2025 was defined by some of the most disruptive and revealing cyber attacks in recent memory. While headline statistics suggested that the average cost of cyber incidents declined year on year, a small number of high-impact attacks involving household names such as Marks & Spencer and Jaguar Land Rover dramatically altered the picture.
What were the biggest cyber attacks of 2025?
Some of the biggest cyber attacks of 2025 included:
- Marks & Spencer and the UK retail ransomware campaign
- Jaguar Land Rover supply chain attack
- Collins Aerospace vMUSE airport systems disruption
- St. Paul municipal systems breach
- SalesLoft and Salesforce-linked SaaS data compromise
These incidents were significant because they caused real-world disruption, affected large numbers of customers and suppliers, and exposed weaknesses in identity security, supplier access, SaaS governance and operational resilience. Read on for more detailed breakdowns.
Marks & Spencer and the UK retail ransomware campaign
Date: April 2025
Attack type: Ransomware and coordinated sector campaign
Threat actor: Scattered Spider
One of the most widely covered cyber incidents of the year was the coordinated ransomware campaign against major UK retailers, including Marks & Spencer, the Co-op, and Harrods. The attack dominated headlines for weeks and set the tone for a year marked by supply chain exploitation and cross-sector exposure. The attackers, linked to the Scattered Spider group, used sophisticated social engineering techniques to compromise a third-party service provider. From there, they were able to infiltrate multiple retail networks, deploy tailored ransomware payloads, exfiltrate customer data, and issue extortion demands aimed at preventing public disclosure.
The financial impact was severe. Marks & Spencer reported that pre-tax profits fell from £391.9 million to just £3.4 million in the six months to 27 September. Online sales platforms, payment systems, and gift card services were unavailable for weeks, while the Co-op experienced major supply chain disruption and Harrods faced checkout outages and logistics delays.
A cross-sector investigation led by the National Crime Agency resulted in multiple arrests and placed a sharp spotlight on weaknesses in third-party access management across the retail industry.
Key takeaway:
This campaign demonstrated how shared vendors and cloud integrations can expose entire sectors to a single point of failure. It accelerated the push toward Zero Trust architectures, stricter vendor onboarding, and stronger ransomware resilience across retail supply chains.
Jaguar Land Rover supply chain attack
Date: August 2025
Attack type: Ransomware and supply chain disruption
Threat actor: Scattered Lapsus$ Hunters
In August 2025, Jaguar Land Rover suffered what is widely regarded as the most economically damaging cyber incident in UK history. According to the Cyber Monitoring Centre, the attack is expected to cost £1.9 billion and brought production to a halt for five weeks. More than 5,000 businesses across JLR’s global supply chain were affected, with full recovery not expected until January 2026.
The attack was attributed to the Scattered Lapsus$ Hunters, a loosely affiliated collective linked to groups such as Lapsus$, Scattered Spider, and ShinyHunters. By exploiting vulnerabilities in third-party supplier software, the attackers were able to move laterally into JLR’s core systems. Ransomware crippled production and logistics networks, forcing temporary shutdowns at manufacturing sites in the UK, Slovakia, and Brazil.
Beyond operational disruption, the attackers threatened to leak sensitive design and supplier data unless multimillion-pound ransom demands were met.
Key takeaway:
The JLR incident showed how cyber attacks on the supply chain can have immediate physical and economic consequences. It reinforced the need for stronger operational technology segmentation, secure software dependencies, and rigorous third-party assurance across industrial environments.
Collins Aerospace vMUSE airport systems attack
Date: March 2025
Attack type: Ransomware and aviation software compromise
Threat actor: Unknown financially motivated group
A ransomware attack on Collins Aerospace’s vMUSE platform caused widespread disruption across European aviation. vMUSE is used by airports for passenger check-in and boarding, and the attack forced airlines to revert to manual processes for passenger management and baggage handling.
Operations were disrupted at more than 20 airports, including Heathrow, Frankfurt, and Amsterdam Schiphol, leading to thousands of flight delays and cancellations. British police arrested a man in connection with the investigation under the Computer Misuse Act, although the responsible criminal group has not been publicly confirmed.
In response, the European Aviation Safety Agency issued urgent guidance on third-party risk management and resilience planning for airport IT systems.
Key takeaway:
The vMUSE attack highlighted the fragility of shared critical systems and the cascading impact of vendor failures. It reinforced the importance of redundancy, real-time threat monitoring, and stronger oversight of third-party technology in the aviation sector.
St. Paul municipal systems breach
Date: July 2025
Attack type: Ransomware and civic infrastructure disruption
Threat actor: Suspected Eastern European ransomware group
In July 2025, the city of St. Paul, Minnesota, declared a state of emergency following a ransomware attack that disabled key municipal systems. The attack, attributed to the Interlock group, compromised a shared network drive and encrypted systems responsible for billing, emergency coordination, and citizen services.
City hall and public offices were offline for more than two weeks, prompting federal assistance and support from the US National Guard’s cyber unit. The incident reignited debate around chronic underinvestment in local government IT infrastructure and cyber resilience.
Key takeaway:
The St. Paul breach exposed how legacy systems and delayed patching leave civic infrastructure highly vulnerable. It underlined the need for modernisation, Zero Trust controls, and regular cyber resilience exercises at local government level.
SalesLoft data breach and third-party compromise
Date discovered: July 2025
Attack type: Third-party supply chain compromise via Salesforce-linked OAuth integrations
Threat actor: ShinyHunters, with overlaps linked to Scattered Spider
One of the most far-reaching supply chain incidents of 2025 centred on SalesLoft, a widely used sales engagement platform integrated with Salesforce. Threat actors exploited OAuth integrations to gain access to customer environments at scale.
Among the affected organisations was TransUnion, which disclosed the exposure of personal data belonging to 4.46 million US consumers. Other impacted organisations included Google, Workday, Farmers Insurance, Chanel, and Qantas. Security analysts linked the campaign to ShinyHunters operating alongside groups such as Scattered Spider, reflecting a growing trend toward extortion models that prioritise high-value integrations over individual targets.
Key takeaway:
The SalesLoft breach illustrated how trusted SaaS integrations can become powerful attack vectors. It has driven renewed scrutiny of OAuth permissions, identity security, and third-party application governance.
Other major cyber incidents in 2025
Several other cyber incidents also shaped the 2025 threat landscape.
The Allianz Life cyber attack exposed the risk of third-party CRM compromise and the sensitivity of customer data stored in connected systems.
The Bank Sepah breach in Iran showed the scale of data theft that can occur when attackers gain access to high-value financial records.
The UNFI cyber attack disrupted food supply chain operations in North America after electronic ordering systems were affected, showing again how cyber disruption can quickly affect physical availability and logistics.
These incidents point to the same wider trend. Cyber attacks are increasingly designed to create pressure. That pressure may come through downtime, data theft, extortion, operational disruption, regulatory exposure or reputational damage. Attackers understand that organisations rely on digital systems to function, and they exploit that dependency.
What do the biggest cyber attacks of 2025 mean for 2026?
The biggest cyber attacks of 2025 show that organisations need to move from prevention-only thinking to resilience-led cybersecurity. Preventing attacks remains important, but no organisation can assume every threat will be stopped. The real question is how quickly an organisation can detect, contain, recover and continue operating.
In 2026, cybersecurity strategies should focus on five priority areas.
First, identity security must be strengthened. Many major incidents now begin with stolen credentials, social engineering, MFA fatigue, helpdesk manipulation or abuse of privileged access. Organisations should enforce strong MFA, monitor identity behaviour, limit standing privileges and improve controls around service accounts and third-party access.
Second, third-party risk needs to become continuous. Suppliers, SaaS providers and technology partners can introduce significant exposure. Annual reviews are not enough. Organisations need ongoing visibility of critical dependencies, integration permissions, supplier access and concentration risk.
Third, ransomware resilience must include recovery. Backups, segmentation, incident response plans and crisis communications should be tested regularly. A plan that has never been exercised is not enough when production lines, public services or customer platforms are offline.
Fourth, organisations need better visibility across cloud, SaaS, endpoint, network and OT environments. Attackers do not respect internal silos. Security teams need the ability to detect suspicious activity across multiple layers before it becomes a major incident.
Fifth, leadership teams must treat cybersecurity as a business resilience issue. The events of 2025 showed that cyber attacks can affect revenue, supply chains, customers, regulators, employees and the wider economy. Cybersecurity is no longer only a technical function. It is part of operational continuity.
How Integrity360 can help organisations prepare for 2026
Integrity360 helps organisations strengthen cyber resilience across the areas exposed by the biggest cyber attacks of 2025.
Our Managed Detection and Response services provide continuous monitoring, threat detection and response support to help organisations identify and contain attacks before they escalate. Our Incident Response services support organisations before, during and after a cyber incident, helping them prepare, investigate, contain and recover.
Our Threat Exposure Management and CTEM services help organisations identify exposures across their environments, prioritise risk and take practical action before attackers can exploit weaknesses. For organisations concerned about suppliers, SaaS platforms and connected systems, our services can also support stronger visibility, governance and assurance across complex digital ecosystems.
For organisations operating industrial, manufacturing or critical environments, our OT Security services help assess risk, improve segmentation, strengthen visibility and reduce disruption across operational systems.
FAQ: What was the biggest cyber attack of 2025?
One of the most economically damaging cyber attacks of 2025 was the Jaguar Land Rover incident, which the Cyber Monitoring Centre estimated could cost £1.9 billion across the wider UK economy.
FAQ: What did the 2025 cyber attacks have in common?
Many of the biggest attacks involved third-party access, ransomware, identity compromise, SaaS integrations or operational disruption. The common theme was that cyber incidents increasingly affected business continuity, not just IT systems.
FAQ: What should organisations prioritise in 2026?
Organisations should prioritise identity security, third-party risk management, ransomware resilience, continuous monitoring, incident response planning and visibility across cloud, SaaS, endpoint, network and OT environments.
updated: 19.6.26

