Keywords
Cyber Literacy, K-12 Cybersecurity for High School Students, Risk Analysis, Critical Infrastructure Security, Cyber Resilience, Cyber Awareness, STEM Cyber Curriculum, Threat Modeling
This article is included in the Cybersecurity collection.
In the era of accelerating Agentic AI, critical infrastructure sectors have become increasingly vulnerable as they are interconnected with multiple internal and external systems. Furthermore, the growing use of the internet for digital education and activities such as gaming and social media has made students a soft target for attackers. Due to the lack of cybersecurity and cyber-risk education, there is a nationwide scarcity of cyber talent. The motivation for this research is threefold: to protect student identities given their significant online activity, to enable cyber literacy among teachers and students in Grades 9–12 to help develop a cyber-aware future workforce, and to build awareness of cyber risks through real-time case studies so students can understand critical infrastructure and the safety considerations associated with it.
We developed nine case studies across various domains: transportation, supply chains, healthcare, agriculture, manufacturing, AI data centers, energy infrastructure, water utilities, and banking and finance. Each case study follows a standard structure that includes a scenario overview, key assets at risk, a threat event, an impact analysis across multiple dimensions, a simplified risk-analysis model suitable for high-school learners, and diagrammatic representations for summarization.
These realistic use cases across diverse domains provide comprehensive insights into real-world scenarios and recommended best practices. Teachers can use them to demonstrate layered defense, cyber-risk reduction, and cyber-resilience strategies. The case studies can be easily integrated into STEM, technology, and cyber-career-readiness curricula.
This research provides a scalable, reusable, and pedagogically sound approach to building cyber literacy among high-school students. The case studies across critical-infrastructure domains help students understand the importance of cyber resilience and the interdisciplinary nature of digital risk. The framework can be extended to hands-on labs, simulations, and learning modules, contributing to national efforts to strengthen cybersecurity awareness and workforce readiness.
1. Scenario overview
During early 2018, the Colorado Department of Transportation (CDOT) was hit by a large-scale cyberattack that combined distributed denial of service (DDoS) style network flooding with subsequent service disruption. The attack forced CDOT to turn off 2000+ computers, including systems connected to highway operations, traffic management servers, roadway monitoring systems, and maintenance scheduling. Although the traffic lights themselves were not attacked, the supporting IT infrastructure used to manage road and highway operations was compromised. This is a clear example of how a DDoS attack can hamper transportation operations without directly touching a single traffic light.
2. Key assets at risk
The attack affected the road and highway operations significantly by impacting the following assets.
• Offline traffic management system: The entire traffic management system went offline, pausing real-time traffic monitoring, the incident response reporting system, roadway camera feeds, and congestion prediction tools.
• Paused roadside communication: The attack disrupted communication between roadside units, highway sensors, and variable message signs.
• Paused updates to digital signs: CDOT was unable to update warning signs, speed advisories, construction alerts, and weather hazard messages.
• Delayed emergency response and maintenance: Along with emergency response routing, road repair scheduling messages and snow-plow operations were delayed.
3. Threat event
A large botnet floods the highway traffic-management servers of Colorado DOT with millions of fake requests every second. The servers become overloaded and stop responding. Because the centralized traffic management system is disrupted, traffic cameras go dark, digital signs freeze, and toll gates malfunction. Drivers no longer receive warnings about accidents, speed advisories, construction, or weather hazards, and emergency responders cannot access real-time road conditions either. Highways and roads become congested and unsafe because the digital systems that normally manage traffic are offline. As a result, the transportation agency has to shut down parts of its network and switch to manual operations while cybersecurity teams work to contain the attack.
4. Impact analysis
Operational
The shutdown of 2000+ computers heavily impacted the entire traffic management system along with monitoring and maintenance services. It created a huge backlog of manual processes, delaying all transportation workflows.
Safety
The shutdown of traffic management services and roadway monitoring, together with stale operational dashboards, reduced situational awareness for transportation staff. This increases safety risk during emergencies such as traffic jams and weather hazards; without visibility, operators cannot dispatch crews in a timely manner.
Financial
The State of Colorado paid around $1.5 million in recovery costs for system restoration and external support. Furthermore, Colorado’s financial systems, which process around $100 million in payments every month, were heavily disrupted, forcing manual workflows to maintain business continuity.
Reputational
This attack became a national-level case study in the category of critical infrastructure vulnerability. Public reports highlighted how vulnerabilities and weak controls could cause significant harm to critical infrastructure. The incident generated concerns about CDOT’s cybersecurity ecosystem and increased queries from government, the media, and the public.
5. Cyber risk awareness/quantification
For ease of explanation, a traffic-light metaphor is used for cyber risk quantification. A three-signal approach assigns the risk scores:
• Green light: the system is working business as usual (score 0–2)
• Yellow light: a warning sign is present (score 0–3)
• Red light: complete suspension (score 0–5)
For the CDOT case study, the traffic-light colors can be mapped to provide a risk evaluation.
• Green: 0 (Systems were not functioning perfectly)
• Yellow: 3 (Warning signs ignored: misconfigured server)
• Red: 5 (Shutdown of 2000+ computers)
Total Risk Score = 8/10 (Critical risk).
6. Best practices/mitigation
• Network segmentation: A segmentation strategy helps isolate the network zone impacted by malware, limiting the spread of the attack.
• Deploy endpoint detection and response (EDR): EDR tracks unusual behaviour, anomalies, and ransomware activity in real time.
• Regular backups: Regular backups help recover data after a compromise and reduce data loss. Backups should be kept disconnected from the main network so that the attack cannot reach them.
• Continuous vulnerability scanning and patching: Regular vulnerability scanning and remediation keep systems cyber safe. Furthermore, patching software applications to their latest versions strengthens the security of cyber assets.
• Practice cyber incident response exercises: To maintain business continuity, it is recommended to simulate cyber incident scenarios and execute recovery steps to find gaps. This consistently improves the system recovery process.
7. Diagrammatic representation of case study
Figure 1 above depicts the series of events in a DDoS attack targeting transportation infrastructure, illustrating the effect of network flooding on traffic management systems, roadside communications, and digital signage, which leads to inefficiency and increased risk.
Key terms and definitions
The following terms available in Table 1 have been used throughout this case study. Each definition is written in plain language for easy understanding.

1. Scenario overview
GPS spoofing is the act of sending false GPS signals to mislead a GPS receiver about its actual location. This case study shows how GPS spoofing has become a major problem for air traffic and a prominent global issue. Civil aviation has been significantly affected since September 2023. In a single month, from July 15 to August 15, 2024, a total of 41,000 flights experienced spoofing incidents across the globe. A report shows a clear rise in spoofing incidents starting in April 2024, based on algorithms applied to ADS-B data. However, not all spoofing incidents can be detected this way, so the true number could be significantly higher.
GPS spoofing is a technique that manipulates a GPS receiver by sending fake signals, causing the device to display an incorrect location. The impact is broader and not limited to air travel. It can affect navigation systems, drones, vehicles, and smartphone navigation apps, which can lead to misdirection, theft, and increased security risks.
Unlike jamming, which blocks GPS signals, spoofing actively deceives the receiver by providing stronger, fake signals that override legitimate satellite data.
2. Key assets at risk
While GPS spoofing is primarily associated with navigation and positioning systems, its impact is also felt on time-dependent assets and on operational and economic assets. Table 2 below lists the assets and their corresponding mapping.
3. Threat event
The case study explains how the threat event unfolds step by step. The steps are as follows:
• The attacker transmits fake GPS signals towards an aircraft during flight.
• The aircraft’s GPS receiver locks onto the stronger spoofed signal and outputs false position, altitude, and time data.
• This corrupted information is automatically propagated over the ARINC 429 data bus to other subsystems: the Flight Management System (FMS), the Inertial Reference System (IRS), and the Enhanced Ground Proximity Warning System (EGPWS).
• The FMS computes the aircraft’s position from the incorrect GPS data, causing the aircraft to drift from its intended route while still displaying seemingly valid navigation.
• The IRS consumes the false GPS updates, reinforcing the erroneous position.
• The EGPWS, depending on the false GPS-derived altitude, produces false terrain warnings or fails to warn of real obstacles.
• The flight crew remains unaware of the spoofing event because all the systems appear to function normally.
• The aircraft continues on an unsafe or unintended path, with degraded situational awareness and a compromised terrain-avoidance protection system.
4. Impact analysis
Operational
The malfunction of the FMS, IRS, and EGPWS causes unintended route shifts, loss of reliable backup navigation, and degraded terrain-avoidance capability, all of which add significant operational overhead. System instability could also increase the manual workload when aircraft enter restricted or controlled airspace.
Safety
A spoofed aircraft may unknowingly enter unsafe airspace, terrain, or traffic, creating severe accident potential. The safety issues grow with the occurrence of false alarms, missed real hazards, mid-air collision risk, unsafe proximity to obstacles, and corrupted EGPWS geometric altitude information.
Financial
Flight diversions, delays or cancellations, aircraft damage, increased insurance premiums, investigation costs, the rollout of extended security controls for anti-spoofing defenses, and operational delays are a few of the primary direct financial impacts of aircraft GPS spoofing.
Reputational
The reputational impacts are not limited to aircraft companies; they also extend to navigation system providers. Passengers lose confidence in the aircraft service providers, and negative reviews begin to appear, which further generate negative media coverage. The airline’s brand becomes diminished, and trust in GPS-based navigation systems is reduced. Furthermore, regulatory investigations increase security concerns.
5. Cyber risk awareness/quantification
The following formula could be used to quantify cyber risk.
Cyber Risk = Chance of GPS Spoofing * Danger if Spoofed.
Chance of GPS spoofing
The chance of GPS spoofing is scored numerically as 1 (Very unlikely), 2 (Unlikely), 3 (Possible), 4 (Likely), or 5 (Very likely) based on factors such as exposure, attractiveness to attackers, and control or protection level. The summary is as follows:
• Exposure: How often GPS is used, such as never, sometimes, or all the time. Users assign a number from 1 to 5 based on usage.
• Attractiveness to attackers: Would an attacker be interested in attacking? What negative impact could an attack generate? Users assign a number based on the anticipated attacker interest in executing the attack.
• Control or protection level: What kind of layered protection is available, such as additional sensors, trust validation, and network monitoring? A number is assigned based on the protection level.
The following formula can be used to define the spoof score.
Since each factor is scored from 1 to 5, the chance of spoofing can be evaluated as follows:
Danger if spoofed
Now, to quantify the danger or impact if a GPS spoofing attack occurs, the following variables can be used.
Finally, the cyber risks can be evaluated as follows:
6. Best practices/mitigation
• Organizations should plan to use multi-sensor navigation instead of relying on GPS alone.
• Enable Receiver Autonomous Integrity Monitoring (RAIM) to detect inconsistencies in satellite geometry and timing.
• A robust architecture is needed, including a verification step for data received by GPS receivers before it is sent to subsystems such as the FMS, IRS, and EGPWS.
• Incorporate algorithms that detect spoofing through real-time monitoring. The algorithms should be capable of detecting sudden route shifts, identical satellite IDs, abnormal signal strength, and unrealistic satellite geometry.
• Spoofed altitude and position frequently conflict with real terrain data. The terrain database can be used to cross-check GPS altitude, position, and proximity.
• Strong cryptographic authentication of GPS signals allows spoofed signals to be rejected, and it is difficult for spoofers to bypass.
• Pilot training and refined standard operating procedures can help to identify false positives.
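As an added illustration of the monitoring checks listed above (example code written for this page, not part of the original article or any avionics product), the following Python screens a stream of receiver fixes for the symptoms named in the list: sudden route shifts, duplicate satellite IDs, abnormal signal strength, unrealistic geometry, and divergence from the independent IRS position. The sample fixes and every threshold are constructed assumptions for demonstration, not certified aviation limits.

```python
"""Heuristic GPS spoofing screening over a stream of receiver fixes.

Added example for this page; thresholds and sample data are assumptions
chosen for illustration, not certified avionics values.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_M = 6_371_000.0
MAX_GROUND_SPEED_MPS = 350.0        # assumption: faster implied motion means a sudden route shift
MAX_NORMAL_CN0_DBHZ = 50.0          # assumption: live L1 signals rarely exceed this carrier-to-noise ratio
MIN_PLAUSIBLE_HDOP = 0.6            # assumption: near-zero dilution of precision is unrealistic geometry
MAX_GPS_IRS_DIVERGENCE_M = 2_000.0  # assumption: tolerated disagreement with the inertial reference system


@dataclass
class Fix:
    t: float          # seconds since start of the trace
    lat: float        # GPS latitude, degrees
    lon: float        # GPS longitude, degrees
    alt_m: float      # GPS altitude, metres
    sats: list        # satellite IDs (PRNs) used in the solution
    cn0: list         # carrier-to-noise density per satellite, dB-Hz
    hdop: float       # horizontal dilution of precision
    irs_lat: float    # independent IRS (inertial) latitude for cross-checking
    irs_lon: float    # independent IRS longitude


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))


def check_fix(prev, cur):
    """Return the list of spoofing indicators raised by the current fix (empty means clean)."""
    alerts = []
    if len(set(cur.sats)) != len(cur.sats):
        alerts.append("duplicate satellite IDs")
    if any(c > MAX_NORMAL_CN0_DBHZ for c in cur.cn0):
        alerts.append("abnormal signal strength")
    if len(cur.cn0) > 1 and len(set(cur.cn0)) == 1:
        # one transmitter feeding every channel tends to give identical power on all satellites
        alerts.append("identical signal strength on every satellite")
    if cur.hdop < MIN_PLAUSIBLE_HDOP:
        alerts.append("unrealistic satellite geometry")
    if haversine_m(cur.lat, cur.lon, cur.irs_lat, cur.irs_lon) > MAX_GPS_IRS_DIVERGENCE_M:
        alerts.append("GPS position diverges from IRS")
    if prev is not None and cur.t > prev.t:
        speed = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon) / (cur.t - prev.t)
        if speed > MAX_GROUND_SPEED_MPS:
            alerts.append(f"sudden route shift ({speed:.0f} m/s implied)")
    return alerts


def scan(fixes):
    """Run check_fix over the whole trace; map fix time -> alerts for every flagged fix."""
    flagged, prev = {}, None
    for cur in fixes:
        alerts = check_fix(prev, cur)
        if alerts:
            flagged[cur.t] = alerts
        prev = cur
    return flagged


# Constructed trace: three clean fixes heading east at about 230 m/s, then a spoofed fix
# that jumps 0.5 degrees north while the IRS keeps reporting the real track.
SAMPLE_FIXES = [
    Fix(0.0, 40.000, -75.000, 10000, [1, 3, 7, 11, 14, 22], [42, 44, 41, 45, 43, 40], 1.1, 40.000, -75.000),
    Fix(10.0, 40.000, -74.973, 10000, [1, 3, 7, 11, 14, 22], [42, 44, 41, 45, 43, 40], 1.1, 40.000, -74.973),
    Fix(20.0, 40.000, -74.946, 10000, [1, 3, 7, 11, 14, 22], [42, 44, 41, 45, 43, 40], 1.1, 40.000, -74.946),
    Fix(30.0, 40.500, -74.919, 10000, [1, 3, 3, 7, 11, 14], [55, 55, 55, 55, 55, 55], 0.3, 40.000, -74.919),
]

if __name__ == "__main__":
    for t, alerts in scan(SAMPLE_FIXES).items():
        print(f"t={t:>5.1f}s  {', '.join(alerts)}")
```

Only the last fix trips the checks; each indicator on its own would be weak evidence, which is why the article recommends combining several sensors and cross-checks rather than trusting one.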
7. Diagrammatic representation of case study
Figure 2 above depicts the propagation of spoofed GPS signals through aircraft systems including the FMS, IRS, and EGPWS, producing erroneous navigation data and consequently endangering flight safety.
Key terms and definitions
The following terms available in Table 3 have been used throughout this case study. Each definition is written in plain language for easy understanding.


1. Scenario overview
On February 5, 2021, a plant operator at the Bruce T. Haddock Water Treatment Plant in Oldsmar, a small city of approximately 15,000 people outside Tampa, Florida, made an alarming discovery. He was sitting at his computer when he saw the cursor start moving by itself. Somebody was apparently operating his computer remotely (CISA, 2021a).
The plant used a remote-access software application known as TeamViewer, which allows authorized personnel to log in from home. The same software, however, formed a possible access point for anyone with the appropriate credentials. As the operator watched, the unknown individual navigated to the controls for sodium hydroxide, commonly called lye, a chemical used in small quantities to treat drinking water and control its acidity. The intruder tried to change the level from a safe 100 parts per million to 11,100 parts per million, 111 times the standard level (CISA, 2021). At such concentrations, the water would cause serious chemical burns to anyone who drank it.
The operator responded in time, restoring the controls to safe settings and notifying supervisors. None of the contaminated water ever reached the public. City officials confirmed that even if the change had gone unnoticed, the built-in safety alarms and the 24–36 hour delay in water distribution would have provided additional time to catch the issue (Cervini et al., 2022).
2. Key assets at risk
• SCADA system managing water treatment chemical dosing.
• Remote desktop access software (TeamViewer) used by plant operators.
• Sodium hydroxide and other chemical treatment controls.
• Outdated Windows 7 computers (no longer receiving security updates).
• Network shared between multiple plant workstations.
• Public drinking water supply for 15,000 residents.
3. Threat event
The Pinellas County Sheriff’s Office states that the SCADA (Supervisory Control and Data Acquisition) system of the plant was accessed by an unauthorized individual remotely twice on February 5th, at about 8:00 AM and 1:30 PM (Cervini et al., 2022).
During the second intrusion, the operator watched as the attacker opened the software controls, switched the sodium hydroxide set point from 100 to 11,100 ppm, and then disconnected. Within seconds, the operator reverted the change. The Secret Service, FBI, and local police opened investigations. CISA issued a public warning stating that the plant’s computers were running Windows 7, an operating system that Microsoft had officially stopped supporting in January 2020, meaning it was no longer being patched or updated. The utility also had poor password practices, with passwords shared among workers (CISA, 2021a).
Notably, a subsequent investigation raised questions as to whether the event was indeed an external cyberattack or perhaps an accident by a worker who altered a value and reported it as a breach. As of 2023, the FBI had not officially confirmed an external attack, and the former city manager confirmed privately that investigators had no evidence of external access (Vasquez, 2023). This makes Oldsmar a useful case study in two senses: it demonstrates the real cybersecurity vulnerabilities of water systems, and it demonstrates that the reporting and investigation of an incident can be complicated (Tuptuk et al., 2021).
4. Impact analysis
Operational
Water treatment activities were paused for investigation. City authorities made urgent decisions to disconnect remote access tools and check all system logs. The breach prompted cybersecurity assessments in Florida and other water utilities (CISA, 2021a).
Financial
The Oldsmar plant itself did not suffer significant direct financial losses because the change was promptly noticed. Nevertheless, the incident triggered expensive security infrastructure improvements in hundreds of water utilities across the U.S. CISA estimated that water delivered to more than 80 percent of Americans is provided by about 153,000 publicly owned water systems, most of which were observed to have similar vulnerabilities (EPA, 2023).
Safety
Had the sodium hydroxide change not been detected early, it would have caused serious chemical burns to the throats, skin, and digestive systems of residents. The most vulnerable groups, such as children, the elderly, and people with weakened immune systems, would have faced the highest risk. Even at lower concentrations, lye can cause severe damage (Cervini et al., 2022).
Reputational
The incident resulted in national publicity and congressional interest. It served as a wake-up call that small-town water utilities, which are usually under-resourced and understaffed, could become targets of cyberattacks. Several states issued cybersecurity advisories for water suppliers after the incident (You, 2022).
5. Cyber risk awareness/quantification
Table 4 below gives a brief description of the overall risk evaluation.
Simple cost example
Imagine a confirmed water contamination event that required emergency bottled water distribution to 15,000 residents for 3 days, plus medical response and cleanup. The estimated emergency response cost would be enormous, and this usually does not include long-term health costs, lawsuits, or federal fines for regulatory violations.
6. Best practices/mitigation
• Discontinue or deactivate remote access software (such as TeamViewer) unless it is necessary (CISA, 2021).
• Upgrade outdated operating systems: Windows 7 had not received security updates for more than a year before the incident (CISA, 2021a).
• Use a strong, unique password for every employee; do not share passwords among employees (NIST, 2018).
• Any remote login to plant control systems should require multi-factor authentication (MFA).
• Set hard limits on chemical levels so that no remote command can exceed the safe range, which is a basic engineering safeguard (Cervini et al., 2022).
• Train all plant employees to identify and report suspicious computer activity to management (You, 2022).
• Regularly perform cybersecurity assessments with support from CISA’s free Water Sector resources (EPA, 2023).
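The hard-limit safeguard in the list above, worked through as an added example (code written for this page, not the Oldsmar plant’s actual control logic): an interlock that sits below the HMI, so that a remote desktop session cannot bypass it, and that rejects the 100 to 11,100 ppm change from the case study on three independent grounds. The limits, the source labels and the audit-log format are assumptions.

```python
"""Hard-limit interlock for a chemical dosing set point.

Added example for this page, not the Oldsmar plant's control logic. The
limits, the source labels and the audit format are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DosingLimits:
    min_ppm: float          # lowest value the controller will accept
    max_ppm: float          # hard ceiling enforced regardless of who asks
    max_step_ppm: float     # largest change allowed in a single command
    remote_allowed: bool    # may a remote session change this set point at all?


# assumption: illustrative numbers around the 100 ppm normal level from the case study
SODIUM_HYDROXIDE = DosingLimits(min_ppm=0.0, max_ppm=150.0, max_step_ppm=20.0, remote_allowed=False)


class SetpointRejected(Exception):
    """Raised when a requested change violates the interlock."""


def apply_setpoint(current_ppm, requested_ppm, limits, source, audit):
    """Validate a set-point change and return the value to apply.

    source is "local_hmi" or "remote"; audit is a list that receives one entry per
    attempt, accepted or not, so a rejected remote command still leaves evidence
    for the operators and investigators.
    """
    entry = {"source": source, "from": current_ppm, "to": requested_ppm}
    reasons = []
    if source == "remote" and not limits.remote_allowed:
        reasons.append("remote changes disabled for this set point")
    if not limits.min_ppm <= requested_ppm <= limits.max_ppm:
        reasons.append(f"outside hard limits {limits.min_ppm:g}-{limits.max_ppm:g} ppm")
    if abs(requested_ppm - current_ppm) > limits.max_step_ppm:
        reasons.append(f"step exceeds {limits.max_step_ppm:g} ppm")
    if reasons:
        entry["result"], entry["reasons"] = "REJECTED", reasons
        audit.append(entry)
        raise SetpointRejected("; ".join(reasons))
    entry["result"] = "applied"
    audit.append(entry)
    return requested_ppm


def replay_case_study(audit):
    """Replay the attempted 100 -> 11,100 ppm remote change; return the rejection text."""
    try:
        apply_setpoint(100.0, 11100.0, SODIUM_HYDROXIDE, "remote", audit)
    except SetpointRejected as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    log = []
    print("local 100 -> 110 ppm:", apply_setpoint(100.0, 110.0, SODIUM_HYDROXIDE, "local_hmi", log))
    print("remote 100 -> 11100 ppm:", replay_case_study(log))
    for e in log:
        print(e)
```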
7. Diagrammatic representation of case study
Figure 3 above depicts how a cyberattack could affect public health and safety by accessing the SCADA system and manipulating the chemical dosing process.
Key terms and definitions
The following Table 5 reflects the key terms, which have been used throughout this case study. Each definition is written in plain language for easy understanding.
1. Scenario overview
This case study focuses on the 2019 Capital One cyberattack, one of the largest data breaches of cloud-based analytics infrastructure. To store and process large amounts of customer information, the company relied on a modern data-center architecture hosted on Amazon Web Services. These systems supported automated decision-making, analytics, and machine learning. Nevertheless, an improperly configured web application firewall created a vulnerability through which an attacker accessed sensitive information. This event showed that AI-based and cloud-based data centers are vulnerable to configuration mistakes and a lack of monitoring (U.S. Department of Justice, 2019).
2. Key assets at risk
The attack exposed several assets vital to the AI and analytics functions:
• Personal information of customers (addresses, credit scores, names).
• Cloud storage buckets holding structured datasets.
• Machine learning training datasets.
• Credential identities and authentication keys.
• Internal monitoring and logging systems.
• Analytics data processing pipelines.
Such assets are critical in the decision-making process using AI, and their security is a necessity.
3. Threat event
The attacker took advantage of the improper firewall configuration in the cloud infrastructure. This allowed the attacker to carry out a Server-Side Request Forgery (SSRF) attack and obtain credentials. With those credentials, the attacker was able to access the storage containers and obtain the information stored in them. The breach compromised the data of 100 million individuals in the United States and 6 million in Canada. The attacker was also able to obtain internal logs, which helped them maintain unauthorized access (FBI, 2019).
4. Impact analysis
Operational: Systems had to be restricted in order to assess the extent of the damage.
Financial: To resolve the problem, Capital One was forced to pay an $80 million fine to regulators. The company incurred further expenses in the measures taken to deal with the problem (Office of the Comptroller of the Currency, 2020).
Security: Customer data was compromised because the systems were infiltrated, resulting in the disclosure of credit card application information.
Reputation: The hack was widely covered by the media, which damaged the organization’s reputation.
Legal impact: Various lawsuits and compliance reviews were carried out.
5. Cyber risk awareness/quantification
Plausibility: Medium.
Aftermath: High.
Cumulative risk: High.
Simple quantification example:
1. System downtime cost
Downtime Cost = $7.2 million
2. System recovery & reconfiguration cost
Recovery Cost = $360,000
3. Security tools & infrastructure upgrade
Estimated: $8 million.
4. Continuous monitoring cost (post-breach)
Monitoring Cost = $480,000
Total system impact cost
Total ≈ $16 million (System-related direct cost)
The actual figure might be even higher due to the presence of various hidden costs such as:
• Legal costs and class-action suits
• Regulatory fines and penalties
• Incident response and forensic analysis
• Employee overtime and business disruption
• Loss of customer trust and brand damage (IBM Security, 2023).
6. Best practices/mitigation
• Implementing zero-trust security
• Implementing multi-factor authentication for cloud account access
• Monitoring cloud configurations
• Implementing least privilege access
• Encrypting sensitive AI and analytics data
• Conducting regular vulnerability tests
• Implementing real-time threat detection
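One of the controls above, least-privilege reach for server-side requests, worked as an added example (written for this page, not Capital One’s code): a destination check for any URL a server fetches on a user’s behalf, the kind of request SSRF abuses. It enforces an allowlist of hosts, then resolves the name and refuses any result in loopback, private, or link-local space, the range in which cloud instance-metadata services also sit. The allowlist, the fake DNS table, and the addresses in it are constructed, and the resolver is injectable so the check runs offline.

```python
"""Destination validation for server-side URL fetches (SSRF defence).

Added example for this page, not Capital One's code. The allowlist and the
fake DNS table are constructed; the resolver is injectable so the check can
be demonstrated offline.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# assumption: the only external hosts this service is ever meant to call
ALLOWED_HOSTS = {"api.partner.example", "reports.partner.example"}

# Ranges a server-side fetch should never reach: loopback, RFC 1918 private
# space, link-local (where cloud instance-metadata services live), carrier-grade
# NAT, "this network", and the IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal(ip):
    """True if the address falls in any blocked range (a version mismatch simply fails the test)."""
    return any(ip in net for net in BLOCKED_NETWORKS)


def validate_destination(url, resolver=socket.getaddrinfo):
    """Return (ok, reason) for a URL the server has been asked to fetch.

    Checks the scheme and allowlist membership, then resolves the name and rejects
    it if ANY returned address is internal. The caller must connect to exactly the
    addresses checked here; re-resolving later would let a DNS rebinding between
    check and use defeat the test.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if host not in ALLOWED_HOSTS:          # IP literals never match the allowlist
        return False, f"host {host!r} not on allowlist"
    try:
        infos = resolver(host, parts.port or 443)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    addrs = {ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos}
    bad = sorted(str(a) for a in addrs if is_internal(a))
    if bad:
        return False, f"host resolves to internal address(es) {bad}"
    return True, "ok"


# Constructed DNS table: one healthy partner, and one whose record has been pointed
# at link-local space (the shape of a rebinding or hijacked-record attack).
FAKE_DNS = {
    "api.partner.example": ["203.0.113.10"],
    "reports.partner.example": ["169.254.10.20"],
}


def fake_resolver(host, port):
    """Offline stand-in for socket.getaddrinfo with the same return shape."""
    ips = FAKE_DNS.get(host)
    if ips is None:
        raise OSError("NXDOMAIN")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, port)) for ip in ips]


if __name__ == "__main__":
    for url in ("https://api.partner.example/v1/quotes", "https://reports.partner.example/daily",
                "https://169.254.10.20/", "http://api.partner.example/v1/quotes"):
        print(url, "->", validate_destination(url, fake_resolver))
```

This check complements, rather than replaces, the WAF the article mentions: the application itself knows which destinations are legitimate, and the cloud account’s IAM roles should still be scoped so that even a successful SSRF yields little.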
7. Diagrammatic representation of case study
Figure 4 above depicts the consequences of a misconfigured cloud computing infrastructure exploited through SSRF, causing unwanted exposure and exfiltration of stored data.
Key terms and definitions
The following Table 6 reflects the key terms, which have been used throughout this case study. Each definition is written in plain language for easy understanding.

1. Scenario overview
On May 7, 2021, Colonial Pipeline, the largest refined fuel pipeline in the United States, was hit with a ransomware attack that made national headlines. The pipeline stretches 5,500 miles long, running between Houston, Texas, and New York City, with gasoline, diesel, and jet fuel flowing through it that serve approximately 45% of the fuel demand on the East Coast (CISA, 2021b).
Colonial Pipeline’s computer systems were breached by the hacker group DarkSide using a single stolen employee password for a VPN account that had not been disabled. The account was not protected by multi-factor authentication (an additional security measure such as a text message code), which is why the attackers found it easy to access (Mittal, 2024).
The hackers stole 100 gigabytes of company data within hours and then deployed ransomware (software that scrambles computer files and demands a payment to unlock them) on Colonial Pipeline’s billing systems. The company shut down fuel delivery operations because it feared the attackers might cause further havoc by tampering with the physical pipeline controls. The shutdown lasted six days and caused fuel shortages, panic buying, and gas station queues throughout the southeastern United States (DOE, 2021). On May 9, 2021, President Biden declared a state of emergency.
2. Key assets at risk
• Computer systems for billing and accounting.
• Remote access accounts on the VPN (Virtual Private Network).
• Industrial control systems managing 5,500 miles of pipeline.
• Scheduling and operations software for fuel delivery.
• Employee and company data stored on corporate servers.
• Customer communications and payment systems.
3. Threat event
The attack began with one compromised password. Security investigators later found the password in a cache of stolen credentials sold on the dark web (the hidden part of the internet where stolen data is bought and sold). The password belonged to a VPN account that was no longer actively used but had not been deactivated (Beerman et al., 2023).
DarkSide attackers remotely accessed Colonial Pipeline’s network using the password. They faced no further barrier because no multi-factor authentication was enforced on the account. Once inside, they took their time to move through the network, mapping systems and identifying the most important files, a method referred to as lateral movement. They stole approximately 100 gigabytes of data within a span of two hours. Then they installed ransomware, encrypted the billing systems, and demanded 75 bitcoin (at that time valued at about 4.4 million dollars) as a ransom (CISA, 2021b).
Colonial Pipeline’s leadership was uncertain of the extent of the intrusion and therefore decided to shut down the entire pipeline as a precaution. The company paid the ransom the same day. The FBI provided a decryption tool, but it was too slow to be of any use, and the company was forced to restore its systems from backups. On May 12, 2021, a few days after the attack, pipeline operations returned to normal (DOE, 2021). The U.S. Department of Justice subsequently recovered some 63.7 bitcoin (about $2.3 million) of the ransom.
4. Impact analysis
Operational
The six-day shutdown of the pipeline affected gas supply in 17 states and Washington, D.C. Gas stations ran out of fuel, airlines were concerned about supply, and the Federal Motor Carrier Safety Administration declared emergency measures that allowed fuel trucks to work extra hours to compensate (DOE, 2021).
Financial
Colonial Pipeline paid a ransom of $4.4 million. The company also faced nearly $1 million in proposed fines from the Department of Transportation for safety breaches related to the incident. Millions more were added in recovery expenses, legal fees, and cybersecurity upgrades. According to Mittal (2024), breaches in the energy sector are among the costliest, with the average cost of a breach exceeding $4.7 million.
Safety
Fuel supply to hospitals, emergency services, and airports on the East Coast was disrupted. Panic buying also led to unsafe behavior, including people storing fuel in unsafe containers. The incident showed that a cyberattack on energy infrastructure can pose real physical risks to citizens (CISA, 2021b).
Reputational
Colonial Pipeline came under heavy scrutiny from the public and Congress. Senate hearings were held to examine how one leaked password could shut down the biggest fuel pipeline in the country. The incident became one of the most cited cases of a cybersecurity failure to protect critical infrastructure in U.S. history (Tsvetanov & Slaria, 2021).
5. Cyber risk awareness/quantification
Table 7 below gives a brief description of the overall risk evaluation.
| Factor | Rating | Explanation |
|---|---|---|
| Likelihood | High | Energy companies are often targeted since attackers know that outages impact millions of people. |
| Impact | Critical | Shutting down fuel supply to half the East Coast is a life, safety, and economic impact (Goodell & Corbet, 2023). |
| Overall Risk | Critical | This type of attack could easily recur; in this case it succeeded with just a single stolen password. |
Simple cost example
Colonial Pipeline paid a ransom of $4.4 million. The pipeline supplies more than 100 million gallons of fuel per day. A conservative estimate of the lost economic activity during the six-day shutdown:
Total impact = $4.4 million + 600 million gallons of fuel disruption + additional recovery and economic costs.
6. Best practices/mitigation
• Always deactivate unused accounts immediately (CISA, 2021b).
• Multi-factor authentication (MFA) should be used on any remote access - a single additional step would have prevented this whole attack (NIST, 2018).
• Separate IT networks (billing, email) from OT networks (pipeline controls) to restrict damage in case attackers gain access (CISA, 2021b).
• Encourage employees to reset their passwords frequently.
• Conduct frequent incident response exercises to ensure that employees are aware of the precise steps to take in case an attack is experienced (DOE, 2021).
• Adhere to the NIST Cybersecurity Framework, a free governmental tool for securing critical systems (NIST, 2018).
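The first two best practices above, deactivating unused accounts and requiring MFA on every remote-access path, as an added example that is not part of the article: a small account audit that flags exactly the pattern behind the Colonial Pipeline intrusion (a dormant remote account without MFA, the same gap seen later in the Change Healthcare case). The account records, the audit date and the 90-day dormancy threshold are constructed for illustration.

```python
"""
Added example (not from the article): audit remote-access accounts against two
of the Colonial Pipeline lessons: deactivate unused accounts and require MFA on
every remote-access path. Sample accounts and thresholds are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

MAX_IDLE_DAYS = 90              # assumed policy: unused longer than this = dormant
AUDIT_DATE = date(2025, 1, 15)  # constructed "today" so the example is reproducible


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool               # still enabled in the directory / VPN
    remote_access: bool         # can reach the network from outside (VPN, portal)
    mfa_enrolled: bool
    last_login: Optional[date]  # None means the account has never been used


DORMANT = "dormant account still enabled"
NO_MFA = "remote access without MFA"


def audit_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return one (username, finding) pair per policy violation."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already deactivated; nothing to flag
        idle_days = (today - acct.last_login).days if acct.last_login else None
        if idle_days is None or idle_days > MAX_IDLE_DAYS:
            findings.append((acct.username, DORMANT))
        if acct.remote_access and not acct.mfa_enrolled:
            findings.append((acct.username, NO_MFA))
    return findings


def highest_priority(findings: List[Tuple[str, str]]) -> List[str]:
    """Usernames with BOTH findings: a dormant, MFA-less remote account is the
    pattern behind the Colonial Pipeline intrusion, so these are fixed first."""
    by_user = {}
    for user, finding in findings:
        by_user.setdefault(user, set()).add(finding)
    return sorted(u for u, f in by_user.items() if f == {DORMANT, NO_MFA})


def remediation_plan(findings: List[Tuple[str, str]]) -> dict:
    """Map each flagged username to the actions the best-practice list calls for."""
    actions = {
        DORMANT: "disable the account until its owner re-justifies it",
        NO_MFA: "block remote login until MFA is enrolled",
    }
    plan = {}
    for user, finding in findings:
        plan.setdefault(user, []).append(actions[finding])
    return plan


# Constructed sample directory export; usernames are fictional.
SAMPLE_ACCOUNTS = [
    Account("a.ramos", True, True, True, AUDIT_DATE - timedelta(days=3)),
    Account("contractor7", True, True, False, AUDIT_DATE - timedelta(days=200)),
    Account("j.lee", True, False, False, AUDIT_DATE - timedelta(days=120)),
    Account("m.chen", True, True, False, AUDIT_DATE - timedelta(days=10)),
    Account("old.svc", False, True, False, None),
]

if __name__ == "__main__":
    results = audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE)
    for user, finding in results:
        print(f"{user:<12} {finding}")
    print("fix first:", highest_priority(results))
```

Running the sample flags contractor7 for both violations, so it is the account to fix first.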
7. Diagrammatic representation of case study
The above Figure 5 depicts how compromised credentials can lead to initial access, lateral movement within a system, and ransomware deployment that disrupts the functioning of critical energy infrastructure.
Key terms and definitions
The following Table 8 lists the key terms used throughout this case study. Each definition is written in plain language for easy understanding.

1. Scenario overview
Flagstar Bank is a large U.S. financial institution headquartered in New York, with total assets of more than $31 billion and annual revenue of more than $1.9 billion. It is part of New York Community Bank and offers retail banking, mortgages, and commercial lending services across the United States (Mascellino, 2023).
Like most modern banks, Flagstar uses external technology vendors, also known as third-party vendors, to support certain areas of its business. One such vendor is Fiserv, a large payment-processing and mobile-banking technology company. Fiserv, in turn, used the MOVEit Transfer file-transfer program to move large volumes of sensitive financial information between organizations (Ghanbari et al., 2024).
In May 2023, a ransomware gang known as Clop discovered and exploited a previously unknown security vulnerability, or zero-day, in the MOVEit software. By the time the bug was publicly disclosed and fixed, Clop had gained unauthorized access to the data of thousands of organizations worldwide, including Fiserv’s. Consequently, the personal data of 837,390 Flagstar Bank customers, including names and Social Security numbers, were stolen (Mascellino, 2023).
2. Key assets at risk
• Personal identifying information (PII), including customer Social Security numbers
• Third-party file transfer systems (MOVEit) used to process banking data
• Mobile banking and payment processing platforms managed by vendor Fiserv
• Customer account records and transaction data
• The bank’s reputation and compliance standing with regulators
• Trust relationships between the bank and its third-party service providers
3. Threat event
The attack did not originate at Flagstar Bank itself, but at one of its technology vendors. The ransomware group Clop used a zero-day vulnerability in MOVEit Transfer software between May 27 and 31, 2023. A zero-day vulnerability is a security flaw that is unknown to the software developer and the community at large, meaning there is no patch or fix yet. This provides attackers with a significant advantage (Ghanbari et al., 2024).
Clop exploited the weakness to silently gain access to information being transferred through Fiserv’s MOVEit systems, including files belonging to Flagstar Bank clients. Fiserv could not detect or prevent the attack in time because it occurred before the flaw was publicly known. On May 31, 2023, Progress Software (the creator of MOVEit) publicly disclosed the vulnerability, making Fiserv aware of it the same day; Flagstar Bank was notified on approximately August 8, 2023, more than two months after the breach itself. On October 6, 2023, Flagstar Bank began notifying affected customers by letter (Mascellino, 2023).
By October 2023, Clop had compromised more than 2,500 organizations worldwide, including banks, government bodies, universities, and corporations, exposing the personal data of more than 64 million people (Mascellino, 2023). Clop claimed responsibility for the attack and posted the names of victim organizations on its own leak site to pressure them into paying the ransom to prevent further data exposure.
4. Impact analysis
Operational
Flagstar Bank had to investigate the breach, track down all affected customers, report to regulators, and implement identity monitoring for more than 837,000 customers. This took several months and required significant resources and staff beyond regular banking operations (Mascellino, 2023).
Financial
All customers who were impacted by this began receiving free identity monitoring services from Kroll for 2 years, organized by Flagstar Bank. The direct expenses included legal charges, regulatory notification expenses, credit surveillance, and exposure to a class-action lawsuit. According to Lee et al. (2022), financial sector data breaches cost an average of $5.9 million per incident, one of the highest among industries. Research on U.S. commercial banks indicates that breached institutions record considerably lower returns on equity and assets in the quarters following an attack (Erkan-Barlow et al., 2023).
Safety
If a Social Security number is stolen, the thief can commit identity theft by creating a counterfeit credit card, filing a false tax return, or taking out loans in the victim’s name. The resulting financial harm can take years to undo. Victims who do not monitor their credit carefully may not realize they are victims of identity theft until serious harm has already occurred (Kamiya et al., 2021).
Reputational
This was the third large data breach at Flagstar Bank in three years (2021, 2022, and 2023), which has been devastating to customer trust (Kamiya et al., 2021). The bank’s security experts and vendors publicly criticized the lack of proper supply chain risk management. The case illustrates how a bank can suffer a significant breach through a trusted vendor’s vulnerability even when its own systems are not directly attacked.
5. Cyber risk awareness/quantification
The following Table 9 provides a brief description of the overall risk evaluation.
| Factor | Rating | Explanation |
|---|---|---|
| Likelihood | High | Banks are the most targeted industry because attackers can steal money or personal data used for identity theft. |
| Impact | High | Over 837,000 individuals were victims of having their Social Security numbers stolen, a form of damage that can have a long-term effect. |
| Overall risk | High | Even secure banks can be compromised through their vendors, a risk that is difficult to see and control (Liu & Babar, 2026). |
Simple cost example
837,390 customers each received 2 years of identity monitoring at approximately $20/month per person: 837,390 × $20 × 24 months ≈ $402 million in identity monitoring costs alone.
This figure does not include legal fees, regulatory fines, staff time, or reputational losses.
6. Best practices/mitigation
• Carry out thorough cybersecurity assessments on all third-party vendors before sharing sensitive customer data with them (Cremer et al., 2022).
• Require vendors to notify the bank immediately, not months later, if a breach or vulnerability is discovered.
• Encrypt all transfers of data to ensure that if files are accessed, they cannot be read without a key (NIST, 2018).
• Apply zero-trust principles: Authenticate all users and all systems, including trusted vendor networks (Ghanbari et al., 2024).
• Develop a vendor risk management program that rates and continuously monitors the security posture of every technology partner.
7. Diagrammatic representation of case study
The above Figure 6 shows how financial information can be exposed through a vulnerability in a third-party software application that the bank itself uses only indirectly.
Key terms and definitions
The following Table 10 lists the key terms used throughout this case study. Each definition is written in plain language for easy understanding.

1. Scenario overview
Jaguar Land Rover (JLR) is a British multinational automotive manufacturer and a subsidiary of India’s Tata Motors. The company produces luxury and off-road vehicles under the Jaguar and Land Rover brands, operating major manufacturing plants in Solihull, Halewood, and Wolverhampton in the United Kingdom. JLR is one of the UK’s largest manufacturers, supporting an extensive supply chain of over 5,000 organizations and more than 104,000 supply chain jobs across the country (Burgess, 2025).
The manufacturing sector is one of the most targeted industries for cyberattacks worldwide. According to the Arctic Wolf 2026 Threat and Predictions Report, from 2024 to 2025, the number of victimized manufacturers nearly doubled, making manufacturing the sector with the highest victim count globally. IBM’s X-Force 2025 Threat Intelligence Index also lists manufacturing as the top-targeted industry, a position it has held for four consecutive years. The median cost of a manufacturing ransomware attack is now $600,000 USD (Arctic Wolf, 2026).
On August 31, 2025, a cybercriminal collective known as Scattered Lapsus Hunters launched a devastating ransomware attack on JLR’s IT systems. The attack forced the automaker to shut down all production across its UK plants for over five weeks, making it the most damaging cyberattack in British history, with an estimated total cost to the UK economy of £1.9 billion (BBC News, 2025b).
2. Key assets at risk
• Production line control systems and operational technology (OT) across three major UK manufacturing plants
• Enterprise IT infrastructure, including SAP systems, internal communications, and automated ordering platforms
• Proprietary vehicle designs, engineering blueprints, and manufacturing process intellectual property
• Employee personal data, payroll records, and human resources information
• Global supply chain coordination systems linking over 5,000 supplier organizations
• Brand reputation and consumer trust in Jaguar and Land Rover as premium automotive brands
3. Threat event
The attack began on August 31, 2025, when threat actors exploited a zero-day vulnerability in a third-party remote-access tool to gain an initial foothold in JLR’s critical systems. Once inside the network, the attackers moved laterally across the infrastructure before deploying ransomware on the company’s systems, including its SAP enterprise resource planning platform. JLR paused production on September 1, 2025, and by September 22, all production lines at the Solihull, Halewood, and Wolverhampton plants had ceased operations entirely, with staff instructed to stay at home (Vallance & Leggett, 2025).
A group calling itself Scattered Lapsus$ Hunters claimed responsibility for the attack on Telegram, suggesting a collaboration between three English-speaking cybercrime groups: Scattered Spider, Lapsus$, and ShinyHunters. Members of the group shared screenshots reportedly taken from inside JLR’s IT networks, including images of internal SAP systems, and claimed to have deployed ransomware and exfiltrated sensitive data (Gatlan, 2025). The same collective was linked to a wave of cyberattacks on major UK retailers, including Marks & Spencer, earlier in 2025 (Milmo, 2025).
Initially, JLR planned to restart production on September 24, but announced on September 23 that the shutdown would continue until October 1. Production finally began restarting on October 8, 2025, following a gradual, controlled approach, but the company did not return to normal production levels until mid-November 2025. A forensic investigation was launched, and a criminal investigation was opened by law enforcement (Young, 2025).
4. Impact analysis
Operational
The ransomware attack forced a complete production shutdown across all three of JLR’s major UK manufacturing plants for over five weeks. Assembly lines stood idle, employees were sent home, and workarounds were introduced to partially restore some functions, but significant disruption continued for months. Internal systems, including automated production lines, ordering platforms, and communication tools, were taken offline to contain the breach. September 2025 car production in the UK fell to its lowest level since 1952 as a direct result of the shutdown (Burgess, 2025).
Financial
In its financial results published in November 2025, JLR revealed that the attack cost £196 million in direct costs during the second quarter of its fiscal year. The company posted a pre-tax loss of £485 million for the July–September 2025 quarter, compared with a profit of £398 million for the same period the previous year. The cyberattack was estimated to cost JLR over £50 million per week of downtime. The broader impact on the UK economy was estimated at £1.9 billion, accounting for supply chain disruptions, lost output, and reduced exports (Pearson, 2025).
Supply chain
The shutdown devastated JLR’s supply chain. According to the Cyber Monitoring Centre, over 5,000 UK organizations were impacted, including first-, second-, and third-tier automotive parts suppliers, logistics companies, service providers, and dealerships. One smaller JLR supplier confirmed that it had laid off 40 people, nearly half of its workforce. The trade union Unite reported that supply chain staff were advised to apply for Universal Credit, the UK’s social welfare benefit. MP Liam Byrne described the situation as a “digital siege” and warned that thousands of jobs were at risk across the supply chain.
Reputational and national impact
The JLR cyberattack attracted national and international media coverage and became a matter of parliamentary debate. The Bank of England cited the attack as one of the key factors contributing to lower-than-expected UK GDP growth in the third quarter of 2025, noting that the production stoppage directly contributed to a 0.17 percentage point contraction in GDP in September (Jones, 2025). The UK government intervened with a £1.5 billion loan guarantee to stabilize the automotive supply chain. The Department for Business and Trade and the Society of Motor Manufacturers and Traders issued a joint statement acknowledging the significant impact on JLR and the broader manufacturing sector (UK Government, 2025). Jamie MacColl of the Royal United Services Institute described the incident as “unprecedented in the UK” in terms of the level of disruption caused by a cyberattack (Burgess, 2025).
5. Cyber risk awareness/quantification
The following Table 11 provides a brief description of the overall risk evaluation.
| Factor | Rating | Explanation |
|---|---|---|
| Likelihood | High | Manufacturing has been the most targeted industry for cyberattacks for four consecutive years. The raw count of victimized manufacturers nearly doubled between 2024 and 2025 (Arctic Wolf, 2026). |
| Impact | Critical | Five weeks of total production shutdown, £196 million in direct costs, £1.9 billion in economic damage to the UK, over 5,000 organizations impacted in the supply chain, and GDP contraction cited by the Bank of England. |
| Overall risk | Critical | Large manufacturers with interconnected IT/OT systems and extensive supply chains face cascading risks where a single breach can paralyze thousands of dependent organizations and impact national economies (Burgess, 2025). |
Simple cost example
JLR’s estimated weekly cost of the production shutdown was £50 million. With a shutdown lasting approximately 5 weeks: £50,000,000 × 5 weeks = £250 million in lost production revenue.
This figure accounts only for direct production losses. The total direct cost reported by JLR was £196 million for the quarter, while the broader economic impact, including supply chain losses, reduced exports, and government intervention costs, was estimated at £1.9 billion ($2.5 billion USD) (Pearson, 2025).
6. Best practices/mitigation
• Implement zero-trust architecture to verify all users, devices, and systems before granting access, particularly for remote-access tools and third-party integrations that served as the initial attack vector in the JLR breach (NIST, 2018).
• Segment IT and OT networks to prevent lateral movement from corporate systems to production control systems, ensuring that a breach in one domain does not cascade to manufacturing operations (Arctic Wolf, 2026).
• Conduct regular vulnerability assessments and patch management for all third-party remote-access tools and software, prioritizing zero-day vulnerability monitoring.
• Develop and regularly test a multi-site incident response plan that includes procedures for coordinating with suppliers, government agencies, and law enforcement during extended production shutdowns (UK Government, 2025).
• Maintain offline, immutable backups of critical production data, SAP configurations, and enterprise systems to enable rapid recovery without reliance on ransomware decryption (NIST, 2018).
• Establish supply chain cybersecurity requirements and communication protocols so that dependent organizations receive timely notification and can activate their own contingency plans during an incident (Burgess, 2025).
7. Diagrammatic representation of case study
The above Figure 7 demonstrates how ransomware propagates between IT systems and OT systems, disrupting manufacturing operations and, through them, the supply chain.
Key terms and definitions
The following Table 12 lists the key terms used throughout this case study. Each definition is written in plain language for easy understanding.

1. Scenario overview
Duvel Moortgat is a major Belgian brewery founded in 1871, headquartered in Puurs-Sint-Amands, Belgium. The company is known for producing iconic beer brands including Duvel, Maredsous, and La Chouffe. Duvel Moortgat operates four brewing facilities in Belgium and one in Kansas City, Missouri, in the United States through its subsidiary Boulevard Brewing Company. The brewery relies on interconnected IT systems for production management, inventory tracking, supply chain coordination, and enterprise resource planning across all its international sites (Greig, 2024).
The food and agriculture sector, which includes beverage production, is classified as one of 16 critical infrastructure sectors by the U.S. Department of Homeland Security. This sector is increasingly targeted by cybercriminals due to its reliance on operational technology (OT) and information technology (IT) systems that are vulnerable to cyberattacks (CISA, 2024). In 2021, the FBI issued warnings about ransomware groups specifically targeting the food and agriculture sector, noting that disruptions could have cascading effects on food supply chains (FBI, 2022).
On the night of March 5, 2024, the Stormous ransomware gang launched a ransomware attack on Duvel Moortgat Brewery, causing all production to halt at the company’s Belgian and U.S. facilities. The attackers claimed to have stolen 88 gigabytes of data from the brewery’s systems and demanded a ransom payment by March 25, 2024 (Gatlan, 2024).
2. Key assets at risk
• Production control systems managing brewing, bottling, and packaging operations across five facilities.
• Enterprise IT infrastructure including servers, databases, and internal communication systems
• Proprietary brewing data, recipes, and operational trade secrets
• Employee and human resources records, including accounting and payroll information
• Supply chain management systems coordinating ingredient procurement and distribution logistics
• Brand reputation and consumer trust in Duvel Moortgat’s portfolio of premium beer brands
3. Threat event
At approximately 1:30 AM on March 6, 2024, automated threat detection systems in Duvel Moortgat’s IT department flagged the presence of ransomware on the company’s network. Spokesperson Ellen Aerts confirmed that the IT team immediately initiated incident response procedures, shutting down servers across all sites to contain the spread of the malware. This decision brought production to a standstill at all four Belgian facilities and the Kansas City brewery in the United States (Gatlan, 2024).
The Stormous ransomware group, a pro-Russian cybercriminal organization, claimed responsibility for the attack. Stormous added Duvel Moortgat to its leak site on March 7, 2024, claiming to have exfiltrated 88 gigabytes of data and setting a ransom deadline of March 25, 2024. According to Cisco Talos research, Stormous had been collaborating with another hacking group called GhostSec since July 2023, jointly conducting double extortion ransomware attacks using the GhostLocker and StormousX ransomware programs against victims across more than 15 countries (Raghuprasad, 2024). The groups operated a ransomware-as-a-service (RaaS) platform called STMX_GhostLocker, which allowed affiliates to deploy ransomware or sell stolen data through their infrastructure (Raghuprasad, 2024).
The situation was further complicated when, on March 13, 2024, a second ransomware group called Black Basta also claimed to have stolen more than one terabyte of data from Duvel Moortgat and its U.S. subsidiary Boulevard Brewing, including accounting and human resources information. Duvel Moortgat refused to pay the ransom, and the stolen data was subsequently published on the attackers’ leak sites (Cyber-Plan, 2024). The Antwerp public prosecutor’s office opened an investigation into the cyberattack.
4. Impact analysis
Operational
The ransomware attack caused a complete production shutdown across all five of Duvel Moortgat’s brewing and bottling facilities in Belgium and the United States. Production at the main Puurs-Sint-Amands brewery was not restored until March 8, approximately three days after the attack was detected. During this period, no beer was brewed, bottled, or shipped from any facility. The company was forced to rely on existing inventory to fulfill orders. IT teams worked around the clock to restore systems, investigate the breach, and implement additional security measures before resuming operations (Gatlan, 2024).
Financial
The financial impact included direct costs from lost production revenue during the multi-day shutdown, IT incident response and forensic investigation expenses, system restoration costs, and potential legal liabilities related to the exfiltration of employee data. According to Kulkarni et al. (2025), ransomware attacks on the food and agriculture sector have resulted in ransom demands ranging from tens of thousands to millions of dollars, with the JBS Foods attack in 2021 resulting in an $11 million ransom payment. While Duvel Moortgat refused to pay the ransom, the indirect costs of operational downtime, data breach remediation, and reputational damage are significant.
Safety/Food supply
Although the Duvel Moortgat attack did not directly compromise food safety, it demonstrated how cyberattacks on the food and agriculture sector can disrupt supply chains. The FBI has warned that ransomware attacks on this sector risk causing shortages in food availability, particularly when attacks coincide with critical production periods (FBI, 2022). In a more extreme case in the same sector, a ransomware attack on a Swiss farm in November 2023 disabled livestock monitoring systems, leading to the death of a calf and the euthanasia of the mother cow, showing that cyberattacks on agriculture can directly endanger animal welfare and food production (James, 2024).
Reputational
The public disclosure of the attack, combined with the publication of stolen data on dark web leak sites by both Stormous and Black Basta, caused reputational harm to Duvel Moortgat. Extensive media coverage of the attack drew global attention to the brewery’s cybersecurity vulnerabilities. The fact that two separate ransomware groups claimed to have breached the company’s systems raised questions about the adequacy of its cybersecurity posture. For a premium brand built on heritage and trust, such exposure can erode consumer and business partner confidence (Kulkarni et al., 2025).
5. Cyber risk awareness/quantification
The following Table 13 provides a brief description of the overall risk evaluation.
| Factor | Rating | Explanation |
|---|---|---|
| Likelihood | High | The food and agriculture sector has experienced a significant increase in ransomware attacks, with the FBI documenting ransomware targeting six grain cooperatives during the 2021 harvest season alone (FBI, 2022). |
| Impact | High | Production was halted for three days across all facilities, 88 GB of data was exfiltrated, and a second ransomware group (Black Basta) also claimed to have stolen over 1 TB of data. |
| Overall risk | High | Beverage producers and food manufacturers are high-value targets due to their time-sensitive production schedules and the cascading effects of supply chain disruptions (Kulkarni et al., 2025). |
Simple cost example
Assuming Duvel Moortgat’s five facilities generate combined daily revenue of approximately $1.5 million and production was halted for 3 days: $1,500,000 × 3 days = $4.5 million in lost production revenue.
This figure does not include IT forensic investigation costs, system restoration expenses, legal fees, employee data breach notification costs, or long-term reputational losses.
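The simplified risk model and the simple cost examples in this article (the JLR weekly shutdown cost, the Flagstar Bank per-customer identity monitoring, the Duvel Moortgat daily revenue loss, and the Colonial Pipeline ransom), as an added example that is not part of the article: a short Python script that encodes the ratings and cost inputs so students can change one assumption and see how the rating and the estimate move. The "take the higher rating" rule for combining likelihood and impact is an assumption of this example; it reproduces every combination shown in the case-study tables.

```python
"""
Added example (not from the article): the article's simplified risk-analysis
model as code. Rating rule and data layout are this example's assumptions;
the cost inputs are the figures given in the case studies' cost examples.
"""
from dataclasses import dataclass, replace
from typing import Dict, List

# Ordinal rating scale used by the case-study tables (lowest to highest).
LEVELS = ("Low", "Medium", "High", "Critical")


def overall_risk(likelihood: str, impact: str) -> str:
    """Combine the two ratings into an overall rating.

    Rule (assumed for this example): take the higher of the two ratings.
    This matches the tables: High + Critical -> Critical (Colonial, JLR)
    and High + High -> High (Flagstar, Duvel).
    """
    for rating in (likelihood, impact):
        if rating not in LEVELS:
            raise ValueError(f"unknown rating: {rating!r}")
    return LEVELS[max(LEVELS.index(likelihood), LEVELS.index(impact))]


@dataclass(frozen=True)
class CostInputs:
    """Inputs for a 'simple cost example'; amounts are in the case's own currency."""
    ransom: float = 0.0
    downtime_rate: float = 0.0        # lost revenue per day or per week
    downtime_units: float = 0.0       # number of days or weeks halted
    per_person_monthly: float = 0.0   # e.g. identity monitoring, per person per month
    people: int = 0
    months: int = 0


def cost_breakdown(c: CostInputs) -> Dict[str, int]:
    """Each direct-cost component, rounded to whole currency units."""
    return {
        "ransom": round(c.ransom),
        "lost_production": round(c.downtime_rate * c.downtime_units),
        "per_person_remediation": round(c.per_person_monthly * c.people * c.months),
    }


def total_cost(c: CostInputs) -> int:
    return sum(cost_breakdown(c).values())


def what_if(c: CostInputs, **changes) -> int:
    """Total after changing one or more inputs, for classroom sensitivity questions."""
    return total_cost(replace(c, **changes))


# The cost examples from the article, as data (currency noted per case).
CASES = {
    "Colonial Pipeline (USD)": ("High", "Critical", CostInputs(ransom=4_400_000)),
    "Flagstar Bank (USD)": ("High", "High",
                            CostInputs(per_person_monthly=20, people=837_390, months=24)),
    "Jaguar Land Rover (GBP)": ("High", "Critical",
                                CostInputs(downtime_rate=50_000_000, downtime_units=5)),
    "Duvel Moortgat (USD)": ("High", "High",
                             CostInputs(downtime_rate=1_500_000, downtime_units=3)),
}


def risk_register() -> List[dict]:
    """One row per case: ratings, combined rating and direct-cost estimate."""
    rows = []
    for name, (likelihood, impact, inputs) in CASES.items():
        rows.append({
            "case": name,
            "likelihood": likelihood,
            "impact": impact,
            "overall": overall_risk(likelihood, impact),
            "direct_cost": total_cost(inputs),
        })
    return rows


if __name__ == "__main__":
    for row in risk_register():
        print(f"{row['case']:<26} {row['overall']:<9} {row['direct_cost']:>14,}")
    # Sensitivity question: what if the JLR shutdown had lasted two weeks, not five?
    jlr = CASES["Jaguar Land Rover (GBP)"][2]
    print("JLR at 2 weeks:", f"{what_if(jlr, downtime_units=2):,}")
```

The Colonial row carries only the ransom, because the 600 million gallons of disrupted fuel in that example is a volume, not a currency amount, and is left out of the monetary total.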
6. Best practices/mitigation
• Deploy endpoint detection and response (EDR) systems across all production and IT environments to detect ransomware activity early, as Duvel’s automated threat detection enabled rapid response (CISA, 2024).
• Implement network segmentation to isolate production OT systems from corporate IT networks, preventing lateral movement of ransomware across facilities.
• Maintain regular offline backups of critical production data and enterprise systems to enable rapid recovery without paying ransom demands (CISA, 2024).
• Enforce multi-factor authentication (MFA) on all remote access points, VPNs, and privileged accounts to reduce the risk of unauthorized access (CISA, 2024).
• Develop and regularly test an incident response plan that includes procedures for multi-site shutdowns, communication protocols, and coordination with law enforcement agencies.
• Conduct regular cybersecurity awareness training for all employees, focusing on recognizing phishing attempts and social engineering tactics commonly used by ransomware groups (Kulkarni et al., 2025).
7. Diagrammatic representation of case study
The above Figure 8 represents the propagation of ransomware between the IT and OT systems of food production operations, causing supply chain disruptions.
Key terms and definitions
The following Table 14 lists the key terms used throughout this case study. Each definition is written in plain language for easy understanding.

1. Scenario overview
Change Healthcare is a large healthcare technology and payments company and a subsidiary of UnitedHealth Group, one of the largest healthcare companies in the world. Change Healthcare operates as the largest medical claims clearinghouse in the United States, processing approximately 15 billion healthcare transactions annually and touching one in every three patient records. The company handles an estimated $2 trillion in annual medical claims, representing approximately 44% of all funds flowing through the U.S. medical system. About 189,000 medical providers rely on its software and services for eligibility verification, prior authorization, claims processing, and payment facilitation (Fliegelman & Stemp, 2024).
The American Hospital Association (AHA) has described Change Healthcare as the predominant source for “more than 100 critical functions that keep the healthcare system operating” (AHA, 2024a). Because of this central role, Change Healthcare functions as a single point of failure in the U.S. healthcare system. A court filing made by the Department of Justice quoted Change Healthcare as stating that “the healthcare system, and how payers and providers interact and transact, would not work without Change Healthcare” (Fliegelman & Stemp, 2024).
On February 21, 2024, the ALPHV/BlackCat ransomware gang launched a devastating ransomware attack on Change Healthcare, encrypting the company’s systems and stealing up to 6 terabytes of sensitive data, including patient Social Security numbers, medical records, and information on active military personnel. The attack disrupted healthcare operations across the entire United States and has been described as “the most significant and consequential incident of its kind against the U.S. healthcare system in history” (AHA, 2024a).
2. Key assets at risk
• Protected health information (PHI) of an estimated 190 million individuals, including medical records, diagnoses, and treatment information
• Personally identifiable information (PII), including patient Social Security numbers, dates of birth, and addresses
• Financial and insurance data, including claims records, payment information, and coverage details
• Claims clearinghouse infrastructure processing 15 billion annual healthcare transactions
• Eligibility verification, prior authorization, and electronic payment systems used by 189,000 medical providers
• The operational continuity of the entire U.S. healthcare payment ecosystem, including hospitals, pharmacies, and physician practices
3. Threat event
The attack began on February 12, 2024, when the ALPHV/BlackCat ransomware group gained initial access to Change Healthcare’s systems using stolen credentials. According to testimony by UnitedHealth Group CEO Andrew Witty before the U.S. Congress, the attackers used the compromised credentials to remotely access a Change Healthcare Citrix portal that enabled remote desktop access. Critically, this portal did not have multi-factor authentication (MFA) enabled, allowing the attackers to gain access with stolen credentials alone. As Senator Ron Wyden summarized, “This hack could have been stopped with cybersecurity 101” (Hyperproof, 2026).
After gaining initial access, the attackers moved laterally within Change Healthcare’s network for nine days, exfiltrating approximately 6 terabytes of data before deploying ransomware on February 21, 2024, which encrypted the company’s systems. Change Healthcare detected the attack on February 21, disconnected its networks, and took all operations offline. The ALPHV/BlackCat group claimed responsibility for the attack on February 26 and stated it had stolen patient Social Security numbers, medical records, and information on active military personnel. UnitedHealth Group, through its subsidiary Optum, paid a $22 million ransom in Bitcoin on March 3 to secure the deletion of the stolen data. However, the ransomware group performed an exit scam, and the payment did not secure the data (Alder, 2026).
The situation worsened in April 2024 when a second ransomware group, RansomHub, claimed to have obtained the stolen data from a former ALPHV affiliate and issued an additional extortion demand, threatening to sell the data to the highest bidder. RansomHub leaked screenshots that appeared to include Change Healthcare patient files. The demand was later removed from RansomHub’s website, though it remains unclear whether a second ransom was paid (Hyperproof, 2026).
4. Impact analysis
Operational
The attack caused an immediate and nationwide disruption to the U.S. healthcare system. When Change Healthcare took its systems offline, hospitals could not verify patient insurance eligibility, pharmacies could not process prescriptions, and physicians could not submit claims or receive payments for services rendered. The AHA reported that nearly 94% of hospitals experienced financial repercussions from the attack (AHA, 2024b). According to Kodiak Solutions, the value of claims submitted dropped by $6.3 billion across its 1,850 hospitals and 250,000 physician clients in just the first three weeks after the attack. UnitedHealth reported that it took months to restore full functionality, with 99% of pharmacy network services restored by March 18, 2024, while other systems took significantly longer (Hyperproof, 2026).
Financial
The financial impact of the Change Healthcare attack has been staggering. UnitedHealth Group reported $872 million in losses in Q1 2024 alone. By the end of Q3 2024, the total cyberattack cost had risen to $2.457 billion, including $1.521 billion in direct response costs. The total anticipated cost for 2024 was revised to $2.87 billion. UnitedHealth Group advanced more than $9 billion to struggling healthcare providers to mitigate the cash flow crisis caused by the disruption. Large health systems reported losing more than $100 million per day during the outage. An American Medical Association survey revealed that 80% of physician practices lost revenue from unpaid claims (Healthcare IT, 2024).
Safety/patient care
The disruption to claims processing and eligibility verification directly endangered patient care. Patients experienced delays in receiving medications as pharmacies could not verify insurance coverage. Hospitals postponed elective procedures due to uncertainty about reimbursement. The financial strain was particularly severe for smaller practices and rural hospitals, with some facing the risk of closure due to prolonged inability to process claims and receive payments. The AHA warned that the attack endangered patients and threatened the solvency of U.S. healthcare providers across the country (AHA, 2024a).
Reputational and legal
The breach triggered massive legal and regulatory consequences. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) launched an investigation into potential HIPAA violations. By June 2024, a judicial panel had consolidated over 50 federal lawsuits into a single multidistrict litigation case in Minnesota (MDL No. 3108). Multiple state attorneys general, beginning with Nebraska, filed lawsuits against Change Healthcare. U.S. Senators demanded answers from UnitedHealth Group CEO Andrew Witty, and Senator Mark Warner introduced legislation proposing cybersecurity conditions for Medicare payments during cyberattacks. The revelation that the breach was caused by the absence of basic multi-factor authentication on a critical access portal drew widespread criticism of UnitedHealth Group’s cybersecurity posture (Hyperproof, 2026).
5. Cyber risk awareness/quantification
Table 15 gives a brief evaluation of the overall risk of this case study.
Simple cost example
UnitedHealth Group reported total cyberattack costs of $2.87 billion for 2024, broken down as follows:
• $1.521 billion in direct response costs (forensics, system restoration, notifications) + $22 million ransom payment + $9 billion in provider advances + legal fees and regulatory costs = $2.87 billion in total reported costs for 2024
• This figure does not account for the broader economic harm to the healthcare system, including the $6.3 billion drop in claims submissions in just the first three weeks, revenue losses suffered by 94% of U.S. hospitals, or the long-term costs of ongoing litigation and regulatory penalties.
6. Best practices/mitigation
• Enforce multi-factor authentication (MFA) on all remote access points, VPNs, and Citrix portals without exception. The absence of MFA on a single Citrix portal was the root cause of the Change Healthcare breach (Hyperproof, 2026).
• Implement network segmentation to prevent lateral movement, ensuring that an attacker who compromises one system cannot move freely across the entire network for days without detection (Fliegelman & Stemp, 2024).
• Deploy advanced endpoint detection and response (EDR) systems with behavioral analysis capabilities to detect data exfiltration and lateral movement before ransomware is deployed. Furthermore, maintain immutable, offline backups of all critical systems and data, tested regularly for recovery readiness, to enable rapid restoration without reliance on ransom payment (Cybersecurity, 2018).
• Develop business continuity plans that account for extended outages of critical third-party service providers, including alternative claims processing and payment pathways (AHA, 2024a).
• Conduct regular third-party risk assessments to identify single points of failure in the healthcare supply chain, and establish redundant systems or alternative providers for critical functions (Fliegelman & Stemp, 2024).
• Use the identify, protect, detect, respond, and recover framework functions to maintain business continuity (Cybersecurity, 2018).
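As an added illustration of the simplified risk-analysis model in Section 5 (the Table 15 likelihood/impact rating) and of the redundancy and continuity recommendations in this section, the following Python example rates overall risk from qualitative inputs and measures how many providers lose every claims pathway when one clearinghouse goes offline. It is not code from the paper; the rating rule, the provider names and the routing tables are constructed assumptions.

```python
"""Simplified risk-analysis helpers for the Change Healthcare case study.
Added educational example, not code from the paper; the rating rule, the
provider names and the routing tables are constructed assumptions."""

LEVELS = ["Low", "Medium", "High", "Critical"]


def overall_risk(likelihood: str, impact: str) -> str:
    """Combine qualitative likelihood and impact into an overall rating.
    Assumed rule (not the paper's): add the two level indices and bucket
    the sum, so High likelihood + Critical impact -> Critical (Table 15)."""
    score = LEVELS.index(likelihood) + LEVELS.index(impact)  # 0..6
    if score <= 1:
        return "Low"
    if score <= 3:
        return "Medium"
    if score == 4:
        return "High"
    return "Critical"


def disrupted_providers(routes: dict, failed: set) -> list:
    """Providers that cannot submit claims once every clearinghouse they
    route through is offline. `routes` maps provider -> list of usable
    clearinghouses; a single-homed provider is a single point of failure."""
    return sorted(p for p, paths in routes.items()
                  if all(c in failed for c in paths))


def disruption_share(routes: dict, failed: set) -> float:
    """Fraction of providers disrupted, rounded to two decimals."""
    return round(len(disrupted_providers(routes, failed)) / len(routes), 2)


# Constructed provider list; most route claims through one clearinghouse only.
SINGLE_HOMED = {
    "Rural Hospital A": ["ChangeHealthcare"],
    "Pharmacy B": ["ChangeHealthcare"],
    "Clinic C": ["ChangeHealthcare"],
    "Health System D": ["ChangeHealthcare", "BackupClearinghouse"],
    "Clinic E": ["OtherClearinghouse"],
}

# Same providers after the continuity recommendation: every single-homed
# provider gains an alternative claims pathway.
WITH_BACKUPS = {p: paths if len(paths) > 1 else paths + ["BackupClearinghouse"]
                for p, paths in SINGLE_HOMED.items()}
```

With the constructed list, taking ChangeHealthcare offline disrupts 60% of providers before backups are added and none afterwards; a second failure of the shared backup would still reach 80%, which is why the paper recommends assessing the whole supply chain rather than one vendor.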
7. Diagrammatic representation of case study
Figure 9 shows diagrammatically how credential compromise leads to a data breach and ransomware infection, causing disruptions across the national healthcare system.
Table 15. Overall risk evaluation for the Change Healthcare case study.
| Factor | Rating | Explanation |
|---|---|---|
| Likelihood | High | Healthcare has been one of the most targeted sectors for ransomware attacks. Between 2020 and 2024, healthcare data breaches increased year over year, with 2024 seeing breaches affecting over 289 million individuals (Alder, 2026). |
| Impact | Critical | An estimated 190 million individuals had their data compromised, 94% of U.S. hospitals experienced financial repercussions, and total costs exceeded $2.87 billion. The attack disrupted the entire U.S. healthcare payment ecosystem. |
| Overall Risk | Critical | Change Healthcare’s role as a single point of failure in the healthcare system means that a single breach can paralyze claims processing, eligibility verification, and payments for the majority of U.S. healthcare providers (Fliegelman & Stemp, 2024). |

Key terms and definitions
Table 16 lists the key terms used throughout this case study. Each definition is written in plain language for easy understanding.

This study does not involve human subjects, collect personal data, or include any form of intervention. All case studies presented in this work are based on publicly available information, open-source reports, and illustrative hypothetical scenarios created for educational purposes. No identifiable student data, teacher data, or institutional records were used. Because the research relies solely on secondary sources and constructed examples designed to build cyber awareness among Grades 9–12 students, formal ethics approval and informed consent were not required.
No data was generated or analyzed in this study. The work is based on publicly available information and illustrative case-study examples used solely for educational purposes.