Digi.no covered a data breach at Sporveien, Oslo’s public transport operator: Sporveien utsatt for datainnbrudd (in Norwegian, subscription).
The most instructive detail was not the intrusion itself but the aftermath: there was not enough logging and information to support a real investigation, so the case could not meaningfully be pursued. That is a pattern I see constantly, and it is worth calling out.
Detection and response live or die on telemetry you decided to collect before anything happened. When an incident hits and the logs are not there, you cannot answer the questions that matter: how did they get in, what did they touch, did data leave, is it over. Logging is not glamorous and it rarely gets budget until it is too late, but it is the difference between an incident you can scope and close and one you can only shrug at. Decide what you need to see, collect it, retain it long enough to be useful, and make sure someone is actually looking.