2025 was defined by some of the most disruptive and revealing cyber attacks in recent memory. While headline statistics suggested that the average cost of cyber incidents declined year on year, a small number of high-impact attacks involving household names such as Marks & Spencer and Jaguar Land Rover dramatically altered the picture.
From widespread ransomware campaigns to targeted attacks exploiting trusted third-party software, the incidents of 2025 reinforced a sobering reality. Modern organisations remain deeply exposed through cloud platforms, supplier ecosystems, operational technology, and shared digital infrastructure. As businesses and governments look ahead to 2026, these attacks are already shaping cyber security strategy, regulatory focus, and investment priorities.
Below are some of the most impactful and widely reported cyber attacks of 2025 and the lessons they carry forward.
Marks & Spencer and the UK retail ransomware campaign
Date: April 2025
Attack type: Ransomware and coordinated sector campaign
Threat actor: Scattered Spider
One of the most widely covered cyber incidents of the year was the coordinated ransomware campaign against major UK retailers, including Marks & Spencer, the Co-op, and Harrods. The attack dominated headlines for weeks and set the tone for a year marked by supply chain exploitation and cross-sector exposure. The attackers, linked to the Scattered Spider group, used sophisticated social engineering techniques to compromise a third-party service provider. From there, they were able to infiltrate multiple retail networks, deploy tailored ransomware payloads, exfiltrate customer data, and issue extortion demands aimed at preventing public disclosure.
The financial impact was severe. Marks & Spencer reported that pre-tax profits fell from £391.9 million to just £3.4 million in the six months to 27 September. Online sales platforms, payment systems, and gift card services were unavailable for weeks, while the Co-op experienced major supply chain disruption and Harrods faced checkout outages and logistics delays.
A cross-sector investigation led by the National Crime Agency resulted in multiple arrests and placed a sharp spotlight on weaknesses in third-party access management across the retail industry.
Key takeaway:
This campaign demonstrated how shared vendors and cloud integrations can expose entire sectors to a single point of failure. It accelerated the push toward Zero Trust architectures, stricter vendor onboarding, and stronger ransomware resilience across retail supply chains.
Jaguar Land Rover supply chain attack
Date: August 2025
Attack type: Ransomware and supply chain disruption
Threat actor: Scattered Lapsus$ Hunters
In August 2025, Jaguar Land Rover suffered what is widely regarded as the most economically damaging cyber incident in UK history. According to the Cyber Monitoring Centre, the attack is expected to cost £1.9 billion and brought production to a halt for five weeks. More than 5,000 businesses across JLR’s global supply chain were affected, with full recovery not expected until January 2026.
The attack was attributed to the Scattered Lapsus$ Hunters, a loosely affiliated collective linked to groups such as Lapsus$, Scattered Spider, and ShinyHunters. By exploiting vulnerabilities in third-party supplier software, the attackers were able to move laterally into JLR’s core systems. Ransomware crippled production and logistics networks, forcing temporary shutdowns at manufacturing sites in the UK, Slovakia, and Brazil.
Beyond operational disruption, the attackers threatened to leak sensitive design and supplier data unless multimillion-pound ransom demands were met.
Key takeaway:
The JLR incident showed how cyber attacks on the supply chain can have immediate physical and economic consequences. It reinforced the need for stronger operational technology segmentation, secure software dependencies, and rigorous third-party assurance across industrial environments.
Collins Aerospace vMUSE airport systems attack
Date: March 2025
Attack type: Ransomware and aviation software compromise
Threat actor: Unknown financially motivated group
A ransomware attack on Collins Aerospace’s vMUSE platform caused widespread disruption across European aviation. vMUSE is used by airports for passenger check-in and boarding, and the attack forced airlines to revert to manual processes for passenger management and baggage handling.
Operations were disrupted at more than 20 airports, including Heathrow, Frankfurt, and Amsterdam Schiphol, leading to thousands of flight delays and cancellations. British police arrested a man in connection with the investigation under the Computer Misuse Act, although the responsible criminal group has not been publicly confirmed.
In response, the European Aviation Safety Agency issued urgent guidance on third-party risk management and resilience planning for airport IT systems.
Key takeaway:
The vMUSE attack highlighted the fragility of shared critical systems and the cascading impact of vendor failures. It reinforced the importance of redundancy, real-time threat monitoring, and stronger oversight of third-party technology in the aviation sector.
St. Paul municipal systems breach
Date: July 2025
Attack type: Ransomware and civic infrastructure disruption
Threat actor: Suspected Eastern European ransomware group
In July 2025, the city of St. Paul, Minnesota, declared a state of emergency following a ransomware attack that disabled key municipal systems. The attack, attributed to the Interlock group, compromised a shared network drive and encrypted systems responsible for billing, emergency coordination, and citizen services.
City hall and public offices were offline for more than two weeks, prompting federal assistance and support from the US National Guard’s cyber unit. The incident reignited debate around chronic underinvestment in local government IT infrastructure and cyber resilience.
Key takeaway:
The St. Paul breach exposed how legacy systems and delayed patching leave civic infrastructure highly vulnerable. It underlined the need for modernisation, Zero Trust controls, and regular cyber resilience exercises at local government level.
SalesLoft data breach and third-party compromise
Date discovered: July 2025
Attack type: Third-party supply chain compromise via Salesforce-linked OAuth integrations
Threat actor: ShinyHunters, with overlaps linked to Scattered Spider
One of the most far-reaching supply chain incidents of 2025 centred on SalesLoft, a widely used sales engagement platform integrated with Salesforce. Threat actors exploited OAuth integrations to gain access to customer environments at scale.
Among the affected organisations was TransUnion, which disclosed the exposure of personal data belonging to 4.46 million US consumers. Other impacted organisations included Google, Workday, Farmers Insurance, Chanel, and Qantas. Security analysts linked the campaign to ShinyHunters operating alongside groups such as Scattered Spider, reflecting a growing trend toward extortion models that prioritise high-value integrations over individual targets.
Key takeaway:
The SalesLoft breach illustrated how trusted SaaS integrations can become powerful attack vectors. It has driven renewed scrutiny of OAuth permissions, identity security, and third-party application governance.
Other major cyber incidents in 2025
Beyond these headline cases, several other attacks shaped the global threat landscape:
- Allianz Life cyberattack: Over one million individuals were impacted after attackers accessed a third-party CRM system containing sensitive customer data.
- Bank Sepah breach: In Iran, 42 million customer records were stolen in a large-scale attack attributed to the Codebreakers collective, with data leaks following rejected ransom demands.
- UNFI cyberattack: A disruption to United Natural Foods Inc. caused food supply chain delays across North America after electronic ordering systems were disabled.
Looking ahead to 2026
The cyber attacks of 2025 made one thing clear. Digital resilience can no longer be addressed in isolation. Third-party risk, cloud integration, operational technology exposure, and identity security are now central to organisational defence. As strategies evolve in 2026, the lessons of this year will continue to influence how businesses, governments, and regulators approach cybersecurity in an increasingly interconnected world.



