Mainframe hacks and consequences
The true cost of a data breach is notoriously difficult to calculate, but one thing is clear: it can be staggering. Multi-year litigation, ongoing response efforts, and settlement costs can sometimes reach into the billions. Moreover, most breaches are not direct attacks on mainframe systems, but rather exploits of open systems and web components that then move laterally, causing significant harm to mainframe data. While details on mainframe involvement are often scarce, the high-profile companies listed in this article all utilize mainframes.
Notable cyber attacks involving mainframes
- Equifax
- Anthem
- U.S. Office of Personnel Management
- UnitedHealth / Change Healthcare
- Industrial & Commercial Bank of China
These examples highlight breaches where mainframes might have been involved due to the industries and data types affected. However, specific details about the role of mainframes in each incident are typically not disclosed by the companies involved.
#1. Equifax — 2017
What happened
In one of the most infamous data breaches in U.S. history, Equifax announced on September 7, 2017, that hackers had exfiltrated the personal data of approximately 147 million Americans—nearly half the country. The breach stemmed from an unpatched Apache Struts vulnerability (CVE-2017-5638) in a consumer-facing web application. Though the patch had been available for months, Equifax failed to apply it across all systems.
Attackers used the exploit to gain root access to a public-facing web server, then moved laterally into internal systems. They stole certificates, accessed encrypted credentials, and eventually reached core infrastructure, including the systems that housed credit reports, identity records, and dispute-processing applications.
The hackers maintained access for at least 76 days, operating undetected. They built 30+ custom SQL queries, triggering thousands of data pulls, all while hiding in encrypted outbound traffic. The breach went unnoticed until July 29, 2017, when suspicious outbound activity was finally flagged.
By then, the attackers had made off with names, Social Security numbers, dates of birth, driver’s license details, and in some cases, credit card numbers and dispute records. The fallout led to a CEO resignation, multiple congressional hearings, and at least $1.38 billion in remediation costs.
Mainframe involvement
Equifax’s core credit database systems—including the platforms used for scoring, identity resolution, and dispute processing—run on IBM z/OS mainframes. The stolen data resided in systems deeply integrated with z/OS, DB2, and legacy transaction platforms.
Key evidence of mainframe impact:
- Nature of data: The breach included raw credit files and structured dispute histories—high-throughput data that Equifax manages using mainframe-based batch jobs and real-time applications.
- Lateral movement: Once inside, attackers accessed both distributed and mainframe network segments, exploiting shared identity stores and middleware pipelines.
- Duration: The extended dwell time and query behavior suggest the attackers were able to navigate into backend DB2 repositories typically hosted on mainframes.
While Equifax has not released a forensic breakdown of which LPARs or datasets were accessed, the nature of the breach—centralized credit data, deeply structured queries, and large-scale extraction—indicates that mainframe-hosted systems were at least accessed, if not the direct source of the exfiltrated data.
Key lessons
- Patch management can’t stop at the edge. A web server exploit led to access across distributed and mainframe platforms.
- Mainframe data needs lateral movement barriers. Even if the entry point was not z/OS, attackers exploited shared credentials and roles that spanned platforms.
- Silent queries are still queries. Without dataset-read monitoring or query profiling on mainframe-resident DB2, the exfiltration continued unchecked.
- Distributed-to-mainframe trust boundaries are dangerous. Middleware and internal APIs often have broader access than external-facing services, and were used here to devastating effect.
References
- Dark Reading — “2017 Data Breach Will Cost Equifax at Least $1.38 Billion”
- FTC — Equifax Data Breach Settlement Overview
- GAO — “Data Protection: Actions Taken by Equifax and Federal Agencies”
#2. Anthem — 2015
What happened
In late 2014, attackers launched a phishing campaign targeting Anthem, one of the largest health insurers in the United States. A single employee clicked a malicious link, enabling attackers to gain access to internal systems. They quickly escalated privileges, established remote command and control, and spent several weeks mapping out Anthem’s infrastructure.
Ultimately, they were able to access a database containing nearly 79 million member records—names, birthdates, Social Security numbers, addresses, phone numbers, and email accounts. Unlike many other healthcare breaches, no medical records were stolen—only identity-related PII. Still, the scale of the breach made it the largest healthcare-related breach in U.S. history at the time.
Anthem disclosed the breach in early February 2015. The U.S. Department of Health & Human Services (HHS) later imposed a $16 million HIPAA settlement, the largest to date. Total costs exceeded $260 million, including legal fees, credit monitoring, and technology upgrades.
Mainframe involvement
Anthem’s claims and member management systems have historically run on IBM z/OS, using COBOL-based applications and batch workflows for eligibility checks, billing, and adjudication.
Evidence of mainframe exposure:
- Record type: The stolen records came from identity management and enrollment systems deeply integrated with mainframe data flows.
- Access chain: Attackers gained access to RACF-protected systems, suggesting they penetrated into the mainframe environment or its integrated components.
- No segmentation: The same credentials could access distributed front ends and backend mainframe services, facilitating end-to-end compromise.
Anthem has not confirmed whether core datasets were stolen directly from mainframe volumes or extracted via middleware, but the loss of identity data at this scale suggests deep integration with z/OS-based storage.
Key lessons
- Identity data is still crown-jewel data. You don’t need to touch health records to cause compliance nightmares.
- RACF isn’t a silver bullet. Without privilege segmentation and alerting, stolen credentials create invisible access.
- Internal gateways are attack surfaces. Even if the mainframe is locked down, the pipes leading to it often aren’t.
References
- HHS — “Anthem pays OCR $16 Million in record HIPAA settlement”
- HIPAA Journal — “Anthem HIPAA Breach Settlement Cost Breakdown”
- Krebs on Security — “Anthem Breach May Have Started in April 2014”
#3. U.S. Office of Personnel Management — 2015
What happened
Between 2014 and 2015, attackers believed to be linked to Chinese state-sponsored groups infiltrated the U.S. Office of Personnel Management (OPM) in one of the most consequential breaches of U.S. government data. The hackers initially gained access using stolen credentials from a contractor with privileged access. Over time, they escalated privileges, moved laterally, and remained undetected for more than a year.
The breach exposed the sensitive background investigation files of 21.5 million people—including federal employees, military personnel, and contractors—along with 5.6 million sets of fingerprints. These files, stored as SF-86 forms, contain deeply personal data such as family relationships, foreign contacts, mental health history, financial details, and security clearances.
Much of this information resided in legacy systems, many of which were hosted on IBM z/OS mainframes. Attackers exfiltrated data using custom malware that mimicked normal network traffic, allowing them to bypass intrusion detection systems and avoid setting off alarms.
The breach was disclosed in two phases during June and July 2015. Fallout included the resignation of OPM’s director, a full IT system overhaul, and over $500 million spent on credit monitoring, system modernization, and breach response.
Mainframe involvement
OPM’s personnel databases were stored on mainframe systems with flat file structures and relational DB2 tables. These systems were central to the clearance and background investigation process.
Signs of mainframe impact:
- Dataset type: SF-86 forms and biometric data were historically managed by z/OS-based applications.
- Access patterns: Long-term data exfiltration occurred via API gateways and legacy file shares tied to mainframe processes.
- Lack of monitoring: There were no dataset-read alerts, and access to large, sensitive volumes went unnoticed due to the lack of visibility into mainframe access logs.
The breach illustrates how attackers targeting credentials and bypassing traditional perimeter defenses can ultimately reach highly protected z/OS datasets through trusted internal paths.
Key lessons
- Privileged access requires visibility, not just credentials.
- Legacy doesn’t mean invisible. Just because systems are stable doesn’t mean they’re safe.
- Dataset-level integrity baselining is critical. Mainframe access logs alone weren’t enough to detect abnormal reads.
- Segment credentials by platform. A stolen domain password should never enable access to mainframe-resident datasets.
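The dataset-read monitoring the Equifax lessons call for and the dataset-level read baselining the OPM lessons call for can both be sketched as one detection pass over decoded mainframe access records. This is an added example, not code from the page or from any organization named in it; it assumes records already decoded from SMF type 14 (input data set close) into (day, userid, dataset, records_read) tuples, and the dataset naming prefixes and the sample records are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed records of decoded dataset reads: (day, userid, dataset, records_read).
# Real input would come from SMF type 14 (input data set close) records.
RECORDS = [
    ("d01", "BATCH01", "PROD.CREDIT.MASTER", 1200), ("d01", "WEBSVC", "PROD.CREDIT.MASTER", 300),
    ("d02", "BATCH01", "PROD.CREDIT.MASTER", 1180), ("d02", "WEBSVC", "PROD.CREDIT.MASTER", 310),
    ("d03", "BATCH01", "PROD.CREDIT.MASTER", 1220), ("d03", "WEBSVC", "PROD.CREDIT.MASTER", 290),
    ("d04", "BATCH01", "PROD.CREDIT.MASTER", 1200), ("d04", "WEBSVC", "PROD.CREDIT.MASTER", 305),
    ("d05", "BATCH01", "PROD.CREDIT.MASTER", 1200), ("d05", "WEBSVC", "PROD.CREDIT.MASTER", 295),
    # Evaluation day: the web service pulls the whole file, a contractor id reads dispute
    # history for the first time, and an operator reads PARMLIB (benign, not sensitive here).
    ("d06", "BATCH01", "PROD.CREDIT.MASTER", 1250), ("d06", "WEBSVC", "PROD.CREDIT.MASTER", 48000),
    ("d06", "CONTR01", "PROD.DISPUTE.HIST", 900), ("d06", "OPS01", "SYS1.PARMLIB", 12),
]
TRAIN_DAYS = ("d01", "d02", "d03", "d04", "d05")
EVAL_DAYS = ("d06",)
SENSITIVE_PREFIXES = ("PROD.CREDIT.", "PROD.DISPUTE.")  # assumed naming convention

def daily_totals(records, days):
    """Sum records read per (userid, dataset) per day, restricted to the given days."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, user, ds, n in records:
        if day in days:
            totals[(user, ds)][day] += n
    return totals

def baseline(records, train_days):
    """Mean and population stddev of daily reads per (userid, dataset); quiet days count as 0."""
    stats = {}
    for key, per_day in daily_totals(records, train_days).items():
        vals = [per_day.get(d, 0) for d in train_days]
        stats[key] = (mean(vals), pstdev(vals))
    return stats

def detect(records, stats, eval_days, z=3.0, sigma_floor=50):
    """Flag reads far above a user's baseline, and first-ever reads of sensitive datasets."""
    alerts = []
    for (user, ds), per_day in daily_totals(records, eval_days).items():
        if (user, ds) not in stats:
            if ds.startswith(SENSITIVE_PREFIXES):
                alerts += [(day, user, ds, f"first-time read of sensitive dataset ({n} records)")
                           for day, n in per_day.items()]
            continue
        mu, sigma = stats[(user, ds)]
        # Floor sigma so a perfectly regular batch job still tolerates a few extra records.
        threshold = mu + z * max(sigma, sigma_floor)
        alerts += [(day, user, ds, f"{n} records read vs threshold {threshold:.0f}")
                   for day, n in per_day.items() if n > threshold]
    return alerts

def run():
    """Baseline on the training window, then evaluate the final day."""
    return detect(RECORDS, baseline(RECORDS, TRAIN_DAYS), EVAL_DAYS)
```

On the constructed data this raises two alerts (the web service's volume spike and the contractor's first-time read) and stays silent for the regular batch job; a real deployment would also key baselines by job name and time window, since a batch read at 02:00 and a service read at noon are different signals.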
References
- Wired — “The Massive OPM Hack Actually Affected 21 Million People”
- Fortra — “The OPM Breach: Timeline of a Hack”
- GAO Report — “Information Security: OPM Has Improved Controls, but Further Efforts Are Needed”
#4. UnitedHealth / Change Healthcare — 2024
What happened
On February 21, 2024, Change Healthcare—a major U.S. healthcare clearinghouse and UnitedHealth Group subsidiary—was hit by a ransomware attack attributed to the ALPHV/BlackCat group. Attackers gained access via compromised credentials to a Citrix remote-access server that lacked multi-factor authentication. They escalated privileges, exfiltrated approximately 6 terabytes of protected health information (PHI), and deployed ransomware across hundreds of systems.
The breach paralyzed Change Healthcare’s transaction pipelines, including pharmacy claims, insurance eligibility verification, prior authorization systems, and back-end medical billing. For weeks, providers nationwide resorted to paper-based workarounds or paused billing altogether. Many practices suffered severe revenue disruption, with some on the verge of closure. UnitedHealth Group confirmed a $22 million ransom was paid, although the attackers reportedly conducted an exit scam—keeping the money without returning the data.
As of early 2025, UnitedHealth estimates the breach has cost $2.87 billion in response costs, financial assistance, lost revenue, and recovery. The number of individuals impacted has been updated to approximately 190 million, making this the largest healthcare data breach ever reported in the U.S.
Mainframe involvement
Change Healthcare’s transaction infrastructure includes COBOL and DB2 applications running on IBM z/OS, powering batch claims reconciliation and real-time transaction routing.
Signs of mainframe involvement include:
- Prolonged system-wide outage: Clearinghouse and pharmacy operations were down for weeks—functions typically handled through mainframe batch jobs and queue-based workflows.
- Public disclosures from partners and affiliates: Several cited COBOL failures, batch pipeline halts, and billing system freezes.
- Dual LPAR impact: Both production and disaster-recovery environments were reportedly affected—suggesting mirrored or non-isolated architecture, allowing lateral movement to impact both.
While ransomware encryption of z/OS systems themselves hasn’t been confirmed publicly, the scale, duration, and nature of the affected functions point to severe disruption in mainframe-adjacent or mainframe-integrated systems.
Legal and financial fallout
- UnitedHealth issued $9 billion in no-interest emergency loans through Optum; by early 2025, $5.5 billion had been recovered.
- As of April 2025, many small practices report receiving repayment demands or having claims withheld due to outstanding balances.
- The AMA called for flexibility, warning that aggressive repayment enforcement could recreate the same financial distress caused by the original outage.
- Dozens of lawsuits were consolidated into multi-district litigation in Minnesota. In March 2025, Change Healthcare filed a motion to dismiss some of the claims, citing jurisdictional issues. The litigation is ongoing.
Key lessons
- Disable MFA, disable your business. A single remote-access misconfiguration exposed the entire ecosystem.
- DR isn’t DR if it shares credentials. Segmentation between production and backup environments must include authentication domains and policy boundaries.
- Recovery is financial, not just technical. Providers are still suffering from cashflow gaps and reimbursement bottlenecks a year later.
- Dominance increases blast radius. The scale of UnitedHealth’s integration turned a breach into a systemic healthcare disruption.
References
#5. Industrial & Commercial Bank of China — 2023
What happened
On November 8, 2023, the U.S. broker-dealer unit of the Industrial and Commercial Bank of China (ICBC), the world’s largest bank by assets, was hit by a major ransomware attack. The perpetrators were linked to LockBit 3.0, a notorious ransomware-as-a-service group with ties to Russian-speaking cybercriminal networks.
The attack exploited a critical zero-day vulnerability known as Citrix Bleed (CVE-2023-4966), which allowed unauthenticated access to internal Citrix systems. Once inside ICBC’s environment, the attackers moved quickly—dumping credentials, disabling endpoint protection, and deploying encryption payloads across both distributed systems and core infrastructure.
What made this attack globally significant was its timing and target. ICBC’s U.S. operation handles the clearing and settlement of U.S. Treasury trades. Following the attack, the bank was forced to revert to manual operations. Staff resorted to using USB drives to transfer trade details between systems and relied on Gmail accounts to coordinate with partners like BNY Mellon and the Depository Trust & Clearing Corporation (DTCC). The disruption caused an estimated $9 billion in unsettled trades and rattled confidence in one of the world’s most liquid markets.
Although ICBC did not publicly confirm whether z/OS systems were directly encrypted, numerous indicators point to core back-office infrastructure—likely powered by IBM mainframes—being at least partially disabled during the incident. The attack also exposed broader risks in how distributed front-ends and centralized back-ends are interconnected in hybrid banking architectures.
Mainframe involvement
ICBC has long used IBM z/OS systems for high-volume financial processing, including SWIFT messaging, bond settlement, and internal accounting. The U.S. unit’s Treasury clearing workflow—an area requiring extreme throughput and reliability—is almost certainly powered by such systems.
Key indicators of mainframe involvement:
- Business function: Treasury trade clearing is historically mainframe-resident due to its batch processing needs and integration with secure messaging.
- Workaround: The shift to USB drives implies that automated pipelines—likely built on JCL batch jobs or JES-managed workflows—had failed.
- Attack pattern: LockBit variants have evolved to target both UNIX System Services (USS) on z/OS and datasets mounted via NFS or FTP gateways—often the bridge points between Windows/Linux and mainframe data.
While there’s no statement confirming VSAM dataset encryption or JES queue compromise, the consequences—loss of settlement capability, manual failover, and liquidity exposure—align closely with a partial or full loss of access to z/OS systems or their interfaces.
Key lessons
- Mainframes aren’t immune—they’re just last to fall. In hybrid environments, attackers often land on distributed servers but target the high-value systems next.
- Isolation isn’t enough without monitoring. Even if the core LPARs weren’t breached, shared mounts or trusted middleware channels were enough to cripple the clearing flow.
- Segment your blast radius. Mainframe-connected systems must be treated as privileged, and lateral movement controls need to include real-time integrity checking and task suspension.
- Operational fallback matters. Reliance on USB drives and email highlights the fragility of real-time financial infrastructure without resilient automation or segmented DR paths.
References
- Reuters — “ICBC paid ransom after hack that disrupted US Treasury market”
- BleepingComputer — “World’s largest commercial bank ICBC confirms ransomware attack”
- Illumio — “Lessons from the ICBC cyber crisis”
The slew of high-profile hacks, including Home Depot (2014), Anthem (2015), and Experian (2015), has compromised the personal information of millions of users, leaving them vulnerable to identity theft, phishing, and financial loss. Although the mainframe was not directly breached in every case, sensitive data typically managed on mainframes was often accessed or exfiltrated even when the breach originated elsewhere, underscoring the importance of robust security measures and vigilant monitoring.
An analysis of these major hacks reveals a stark truth: many breaches can be traced back to preventable errors. Phishing attacks, third-party vulnerabilities, weak passwords, outdated software, lack of encryption, inadequate monitoring, human error, and poor segmentation all contributed to these devastating breaches. By addressing these common vulnerabilities and prioritizing proactive security measures, companies can significantly reduce the risk of falling victim to a similar breach, safeguarding their customers’ sensitive information and their own reputation. By learning from these incidents, we can work towards a safer, more secure digital landscape.
The total cost of a breach is difficult to calculate, and published figures often only reflect the initial costs of response and remediation. The long-term expenses, including litigation, legal settlements, and reputational damage, can far exceed the initial estimates, making proactive security measures a wise investment for any organization handling sensitive data.