GTconsult - Blog #ProtectionGTconsult - Blog #Protectionhttps://www.gtconsult.com/blogs/tag/protectionThu, 23 Apr 2026 08:37:45 -0700http://zoho.com/sites/<![CDATA[Your SharePoint Could Be an Open Door. Here's What Every Business Leader Needs to Know.]]>https://www.gtconsult.com/blogs/post/your-sharepoint-could-be-an-open-door.-here-s-what-every-business-leader-needs-to-know.SharePoint On-Premises has been under active attack since July 2025. Multiple critical vulnerabilities. A patch deadline approaching in 83 days. Here is what every business leader needs to know right now.]]>

If your organisation runs SharePoint On-Premises, this is not a drill.


Over the past several months, a series of critical vulnerabilities have been discovered and actively exploited in on-premises Microsoft SharePoint environments. These are not theoretical risks sitting in a security researcher's lab. They are real attacks against real organisations, happening right now.


And if you haven't acted yet, you may already be exposed.

What's actually happening?

In July 2025, Microsoft disclosed a critical vulnerability known as ToolShell (CVE-2025-53770), rated 9.8 out of 10 on the severity scale (where 10 is the most dangerous possible). This vulnerability affected all supported versions of SharePoint On-Premises: SharePoint Server 2016, 2019, and Subscription Edition.

What made this particularly alarming was that attackers didn't need a password or any prior access to your system. If they could reach your SharePoint server, they could get in.

Before Microsoft could fully patch the issue, more than 400 organisations globally had already been compromised, including US government agencies. Chinese state-sponsored threat actors were among those identified, alongside ransomware groups who exploited the same vulnerability for financial gain.

That was 2025. In 2026, the attacks have continued.

In January 2026, Microsoft disclosed a new critical SharePoint vulnerability (CVE-2026-20963, also rated 9.8) affecting all supported on-premises versions. By March 2026, CISA (the US Cybersecurity and Infrastructure Security Agency) added it to their Known Exploited Vulnerabilities catalogue, confirming it was being actively used in attacks. Federal agencies were ordered to patch immediately.

Then, just this month in April 2026, Microsoft's Patch Tuesday (the largest in Microsoft's history by CVE count) included yet another actively exploited SharePoint zero-day: CVE-2026-32201. This is a spoofing vulnerability that allows an unauthenticated attacker to inject malicious scripts into SharePoint pages, potentially stealing session tokens, redirecting users to malicious content, or enabling broader phishing and ransomware campaigns. It was being exploited in the wild before today's patch was available.

And there is one more date that SharePoint Server 2016 and 2019 customers need to know: 14 July 2026. That is when both versions reach end of support. After that date, Microsoft will no longer release security patches for SharePoint Server 2016 or 2019, meaning any vulnerability discovered after July 2026 will remain permanently unpatched on those versions. SharePoint Server Subscription Edition is not affected by this deadline and remains supported under Microsoft's Modern Lifecycle Policy with no fixed end date.


In less than 12 months, SharePoint On-Premises has been the subject of multiple critical, actively exploited vulnerabilities. 
This is not a one-off event. It is a pattern. And for SharePoint Server 2016 and 2019 customers specifically, the safety net 
of Microsoft security patches disappears entirely in 90 days.

Why should a business leader care?

SharePoint is not just a file storage system. For many organisations, it is the central nervous system of the business, holding sensitive documents, running workflows, storing employee data, and connecting to other Microsoft services like Teams, Outlook, and OneDrive.

When an attacker gets into SharePoint, they don't just see your files. They can:

  Move laterally across your entire Microsoft environment

  Access sensitive business and personal data

  Install backdoors that persist even after patches are applied

  Deploy ransomware across your network

  Steal credentials and impersonate trusted users

And here is the part that should concern every business leader most: you may not know it has happened. These attacks are designed to be quiet. By the time you notice something is wrong, the attacker may have been inside your systems for weeks or months.

Do you run SharePoint On-Premises (not SharePoint Online)?

If yes, read on.

When last did your IT team apply Microsoft security patches

to your SharePoint servers?

Is your SharePoint accessible from outside your office network

(via VPN or directly)?

Do you have monitoring in place

to detect unusual activity on your SharePoint environment?

Has your team assessed whether you may have been compromised

during the 2025 or early 2026 attack waves?

If you answered yes to the first question and no to any of the others, your organisation is carrying unnecessary risk.


Important note: If you run SharePoint Online (part of Microsoft 365), you are not affected. Microsoft patches cloud 
environments automatically. This risk applies specifically to organizations hosting their own SharePoint servers.

Why should a business leader care?

This is not a moment for a committee to review and report back in 30 days. The following actions need to be on your IT team's desk this week:

1. Patch immediately

Microsoft has released security updates for all supported SharePoint On-Premises versions. Your IT team needs to apply the latest cumulative security patches. For the Subscription Edition, this means applying January, February, and March 2026 updates in sequence, as well as the April 2026 Patch Tuesday updates released this week.

2. Rotate your cryptographic keys

Patching alone is not enough. Microsoft explicitly advises that organisations rotate their SharePoint server ASP.NET machine keys and restart IIS on all SharePoint servers after patching. This closes a backdoor that attackers may have established even before you patched.

3. Assume you may already be compromised

If your SharePoint was accessible from the internet at any point between July 2025 and now and you have not already conducted a compromise assessment, security experts strongly recommend you assume a breach has occurred and investigate accordingly. Patching closes the door, but it does not evict anyone already inside.

4. Enable monitoring

Set up alerts for unusual activity: failed login spikes, unusual outbound traffic, PowerShell executions on SharePoint servers, and large unexpected data downloads. These are the warning signs of an active attack or a persistent threat already inside your environment.

5. Plan for the future

This is not the last SharePoint vulnerability we will see. Organisations that run on-premises SharePoint need a structured, recurring patch management process, not a reactive scramble every time a critical CVE makes the news.

The hard question: is On-Premises still the right choice?

We are not here to tell every organisation to move to the cloud. There are legitimate reasons (regulatory requirements, data sovereignty, legacy integrations) why some organisations must keep SharePoint On-Premises.

But the security overhead is real and growing. Every critical vulnerability that Microsoft patches in the cloud automatically means nothing to an on-premises customer who hasn't applied the update. The responsibility sits squarely with your IT team, and the window between disclosure and exploitation is shrinking.

And then there is the end-of-life reality. SharePoint Server 2016 and SharePoint Server 2019 both reach end of support on 14 July 2026, just 90 days from now. After that date, Microsoft will release no further security patches for either version. Any vulnerability discovered after July 2026 will remain permanently unpatched on those platforms. If you are running SharePoint Server Subscription Edition, you are not affected by this deadline — it remains supported with no fixed end date. But if you are on 2016 or 2019, the options are clear: migrate to SharePoint Online, upgrade to SharePoint Server Subscription Edition, or accept an ever-growing security exposure with no vendor safety net.

If you are running On-Premises purely out of habit, inertia, or because it has always been that way: the clock is no longer just ticking. It has nearly run out.

Where GTconsult can help

We work with organisations on exactly these challenges. Whether you need help patching and hardening your current SharePoint environment, assessing whether you have already been compromised, setting up monitoring and alerting, evaluating a migration to SharePoint Online, or conducting penetration testing and vulnerability assessments: we have the expertise to help.

Not sure where to start?

Chat to us and let's help you navigate this change.

Book a Free Consultation with Our Technical Account Manager, Trevin
]]>Thu, 23 Apr 2026 11:47:43 +0000<![CDATA[If You Haven't Tested Your Security, You Don't Actually Know If It Works]]>https://www.gtconsult.com/blogs/post/if-you-haven-t-tested-your-security-you-don-t-actually-know-if-it-worksMost businesses have security in place. But when last did anyone test if it actually works? Discover why penetration testing is the difference between assuming you're secure and knowing you are.]]>

Most businesses have some form of security in place. Firewalls. Antivirus. Maybe an MFA policy that someone set up a while back. And on paper, that feels like enough.

But here's the uncomfortable question: when last did anyone actually test whether it holds up?

Not a checklist. Not a vendor assurance. An actual, deliberate attempt to break through it, the way an attacker would.

Because there's a significant difference between having security and having security that works.

The gap most businesses don't see

Cyber threats aren't theoretical anymore. South Africa is consistently ranked among the most targeted countries on the continent for cyber attacks (and attackers aren't just going after the big corporates). SMEs are increasingly in the crosshairs precisely because they tend to have fewer defences.

What makes this particularly tricky is that most vulnerabilities aren't obvious. They don't announce themselves. They sit quietly in your environment, in a misconfigured permission, an unpatched API, a login page that accepts inputs it shouldn't — waiting for someone who knows what to look for.

And the reality is, the people building and maintaining your systems are focused on making things work. That's the job. Security is a different discipline entirely, and it requires a very different mindset — one that's actively looking for what can go wrong, not just what works.

Most breaches don't happen because nobody checked whether the security they had was actually doing its job. businesses had no security. They happen because

What a penetration test actually does

A penetration test (done properly) is a controlled, authorised attempt to compromise your systems before a real attacker does.


It's not a automated scan. It's not a report that lists every CVE in your environment and calls it a day. It's someone thinking the way an attacker thinks, probing for the paths that matter, and documenting exactly what they found, how they found it, and what the business impact actually is.


The output isn't just a list of vulnerabilities. It's clarity. You walk away knowing:


Where your real exposure is, not just theoretical risk
What an attacker could realistically access or do
Which fixes will have the biggest impact on actual security
Whether your existing controls are doing what you think they're doing

That last one matters more than people realise. It's not uncommon to find a control that's been in place for years, that everyone assumes is working, that a pen tester can walk straight through in under an hour.

The business case for testing before something goes wrong

There's a version of this conversation that happens after an incident. After a breach. After data has been exfiltrated, or systems have been locked down by ransomware, or a client calls asking why their data appeared somewhere it shouldn't.


That conversation is expensive. Remediation is expensive. Reputational damage is expensive. Regulatory exposure (especially under POPIA) can be very expensive.


A penetration test, run proactively, finds the same problems before they become incidents. It's the difference between fixing a lock and explaining to your clients why their data is gone.


We've seen it go both ways. Businesses that test regularly catch things early and fix them quietly. Businesses that don't, often find out the hard way — and at the worst possible time.

Read about what happens when you are proactive.

How often should you be testing?

There's no universal answer, but a good rule of thumb: any time something significant changes in your environment, test it. New application deployed. Major infrastructure change. New cloud integration. After a security incident, even a minor one.

Beyond that, most organisations benefit from at least an annual assessment, more frequently if you're in a regulated industry or handle sensitive data at scale.

The point isn't to test for the sake of testing. It's to make sure that as your environment evolves, your security posture evolves with it. Because attackers aren't standing still, and neither are the techniques they use.

Find out where your exposure actually is, before someone else does.

GT Consults offers penetration testing for web applications, internal networks, APIs, and cloud environments. We give you a clear picture of your real risk — and exactly what to do about it.

Book a Pen Test Consultation
]]>Tue, 17 Mar 2026 10:52:00 +0000<![CDATA[The Secure Score Improvement Trap (And How to Avoid It) ]]>https://www.gtconsult.com/blogs/post/the-secure-score-improvement-trap-and-how-to-avoid-itMost IT teams chase high-point Secure Score recommendations without strategy, leading to wasted effort and declining scores. Learn why "quick wins" fail, how to prioritize based on actual risk instead of points, and build sustainable improvements that stick—avoiding the trap of configuration drift.]]>

You know your Secure Score should be higher. You've read about configuration drift eating away at your security posture. You understand that lack of capacity is keeping your score stuck.

This is the trap most IT teams fall into: they start implementing recommendations in order of points or ease, without understanding which changes actually matter for their specific risk profile—or how to sustain improvements once they're made.


The result? Wasted effort on low-impact changes, broken workflows from poorly planned implementations, and scores that plateau or even decline despite your best efforts.

Why Most Secure Score Improvement Efforts Fail

The typical approach looks something like this: open the Microsoft Defender portal, see a list of recommendations, pick the ones worth the most points or that seem easiest, and start implementing.


Three months later, your score has barely moved. Or it moved briefly and then dropped back down. Or you've spent weeks on improvements that broke critical workflows and had to be rolled back.


The problem isn't lack of effort. It's lack of strategy.


Effective Secure Score improvement requires understanding three things most teams skip:

Which improvements actually address your organization's risk profile

A 10-point recommendation that protects against threats you don't face is wasted effort. Meanwhile, a 3-point recommendation that closes a critical gap specific to your industry might be essential. Points don't equal priority.

The sequence and dependencies between changes

Some security improvements need to happen in specific order. Others interact in ways that can break functionality if you don't understand the technical relationships. Implementing changes in the wrong sequence wastes time on rework and troubleshooting.

How to build monitoring and maintenance into your workflows

Configuration drift is inevitable. The question isn't whether your settings will drift from their intended state—it's whether you'll catch it when they do. Without systematic monitoring, improvements degrade over time and your score reflects it.

The Hidden Complexity of "Simple" Recommendations

Let's take what seems like a straightforward recommendation: enable MFA for all users.


Sounds simple, right? But actually implementing it requires understanding:

  • Which users already have MFA and which don't
  • Whether you have Conditional Access policies that conflict
  • Which applications might break with MFA enforcement
  • How to handle service accounts and automated processes
  • What exceptions might be legitimately needed
  • How to communicate changes to users effectively

Get any of these wrong and you'll spend more time fixing problems than you saved by implementing the recommendation.


This pattern repeats across every recommendation in your Secure Score. What looks like a configuration change on the surface requires strategic thinking about business impact, technical dependencies, and change management.

Why Quick Wins Aren't Always Quick

IT teams often start with "quick wins"—recommendations that promise high point values with supposedly minimal effort.


The problem is that "quick" depends entirely on your environment's current state and complexity. Blocking legacy authentication might take 15 minutes in one organization and require weeks of application modernization in another.


More importantly, chasing points without understanding impact leads to a dangerous pattern: implementing changes that raise your score but don't actually improve your security posture in meaningful ways for your specific risk profile.


The organizations that successfully improve their Secure Score don't focus on quick wins first. They focus on right wins—improvements that align with their actual threat landscape and business priorities, regardless of point value.

The Sustainability Problem

Here's what happens in most organizations: someone dedicates focused time to Secure Score improvements. Over a few weeks or months, the score increases. Victory!


Six months later, the score has drifted back down. Temporary exceptions became permanent. New users onboarded without inheriting security policies. Applications deployed without security review.


The improvements weren't sustained because they weren't integrated into operational processes. Security became a project with an end date, not an ongoing practice.


Sustainable Secure Score improvement requires building security into your regular workflows:

  • User onboarding processes that automatically apply security policies
  • Regular reviews of exceptions and elevated access
  • Monitoring that flags when configurations drift from baseline
  • Documentation that survives staff turnover


Without these processes, you're constantly fighting to maintain improvements instead of compounding them over time.

What Actually Works

Organizations that successfully improve and maintain their Secure Score approach it systematically:


They understand their current state before implementing anything. Where are the critical gaps? Which recommendations address real risks versus checking compliance boxes? What's the business impact of each change?


They prioritize strategically, not by points. High-impact security improvements for their specific environment come first, even if they're worth fewer points than easier changes.


They test before deploying widely. Pilot changes with a small group. Identify and address issues. Then expand systematically with proper change management.


They build monitoring into operations. Regular review processes catch drift before it becomes significant. Documentation ensures knowledge doesn't live in one person's head.


They know when to get help. Some improvements require specialized expertise most internal teams don't have time to develop. Recognizing this early prevents wasted effort on approaches that won't work.

The Path Forward Depends on Your Situation

Some organizations can improve their Secure Score significantly with internal resources—if they have the right strategic approach and dedicate consistent effort over time.


Others reach a plateau where further improvement requires either:

  • Specialized Microsoft 365 security expertise their team hasn't developed
  • Time investment their team genuinely doesn't have capacity for
  • Licensing and tools their current budget doesn't include


Neither scenario is wrong. The question is whether you're willing to accept your current risk level or invest in further improvement.


But regardless of which path you choose, attempting Secure Score improvement without a systematic approach leads to wasted effort, broken workflows, and minimal sustained progress.

See the Strategic Approach In Action

Understanding why most Secure Score improvement efforts fail is one thing. Knowing how to avoid those pitfalls and implement changes that actually stick is another.

Join our security analyst, Kyle Farr, on 10th of February 2026 for a live demonstration of strategic Secure Score improvement:

  • Current state analysis - How to assess your score breakdown and identify what actually matters for your risk profile (not just point values)
  • Prioritization framework - The decision criteria for determining which recommendations to tackle first based on business impact and technical dependencies
  • Live implementation walkthrough - Watch a real security control get configured with proper testing and rollback planning
  • Monitoring and sustainability - Building the processes that catch drift before it degrades your security posture
  • Q&A for your specific challenges - Get answers about your environment's blockers and constraints

This isn't theory or generic advice. It's a practical demonstration of the systematic approach that separates successful Secure Score improvement from wasted effort.

📅 February 10, 2026 | 4:00 PM - 5:00 PM SAST

Register For FREE

If you've been stuck between understanding your security gaps and actually addressing them effectively, this is the bridge you need.

]]>Thu, 05 Feb 2026 20:45:54 +0000<![CDATA[The Five Most Common Vulnerabilities Uncovered During Penetration Testing ]]>https://www.gtconsult.com/blogs/post/the-five-most-common-vulnerabilities-uncovered-during-penetration-testing-real-life-lessonsDiscover the five most common vulnerabilities from real 2023-2025 breaches. Learn how weak passwords bankrupted 23andMe and unpatched systems exposed 193M records—and how penetration testing prevents these devastating attacks.]]>

Real-Life Lessons

Now, more than ever, most organizations only discover their security weaknesses after an attack. But it does not have to be that way, a lot these attacks could have been prevented if organizations just had a proactive approach rather than a reactive one when it comes to their cybersecurity. 

Penetration testing simulates real-world attacks to identify and help remediate security vulnerabilities before malicious actors can exploit them.

The Uncomfortable Truth About Modern Cybersecurity

If you’re a security professional, and even if you aren’t actually, this question may have crossed your mind before:

 

**If Microsoft, Google, and healthcare giants with unlimited security budgets can be breached, what chance do we have?**

 

The answer might surprise you—and it starts with understanding that these breaches weren't the result of sophisticated attack chains or unknown zero-day exploits.

 

They failed because of the same vulnerabilities we discovered in majority of penetration tests.

Why This Matters to Your Organization 

You might be thinking: 


*"We're not Microsoft. We're not a target for these attacks."*

 

That's precisely the mindset that creates vulnerability.

 

The attacks that compromised Microsoft or any of the organizations in this blog weren't sophisticated. They were opportunistic. Attackers used password spraying—a technique so basic it's covered in entry-level security courses.


Your organization doesn't need to be "important enough" to be targeted. You just need to be vulnerable enough to be profitable.


Let's have a look at the five common vulnerabilities we've uncovered during penetration testing.

 

1. Weak or Reused Passwords

23andMe (2023-2024): In 2023, 23andMe experienced a credential stuffing attack that exposed genetic data of approximately 7 million customers—roughly half of the service's userbase. The breach had devastating consequences, with the biotech company filing for Chapter 11 bankruptcy in March 2025. The UK Information Commissioner's Office fined 23andMe £2.3 million for failing to implement mandatory multi-factor authentication and secure password requirements. This demonstrates the catastrophic business impact that credential-based attacks can have on organizations.


Snowflake Breaches (2024): The Snowflake breach in late 2024 exposed customer data where improperly secured accounts—some without multifactor authentication—were used to exfiltrate information. This breach affected multiple organizations using the platform and highlighted how weak authentication practices can have cascading effects across an entire ecosystem.


The Scale of the Problem: In 2025, researchers discovered 16 billion exposed credentials from 30 different databases, primarily harvested by infostealer malware campaigns, representing the largest credential breach compilation recorded to date. Analysis of data leaks from 2024-2025 reveals that 94% of passwords are reused or duplicated, with only 6% being unique.

Weak or reused passwords are one of the easiest ways for attackers to gain unauthorized access. Despite widespread use of multi-factor authentication (MFA), poor password practices remain a primary entry point for attacks.


Prevention:

  • Enforce complex, unique passwords and implement MFA
  • Conduct regular password audits
  • Educate employees about password hygiene

Pen Test Role: Pen testers use brute-force attacks, credential stuffing, and password spraying to uncover weak or reused passwords across systems.

2. Unpatched Systems & Software

Change Healthcare (2024): In February 2024, United Health-owned prescription processor Change Healthcare suffered a massive ransomware attack that cost the company $2.457 billion and exposed the private data of approximately 193 million individuals—making it the largest healthcare data breach ever reported. The ALPHV/BlackCat ransomware group exploited a Citrix remote access service that lacked multi-factor authentication. This breach disrupted healthcare services across the United States, affecting 94% of hospitals and preventing billions of dollars in claims processing.


MOVEit Transfer (2023): In May 2023, the CLOP ransomware gang exploited a zero-day SQL injection vulnerability (CVE-2023-34362) in Progress Software's MOVEit Transfer application. By the end of 2023, the attack had compromised more than 2,700 organizations and exposed approximately 93.3 million personal records, with total damages estimated at $12.15 billion. High-profile victims included British Airways, the BBC, Shell, the U.S. Department of Energy, and numerous universities. This breach highlighted the critical importance of rapid vulnerability patching and the devastating consequences of zero-day exploits.


AVTECH IP Cameras (2024): In August 2024, security researchers discovered an unpatched vulnerability in AVTECH IP cameras used in critical infrastructure was being exploited to spread Mirai malware, despite the vulnerability being known since 2019. This five-year delay in addressing a known vulnerability put essential services at risk.

Outdated systems and unpatched software are among the most common vulnerabilities exploited by attackers. Missing security updates can allow attackers to leverage known vulnerabilities to compromise systems.


Prevention:

  • Maintain a robust patch management program
  • Conduct regular vulnerability scans
  • Prioritize patching critical systems


Pen Test Role: Pen testers identify unpatched systems and attempt to exploit publicly known vulnerabilities (CVEs) to assess the potential impact.


3. Misconfigured Permissions & Access Controls

Microsoft Breach (2024): In late 2023 (discovered January 2024), state-backed cyber espionage group Midnight Blizzard (also known as APT29, Nobelium, and CozyBear) gained access to Microsoft leadership and cybersecurity team emails. The attackers used password spraying attacks against a legacy test account that lacked multi-factor authentication and had elevated access. They then exploited a legacy OAuth application that granted full access to all mailboxes in the organization. Even one of the world's leading technology companies fell victim to misconfigured access controls and orphaned test accounts.

Marks & Spencer (2025): In May 2025, M&S suffered a major cyberattack attributed to the "Scattered Spider" group deploying DragonForce ransomware, potentially linked to vulnerabilities in its IT outsourcing partner Tata Consultancy Services, with an expected £300 million profit loss. This breach demonstrates how misconfigurations in third-party relationships can have massive financial consequences.

Western Alliance Bank (2025): Western Alliance Bank experienced a data breach in March 2025, stemming from exploitation of a zero-day vulnerability in a third-party secure file transfer tool provided by Cleo. The Clop ransomware group gained unauthorized access to approximately 22,000 customers' sensitive information, highlighting vulnerabilities in supply chain security.

Prevention:

  • Enforce least-privilege access principles
  • Regularly review and audit permissions
  • Segment networks and sensitive data appropriately
  • Remove legacy and test accounts with elevated privileges


Pen Test Role: Pen testers attempt privilege escalation, unauthorized access, and lateral movement to uncover misconfigurations.



4. Insufficient Network Monitoring & Logging

Office of the Comptroller of the Currency (2025): In early 2025, the U.S. OCC identified suspicious interactions between a system administrative account and internal user mailboxes—activity that had gone undetected for months, raising concerns about the agency's visibility into its systems and the effectiveness of its logging practices. This breach at a federal financial regulator highlighted how even government agencies struggle with monitoring gaps.


AT&T Breach (2022-2024): AT&T confirmed a significant data breach involving unauthorized access to its Snowflake cloud storage environment. The breach occurred between May 1, 2022, and October 31, 2022, but wasn't detected until April 2024—a detection delay of nearly two years. The breach exposed over 86 million records, including Social Security Numbers. This prolonged detection window allowed attackers extensive time to access and potentially monetize sensitive customer data.

Without effective monitoring and logging, suspicious activity can go undetected, giving attackers more time to exploit vulnerabilities and exfiltrate data.

Prevention:

  • Implement centralized logging and real-time monitoring solutions
  • Regularly analyze logs for anomalies
  • Set up automated alerts for suspicious activity
  • Establish baseline behavior to detect deviations


Pen Test Role: Pen testers attempt to bypass detection and exfiltrate data to identify gaps in monitoring systems and incident response processes.

5. Human Error & Social Engineering Vulnerabilities

Coinbase (2025): In May 2025, Coinbase confirmed a breach when cybercriminals bribed overseas support staff to leak sensitive customer data, including names, birthdates, email addresses, and partial Social Security numbers. Attackers used this data to orchestrate highly targeted social engineering attacks against customers. This breach highlighted the vulnerability of outsourced operations and the human element in security, demonstrating that even financial incentives can compromise insider threats.


Google Salesforce Breach (2025): In August 2025, Google confirmed a data breach from a compromised Salesforce-hosted corporate database. The hacking group ShinyHunters gained access through social engineering by impersonating IT support staff and tricking a Google employee into approving a malicious application. Even at tech giants with sophisticated security teams and trained personnel, social engineering remains remarkably effective.


Workday Breach (2025): On August 18, 2025, Workday disclosed a data breach stemming from a social engineering campaign where threat actors impersonated HR or IT staff. They contacted employees by phone or text to trick them into granting access to a third-party CRM platform. This demonstrates the evolving sophistication of social engineering tactics and the importance of verification procedures for access requests.

Humans are often the weakest link in cybersecurity. Attackers use phishing, pretexting, impersonation, and other social engineering tactics to manipulate employees into granting access.

Prevention:

  • Conduct ongoing security awareness training
  • Simulate phishing campaigns regularly
  • Implement multi-factor authentication and verify requests for sensitive actions
  • Establish clear protocols for verifying identity before granting access
  • Create a culture where employees feel comfortable questioning suspicious requests


Pen Test Role: Pen testers simulate phishing attacks and social engineering scenarios to assess employee awareness and identify weak points in organizational security culture.

Conclusion

Penetration testing serves as a proactive approach to identifying and mitigating security vulnerabilities. By addressing these common weaknesses, organizations can significantly enhance their security posture. The breaches highlighted above demonstrate that no organization—regardless of size, industry, or technical sophistication—is immune to cyber attacks when fundamental security controls are not properly implemented and maintained.

At GTconsult, we specialize in penetration testing services tailored to your organization's needs. Our team of experts utilizes the latest tools and methodologies to uncover vulnerabilities and provide actionable recommendations to fortify your defences.


Don't wait for a breach to occur. Contact GTconsult today to schedule a penetration test and take the first step towards securing your organization's future.

Get a Penetration Test
]]>Wed, 22 Oct 2025 13:25:44 +0000