K+ bill.
The lesson: Your insurance application isn't paperwork to rush through. It's a legal attestation. If you claim to have MFA — you need to actually have it, configured correctly, and working.
What Could Have Prevented This
- MFA on VPN — The single most impactful control
- Security awareness training — Recognize and report phishing
- Network segmentation — Limit lateral movement
- Immutable backups — Can't be encrypted by attackers
- EDR with 24/7 monitoring — Detect the 11-day recon period
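The lesson above is that an MFA attestation has to be backed by evidence that the control is actually enforced on the VPN, and the first preventive control listed is MFA on that VPN. One way a defender can verify this before signing an insurance application is to audit the VPN gateway's authentication log for successful sessions that never presented a second factor. The script below is an added example, not code from the original case study or from any vendor; the log format and the sample lines are constructed for illustration (field names `user=`, `result=`, `mfa=`, `src=` are assumptions, not a real appliance's syntax), so the regex would need adapting to a real gateway's export.

```python
"""Audit VPN authentication logs for sessions established without a second factor.

Added example. The log line format is a constructed, hypothetical one; adapt
LINE_RE to the actual VPN appliance's export before using this on real data.
"""
import re
from dataclasses import dataclass

# Constructed sample log lines (hypothetical format, documentation-range IPs).
SAMPLE_LOG = """\
2024-11-04T18:02:11Z vpn-gw1 auth user=j.miller result=SUCCESS mfa=none src=203.0.113.45
2024-11-04T18:05:40Z vpn-gw1 auth user=a.chen result=SUCCESS mfa=totp src=198.51.100.7
2024-11-04T22:17:03Z vpn-gw1 auth user=j.miller result=SUCCESS mfa=none src=192.0.2.99
2024-11-05T03:41:55Z vpn-gw1 auth user=svc-backup result=SUCCESS mfa=none src=192.0.2.99
2024-11-05T08:12:20Z vpn-gw1 auth user=r.patel result=FAILURE mfa=none src=198.51.100.23
"""

# One regex for the assumed line layout; lines that do not match are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) result=(?P<result>\S+) "
    r"mfa=(?P<mfa>\S+) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    host: str
    user: str
    result: str
    mfa: str      # second-factor method, or "none" when only a password was checked
    src: str


def parse_log(text):
    """Parse the log text into AuthEvent records, ignoring malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(AuthEvent(**m.groupdict()))
    return events


def sessions_without_mfa(events):
    """Successful logins where no second factor was presented: each is a gap
    between what the insurance application claims and what the gateway enforces."""
    return [e for e in events if e.result == "SUCCESS" and e.mfa == "none"]


def mfa_coverage(events):
    """Fraction of successful logins that used a second factor (1.0 means the
    attestation holds for this log window); None when there were no logins."""
    ok = [e for e in events if e.result == "SUCCESS"]
    if not ok:
        return None
    return sum(1 for e in ok if e.mfa != "none") / len(ok)


def attestation_report(text):
    """Summarise the evidence a security lead would want before attesting to MFA."""
    events = parse_log(text)
    gaps = sessions_without_mfa(events)
    return {
        "successful_logins": sum(1 for e in events if e.result == "SUCCESS"),
        "without_mfa": len(gaps),
        "users_without_mfa": sorted({e.user for e in gaps}),
        "coverage": mfa_coverage(events),
    }


if __name__ == "__main__":
    report = attestation_report(SAMPLE_LOG)
    print(f"successful logins : {report['successful_logins']}")
    print(f"without MFA       : {report['without_mfa']}")
    print(f"accounts affected : {', '.join(report['users_without_mfa'])}")
    print(f"MFA coverage      : {report['coverage']:.0%}")
    if report["without_mfa"]:
        print("Do NOT attest to MFA on the VPN until these accounts are enforced.")
```

On the constructed sample, coverage is 25% and two accounts (one of them a service account) are logging in with a password alone, which is exactly the state the insurer's forensics team found. Run the same audit against the real gateway export over a full month, and treat anything below 100% as a finding to fix before the application is signed.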
Source: Adapted from Verizon 2025 DBIR manufacturing sector analysis