ctipilot.ch


Social engineering and SSO abuse opened the highest-profile intrusions

From CTI Weekly Summary — 2026-W26 (Jun 22 – Jun 28, 2026) · published 2026-06-29

Madison Square Garden was breached by a single vishing call into its identity platform; the operators talked a low-level employee into authorising access. This is the same human-layer entry that has driven the year's most damaging extortion. The defensive lesson is process, not product: callback verification on help-desk identity changes, no MFA reset on an inbound call, and alerting on anomalous SSO grants from new devices.
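
The last of those controls, alerting on SSO grants from new devices, sketched as an added example (not code from this brief or from any identity product), with the alert escalated when the grant follows an MFA reset. The event schema, field names, sample events and 24-hour window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical, vendor-neutral schema.
EVENTS = [
    {"ts": "2026-06-01T09:00:00", "user": "alice", "type": "sso_grant", "device": "dev-a1"},
    {"ts": "2026-06-02T09:05:00", "user": "alice", "type": "sso_grant", "device": "dev-a1"},
    {"ts": "2026-06-03T14:00:00", "user": "bob", "type": "sso_grant", "device": "dev-b1"},
    {"ts": "2026-06-03T15:10:00", "user": "bob", "type": "mfa_reset",
     "channel": "helpdesk_inbound_call"},
    {"ts": "2026-06-03T15:25:00", "user": "bob", "type": "sso_grant", "device": "dev-x9"},
    {"ts": "2026-06-04T08:00:00", "user": "alice", "type": "sso_grant", "device": "dev-a2"},
]

RESET_WINDOW = timedelta(hours=24)  # assumed correlation window, tune per environment


def detect_new_device_grants(events, window=RESET_WINDOW):
    """Alert on SSO grants from a device not yet seen for that user.

    Severity is "high" when the grant follows an MFA reset for the same
    user within `window`, otherwise "medium".
    """
    known = {}       # user -> device ids seen so far
    last_reset = {}  # user -> (time, channel) of the most recent MFA reset
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["type"] == "mfa_reset":
            last_reset[user] = (ts, ev.get("channel", "unknown"))
            continue
        if ev["type"] != "sso_grant":
            continue
        seen = known.setdefault(user, set())
        # The first device observed for a user seeds the baseline, no alert.
        if seen and ev["device"] not in seen:
            reset = last_reset.get(user)
            after_reset = reset is not None and ts - reset[0] <= window
            alerts.append({
                "ts": ev["ts"], "user": user, "device": ev["device"],
                "severity": "high" if after_reset else "medium",
                "reset_channel": reset[1] if after_reset else None,
            })
        seen.add(ev["device"])
    return alerts


if __name__ == "__main__":
    for alert in detect_new_device_grants(EVENTS):
        print(alert)
```

In production the per-user device baseline would come from historical sign-in data rather than from the first event in the batch.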