Security this year was a mess of hacks, thefts and disruption. From government systems to cloud CRMs and high street store chains, attackers seamlessly pivoted between stealthy data exfiltration and highly visible outages — sometimes in the same campaign. The result was a bruising 2025 that laid bare how fragile digital dependencies have grown.
Huge Intrusions at Agencies and Companies Have Been Revealed
Nation-state activity was still in the headlines. Early in the year, state-linked Chinese hackers were said to have probed and penetrated U.S. federal networks — including through a widely exploited SharePoint vulnerability, officials say. Other such compromises of court systems released sealed filings, serving as a potent reminder that sensitive judicial data is only as secure as the software protecting it.
The controversy intensified when reports suggested an extraordinary overreach inside the federal bureaucracy, with politically connected appointees accused of gaining access to and copying data well outside of what their authorized mandates were. Legal experts cautioned that any such unauthorized access could expose the publishers to liability under U.S. computer crime laws, highlighting how insider risk and governance lapses can be just as perilous as threats from outside.
There’s a dark lesson here: overgrown legacies, too many privileges, not enough logging — it also happens to be far too simple for sophisticated actors — who could be foreign or domestic — to make lateral moves and silently bleed sensitive records.
Supply Chain Breaches Strike at the Heart of Big Business
Ransomware crews have polished a playbook that dispenses with encryption and concentrates on extortion. A prolific gang used a previously unknown flaw in Oracle’s E-Business Suite to quietly vacuum up human resources, financial and customer data from dozens of companies before they struck, followed by high-dollar demands delivered via email directly to top executives. Oracle rushed out a patch after the theft was already done — an inversion of “detect and respond” that is now standard fare for mass exploitation.
The tactics mirrored previous campaigns aimed at file-transfer tools such as MOVEit and GoAnywhere, when a single vulnerability led to thousands of victims. Incident response teams at firms including Mandiant and Palo Alto Networks’ Unit 42 have repeatedly warned that automation-first exploitation windows now open and close in hours, not days — rendering unpatched systems all but defenseless.
Exposed Cloud CRM Ecosystem via Downstream Channels
The breach staggered Salesforce customers after cybercriminals hacked into third-party platforms used to analyze and manage CRM data. The breach at Salesloft and Gainsight made off with access to connected customer stores, which opened the door to a trove estimated to contain nearly a billion records from multiple brands. A group that calls itself Scattered LAPSUS$ Hunters promoted the haul and sought ransoms, underscoring the ways in which data brokers as well as extortionists and hacktivists are mixing tactics and identities more than ever.
The lesson is painful: Your vendor’s vendor is your attack surface. For years, Verizon’s Data Breach Investigations Report has been charting the role of partners in compromises, and 2025 highlighted that access integrations — OAuth tokens, API keys, SSO bridges — are as valuable to criminals as passwords used to be.
Retail and Manufacturing Disruption in the UK
British retail was similarly assaulted at household names in back-to-back compromises that involved the theft of data from our biggest chains and service outages that emanated into logistics.
Co-op said millions of customer records were compromised and other brands faced payment outages and blind spots in inventory. Luxury retailers were not spared.
Far more devastating was a cyberattack that crippled Jaguar Land Rover for weeks, then months, as the automaker reconstituted systems and supplier relationships. And the shutdown cut off smaller sellers of daily goods from cash flow, at the same time leading to a government guarantee for those covering payrolls and avoiding closings that will ultimately top £1.5 billion. Britain’s National Cyber Security Centre has cautioned that disruption is itself a moneymaking method these days — a paralyzed operation can fetch more than stolen data.
South Korea’s Year of Nonstop Compromise
South Korea withstood a relentless drumbeat of incursions. SK Telecom reported on a breach that compromised tens of millions of customer records, as part of an overall increase in suspected North Korea–linked activity. A loss of information stored in one data center, which did not have backups off-site because the government believed the computers were secure and that backup systems would be unnecessary. It represents physical failure combined with digitally instilled fragility. The highest-profile breach was at the top e-commerce company Coupang, which discovered months-long theft of personal data that affected more than 30 million customers and led to changes in its leadership as a result.
Regulators in Seoul, along with counterparts across Europe and North America, are becoming increasingly punitive toward bad data stewardship — and making clear that systemic failures — backup shortcomings, excessive data retention periods or lax encryption requirements — will attract special attention.
What 2025 Showed Us About Modern Breach Risk
Three realities stand out.
- Disruption is the new leverage: attackers bundle data theft with outages to maximize leverage.
- Third-party and identity pathways outstrip perimeter defenses: API tokens, service accounts, federated access are the gold.
- Speed kills: zero-day attacks and mass scanning collapse remediation windows to almost zero.
That means practically to invest in identity-first controls (phishing-resistant MFA, just-in-time privileged access, hardware-backed keys), continuous attack surface management and strict egress monitoring. Segment sensitive systems, rotate and scope API credentials, and keep immutable offline backups that are regularly tested. As you bring in vendors, ask for least-privilege implementations, incident response playbooks and quick routes to revoke tokens and SSO.
CISA’s Secure by Design initiative and ENISA’s Threat Landscape can serve as the foundation for these changes while learning from U.K. NCSC investment guidance regarding ransomware mitigation and NIST Zero Trust Architecture can help anchor them. As part of IBM’s annual cost-of-breach research, detection and remediation costs continue to increase, particularly when caused by third parties. For boards and security leaders, what 2025 has in store is clear: Your resilience today will depend as much on the contracts and connections surrounding your data as the controls protecting it.
