An Attack Without Hackers

Published on Friday, October 31, 2025

The company experienced no intrusion, no malware, and no ransomware. Systems operated flawlessly, processes complied with policy, and performance metrics remained positive.

Yet it incurred losses of tens of millions. The source was not technical: a coordinated network of automated customers exploited a contractual loophole. They purchased, returned, and claimed refunds at high velocity, repeating the cycle thousands of times per minute.

This was not a traditional cyberattack, but a behavioral attack, leveraging existing operational rules. Even robust systems could not detect perfectly legal misuse.

The executive committee quickly realized that IT security alone was insufficient: anticipating adversarial behaviors in an automated environment was critical. The risk was not technological — it was human and systemic.

Measures included monitoring transactional patterns, imposing frequency limits, and running adversarial scenario simulations to test operational resilience. The company turned the vulnerability into a strategic lesson: infrastructure protection must be accompanied by a deep understanding of actor behaviors, internal and external.

For boards, the insight is clear: technical robustness must be complemented by anticipating rule-exploiting behaviors. In an automated world, risk no longer lies solely in systems, but in how humans and machines interact with them.

Depending on its business sector and the nature of its activities, your organization may be impacted, directly or indirectly, by this global risk over the coming years.

Whether you are a director, an executive or a manager, you may be wondering if your company is exposed to this global risk or other potential events. And if so, are you and your organization ready to face these challenges?

Should you need advice on the appropriate risk governance and enterprise risk management approach for your organization, please contact us.

Baldwin Global is an independent advisory group offering professional services, education and training in risk governance and enterprise risk management. We help our clients’ boards of directors and management teams attain their objectives by embedding sound risk oversight and management practices into their decision-making process to have a significant positive impact on their business.

 

Photo by Kevin Ku


