Intellectual Property Protection Archives

Business, IT CyberSecurity, SecurityDecember 27, 2025December 27, 2025

When the Fire Took Everything: A Data Center Disaster That Destroyed Backups Too

The Night Everything Burned

It was just after midnight on March 10, 2021, in Strasbourg, France. A fire broke out at a facility operated by OVHcloud—Europe’s largest cloud hosting provider and the third-largest in the world. Thousands of businesses trusted OVHcloud to keep their websites running, their applications online, and their data safe.

Within hours, one building was completely destroyed and several others were damaged. Hundreds of businesses across Europe woke up to discover their websites were down. Their applications weren’t working. Their data was gone.

The shocking part wasn’t that a fire happened. Fires happen. The shocking part was how many businesses lost everything—not because they didn’t have backups, but because their backups burned alongside their primary data.

Same building. Same fire. Same outcome.

Take Our 2-Minute Security Assessment

The Backup That Wasn’t Really a Backup

Bati Courtage, a French insurance brokerage company, had been paying OVHcloud for backup services. They believed their data was protected. Their contract stated that backups were “physically isolated from the infrastructure.”

They weren’t.

When the fire destroyed the data center, Bati Courtage discovered that their backup servers were in the same building as their production servers. A decade of business data—client records, transaction histories, the SEO rankings they’d built over years—was gone.

They weren’t alone. Another company, BluePad, a project management software provider, had been told their production server was in one building and their backup server was in another. After the fire, they learned both were actually in the same building that burned.

Both companies sued OVHcloud. Both won. The French court awarded over €400,000 in combined damages, finding that the hosting provider had failed to deliver on its promise of physically isolated backups.

A Major Provider, A Major Failure

This wasn’t some small, obscure hosting company. OVHcloud serves tens of thousands of businesses across Europe and beyond. Their customers included the French government, the UK’s Vehicle Licensing Agency, and the European Space Agency.

The company had been praised as an innovator, using advanced cooling designs and offering competitive cloud services. But when the fire struck, many customers discovered that their “backup” services weren’t what they assumed.

Some customers had been paying for backup servers that were housed in the same facility as their primary servers—sometimes even in the same building. When investigators later examined the situation, they found that OVHcloud’s backup architecture varied by service tier, and many customers simply didn’t realize their backups weren’t geographically separated.

After the fire, OVHcloud’s founder announced that all customers would receive backups by default in the future, acknowledging that the incident “will change the standard of the industry.” But for businesses that had already lost everything, that promise came too late.

The Statistics Nobody Wants to Think About

The OVHcloud fire was dramatic, but it illustrated a problem that affects businesses of all sizes, everywhere.

According to FEMA, 40% of businesses never reopen after a major disaster. Another 25% fail within one year. The Small Business Administration estimates that closer to 90% of businesses fail within two years of being struck by a disaster they can’t recover from quickly.

The key phrase there is “can’t recover from quickly.” FEMA data shows that 90% of businesses that can’t resume operations within five days of a disaster will fail within a year.

The difference between surviving a disaster and closing your doors often comes down to one question: Can you actually recover your data?

The Backup Proximity Problem

The OVHcloud victims made the same mistake countless organizations make: they assumed “backup” meant “protected.”

But backup frequency doesn’t matter if your backup is destroyed by the same event that destroys your primary data.

This mistake takes many forms:

Primary server and backup server in the same building
Backup drives stored in a desk drawer near the computers they back up
“Cloud backup” that’s actually a NAS in the office closet
“Offsite backup” that’s in a different room of the same building

When disaster hits a location, everything in that location is at risk. Fire doesn’t respect which server is primary and which is backup. Floodwater doesn’t avoid the shelf where you keep the backup drives. A burst pipe doesn’t care about your disaster recovery plan.

The 3-2-1 Rule Exists for a Reason

The 3-2-1 backup rule has been around for decades because it works:

3 copies of your data. Your primary copy plus two backups. One copy isn’t backup—it’s just the only copy with a different label.
2 different types of media. Not everything on the same type of hard drive. If that drive type has a flaw, all your copies fail together.
1 copy offsite. Genuinely offsite. Different building. Different city, ideally. Geographically separated from the threats that could affect your primary location.

For modern organizations, “offsite” usually means cloud backup—real cloud backup, with data stored in professionally managed data centers with their own redundancy, security, and geographic separation from your primary location.

What Effective Disaster Protection Looks Like

The companies that survived the OVHcloud fire weren’t lucky. They were prepared. They had their data replicated to geographically distant locations. When the fire destroyed the Strasbourg facility, they switched to their backup infrastructure and kept operating.

Effective disaster protection includes:

Geographic redundancy. Data stored in multiple locations, far enough apart that a single event can’t destroy them all.
Automatic, continuous backup. Not something someone has to remember to do. Systems that back up constantly without human intervention.
Encryption in transit and at rest. Your data should be encrypted before it leaves your systems and remain encrypted in the cloud.
Tested recovery. Backups that can’t be restored aren’t backups—they’re false confidence. Regular testing confirms your backups actually work.
Reasonable recovery time. How long would it take to get back to operational? An hour? A day? A week? Know the answer before you need it.

Physical Threats Beyond Fire

We spend so much time worrying about cyber threats that we forget data has to exist somewhere physical. Servers are machines. Hard drives are objects. They can be destroyed by the same things that destroy any physical object:

Burst pipes, roof leaks, flooding, sprinkler malfunctions, HVAC condensation.
Electrical fires, building fires, fires in adjacent spaces.
Environmental failures. Air conditioning breaks down, equipment overheats, temperature extremes destroy storage media.
Power events. Surges, outages, inconsistent power can damage equipment instantly or degrade it over time.
Human accidents. Someone trips over a power cable. A contractor drills through wiring. A cleaning crew unplugs something they shouldn’t.
Natural disasters. Earthquakes, hurricanes, tornadoes. San Diego doesn’t get hurricanes, but earthquakes are very real.

Questions For Your Organization

Think about where your data physically exists and ask:

If something destroyed our office tonight, where would our backup be?
Is our backup actually offsite, or just in a different room?
When was the last time someone tested whether we could restore from backup?
What physical threats exist to our data that we haven’t thought about?
How long would it take us to be operational again if we lost everything on-site?

The answers reveal whether you’re protected from physical disasters or just hoping they won’t happen.

The Lesson from Strasbourg

The companies that lost everything in the OVHcloud fire weren’t careless. Many of them were paying for backup services. They believed they were protected.

They learned the hard way that backup frequency doesn’t matter if backup location is wrong.

The court cases that followed established an important principle: if a service provider promises isolated backups, they need to actually be isolated. But the legal victory was cold comfort for businesses that lost years of data.

The better approach is making sure you never need that legal victory in the first place.

Take Our 2-Minute Security Assessment

centrexIT has helped San Diego organizations build disaster-resilient backup systems since 2002. If you’re not sure whether your backups would survive a disaster at your location, let’s find out together.

Sources

Data Center Dynamics: “The OVHcloud fire still smolders” (March 2024)
Blocks and Files: “OVHcloud must pay damages for lost backup data” (March 2023)
Uptime Institute: “Learning from the OVHcloud data center fire” (March 2021)
FEMA: Business disaster statistics (2018)
Milken Institute: “Improving Small Business Disaster Response and Recovery”
Invenio IT: “Disaster Recovery Statistics” (September 2025)

IT security team monitoring systems and reviewing backup restoration logs after successfully recovering from a ransomware attack without paying the ransom

Business, IT CyberSecurity, SecurityDecember 23, 2025December 23, 2025

The Tide Is Turning: Ransomware Victims Are Fighting Back—and Winning

Three Out of Four Are Saying No

For years, the ransomware story has been relentlessly grim. Hospitals paralyzed. Schools shuttered. Businesses bankrupted. Every headline reinforced the same terrifying message: the criminals are winning, and there’s nothing you can do about it.

That story is no longer true. Things are getting better.

In the third quarter of 2025, incident response firm Coveware reported that only 23 percent of ransomware victims paid—the lowest rate ever recorded. That means more than three out of four organizations were able to restore operations and manage the crisis without funding the criminals.

This isn’t luck. It’s the result of organizations partnering with managed IT providers who implemented the fundamentals: tested backups, 24/7 monitoring, and incident response plans that actually work.

Take Our 2-Minute Security Assessment

The Numbers Tell the Story

The ransomware economy is in serious trouble—and not because criminals stopped trying.

In Q3 2025, the average ransom payment dropped 66 percent from the previous quarter to $376,941. The median payment fell 65 percent to $140,000. For attacks involving only data theft—no encryption—the payment rate dropped to just 19 percent.

Blockchain analysis firm Chainalysis reported that total ransomware payments fell from $1.1 billion in 2023 to $813.6 million in 2024—a 35 percent drop. This happened even as the number of attacks increased. More victims, less money. The criminals’ business model is breaking.

Meanwhile, Sophos found that 97 percent of organizations whose data was encrypted were able to recover it. The days when encryption meant certain doom are ending—for organizations that prepared.

What Changed: The Rise of Managed Security

Three forces have converged to shift the balance of power—and all three point to the value of professional IT management.

Managed Backup and Disaster Recovery

For years, “we have backups” was the answer organizations gave when asked about ransomware resilience. The problem was that many of those backups didn’t actually work when needed. They were connected to the same network the ransomware encrypted. They hadn’t been tested. They couldn’t be restored quickly enough to matter.
Organizations working with managed IT providers changed that equation. Professional backup solutions include air-gapped storage, immutable backups that can’t be encrypted, and—crucially—regular restoration testing. When ransomware hits, these organizations can actually recover. The criminals’ leverage disappears.
This is exactly the kind of backup infrastructure that managed service providers have been building for clients for years. The organizations that listened are the ones refusing to pay today.

24/7 Monitoring and Early Detection

The average ransomware attack doesn’t announce itself. It starts with a quiet intrusion—a compromised credential, a phishing email that worked, an unpatched vulnerability. What happens next depends entirely on whether anyone is watching.

Organizations with 24/7 security monitoring—the kind provided by managed IT and security operations centers—catch attacks in hours instead of weeks. That’s the difference between a contained incident and a full-blown catastrophe. When you detect the intrusion before the ransomware deploys, you’ve already won.

Small and mid-sized businesses can’t staff a security operations center themselves. But they can partner with providers who do it for them.

Incident Response Planning That’s Actually Been Tested

When ransomware hits, the first 60 minutes determine everything. Who gets called? What gets shut down? Where are the backups? Who has authority to make decisions?

Organizations that work with managed IT providers have answers to these questions before they need them. They’ve documented their response plans. They’ve tested them. They know exactly what to do when the call comes at 3 AM—and they have a partner who answers that call.

There’s also growing awareness that paying rarely delivers what victims hope for. According to Halcyon’s Q4 2024 research, 84 percent of organizations that paid ransoms still failed to fully recover their data. The promise of “pay and get your data back” has proven to be largely false.

A State That Refused to Pay

In late 2024, the state of Nevada discovered that ransomware had infiltrated its systems. The attack had actually begun months earlier, when an employee accidentally downloaded malicious software. By the time it was discovered, the attackers had established a significant presence.

Nevada didn’t pay.

“Nevada’s teams protected core services, paid our employees on time, and recovered quickly—without paying criminals,” Governor Joe Lombardo said. “This is what disciplined planning, talented public servants, and strong partnerships deliver.”

The state spent approximately $1.5 million on recovery—real money, but a fraction of what ransom payments typically cost. More importantly, they didn’t fund the criminals who attacked them or paint a target on their back for future attacks.

This is what preparation looks like in practice. Not immunity from attack—that doesn’t exist—but the ability to survive without surrendering.

The Real Lesson

The organizations refusing to pay aren’t the ones with unlimited budgets or armies of in-house security staff. They’re the ones who partnered with the right IT providers and took the fundamentals seriously before the attack happened.

They implemented managed backup solutions that actually work—and tested them regularly. They invested in monitoring that catches threats around the clock. They built incident response plans with their IT partners and practiced them. They made the hard decisions about what systems were critical and how to protect them.

None of this is glamorous. It doesn’t make headlines until it saves an organization from disaster. But it’s the difference between being a victim who pays and a victim who recovers.

What This Means for Your Organization

The data is clear: preparation works. Organizations that invested in professional IT management and resilience are successfully refusing to pay ransoms. The criminals know this—which is why they’re increasingly targeting the organizations that haven’t prepared.

Ask yourself: If ransomware hit your systems tonight, would you have a choice? Or would paying be the only option?

If you’re not sure, that’s your answer.

The good news is that it’s not too late. The same investments that are helping organizations refuse to pay are available to you: managed backup with tested restoration, 24/7 monitoring, incident response planning. None of it requires building an in-house security team—just a decision to work with partners who take this seriously.

The tide is turning. The question is whether you’ll be ready to swim with it.

Take Our 2-Minute Security Assessment

Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/

centrexIT has helped organizations build ransomware resilience since 2002. If you want to be among the organizations that can refuse to pay, let’s find out where you stand.

Sources

Coveware: Q3 2025 Ransomware Report – Payment rate and payment amount statistics (October 2025)

Chainalysis: 2025 Crypto Crime Report – Annual ransomware payment totals (February 2025)

Sophos: The State of Ransomware 2025 – Recovery and encryption statistics

Halcyon: Q4 2024 Ransomware Report – Post-payment recovery statistics

SecurityWeek: “Ransomware Payments Dropped in Q3 2025: Analysis” (October 27, 2025)

Carrier Management: “Nevada Ransomware Attack” (November 2025)

Business, IT CyberSecurityDecember 19, 2025

FBI Most Wanted: Inside the LockBit Ransomware Gang

The $10 Million Question

The FBI doesn’t offer $10 million rewards for petty criminals. That bounty is reserved for terrorists, cartel leaders, and the most dangerous threats to national security.

In 2024, that list includes a ransomware gang called LockBit.

The group has attacked over 2,000 organizations worldwide, extracted more than $120 million in ransom payments, and caused billions in damages. Their victims include hospitals, schools, government agencies, and critical infrastructure.

The FBI wants them badly enough to pay $10 million for information leading to their arrest.

Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/

How LockBit Became the World’s Most Wanted

LockBit emerged in 2019 and quickly became the most prolific ransomware operation in the world. Their business model is brutally efficient:

Ransomware-as-a-Service. LockBit doesn’t conduct every attack themselves. They provide the ransomware, the infrastructure, and the negotiation services. “Affiliates” do the actual hacking and split the profits. It’s a franchise model for cybercrime.

Speed matters. LockBit’s ransomware encrypts files faster than competitors. That matters because faster encryption means less chance of detection and interruption. By the time someone notices something’s wrong, the damage is done.

Double extortion. They don’t just encrypt your files—they steal them first. If you won’t pay to decrypt, maybe you’ll pay to prevent your data from being published. They run a leak site where they publicly shame victims and release stolen data.

Professional operations. LockBit runs like a business. They have a bug bounty program offering $1 million to anyone who can identify their leadership. They issue press releases. They provide “customer service” to victims negotiating payments.

The Takedown That Didn’t Stick

In February 2024, law enforcement agencies from ten countries announced Operation Cronos, a major takedown of LockBit infrastructure. They seized servers, arrested affiliates, and even took over the group’s leak site to post taunting messages.

For a few days, it looked like LockBit was finished.

They weren’t. Within days, LockBit had new infrastructure online and was back to attacking victims. Their leader, known by the alias “LockBitSupp,” posted defiant messages mocking law enforcement.

The $10 million bounty is still active because the core leadership remains free.

Why This Matters to Your Organization

You might think ransomware gangs target big fish—major corporations, government agencies, critical infrastructure. They do. But they also target healthcare clinics, school districts, small manufacturers, law firms, accounting practices, and nonprofits.

LockBit affiliates don’t necessarily choose targets strategically. They look for vulnerable organizations—any organization—and exploit them. Your size doesn’t protect you. Your industry doesn’t protect you. Only your security posture protects you.

How LockBit Gets In

Understanding how these attacks happen is the first step to preventing them:

Phishing emails. Still the most common entry point. One employee clicks one bad link, and the attackers have a foothold.

Stolen credentials. Passwords from previous breaches get reused. Credentials bought on dark web marketplaces provide instant access.

Unpatched vulnerabilities. Known security flaws that haven’t been fixed. Attackers scan the internet for vulnerable systems constantly.

Remote access exploitation. VPNs, remote desktop services, and other remote access tools with weak security or known vulnerabilities.

Supply chain access. Compromising a vendor or partner who has legitimate access to your network.

What Makes Organizations Resilient

The organizations that survive ransomware attacks—or avoid them entirely—share common characteristics:

They assume breach will happen. Instead of just trying to prevent attacks, they prepare to survive them. Backups, incident response plans, communication strategies.

They maintain offline backups. Ransomware specifically targets backup systems. If your backups are connected to your network, they’ll be encrypted too. Offline, tested backups are the difference between a bad week and a business-ending event.

They segment their networks. If attackers get into one area, they shouldn’t have easy access to everything. Segmentation limits blast radius.

They keep systems updated. Most ransomware exploits known vulnerabilities with available patches. Regular, prompt patching eliminates the easy entry points.

They train their people. Since phishing is the most common entry point, employees who can recognize and report suspicious emails provide a critical defense layer.

The Reality of the Threat

LockBit is the most prominent ransomware gang, but they’re not the only one. If LockBit disappeared tomorrow, others would fill the gap. The ransomware-as-a-service model has proven too profitable to abandon.

The question isn’t whether ransomware groups will try to attack your organization. The question is whether you’ll be prepared when they do.

The FBI is offering $10 million to stop LockBit. You don’t need $10 million. You need good security practices, tested backups, and a plan for when things go wrong.

Take Our 2-Minute Security Assessment

centrexIT helps San Diego organizations build ransomware resilience before they become targets. If you’re not sure how your organization would survive a LockBit attack, let’s find out together.

Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/

Sources

U.S. Department of State — “Reward for Information: LockBit Ransomware as a Service (RaaS)” — Confirms the $10 million reward and details on LockBit’s 2,000+ attacks and $144 million in ransom payments. state.gov

U.S. Department of Justice — “U.S. Charges Russian National with Developing and Operating LockBit Ransomware” (May 7, 2024) — Announces indictment of Dmitry Yuryevich Khoroshev and confirms LockBit targeted more than 2,000 victims, stealing over $500 million.

UK National Crime Agency — “LockBit leader unmasked and sanctioned” (May 2024) — Details on Operation Cronos, the February 2024 international takedown, and data showing 7,000+ attacks between June 2022 and February 2024. nationalcrimeagency.gov.uk

FBI / CISA — Joint Cybersecurity Advisory on LockBit ransomware — Confirms LockBit as the most deployed ransomware variant globally in 2022-2023.

Split scene showing an office workspace merging with a home interior, illustrating how network intruders make themselves at home inside your systems just like someone secretly living in your house.

Business, IT CyberSecurityDecember 17, 2025

The 204-Day Problem: Why Attackers Live Inside Your Network for Months

The Intruder in Your House

Imagine someone broke into your house. But instead of stealing something and leaving, they moved into your attic. They came and went through a back window you didn’t know was unlocked. They watched your routines. They went through your files. They copied your keys.

For 204 days. Scary right?

That’s not a horror movie scenario. It’s the average amount of time attackers spend inside a compromised network before anyone notices, according to industry research. Nearly seven months of access, observation, and preparation.

By the time the ransomware deploys or the data theft is discovered, the real damage has been happening for months.

Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/

What Attackers Do While You Don’t Know They’re There

Modern cyberattacks aren’t smash-and-grab operations. Sophisticated attackers are patient. They want to maximize their access before they’re detected. Here’s what happens during those 204 days:

Days 1-14: Establishing Persistence. The initial breach might happen through a phishing email, a stolen password, or an unpatched vulnerability. But the first thing attackers do after getting in is make sure they can get back in. They create additional accounts, install backdoors, and establish multiple pathways into the network. If you find and close one door, they still have three more.

Days 15-60: Reconnaissance. Now they start exploring. What systems are connected to what? Where is the sensitive data stored? Who has administrative access? What backup systems exist, and how are they connected? They’re building a map of your entire infrastructure—often a better map than your own IT team has.

Days 61-150: Privilege Escalation. With their map in hand, attackers work on getting more access. They capture credentials. They exploit misconfigurations. They move from a regular user account to an admin account to a domain admin account. By the time they’re done, they often have more access than your CEO.

Days 151-204: Preparation. Now they’re ready. They’ve identified your backup systems and figured out how to disable them. They’ve located your most sensitive data and started quietly exfiltrating it. They’ve positioned ransomware across your network, ready to encrypt everything simultaneously. They’re just waiting for the right moment.

Why Detection Takes So Long

If attackers are active in your network for seven months, why doesn’t anyone notice? Several reasons:

They look like normal users. Attackers use legitimate credentials and legitimate tools. To your security systems, they look like an employee logging in and doing their job.

They’re patient. They don’t move large amounts of data at once. They don’t make sudden changes. They work slowly enough that nothing triggers alarms.

Most organizations don’t look. Many companies don’t have 24/7 security monitoring. They don’t have systems that correlate unusual activities. They don’t have people actively hunting for threats. If no one’s looking, no one finds anything.

The Real Cost of Dwell Time

Every day an attacker spends in your network increases the eventual damage. Research consistently shows that breaches with longer dwell times cost significantly more to remediate.

Longer dwell time means more data exfiltrated, more systems compromised, more credentials stolen, more backdoors installed, more complete knowledge of your environment, and more leverage for extortion.

An attacker who’s been in your network for a week has stolen some data. An attacker who’s been there for six months has stolen everything worth stealing and knows exactly how to hurt you most.

How Organizations Reduce Dwell Time

The good news: 204 days isn’t inevitable. Organizations that actively hunt for threats and monitor for suspicious behavior can reduce dwell time to days or even hours. Here’s what makes the difference:

Continuous monitoring. Not just logging events, but actively analyzing them. Looking for patterns that indicate compromise. Someone watching the watchtower, not just recording who comes and goes.
Behavior analysis. Knowing what normal looks like so you can spot abnormal. When an account that usually logs in from San Diego suddenly logs in from overseas at 3 AM, someone should notice.
Network segmentation. Making it harder for attackers to move laterally. Even if they get into one area, they shouldn’t have easy access to everything.
Regular threat hunting. Not waiting for alerts, but actively looking for signs of compromise. Assuming attackers are already in and trying to find them.
Incident response readiness. When something suspicious is found, having the ability to investigate quickly. A potential indicator of compromise investigated in hours is a contained incident. One that sits in a queue for weeks is a full-blown breach.

The Question You Should Ask

Right now, someone might be in your network. They might have been there for weeks. For months. You’d have no way of knowing.

The question isn’t whether you’ve been breached. The question is: if you had been breached, how would you know?

If you don’t have a good answer, that’s where you start.

Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/

centrexIT helps organizations understand what’s happening in their networks and reduce the time attackers can operate undetected. If you’re not sure whether you’d know if someone was in your systems right now, let’s find out together.

NCS Hub in Ang Mo Kio serves as the headquarters of NCS Group.

Business, IT CyberSecurityDecember 12, 2025December 12, 2025

He Left the Company, Then Deleted 180 Servers. Let’s Talk Offboarding.

The Access That Outlived the Employment

Kandula Nagaraju was terminated in October 2022 for poor performance. His last day at NCS, a major IT services company in Singapore with over 13,000 employees, was November 16, 2022.

His access to company systems sho offboarding, access management, insider threat, identity management, employee termination should have ended that day. It didn’t.

In January 2023, Nagaraju logged in remotely. Then again in February. Then thirteen more times in March. He wasn’t checking email or grabbing personal files. He was writing and testing deletion scripts.

On March 18-19, 2023, he executed them. One hundred eighty virtual servers disappeared.

The cost estimate: $678,000. His sentence: two years and eight months in prison.

Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/

The Seven-Day Problem

Most organizations have an offboarding process. HR sends a notification. IT is supposed to disable accounts. Badges get deactivated. Laptops get returned.

But research consistently shows that former employee access persists far longer than it should. Sometimes it’s oversight. Sometimes it’s process failure. Sometimes no one knows all the systems a person could access.

Nagaraju had been a QA team member with access to testing systems. No one thought to check whether his administrator credentials still worked months after his termination.

What Former Employees Still Have Access To

The obvious systems get locked quickly: email, primary login, badge access. But what about:

Cloud services with separate logins? That project management tool. The shared document platform. The analytics dashboard. Each might have its own credentials that nobody remembered to revoke.
Shared accounts and passwords? The generic login everyone uses for that one system. The admin password that hasn’t changed in years. The “emergency access” credentials written on a sticky note.
Personal devices with company data? If someone had company email on their phone, did they remove it? If they saved files locally, do they still have copies?
Third-party access? Could they still log into a vendor portal using their company credentials? Could they still approve purchases or access financial systems?
VPN and remote access? Nagaraju didn’t walk into the NCS office. He connected remotely, six times over several months, without anyone noticing.

Why This Keeps Happening

Offboarding failures aren’t usually malicious. They’re systemic:

No single source of truth. HR knows what departments someone worked in. IT knows what computers they used. But no one has a complete picture of every system and every credential a person accumulated over years of employment.
Shadow IT creates blind spots. When employees sign up for tools without IT approval, those tools aren’t on any offboarding checklist. IT can’t revoke access to systems they don’t know exist.
Separation is often rushed. Involuntary terminations happen quickly. The focus is on legal compliance and security escorts, not methodical access reviews.
Verification rarely happens. Someone checks a box saying access was revoked. Did anyone actually verify it worked? Did anyone try logging in with those credentials to confirm they were disabled?

The Damage Former Employees Can Do

Nagaraju deleted test servers. It could have been worse. Former employees have stolen customer data before competitors hired them, deleted years of work to sabotage projects, downloaded proprietary information to start competing businesses, shared credentials with outsiders seeking access, installed backdoors for future access, and held data hostage until severance disputes were resolved.

The common thread: all of them still had access after they shouldn’t have.

Fixing the Seven-Day Problem

The goal is simple: within seven days of any departure, a former employee should have zero access to any company system. Achieving that requires:

A complete access inventory. You can’t revoke access you don’t know exists. Document every system, every shared credential, every third-party platform that employees touch.
Automated offboarding triggers. When HR processes a termination, that should automatically trigger access revocation across all systems—not create a ticket that sits in a queue.
Separation of duties. The person who has access to critical systems shouldn’t be the only person who knows they have that access. Administrative credentials should be documented and managed centrally.
Verification testing. Don’t just disable accounts. Test that they’re actually disabled. Try logging in. Confirm the door is actually locked.
Regular access reviews. Don’t wait for departures. Periodically audit who has access to what. You’ll find active credentials for people who left years ago.

The Question for Your Organization

Think about the last person who left your organization. Could you list every system they had access to? Every shared password they knew? Every cloud service they’d signed up for?

If someone from your organization was terminated today and wanted to cause damage next month, what could they still access?

Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/

centrexIT helps organizations build offboarding processes that actually work. If you’re not sure what a former employee could still access, let’s find out together.

Sources

BleepingComputer: “Former IT employee gets 2.5 years for wiping 180 virtual servers” (June 2024)

Tom’s Hardware: “Disgruntled ex-employee costs company over $600,000 after he deletes all 180 of its test servers” (June 2024)

CNA (Channel News Asia): “Man jailed for deleting 180 virtual servers after being fired from IT job” (June 2024)

Business professional reviewing insurance documents with concerned expression

Business, IT CyberSecurityDecember 10, 2025December 10, 2025

Your Cyber Insurance Might Not Pay: 5 Reasons Claims Get Denied

The Check That Never Came

They had cyber insurance. They’d paid their premiums for years. When ransomware finally hit, they filed a claim expecting to be covered.

The insurance company denied it.

This scenario plays out more often than most business owners realize. Cyber insurance isn’t a magic shield-it’s a contract with specific requirements. Miss one, and you could be on your own when disaster strikes.

Here are five reasons cyber insurance claims get denied, and what you can do to make sure yours doesn’t.

Empty credit union branch with dark computer screens

Business, Finance, IT CyberSecurityDecember 9, 2025December 10, 2025

60 Credit Unions Went Dark The Sunday After Thanksgiving. Let’s Discuss

November 26, 2023. The Sunday after Thanksgiving. Most Americans were recovering from turkey dinners and Black Friday shopping. At Mountain Valley Federal Credit Union in Peru, New York, members started noticing something was wrong. They couldn’t access their accounts. The mobile app wasn’t working. ATM transactions were failing. CEO Maggie Pope knew immediately this wasn’t a simple glitch. “This is not just an MVFCU issue,” she told local news. “It is nationwide.” She was right. Approximately 60 credit unions across America had just gone dark-all at once.

Take Our 2-Minute Security Assessment

The Invisible Target

None of the 60 credit unions were directly attacked. The ransomware hit a company most of their members had never heard of: Ongoing Operations, a cloud services provider owned by a company called Trellance. Ongoing Operations provided the technology backbone for dozens of credit unions. When they went down, every credit union that depended on them went down too. The attackers knew exactly what they were doing. Instead of attacking 60 individual targets, they hit one-and took out 60 at once.

How They Got In

Security researcher Kevin Beaumont analyzed the attack and identified the entry point: CitrixBleed, a critical vulnerability in Citrix networking equipment. The vulnerability, officially designated CVE-2023-4966, had been publicly disclosed months earlier. A patch had been available since May 2023-six months before the attack. The attackers didn’t need sophisticated zero-day exploits or nation-state resources. They just needed to find an organization that hadn’t updated its systems.

The Ripple Effect

For the affected credit unions, the timing couldn’t have been worse. Members couldn’t check balances, transfer funds, or pay bills during the critical end-of-month period. Small businesses that relied on these credit unions for payroll were scrambling for alternatives. Mountain Valley Federal Credit Union, with just 4,600 members, suddenly found itself explaining to customers why a ransomware attack on a company in another state had frozen their accounts. The National Credit Union Administration, the federal agency that oversees credit unions, confirmed the scope of the attack on December 4, 2023-more than a week after it began.

Cybersecurity professional examining network vulnerability on screen — The vulnerability that enabled this attack had a patch available for six months. Sometimes the most devastating breaches exploit the most preventable weaknesses.

The Uncomfortable Truth

Here’s what made this attack so effective: the credit unions did everything right. They chose a reputable vendor. They outsourced their technology to professionals. They trusted their provider to maintain security. But they couldn’t control what their vendor did-or didn’t do. NCUA Chairman Todd Harper had actually testified before Congress about vendor risk management just three weeks before the attack. He warned that credit unions were increasingly dependent on third-party technology providers, and that a single point of failure could affect the entire system. Three weeks later, his warning proved prophetic.

The Recovery

By December 13, 2023-seventeen days after the attack began-affected credit unions were reported to be fully operational again. But for nearly three weeks, millions of Americans had limited or no access to their money. The incident demonstrated something many organizations don’t want to think about: your security is only as good as your weakest vendor’s security.

What This Means for Your Organization

You probably don’t run a credit union. But you almost certainly depend on third-party vendors for critical business functions. Cloud services, payment processing, customer relationship management, email-the list goes on. Ask yourself: Do you know who your critical vendors are? Not just the big names, but the companies behind the companies. The vendors your vendors use. Do you know what happens if they go down? Not just an inconvenience, but completely offline. For days or weeks. Do you have any visibility into their security practices? When was the last time you asked about their patch management? Their incident response plan? Do you have alternatives? If your primary vendor disappeared tomorrow, could you continue operating?

The Lesson

The credit union attack wasn’t about credit unions being careless. It was about the interconnected nature of modern business technology. One unpatched system at one vendor can cascade into a crisis affecting millions of people. You can’t eliminate vendor risk. But you can understand it, plan for it, and make sure you’re not blindsided when something goes wrong.

Take Our 2-Minute Security Assessment

centrexIT helps organizations understand their vendor dependencies and build resilience into their technology strategy. If you’re not sure how a vendor failure would affect your business, let’s find out together.

Sources

• CNN Politics: “Ransomware attack causes outages at 60 credit unions, federal agency says” (December 4, 2023) • Cybersecurity Dive: “Dozens of credit unions confront outages linked to third-party ransomware attack” (December 4, 2023) • The Record: “60 credit unions facing outages due to ransomware attack on popular tech provider” (December 1, 2023)

Smartphone glowing with security alert notifications on nightstand at 3 AM with red digital alarm clock showing the time and hand reaching to answer

Business, Education, IT CyberSecurityDecember 5, 2025December 5, 2025

The Early AM Alert No One Answered: A Christmas Day Ransomware Attack

The week before Christmas, in the early hours of Christmas Day, a security system detected something unusual. A desktop device inside a company’s network had been compromised. Then the attackers moved laterally, reaching two domain controllers. The controllers began making suspicious connections to endpoints linked to known ransomware operations.

The security platform alerted at every stage. Every lateral movement. Every suspicious connection. Every indicator of compromise.

No one acted.

“Although the system had alerted to this activity at every stage,” the security company later reported, “the security team was under great stress during the December period and did not manage to action even these highly critical alerts.”*

The attackers waited. On Christmas Eve, after business hours, the threat re-emerged. Suspicious executables were written. Data was exfiltrated. And in the early hours of Christmas Day, while most employees were offline opening presents with their families, the ransomware payload executed.

The alerts had done their job. The coverage gap turned a detected threat into a full-scale breach.

How would your team manage this situation? Take The 3 AM Test

Office worker at desk with wall clock visible, reviewing computer screen in bright fluorescent-lit corporate office setting, illustrating the critical first hour of a network breach.

Business, Education, IT CyberSecurityDecember 3, 2025

The First 60 Minutes: What Happens When Your Network Is Breached

The Clock Starts Now

A ransomware attack doesn’t announce itself with sirens. It starts with something small-a frozen screen, an error message, a file that won’t open. By the time most organizations realize what’s happening, they’ve already lost precious time.

The first 60 minutes after a breach begins are the most critical. What happens in that window often determines whether an incident becomes a manageable problem or a catastrophic failure.

Here’s what actually happens-minute by minute-when ransomware hits an organization that isn’t prepared.

Take Our 2-Minute Security Assessment

Jackson Hospital, the site of a cyber security attack.

Business, Culture, Healthcare, IT CyberSecurityDecember 2, 2025December 10, 2025

The Hospital IT Director Who Became a Cyber Security Hero

The Call That Changed Everything

It was approaching midnight on a Sunday when the emergency room called. The charting system was down. What happened next would determine whether a 100-bed community hospital in Florida’s panhandle would become another ransomware statistic-or a story of disaster averted.

Jamie Hussey had been IT director at Jackson Hospital in Marianna, Florida, for over 25 years. That Sunday night in January 2022, he got a call from the emergency room: they couldn’t connect to the charting system that doctors use to look up patients’ medical histories.

Hussey investigated and quickly realized this wasn’t a routine technical glitch. The charting software, maintained by an outside vendor, was infected with ransomware. And he didn’t have much time to keep it from spreading.