
Georgia Cybersecurity Incidents: Notable Breaches & Ransomware Attacks

A detailed timeline of major cybersecurity incidents in Georgia, from the Equifax mega-breach to the City of Atlanta ransomware attack, and what businesses can learn from them.

Georgia sits at the intersection of several industries that make it one of the most cyber-targeted states in the country. Atlanta serves as the operational hub for UPS and Delta Air Lines, hosts a dense concentration of fintech companies processing billions in transactions daily, and anchors a healthcare sector that spans major systems like Emory Healthcare and Grady Health System. Hartsfield-Jackson Atlanta International Airport, the busiest airport in the world by passenger volume for over two decades, adds critical infrastructure exposure that few other states can match. This combination of logistics, finance, and healthcare data makes Georgia a persistent target for cybercriminals and nation-state actors alike.

The incidents documented below are not abstract cautionary tales. They represent real failures in security posture that cost Georgia organizations hundreds of millions of dollars, exposed the personal data of hundreds of millions of individuals, and in the case of the City of Atlanta, disrupted basic municipal services for weeks. Understanding the Georgia cyber threat landscape starts with examining what has already gone wrong and why.

Major Cyber Incidents in Georgia: A Timeline

2015 — Georgia Secretary of State Data Exposure

In 2015, the Georgia Secretary of State's office inadvertently exposed the personal information of approximately 6.2 million Georgia voters. The exposure occurred when the office distributed CDs and a downloadable file containing voter registration records that included Social Security numbers, dates of birth, and driver's license numbers — far beyond the publicly available voter roll data that election officials are permitted to share. The incident was discovered by an independent researcher who notified the media. While this was a data exposure rather than an external hack, it demonstrated critical failures in data handling procedures within a major state agency and prompted calls for stronger data governance across Georgia government offices.

2017 — Equifax Data Breach

The Equifax breach is the single most consequential cybersecurity incident associated with Georgia. Equifax, headquartered in Atlanta, disclosed in September 2017 that attackers had exploited a known vulnerability in Apache Struts (CVE-2017-5638) on a consumer dispute portal. The vulnerability had been publicly disclosed and patched in March 2017, but Equifax failed to apply the patch to the affected system. Attackers maintained access from mid-May through late July 2017, exfiltrating names, Social Security numbers, birth dates, addresses, and in some cases driver's license numbers for approximately 147 million Americans — nearly half the U.S. population.

The fallout was enormous. Equifax's CEO, CIO, and CSO all resigned. The company ultimately paid a $575 million settlement with the Federal Trade Commission, the Consumer Financial Protection Bureau, and all 50 state attorneys general, with a potential to increase to $700 million. The breach exposed fundamental failures in patch management, network segmentation, and certificate management — the internal SSL certificate the company used to inspect encrypted traffic had expired 19 months earlier, so the inspection tooling was blind and the exfiltrated data left the network undetected. For Georgia, the breach was a stark reminder that even the state's largest and most established companies can suffer catastrophic failures when basic security hygiene is neglected.

2018 — City of Atlanta SamSam Ransomware Attack

On March 22, 2018, the City of Atlanta was hit by the SamSam ransomware, making it one of the most high-profile municipal cyberattacks in American history. The attackers, later identified as Iranian nationals Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, demanded approximately $51,000 in Bitcoin to decrypt the city's systems. Atlanta chose not to pay the ransom.

The impact was sweeping. Residents could not pay water bills or parking tickets online. The Atlanta Police Department lost access to its dashcam video archive. Municipal courts could not process cases. City employees were unable to access email, internal applications, or WiFi networks for days, and some systems took months to fully restore. The estimated total cost of recovery exceeded $17 million, covering incident response, new hardware and software, security consulting, and long-term infrastructure upgrades.

Investigations revealed that the city's IT infrastructure had been in poor condition prior to the attack. A January 2018 audit had identified approximately 1,500 to 2,000 vulnerabilities in city systems, and the city's IT department was understaffed relative to the complexity of its environment. The SamSam group exploited weak or reused credentials to gain initial access through Remote Desktop Protocol (RDP) and then moved laterally through the network. The FBI, Department of Homeland Security, and Secret Service all assisted in the investigation. The two Iranian nationals were indicted by a federal grand jury in November 2018, though they remain at large. The Atlanta attack became a watershed moment for municipal cybersecurity nationwide, demonstrating that local governments are not too small or too insignificant for sophisticated ransomware operators to target.

2019 — Grady Health System Phishing Attack

Grady Health System, Atlanta's largest public hospital and one of the busiest Level I trauma centers in the Southeast, disclosed in 2019 that a phishing attack had compromised employee email accounts. The breach exposed protected health information for an undisclosed number of patients, including names, dates of birth, medical record numbers, and clinical information. Grady notified affected patients and engaged a cybersecurity firm to conduct a forensic investigation. The incident highlighted the vulnerability of large healthcare organizations to email-based attacks, particularly in high-volume clinical environments where staff process hundreds of messages daily.

2020 — Marriott International (Atlanta Operations)

Marriott International, which maintains significant operations in Atlanta including its loyalty program headquarters, disclosed its second major breach in March 2020. Attackers used stolen credentials from two Marriott employees to access guest information for approximately 5.2 million guests. Exposed data included names, addresses, phone numbers, loyalty account numbers, and travel preferences. While the breach affected Marriott's global operations, the company's Atlanta-based staff were directly involved in the incident response and remediation, and the breach underscored the risks that Georgia-based hospitality and travel companies face from credential-based attacks.

2021 — Colonial Pipeline Ransomware Attack

In May 2021, the DarkSide ransomware group attacked Colonial Pipeline, which is headquartered in Alpharetta, Georgia, a suburb of Atlanta. Colonial Pipeline operates the largest refined products pipeline in the United States, transporting approximately 2.5 million barrels per day of gasoline, diesel, and jet fuel along 5,500 miles from the Gulf Coast to the Eastern Seaboard. The company proactively shut down pipeline operations to prevent the malware from spreading to operational technology systems, triggering fuel shortages, panic buying, and gas station closures across the southeastern United States.

Colonial Pipeline paid a ransom of approximately $4.4 million in Bitcoin to the DarkSide group, though the FBI later recovered approximately $2.3 million of that payment. The attack originated from a compromised VPN credential that did not have multi-factor authentication enabled. The incident prompted a federal executive order on improving national cybersecurity and led to new TSA security directives for pipeline operators. For Georgia, the Colonial Pipeline attack was a vivid demonstration that the state's role as a logistics and energy transit hub creates critical infrastructure exposure with national consequences.

2022 — Morehouse School of Medicine Data Breach

Morehouse School of Medicine in Atlanta reported a data breach in 2022 after unauthorized access to its network was discovered. The breach compromised personal and financial information of students, faculty, and staff. The school engaged external cybersecurity experts and notified affected individuals in compliance with state and federal requirements. The incident was part of a broader trend of cyberattacks targeting educational and medical institutions in Georgia.

Georgia's Data Breach Notification Law

Georgia's breach notification requirements are codified in O.C.G.A. § 10-1-912, part of the Georgia Personal Identity Protection Act. The law requires any information broker or data collector that maintains computerized data including personal information to notify affected Georgia residents in the most expedient time possible and without unreasonable delay following the discovery of a breach. Unlike many other states, Georgia does not specify a hard deadline in days for notification, instead using the 'most expedient time possible' standard, which gives businesses some flexibility but also creates ambiguity about exactly how quickly notice must be provided.

The law defines personal information as an individual's first name or initial and last name combined with a Social Security number, driver's license or state ID number, financial account number with access credentials, or medical information. If the breach affects more than 10,000 Georgia residents at one time, the organization must also notify all consumer reporting agencies. There is no requirement to notify the Georgia Attorney General directly, although the AG's Consumer Protection Division can investigate and enforce violations. For a detailed analysis of all applicable Georgia privacy statutes, see our Georgia cybersecurity compliance guide.

Which Georgia Industries Are Most Targeted?

Logistics and Transportation

Atlanta is the headquarters of UPS and a primary hub for Delta Air Lines. Hartsfield-Jackson Atlanta International Airport processes over 90 million passengers annually. The Colonial Pipeline attack demonstrated that Georgia's logistics infrastructure is not just locally important — disruptions here cascade nationally. Supply chain data, shipment tracking systems, and airport operational technology all present attack surfaces that threat actors actively probe.

Fintech and Financial Services

Atlanta is sometimes called the 'transaction capital of the world.' Approximately 70% of all U.S. financial transactions are processed through Georgia-based companies, including NCR (now NCR Voyix), Fiserv operations, Global Payments, and dozens of payment processing startups. This concentration of financial data makes Atlanta fintech companies high-value targets for financially motivated threat actors and state-sponsored espionage groups alike.

Healthcare

Georgia's healthcare sector includes major systems like Emory Healthcare, Piedmont Healthcare, Wellstar Health System, and Grady Health System. Medical records contain the combination of personal, financial, and clinical data that commands the highest prices on dark web markets. The Grady Health phishing attack and the broader trend of healthcare cybersecurity incidents demonstrate that this sector remains persistently vulnerable.

State and Local Government

The City of Atlanta SamSam attack proved that Georgia municipal governments can suffer attacks with eight-figure recovery costs. Smaller Georgia municipalities and county governments often operate with even fewer IT resources than Atlanta had in 2018, making them attractive targets for ransomware operators who calculate that limited budgets correlate with weak defenses.

What Georgia Businesses Must Do After a Breach

If your Georgia organization experiences a data breach, the following steps are required or strongly recommended under state law and security best practices:

  • Contain the breach immediately — isolate affected systems, revoke compromised credentials, and preserve forensic evidence before beginning remediation

  • Conduct a forensic investigation — determine the scope of the breach, what data was accessed or exfiltrated, the attack vector, and whether the attacker retains access

  • Notify affected Georgia residents in the most expedient time possible and without unreasonable delay, as required by O.C.G.A. § 10-1-912

  • Notify consumer reporting agencies if more than 10,000 Georgia residents are affected in a single breach

  • Notify law enforcement if the breach involves criminal activity — the FBI's Atlanta field office and the Georgia Bureau of Investigation both handle cyber cases

  • Document your response timeline — maintain detailed records of when the breach was discovered, containment steps taken, and notifications issued for potential regulatory or legal review

  • Engage legal counsel experienced in Georgia data breach law to assess notification obligations and potential liability exposure

How to Protect Your Georgia Business

The incidents above share common themes: unpatched vulnerabilities, weak or reused credentials, lack of multi-factor authentication, poor network segmentation, and understaffed IT teams. Georgia businesses can address these patterns directly:

  • Patch management — the Equifax breach exploited a vulnerability that had a patch available for two months before the attack. Establish a process to apply critical patches within 48 hours of release

  • Multi-factor authentication on all remote access — the Colonial Pipeline attack originated from a VPN account without MFA. This single control would have prevented the most consequential Georgia cyber incident of the past decade

  • Network segmentation — the City of Atlanta's SamSam attack spread laterally because systems were not properly segmented. Isolate critical systems, particularly those handling financial transactions or personal data

  • Employee phishing training — the Grady Health and Marriott breaches both originated from compromised credentials obtained through social engineering

  • Incident response planning — conduct annual tabletop exercises that simulate ransomware and data exfiltration scenarios specific to your industry

  • Offline backups — maintain and regularly test backup restoration procedures so that a ransomware attack does not create a binary choice between paying and losing data
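Three of the gaps in the list above (a critical patch left unapplied for weeks, a remote-access account without MFA, and an expired inspection certificate) are things an organization can measure from its own inventory rather than discover after an incident. The script below is an added example written for this page, not code from the page's author or from any vendor named here. It runs the three checks over a small inventory that is constructed inline purely for illustration; host names, account names and certificate subjects are placeholders, and a real deployment would load the same records from a CMDB, identity provider and certificate store instead.

```python
"""Hygiene checks for the three control gaps this page keeps returning to:
patch latency beyond a 48-hour SLA, remote access without MFA, and expired or
soon-to-expire certificates. Added example; all inventory data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

PATCH_SLA = timedelta(hours=48)          # the 48-hour target stated on the page
CERT_WARN_WINDOW = timedelta(days=30)    # assumed early-warning window for expiry


@dataclass(frozen=True)
class Host:
    name: str
    critical_patch_released: datetime      # when the vendor published the fix
    patch_applied: Optional[datetime]      # None means still unpatched


@dataclass(frozen=True)
class RemoteAccount:
    user: str
    access_type: str                       # e.g. "vpn" or "rdp"
    mfa_enabled: bool


@dataclass(frozen=True)
class Certificate:
    subject: str
    not_after: datetime


def patch_findings(hosts: List[Host], now: datetime) -> List[Tuple[str, str, int]]:
    """Hosts whose critical patch took longer than the SLA (or is still missing).
    Returns (host, status, hours_of_exposure)."""
    findings = []
    for h in hosts:
        applied = h.patch_applied or now   # unpatched hosts are still accruing exposure
        lag = applied - h.critical_patch_released
        if lag > PATCH_SLA:
            status = "UNPATCHED" if h.patch_applied is None else "LATE"
            findings.append((h.name, status, int(lag.total_seconds() // 3600)))
    return findings


def mfa_findings(accounts: List[RemoteAccount]) -> List[Tuple[str, str]]:
    """Every remote-access account that can authenticate with a password alone."""
    return [(a.user, a.access_type) for a in accounts if not a.mfa_enabled]


def certificate_findings(certs: List[Certificate], now: datetime) -> List[Tuple[str, str, int]]:
    """Expired certificates (days since expiry) and ones expiring inside the warning window."""
    findings = []
    for c in certs:
        remaining = c.not_after - now
        if remaining < timedelta(0):
            findings.append((c.subject, "EXPIRED", -remaining.days))
        elif remaining < CERT_WARN_WINDOW:
            findings.append((c.subject, "EXPIRING", remaining.days))
    return findings


def run_checks(hosts, accounts, certs, now):
    return {
        "patch": patch_findings(hosts, now),
        "mfa": mfa_findings(accounts),
        "certificates": certificate_findings(certs, now),
    }


# Constructed sample inventory (placeholder names, not real systems).
NOW = datetime(2026, 4, 1, tzinfo=timezone.utc)
HOSTS = [
    Host("dispute-portal-01", datetime(2026, 3, 1, tzinfo=timezone.utc), None),
    Host("web-02", datetime(2026, 3, 20, tzinfo=timezone.utc),
         datetime(2026, 3, 21, 12, tzinfo=timezone.utc)),
    Host("db-03", datetime(2026, 3, 20, tzinfo=timezone.utc),
         datetime(2026, 3, 25, tzinfo=timezone.utc)),
]
ACCOUNTS = [
    RemoteAccount("ops-admin", "vpn", mfa_enabled=False),
    RemoteAccount("jdoe", "vpn", mfa_enabled=True),
    RemoteAccount("svc-backup", "rdp", mfa_enabled=False),
]
CERTS = [
    Certificate("tls-inspection-proxy", datetime(2024, 9, 1, tzinfo=timezone.utc)),
    Certificate("vpn.example.test", datetime(2026, 4, 15, tzinfo=timezone.utc)),
    Certificate("portal.example.test", datetime(2027, 1, 1, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for check, items in run_checks(HOSTS, ACCOUNTS, CERTS, NOW).items():
        print(f"[{check}] {len(items)} finding(s)")
        for item in items:
            print("   ", *item)
```

Each finding carries the figure a reviewer would actually act on: hours of exposure past the SLA (an unpatched host keeps accruing it until the patch lands), the access path that lacks MFA, and the number of days a certificate has been expired, which is the number that was 19 months in the Equifax case. Run on a schedule, the output is the evidence that the controls in the list are in place rather than assumed.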

Many Georgia businesses, particularly small and midsize firms, partner with managed IT services providers or managed security services firms to maintain the continuous monitoring and rapid response capabilities that modern threats demand without building a full in-house security operations center.

Frequently Asked Questions

How quickly must a Georgia business report a data breach?

Georgia law (O.C.G.A. § 10-1-912) requires notification 'in the most expedient time possible and without unreasonable delay' after discovering a breach. Unlike states such as Texas (60 days) or Colorado (30 days), Georgia does not specify a fixed number of days. This standard gives businesses some flexibility but also means that courts and regulators will evaluate the reasonableness of any delay on a case-by-case basis. In practice, most Georgia breach notification attorneys advise issuing notice within 30 to 45 days to demonstrate good faith compliance.

What was the City of Atlanta ransomware attack?

On March 22, 2018, the SamSam ransomware group attacked the City of Atlanta, encrypting municipal systems and demanding approximately $51,000 in Bitcoin. The city did not pay. The attack disrupted water bill payments, court proceedings, police records systems, and internal city operations for weeks. Total recovery costs exceeded $17 million. Two Iranian nationals were later indicted for the attack. The incident is widely regarded as one of the most significant municipal cyberattacks in U.S. history and led to major cybersecurity investments across Georgia local governments.

How did the Equifax breach affect Georgia specifically?

Equifax is headquartered in Atlanta, so the 2017 breach was fundamentally a Georgia incident. The breach exposed personal data for 147 million Americans and resulted in a $575 million settlement. It led to the resignation of Equifax's top executives, prompted congressional hearings, and intensified national debate about credit bureau data security. For the Georgia business community, it demonstrated that even the state's largest and most established companies are vulnerable when basic security practices like patch management and certificate monitoring are neglected.

Does Georgia have a comprehensive data privacy law like California or Texas?

As of 2025, Georgia does not have a comprehensive consumer data privacy law comparable to the California Consumer Privacy Act (CCPA) or the Texas Data Privacy and Security Act (TDPSA). Georgia's primary data protection statute is the Personal Identity Protection Act (O.C.G.A. § 10-1-910 through 10-1-912), which focuses on breach notification rather than broad consumer privacy rights. The Georgia Computer Security Act addresses unauthorized computer access. For a complete analysis of all applicable Georgia laws, see our Georgia cybersecurity compliance guide.

What role does the FBI Atlanta field office play in Georgia cyber incidents?

The FBI's Atlanta field office is one of the most active in the country for cybercrime investigations, reflecting Georgia's position as a major target. The office played a central role in the Colonial Pipeline investigation and assisted in the City of Atlanta SamSam response. The FBI Atlanta Cyber Task Force works with state and local law enforcement, including the Georgia Bureau of Investigation, to investigate cyber intrusions, ransomware attacks, and business email compromise schemes affecting Georgia organizations.

Is Hartsfield-Jackson Airport a cybersecurity target?

Yes. As the world's busiest airport by passenger throughput, Hartsfield-Jackson Atlanta International Airport operates complex interconnected systems including flight operations, baggage handling, passenger WiFi, retail point-of-sale terminals, and federal security infrastructure. While specific cyber incidents at the airport are not typically disclosed publicly due to national security considerations, airports of this scale are known targets for both nation-state actors conducting espionage and cybercriminals seeking passenger data or operational disruption.

Alex Morgan

Updated Apr 4, 2026 · 13 min read