ThinkSet Magazine

When Cyber Meets Concrete: What a Data Center Outage Reveals about Cybersecurity and Business Insurance

Winter/Spring 2026

A breach of a building management system triggered a cascading data center outage. What does this incident reveal about cyber-physical risk, operational resilience, and cyber insurance coverage?

Key Takeaways

  • Data centers sit at the intersection of cybersecurity, physical security, and human trust. Cyberattacks that blend these domains are low effort, high impact, and increasingly common.
  • A scenario detailing a chain of operational weaknesses reveals the inner workings of a data center outage and its impacts and lessons learned (including those related to cyber insurance coverage).
  • Operators must assume vendors will be targeted and correlate physical, environmental, and cyber telemetry in the future.

An hours-long Amazon Web Services (AWS) outage that took down thousands of sites and applications last year was not the result of a cyber attacker’s malware or zero-day exploit. The root cause? An empty domain name system record that failed to automatically repair—in other words, a software bug that required a manual intervention to correct.

Modern data centers are engineered for resilience, but outages increasingly arise from the intersection of cybersecurity and physical infrastructure—operational complexities rather than malicious actors. According to a 2025 report, nearly 40 percent of organizations suffered a major outage caused by human error over the past three years. The consequences were grave: more than half of respondents said their most recent significant outage cost more than $100,000, with 20 percent reporting costs over $1 million.

Beyond the statistics, what does an outage like this look like? How is it remediated? Where can insurance policies help cover losses?

To answer these critical questions facing data center operators, customers, policymakers, and vendors, we delve into a case study-style scenario depicting a coordinated compromise of physical access controls and environmental management systems that took a midsized enterprise data center offline for several hours. The root cause was not a single advanced attack but a chain of common operational weaknesses: insecure building management systems (BMS), over-trusted vendors, weak monitoring of “non-IT” networks, and human error during routine operations.

Background: The Infrastructure That Keeps Data Centers Running

Before the compromise, the data center followed industry norms including:

  • segregated critical rooms: server halls, uninterruptible power supply (UPS) rooms, battery bank rooms, cooling plant
  • electronic access control using badge readers and biometric authentication
  • environmental controls managed by a BMS connected to heating, ventilation, and air conditioning (HVAC), fire suppression, and power distribution monitoring
  • centralized monitoring via a network operations center (NOC)

While information technology (IT) systems were heavily hardened, physical and environmental systems were treated as facilities infrastructure, not cybersecurity assets.

The Overlooked Entry Point: BMS and Vendor Access Vulnerabilities

The incident began with the compromise of a third-party facilities maintenance vendor responsible for HVAC servicing. A phishing email targeting one of the vendor’s technicians resulted in credential theft. From there, the attacker gained authenticated access to the BMS environment without triggering any IT security alerts.

Contributing factors included:

  • vendor remote access to the BMS via virtual private network (VPN)
  • shared credentials used by multiple technicians
  • no multifactor authentication (MFA) for BMS access
  • limited logging, monitoring, and alerting on BMS administrative actions

How the Attacker Moved from Building Systems to Critical Infrastructure

Once inside the BMS, the attacker explored systems rarely scrutinized by cybersecurity teams:

  • HVAC temperature and humidity controls
  • differential pressure sensors in server rooms
  • alarm thresholds for overheating and thermal readings
  • integration between BMS and physical access systems

The attacker lowered alarm thresholds and suppressed alerts, then issued commands that gradually reduced cooling output in one server hall while masking sensor readings presented to operators. Access logs simultaneously showed unauthorized badge cloning activity enabled by:

  • outdated firmware on access control panels
  • lack of tamper alerts on door controllers
  • no correlation between physical access logs and IT monitoring

Trigger Event: Environmental Failure and Emergency Shutdown

Within forty minutes of the breach:

  • Rack inlet temperatures exceeded safe operating limits.
  • Servers began throttling and shutting down automatically.
  • Storage arrays entered protective shutdown mode.
  • Network devices activated critical high temperature shutdown mode.
  • UPS systems detected abnormal thermal conditions.

While backup HVAC/cooling systems did not activate, safety interlocks forced an emergency power-down of the affected room. But because workloads were not evenly distributed, failover capacity was insufficient. Customer-facing systems experienced a full outage for approximately three hours, with intermittent service degradation for several more.

Why Traditional Cyber Defenses Failed

This case did not involve a failure of firewalls or endpoint protection. The breach succeeded due to a dangerous amalgamation of technical vulnerabilities and human failures.

Technical Vulnerabilities

  • BMS network was not segmented from vendor access paths.
  • Legacy protocols (e.g., BACnet/IP) were exposed without encryption.
  • Environmental sensor data did not have integrity monitoring.
  • Physical security systems ran unpatched firmware.

Human and Process Failures

  • Cybersecurity risk assessments excluded facilities systems.
  • The data center over-relied on vendors without continuous access validation.
  • The IT and Facilities teams did not have a joint incident response plan.
  • Alert fatigue caused early warning signs to be ignored.

The attacker only needed knowledge of how data centers operate—not sophistication—to carry out the hack.

Incident Response: Containment and Stabilization

Once overheating was detected:

  1. Facilities staff manually inspected the server hall.
  2. Cooling systems were forced into manual override.
  3. Vendor VPN access was immediately revoked.
  4. The data center was partially evacuated per safety protocols.

The IT and Facilities teams initially worked in parallel, not together—costing valuable time. The attack scenario was identified only after cross-team escalation.

Remediation Actions Taken

To address the breach and resume operations, team members took the following actions:

Immediate Technical Remediation

  • Full rebuilding of BMS authentication systems.
  • Enforced MFA for all vendors and internal access.
  • Network segmentation between BMS, access control, and IT networks.
  • Firmware updates across all physical security devices.
  • Deployment of independent temperature sensors not controlled by BMS.

Process and Governance Changes

  • Facilities systems formally classified as cyber assets.
  • Joint IT–Facilities risk assessments mandated.
  • Vendor access moved to just-in-time, time‑boxed approvals.
  • Physical access and BMS logs integrated into security information and event management monitoring.
  • Tabletop exercises added for physical–cyber incident scenarios.
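
The Python example below is added here and is not from the article or the operator in the scenario: it shows how independent temperature probes and BMS administrative logs, once in a single feed, can be correlated so that masked sensor readings are caught and escalated when an alarm-setting change on the same hall came first. The event sources, field names, and action names are hypothetical, and the sample feed is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical schema): (timestamp, source, fields)
EVENTS = [
    ("2026-01-10T02:00", "vpn", {"account": "hvac-vendor", "action": "login"}),
    ("2026-01-10T02:05", "bms_admin", {"account": "hvac-vendor", "action": "set_alarm_threshold", "hall": "A"}),
    ("2026-01-10T02:06", "bms_admin", {"account": "hvac-vendor", "action": "suppress_alerts", "hall": "A"}),
    ("2026-01-10T02:10", "bms_temp", {"hall": "A", "celsius": 23.0}),
    ("2026-01-10T02:10", "probe_temp", {"hall": "A", "celsius": 24.1}),
    ("2026-01-10T02:25", "bms_temp", {"hall": "A", "celsius": 23.2}),
    ("2026-01-10T02:25", "probe_temp", {"hall": "A", "celsius": 31.5}),
    ("2026-01-10T02:25", "bms_temp", {"hall": "B", "celsius": 22.8}),
    ("2026-01-10T02:25", "probe_temp", {"hall": "B", "celsius": 23.0}),
]

# BMS actions that can hide an environmental problem from operators (assumed names)
SENSITIVE = {"set_alarm_threshold", "suppress_alerts"}

def correlate(events, tolerance_c=3.0, window=timedelta(minutes=60)):
    """Return (severity, hall, detail) alerts: every sensitive BMS change is
    queued for review, and a BMS/probe divergence is critical if such a
    change touched the same hall within `window`, otherwise a warning."""
    alerts, changes, bms_last, remote = [], {}, {}, set()
    for ts, source, data in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if source == "vpn":
            if data["action"] == "login":
                remote.add(data["account"])
            else:
                remote.discard(data["account"])
        elif source == "bms_admin" and data["action"] in SENSITIVE:
            via = " (remote VPN session)" if data["account"] in remote else ""
            changes.setdefault(data["hall"], []).append(when)
            alerts.append(("review", data["hall"], f'{data["account"]} {data["action"]}{via}'))
        elif source == "bms_temp":
            bms_last[data["hall"]] = data["celsius"]
        elif source == "probe_temp" and data["hall"] in bms_last:
            # The probe is outside BMS control, so a large gap means the
            # BMS reading can no longer be trusted for this hall.
            gap = data["celsius"] - bms_last[data["hall"]]
            if abs(gap) <= tolerance_c:
                continue
            recent = any(when - t <= window for t in changes.get(data["hall"], []))
            severity = "critical" if recent else "warning"
            alerts.append((severity, data["hall"], f"probe differs from BMS by {gap:+.1f} C"))
    return alerts
```

The tolerance and window are placeholders to tune against a facility's normal sensor spread and maintenance schedule.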

Insurance Implications for Data Center Outages

Data centers are expensive to build and operate, and sustained outages will give rise to significant financial losses for the operator. Businesses that rely on data centers to host essential infrastructure and store critical data could be exposed to business interruption in the event of an outage. Insurance programs can transfer that risk, subject to the risk appetite of the policyholder.

A relatively short interruption of three hours like the scenario posed in this article likely would not trigger coverage because it would sit within the waiting period. However, had the impact been more severe and the outage prolonged, insurance could engage. In these circumstances the extent to which financial losses would be recoverable would turn critically on policy wording.

For the Data Center Operator

One might expect a traditional property damage/business interruption (PD/BI) insurance policy to respond; the business was, after all, interrupted. Such policies require physical damage to have occurred. Here there was no damage, and the PD/BI policy is unlikely to respond. If damage had occurred, PD/BI policies tend to provide limited coverage for physical damage and loss caused by cyber events, leaving the operator with uninsured costs and losses.

The operator could turn to specific cyber insurance and look for coverage for system restoration costs and loss of income from the ensuing interruption to operations because of the system failure. However, given the interruption was caused by an event at a third-party supplier, coverage may be restricted.

The operator also may suffer third-party liability claims from impacted customers, subject to any contractual limitations with its customers. Cyber liability policies may respond, subject to any restrictions given the genesis of the event.

In this scenario, the coverage position is complex and the operator may face a coverage gap, resulting in an uninsured exposure. Data center operators need to be aware of all potential exposures and develop an appropriate insurance program to transfer that risk. Data center–specific policies may provide better outcomes.

For Customers

For customers, coverage again would depend on the specific policy terms. Some customers may benefit from extensions covering BI losses arising from outages at third‑party IT or cloud service providers, subject to sub‑limits, waiting periods, and other policy conditions.

Further consideration could arise if the outage impacts multiple entities within the same corporate group. Depending on the insurance structure and drawing lessons from the UK Financial Conduct Authority’s COVID‑19 test case, the customer may be able to access multiple limits under composite policies.

Data center users should assess the business criticality of the services provided and whether their business continuity plans allow for a transition to other providers in the event of an outage. To the extent this is not a feasible option, appropriately tailored insurance can mitigate the risk.

Lessons for Data Center Operators: Managing Cyber-Physical Risk

Though this operator’s systems were fully restored the same day, reputational impact lingered. The post‑incident review highlighted a hard truth: Data centers sit at the intersection of cyber, physical security, and human trust; attacks that blend these domains are low effort, high impact, increasingly common—and not theoretical.