
Top 10 Recent Cyberattacks in USA

Author: Jay Thakker
Reviewed By: Rahul Katiyar
Updated on: January 28, 2026
Reading Time: 12 Min
Published: January 27, 2026

One breach can freeze an entire industry overnight. This article reviews recent major U.S. cyberattacks, summarizing their dates, attack types (ransomware, supply-chain, social engineering), breach scale, likely causes, and real-world impact across healthcare, government, and transportation, then distills the key learnings for tighter security and faster recovery. 


What Are the Top 10 Recent Cyberattacks in the USA?

  1. Grubhub (Jan 2026)
  2. Ingram Micro (July 2025)
  3. Allianz Life (July 16, 2025)
  4. City of St. Paul, Minnesota (July 2025)
  5. DaVita (Apr 2025)
  6. Port of Seattle / Seattle-Tacoma International Airport (Aug 2024)
  7. City of Columbus, Ohio (July 2024)
  8. CDK Global (June 2024)
  9. Ascension (May 2024)
  10. Change Healthcare (UnitedHealth) (Feb 2024)

Below are 10 major U.S. cyberattacks, based on public reporting, company statements and regulatory filings from 2024 through early 2026:

1. Grubhub (Jan 2026)

Data theft tied to the broader Salesloft Drift/Salesforce OAuth-token incident. Grubhub said unauthorized individuals downloaded data from certain systems, and that financial information and order history were not affected. Continuous monitoring of cloud and SaaS audit logs, as provided by the 24/7 SOC services of Eventus Security, helps catch this class of intrusion earlier: flag abnormal token-based exports and trigger containment as soon as unusual downloads begin.

  • Date: Jan 2026 (publicly confirmed on Jan 16, 2026).
  • Type of Cyber Attack: Data theft by unauthorized individuals who downloaded data from company systems, linked by reporting to the Salesloft Drift supply-chain attack.
  • Scale of breach: Not publicly quantified (Grubhub did not publish affected counts or exact datasets). 
  • Breach cause: Reporting indicates access was enabled via secrets/credentials stolen during the 2025 Salesloft Drift OAuth-token compromise (third-party integration risk). 
  • Impact of Cyber Attack: Data breach with data downloaded from some systems; Grubhub stated financial information and order history were not affected; extortion attempts were reported. 
  • Key Sectors Affected by Cyber Attack: Food delivery / consumer services (Grubhub) and its third-party SaaS stack (e.g., Salesforce/Zendesk mentioned in reporting). 
  • Key learning of Cyber Attack: Treat OAuth/SaaS integrations as high cyber risk: enforce least-privilege scopes, rotate tokens fast, restrict bulk exports, and monitor unusual download/export activity as core cybersecurity controls.
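The token-hygiene controls in the key learning above (least-privilege scopes, short lifetimes, fast rotation) can be turned into a routine audit of the connected-app inventory. The script below is an added example, not Grubhub's or Salesforce's code; the record layout, the scope names in HIGH_RISK_SCOPES and the age/idle thresholds are assumptions, and the inventory is constructed.

```python
"""Added example: audit a SaaS connected-app / OAuth token inventory for the
controls the Grubhub section calls for (least-privilege scopes, short token
lifetimes, fast rotation). The record layout and the scope names are
assumptions for this example, not any vendor's real export format."""
from datetime import datetime, timedelta, timezone

# Scopes treated as over-broad. Assumed names, loosely modelled on common
# SaaS OAuth scope vocabularies; map these to your platform's own scopes.
HIGH_RISK_SCOPES = {"full", "api", "refresh_token", "offline_access"}
MAX_TOKEN_AGE = timedelta(days=30)   # anything older is due for rotation
MAX_IDLE = timedelta(days=14)        # integrations unused this long get revoked

def classify_token(token, now):
    """Return (action, reasons) for one token record.

    Checks are independent; the action is the most severe one that fired:
    revoke (idle) > reduce_scope (broad scopes) > rotate (old) > ok.
    """
    findings = []  # (severity, action, reason)
    last_used = token.get("last_used_at")
    if last_used is None or now - last_used > MAX_IDLE:
        findings.append((3, "revoke", f"not used in the last {MAX_IDLE.days} days"))
    broad = sorted(set(token["scopes"]) & HIGH_RISK_SCOPES)
    if broad:
        findings.append((2, "reduce_scope", "broad scopes granted: " + ", ".join(broad)))
    if now - token["issued_at"] > MAX_TOKEN_AGE:
        findings.append((1, "rotate", f"issued more than {MAX_TOKEN_AGE.days} days ago"))
    if not findings:
        return "ok", []
    findings.sort(reverse=True)
    return findings[0][1], [reason for _, _, reason in findings]

def audit_tokens(inventory, now):
    """Map app name -> (action, reasons) for every record in the inventory."""
    return {t["app"]: classify_token(t, now) for t in inventory}

# Constructed inventory (not real Grubhub data). 'now' is fixed so the
# example is reproducible.
NOW = datetime(2026, 1, 20, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    {"app": "marketing-chatbot", "scopes": ["full", "refresh_token"],
     "issued_at": NOW - timedelta(days=90), "last_used_at": NOW - timedelta(days=1)},
    {"app": "support-sync", "scopes": ["read:tickets"],
     "issued_at": NOW - timedelta(days=10), "last_used_at": NOW - timedelta(days=2)},
    {"app": "legacy-export", "scopes": ["api"],
     "issued_at": NOW - timedelta(days=200), "last_used_at": None},
    {"app": "billing-report", "scopes": ["read:orders"],
     "issued_at": NOW - timedelta(days=45), "last_used_at": NOW - timedelta(days=1)},
]

if __name__ == "__main__":
    for app, (action, reasons) in audit_tokens(SAMPLE_INVENTORY, NOW).items():
        print(f"{app:18} {action:12} {'; '.join(reasons)}")
```

Run on a schedule against your platform's real connected-app export; the "revoke" bucket (integrations nobody has used in two weeks but whose tokens still work) is usually where the surprises are, and an unused token with a broad scope is exactly the kind of credential a third-party compromise hands to an attacker.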

 


2. Ingram Micro (July 2025)

Ransomware/data theft; filing and reporting indicate 42,521 people affected (employee/applicant data including government ID numbers). 

  • Date: Jul 2–3, 2025 (unauthorized access window); Jul 5, 2025 (company statement that it identified ransomware on internal systems).
  • Type of Cyber Attack: Ransomware attack (cyber incident) with confirmed data exfiltration from internal file repositories.
  • Scale of breach: 42,521 individuals impacted; sensitive personal data tied largely to employment and job applicant records (data elements vary by person).
  • Breach cause: Unauthorized actors accessed internal repositories during Jul 2–3 and ransomware was found on internal systems; the initial access method was not publicly disclosed.
  • Impact of Cyber Attack: Operations disruption/outage plus identity-fraud exposure from the stolen personal data, with victim support such as credit monitoring reported.
  • Key Sectors Affected by Cyber Attack: IT distribution and the downstream reseller supply chain dependent on Ingram Micro ordering and provisioning systems.
  • Key learning of Cyber Attack: Treat distributors as a supply-chain cyber threat surface; minimize PII in shared repositories, enforce least-privilege access, monitor bulk access/exfiltration, and rehearse ransomware recovery to strengthen data security.

3. Allianz Life (July 16, 2025)

Data breach via a third-party cloud-based CRM, entered through social engineering; it affected the majority of the company's roughly 1.4M U.S. customers, per Allianz Life. A SOC as a Service such as Eventus Security's helps prevent this kind of vendor-CRM compromise by enforcing phishing-resistant access controls, continuously monitoring identity events, and alerting on abnormal data pulls from cloud systems.

  • Date: July 16, 2025 (breach occurred), discovered July 17, 2025 per the Maine AG filing.
  • Type of Cyber Attack: Social engineering attack against a third-party cloud-based CRM that led to unauthorized access and data theft. 
  • Scale of breach: Customer data for the “majority” of ~1.4M U.S. customers (company statement); third-party breach listings referenced ~1.1M records. 
  • Breach cause: A threat actor accessed the vendor CRM using a social engineering technique (not described as an exploited vulnerability in company disclosures). 
  • Impact of Cyber Attack: Exposure of sensitive customer data (PII); Allianz said internal systems were not compromised, and it offered 24 months of identity theft protection/credit monitoring.   
  • Key Sectors Affected by Cyber Attack: Insurance (life/annuity services) and affiliated financial professionals using the CRM workflow. 
  • Key learning of Cyber Attack: Treat SaaS CRM as a high-risk data store and harden against social engineering attacks with phishing-resistant MFA, least-privilege access, vendor controls, and export/anomaly monitoring to reduce data-leak risk. 
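Three of the incidents above end with the same control: monitor SaaS and cloud audit logs for unusual bulk exports (the Grubhub token-based downloads, the Ingram Micro repository access, the Allianz CRM data pull). The detector below is an added example rather than any vendor's rule: it builds a per-actor daily baseline from the actor's own earlier days and alerts on a spike or on a first-ever export above an absolute floor, which is what a new integration token used for exfiltration looks like. The key=value log layout, event names and sample lines are constructed.

```python
"""Added example: flag abnormal bulk exports in SaaS audit logs (the
'monitor unusual download/export activity' control from the Grubhub,
Ingram Micro and Allianz sections). Log layout is a constructed key=value
format; adapt parse_line() to your platform's event log export."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

EXPORT_EVENTS = {"ReportExport", "BulkQuery", "ApiExport"}  # assumed event names
ABS_FLOOR = 10_000   # ignore anything smaller than this many rows per day
SPIKE_FACTOR = 5     # alert when a day's volume is >= 5x the actor's median day

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

def parse_line(line):
    """'2025-07-10T09:01:00Z actor=user:alice event=ReportExport rows=2100 src=...'
    -> dict with a timezone-aware ts and an int rows field."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields["rows"] = int(fields.get("rows", 0))
    return fields

def daily_export_totals(events):
    """actor -> {date -> rows exported that day}, export events only."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e.get("event") in EXPORT_EVENTS:
            totals[e["actor"]][e["ts"].date()] += e["rows"]
    return totals

def detect_export_anomalies(lines):
    """Per actor, compare each day against the median of that actor's earlier
    days. A first-ever export above ABS_FLOOR (e.g. a new integration token)
    or a day >= SPIKE_FACTOR x the baseline raises an alert."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts = []
    for actor, per_day in daily_export_totals(events).items():
        history = []
        for day in sorted(per_day):
            rows = per_day[day]
            if rows >= ABS_FLOOR:
                if not history:
                    alerts.append({"actor": actor, "day": day, "rows": rows,
                                   "reason": "first export ever seen for this actor"})
                else:
                    baseline = median(history)
                    if rows >= SPIKE_FACTOR * max(baseline, 1):
                        alerts.append({"actor": actor, "day": day, "rows": rows,
                                       "reason": f"{rows} rows vs median baseline {baseline:.0f}"})
            history.append(rows)
    return sorted(alerts, key=lambda a: (a["day"], a["actor"]))

# Constructed audit-log sample; actors, IPs and volumes are invented.
SAMPLE_LOG = """\
2025-07-10T09:01:00Z actor=user:alice event=ReportExport rows=2100 src=198.51.100.5
2025-07-10T09:05:00Z actor=user:bob event=ReportExport rows=1500 src=198.51.100.9
2025-07-11T09:02:00Z actor=user:alice event=ReportExport rows=1900 src=198.51.100.5
2025-07-11T10:15:00Z actor=user:bob event=ReportExport rows=1700 src=198.51.100.9
2025-07-12T09:00:00Z actor=user:alice event=ReportExport rows=2300 src=198.51.100.5
2025-07-12T09:40:00Z actor=user:bob event=ReportExport rows=1400 src=198.51.100.9
2025-07-13T09:03:00Z actor=user:alice event=ReportExport rows=2000 src=198.51.100.5
2025-07-13T11:00:00Z actor=user:bob event=Login rows=0 src=198.51.100.9
2025-07-14T09:10:00Z actor=user:alice event=ReportExport rows=3000 src=198.51.100.5
2025-07-14T02:14:03Z actor=integration:drift-chatbot event=BulkQuery rows=1250000 src=203.0.113.7
2025-07-14T03:30:00Z actor=user:bob event=BulkQuery rows=90000 src=203.0.113.7
"""

if __name__ == "__main__":
    for a in detect_export_anomalies(SAMPLE_LOG.splitlines()):
        print(f"{a['day']} {a['actor']:28} {a['rows']:>9} rows  {a['reason']}")
```

On the sample, alice's 3,000-row day stays quiet because it is under the floor, bob's 90,000-row BulkQuery trips the spike rule against a 1,500-row median, and the integration that has never exported anything before trips the first-export rule. The absolute floor matters: without it, a user whose baseline is a few hundred rows would alert on a normal busy day.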

4. City of St. Paul, Minnesota (July 2025)

Major city systems disruption; emergency declared and Minnesota National Guard cyber unit activated during response; later described publicly as a ransomware incident. 

  • Date: Suspicious activity detected July 25, 2025, with a city emergency declaration and National Guard activation on July 29, 2025.
  • Type of Cyber Attack: Attack on city government systems, later described in reporting as a ransomware attack.
  • Scale of breach: City-wide IT disruption; a ransomware group claimed it stole data and posted ~43 GB online (data-leak claim not independently verified in public reporting). 
  • Breach cause: The city has not publicly confirmed the initial entry method (no confirmed link to phishing attacks or exploited vulnerabilities in official updates). 
  • Impact of Cyber Attack: Major outages to online payments and internal systems, plus resident-facing fraud risk (the city warned about fraudulent invoices during the incident). 
  • Key Sectors Affected by Cyber Attack: Government agencies (municipal operations), including libraries and city billing services, while 911 remained operational throughout. 
  • Key learning of Cyber Attack: Assume municipal networks contain sensitive data; prioritize rapid containment (network shutdown), endpoint detection rollout, and forced credential resets as baseline resilience controls.

5. DaVita (Apr 2025)

Ransomware encrypted parts of DaVita's network and disrupted some operations; later reporting, citing the HHS breach portal, put the number of affected individuals at about 2.7 million. An AI-driven SOC as a Service helps catch the pre-encryption phase by correlating identity misuse, lateral movement and abnormal file activity, then speeding triage and automated isolation to limit spread.

  • Date: DaVita disclosed it became aware of the incident on April 12, 2025; later notifications state unauthorized access began March 24, 2025 and was blocked April 12, 2025.
  • Type of Cyber Attack: Ransomware encrypted parts of DaVita's network after attackers accessed lab-related servers.
  • Scale of breach: ~2.7 million individuals were reported as affected (HHS posting reported by Reuters).
  • Breach cause: The company confirmed unauthorized access to certain network servers but did not publicly disclose the initial access method.
  • Impact of Cyber Attack: Attackers accessed and potentially removed sensitive data from a dialysis labs database; operations were disrupted but patient care continued under contingency plans.
  • Key Sectors Affected by Cyber Attack: Healthcare, specifically U.S. kidney dialysis services and supporting laboratory workflows.
  • Key learning of Cyber Attack: Treat lab databases as high-risk assets: tighten privileged access, segment lab systems, harden backups, and monitor for "bulk read + encryption" patterns to reduce outage and data-loss risk.

6. Port of Seattle / Seattle-Tacoma International Airport (Aug 2024)

Ransomware that disrupted Port systems; officials attributed the incident to Rhysida. 

  • Date: Aug 24, 2024 (the Port identified system outages consistent with a cyberattack). 
  • Type of Cyber Attack: Ransomware (the Port attributed the attack to the Rhysida group). 
  • Scale of breach: ~90,000 individuals notified; attackers accessed files containing PII such as names, DOB, SSN (or last 4), government ID numbers, and some medical info. 
  • Breach cause: Initial entry method was not publicly disclosed; the Port confirmed an unauthorized actor gained access to parts of its systems and encrypted some data.   
  • Impact of Cyber Attack: Operational disruptions (e.g., kiosks, Wi-Fi, display boards, website/app, parking) plus attackers stole sensitive data, with ongoing data leak risk if posted on the actor’s site. 
  • Key Sectors Affected by Cyber Attack: Transportation critical infrastructure (airport operations and maritime facilities managed by the Port). 
  • Key learning of Cyber Attack: Treat ransomware as both an availability and data-theft event: reduce legacy PII retention, segment and isolate fast, and maintain tested offline backups and breach-notification playbooks. 


 

7. City of Columbus, Ohio (July 2024)

Confirmed ransomware incident; later city updates and reporting described the resulting data exposure, including a limited amount of PHI found in a Fire Division database. A managed security service provider supports a municipal response of this kind with 24/7 monitoring, forensics coordination, and evidence-driven containment and notification workflows.

  • Date: July 18, 2024 (city discovered the cyber incident), with follow-on public notifications in August 2024 and breach filings reported in November 2024.
  • Type of Cyber Attack: Ransomware and data breach involving attempted extortion and exposed data later posted on the dark web.
  • Scale of breach: The city disclosed a data breach affecting ~500,000 people, while the ransomware group claimed to hold 6.5 terabytes of data.
  • Breach cause: Columbus said a foreign cyber threat actor gained unauthorized access; the initial entry method was not publicly confirmed in official notices.
  • Impact of Cyber Attack: Sensitive data was compromised, including financial data elements (e.g., SSNs/bank details listed in notices) and later the city reported patient data (PHI) for <1,000 individuals in a Fire division database.
  • Key Sectors Affected by Cyber Attack: Local government services (municipal operations and public-sector systems), including public safety related databases referenced by the city. 
  • Key learning of Cyber Attack: Assume ransomware includes compromised data risk; reduce long-retained legacy datasets, harden backups, segment critical systems, and monitor for bulk access and dark-web leakage.

8. CDK Global (June 2024)

Cyberattack caused widespread outage for U.S. auto dealerships relying on CDK systems; reporting linked it to a ransomware actor and extortion demand. 

  • Date: June 19, 2024 (systems shut down to investigate), followed by a second cyberattack that CDK confirmed on June 19–20, 2024.
  • Type of Cyber Attack: Ransomware-led cyberattack on a behind-the-scenes software supplier, described as part of a broader series of attacks targeting such vendors.
  • Scale of breach: Operational impact across dealerships using CDK's dealer-management software, reported as more than ~15,000 retail locations.
  • Breach cause: The initial access method was not publicly disclosed; analysts attributed the incident to the BlackSuit ransomware group, which CDK did not immediately confirm in early reporting.
  • Impact of Cyber Attack: Widespread outage forced many dealers onto manual "pen-and-paper" workflows; CDK projected most dealers would be back live by late July 3 or early July 4, 2024.
  • Key Sectors Affected by Cyber Attack: Automotive retail (U.S. car dealerships relying on CDK DMS for sales, finance, service, inventory, and back-office operations). 
  • Key learning of Cyber Attack: Treat major SaaS vendors as a high-impact third-party dependency: maintain offline fallbacks, test continuity for core workflows, and reduce single-vendor blast radius for critical operations. 

9. Ascension (May 2024)

Large U.S. hospital operator hit by a ransomware attack that disrupted clinical operations; later disclosure put the impact at about 5.6 million people. Continuous monitoring of EHR and network activity by the SOC as a Service solutions of Eventus Security can reduce this kind of disruption by escalating high-confidence alerts quickly and coordinating containment so clinical systems can be restored safely.

  • Date: May 7–8, 2024 (incident window; detected around May 8, 2024). 
  • Type of Cyber Attack: Ransomware attack (widely reported as Black Basta). 
  • Scale of breach: Ascension reported a data breach affecting ~5.6 million people (per Maine AG filing cited by Reuters and others).   
  • Breach cause: Ascension stated attackers gained access after an employee downloaded a malicious file believing it was legitimate.
  • Impact of Cyber Attack: Critical systems (including EHR/patient portal) were taken offline and some facilities diverted care, while sensitive personal and medical data plus payment/insurance and government ID data was potentially exposed. 
  • Key Sectors Affected by Cyber Attack: Healthcare delivery (hospitals, patient services, and senior living operations within Ascension’s network). 
  • Key learning of Cyber Attack: Assume “single endpoint mistake → enterprise-wide outage + data exposure,” so harden against malicious downloads, segment clinical systems, and maintain tested downtime workflows and offline recovery. 

10. Change Healthcare (UnitedHealth) (Feb 2024)

Ransomware attack that disrupted U.S. healthcare billing and claims processing; later disclosures put the impact at roughly 190M people, subsequently revised to about 192.7M.

  • Date: Feb 21, 2024 (ransomware deployed; outage triggered nationwide disruption in claims and pharmacy processing). 
  • Type of Cyber Attack: Ransomware attack attributed to ALPHV/BlackCat.
  • Scale of breach: Change reported a data breach impacting ~190M people (Jan 2025 estimate) and later ~192.7M people (OCR notice dated July 31, 2025), making it one of the biggest data breaches in U.S. healthcare.
  • Breach cause: Attackers used stolen credentials to access a Citrix remote access portal that did not have MFA enabled, then moved laterally and deployed ransomware. 
  • Impact of Cyber Attack: Sensitive personal and medical data was at risk (e.g., member IDs, diagnoses, treatment info, SSNs), and the outage disrupted critical claims and payment flows across the U.S. healthcare system. 
  • Key Sectors Affected by Cyber Attack: Healthcare payments and claims clearinghouse operations, impacting providers, pharmacies, and payers dependent on Change Healthcare services. 
  • Key learning of Cyber Attack: Treat remote access as a top-tier risk for attacks on critical infrastructure—enforce phishing-resistant MFA, restrict privileged access, and maintain tested downtime workflows for claims and pharmacy operations. 

Conclusion 

These incidents show a consistent pattern: attackers exploit identity, third-party access, and weak segmentation to disrupt operations and expose regulated data. Reduce impact with phishing-resistant MFA, least-privilege SaaS scopes, rapid credential rotation, offline-tested backups, continuous logging, and rehearsed downtime procedures. Measure readiness consistently with RTO/RPO targets and export-alert response times. 

FAQs 

  1. How do attackers usually get initial access in these incidents?
    Most start with stolen credentials, social engineering, or compromised third-party access.
  2. What signals indicate ransomware is in the “pre-encryption” stage?
    Abnormal privilege escalation, lateral movement, mass file reads, and backup or EDR tampering.
  3. What evidence should an organization preserve immediately after a breach?
    Identity logs, VPN/remote access logs, endpoint telemetry, cloud audit logs, and firewall/DNS records.
  4. How can companies reduce SaaS token and OAuth integration risk?
    Use least-privilege scopes, short token lifetimes, rapid rotation, and export/anomaly monitoring.
  5. What should a 30-day post-incident hardening plan prioritize?
    MFA everywhere, segmentation of critical systems, immutable backups, and tabletop-tested response playbooks. 
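The "bulk read + encryption" pattern from the DaVita key learning and the pre-encryption signals listed in FAQ 2 (mass file reads, privilege abuse, backup or EDR tampering) can be expressed as a simple scoring rule over endpoint telemetry. The script below is an added example, not any EDR vendor's detection logic: it counts distinct files read and extension-changing renames per process per 60-second window, looks for shadow-copy deletion and security-service stops in executed command lines, and alerts once the weighted score crosses a threshold. The JSON-lines schema, process names, command patterns and thresholds are assumptions, and the telemetry is constructed inline.

```python
"""Added example: score endpoint telemetry for the pre-encryption ransomware
signals the DaVita section ("bulk read + encryption") and FAQ 2 describe:
mass file reads, extension rewrites, shadow-copy deletion and backup/EDR
service tampering. The JSON-lines layout, process names and thresholds are
assumptions for this example, not any EDR product's real schema."""
import json
from collections import defaultdict

WINDOW = 60            # seconds; file activity is counted per process per window
MASS_READ = 200        # distinct files read in one window
MASS_RENAME = 50       # extension-changing renames in one window
ALERT_THRESHOLD = 5

# Weighted indicators. Command patterns are the common built-in tools
# ransomware uses to destroy recovery points (assumed list, not exhaustive).
WEIGHTS = {"mass_file_reads": 2, "extension_rewrite": 3,
           "shadow_copy_deletion": 4, "security_service_stop": 3}
SHADOW_CMDS = (("vssadmin", "delete shadows"), ("wmic", "shadowcopy delete"),
               ("wbadmin", "delete catalog"), ("bcdedit", "recoveryenabled no"))
SERVICE_WORDS = ("backup", "veeam", "sense", "defender", "crowdstrike", "sophos")

def _ext(path):
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def analyse_telemetry(lines):
    """Return alerts (highest score first) for processes whose activity in
    the telemetry matches enough pre-encryption indicators."""
    reads = defaultdict(lambda: defaultdict(set))    # (host,pid) -> window -> paths
    renames = defaultdict(lambda: defaultdict(int))  # (host,pid) -> window -> count
    execs = defaultdict(list)                        # (host,pid) -> lowercased cmdlines
    procs = {}
    for line in lines:
        e = json.loads(line)
        key = (e["host"], e["pid"])
        procs[key] = e["proc"]
        w = e["ts"] // WINDOW
        if e["op"] == "read":
            reads[key][w].add(e["path"])
        elif e["op"] == "rename" and _ext(e["new_path"]) != _ext(e["path"]):
            renames[key][w] += 1
        elif e["op"] == "exec":
            execs[key].append(e["cmdline"].lower())

    alerts = []
    for key, proc in procs.items():
        ind = {}
        peak_reads = max((len(p) for p in reads[key].values()), default=0)
        if peak_reads >= MASS_READ:
            ind["mass_file_reads"] = peak_reads
        peak_renames = max(renames[key].values(), default=0)
        if peak_renames >= MASS_RENAME:
            ind["extension_rewrite"] = peak_renames
        for cmd in execs[key]:
            if any(tool in cmd and arg in cmd for tool, arg in SHADOW_CMDS):
                ind["shadow_copy_deletion"] = cmd
            if ("net stop" in cmd or "sc stop" in cmd) and any(w in cmd for w in SERVICE_WORDS):
                ind["security_service_stop"] = cmd
        score = sum(WEIGHTS[k] for k in ind)
        if score >= ALERT_THRESHOLD:
            alerts.append({"host": key[0], "pid": key[1], "proc": proc,
                           "score": score, "indicators": ind})
    return sorted(alerts, key=lambda a: -a["score"])

def build_sample_telemetry():
    """Constructed JSON-lines telemetry: a benign backup agent reading one
    file per second for eight minutes, then a process that reads and renames
    300 files in 30 seconds and deletes shadow copies. Hosts, names and
    paths are invented."""
    base = 1_700_000_000
    ev = []
    for i in range(480):
        ev.append({"ts": base + i, "host": "lab-db-01", "pid": 888, "proc": "backup_agent.exe",
                   "op": "read", "path": f"D:/labdata/result_{i}.csv"})
    for i in range(300):
        t = base + 600 + i // 10
        p = f"D:/labdata/result_{i}.csv"
        ev.append({"ts": t, "host": "lab-db-01", "pid": 4242, "proc": "invoice_helper.exe",
                   "op": "read", "path": p})
        ev.append({"ts": t, "host": "lab-db-01", "pid": 4242, "proc": "invoice_helper.exe",
                   "op": "rename", "path": p, "new_path": p + ".locked"})
    ev.append({"ts": base + 640, "host": "lab-db-01", "pid": 4242, "proc": "invoice_helper.exe",
               "op": "exec", "cmdline": "vssadmin.exe delete shadows /all /quiet"})
    return [json.dumps(e) for e in ev]

SAMPLE_TELEMETRY = build_sample_telemetry()

if __name__ == "__main__":
    for a in analyse_telemetry(SAMPLE_TELEMETRY):
        print(f"{a['host']} pid={a['pid']} {a['proc']} score={a['score']} {sorted(a['indicators'])}")
```

The backup agent reads more files in total than the malicious process but never more than 60 in a single window, so it stays under the mass-read threshold; the per-window count, not the lifetime count, is what separates a legitimate bulk reader from an encryptor. Shadow-copy deletion carries the highest weight because a legitimate process almost never runs it, and on its own it should already page someone.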

Jay Thakker
Jay is a cybersecurity professional with over 10 years of experience in Application Security, specializing in the design and implementation of Breach and Attack Simulation (BAS) programs to proactively assess and strengthen organizational defenses against evolving cyber threats. He has strong expertise in Threat Hunting, using advanced analytical techniques to identify, investigate, and neutralize emerging and stealthy adversary activity before impact.
