If 2025 has taught us something, it’s that danger is not confined to the perimeters of your community. The standard safety perimeter has dissolved, with danger creeping into the very instruments we use to run our companies.
Organizations confronted off in opposition to catastrophic configuration errors, the weaponization of third-party belief connections, Multi-Issue Authentication (MFA) failures, and attackers who clearly love the vacations.
With that in thoughts, we’re trying again on the ten most impactful safety occasions of 2025 to study from them for an much more safe 2026.
The highest 10 safety occasions of 2025Salesforce ecosystem assault wave (June – October 2025)
Earlier this 12 months, 1 billion information from organizations similar to TransUnion, Qantas, Farmers, and Google had been compromised by way of a breach of a third-party OAuth app.
Attackers exploited the Salesloft Drift integration, stealing OAuth tokens to entry a number of Salesforce cases as a trusted utility. Scattered LAPSUS$ Hunters claimed accountability.
Why it issues
The 2025 Salesforce ecosystem assault wave incident has highlighted how a mass provide chain failure enabled risk actors to bypass MFA controls and compromise SaaS-to-SaaS trusted connections.
Classes learnt
Organizations should prioritize Zero Belief for SaaS integrations, along with auditing and revoking all pointless third-party utility OAuth tokens and permissions. Moreover, Safety and Operations Heart (SOC) groups ought to take away the flexibility for traditional customers to put in new linked apps.
2. Claude code agent occasion
2025 witnessed a brand new kind of safety incident that used AI. A Claude agent (a software-driven program utilizing AI) carried out 80-90% of the assault autonomously, taking on terminals, inspecting techniques, and writing exploit code that focused round 30 international entities.
Why it issues
This was the primary documented large-scale assault executed primarily by an autonomous AI Agent. The flexibility of risk actors to jailbreak the mannequin and trick it into executing malicious duties dictates a brand new, accelerated velocity of protection.
Classes learnt
Safety groups should put together for AI-orchestrated assaults, which function at an unprecedented velocity and scale. The capabilities that enable AI to automate assaults should even be leveraged for cyber protection and detection.
3. Marks & Spencer retail ransomware
Attackers proceed to focus on high-impact intervals, and this a lot was clear with the UK retail ransomware spree. This assault disrupted digital and in-store retail operations over the Easter weekend, leading to vital monetary and reputational harm. The assault, claimed by the Scattered Spider ransomware gang, compelled retailers to close down their automated ordering and inventory techniques and revert to handbook workarounds.
Why it issues
This was a transparent demonstration of vacation or seasonal RaaS focusing on. The purpose was to cripple retail operations throughout peak intervals. Attackers used a third-party provider, usually by way of social engineering, to get helpdesk credentials. They then focused corporations similar to H&M and Harrods.
Classes learnt
Vendor and provider downtime may be devastating: every week of disruption causes hundreds of thousands in losses and provide chain turmoil. Intelligent social engineering drove this pricey exploit, highlighting growing human danger.
4. PowerSchool breach
This large breach compromised 62 million college students and employees throughout the U.S. Ok-12 schooling system, together with delicate PII (Personally Identifiable Data) and tutorial information. Attackers hit a centralized database, getting access to an enormous quantity of knowledge associated to minors.
Why it issues
This occasion highlights the intense vulnerability of centralized schooling knowledge (Ok-12). Attacking a single, extensively used vendor offers a “force multiplier” for hackers, turning one breach right into a crucial danger throughout a whole vertical sector. Colleges usually retain knowledge for many years, which means that the breach impacted not solely present college students but in addition alumni.
Classes learnt
This breach highlights that safety fundamentals proceed to be the first line of defence. The attackers gained entry partly as a result of MFA was not enforced for a contractor account. This breach emphasizes the pressing want for knowledge minimization insurance policies, which implies that organizations shouldn’t retain delicate info for many years whether it is not required for lively operations.
5. Shai-Hulud self-replicating worm
Some of the notable assaults that occurred earlier this 12 months was the compromise of over 180 node package deal managers (npm) packages, which efficiently exfiltrated secrets and techniques (API keys, cloud credentials) from hundreds of developer environments (npm provide chain).
Why it issues
It was the primary main self-propagating worm to efficiently goal the open-source developer provide chain (npm). It used a novel technique of automated inner pivoting utilizing stolen developer credentials.
Classes learnt
The assault was a safety storm focusing on id, hitting human credentials, machine identities, and provide chain belief relationships. The compromise reiterates that SOC groups should implement MFA on all developer accounts and mandate vault credentials for secrets and techniques administration.
Take motion: Discover our strategic information on the Shai-Hulud Lesson for CISOs to discover ways to safeguard your group from comparable provide chain threats.
6. Blue Defend of California migration
The publicity of knowledge for 4.7 million Blue Defend of California clients resulted from an unintentional leak of Protected Well being Data (PHI) by way of a misconfigured Google Analytics account. The breach was brought on by an unintentional configuration error in a generally used net device, demonstrating that human error may be simply as harmful as a complicated hack.
Why it issues
It is a prime instance of API and third-party script leakage. Particularly, the widespread use of monitoring pixels and analytics scripts has turn into a significant authorized legal responsibility below HIPAA (Well being Insurance coverage Portability and Accountability Act), as these scripts can inadvertently transmit delicate affected person info to third-party tech platforms.
Classes learnt
Organizations should audit and safe all third-party scripts and integrations on their public-facing web sites. A easy misconfiguration can lead to the large publicity of Protected Well being Data (PHI).
7. SK Telecom breach
Affected almost half of South Korea’s inhabitants (roughly 27 million customers), compromising USIM knowledge (Common Subscriber Id Module, used for cell community authentication), together with subscriber cellphone numbers and authentication keys.
Why it issues
The breach risked compromising the integrity of the nation’s cellphone authentication techniques, the truth is, a crucial danger as a result of cell numbers in South Korea are sometimes tied to nationwide id techniques used for banking and authorities companies. This highlights a danger that prolonged far past simply PII (Personally Identifiable Data) theft.
Classes learnt
Cybersecurity should be handled as a strategic enterprise danger, not simply an “IT problem”. Fast detection and disclosure are crucial, as delayed reporting contributed to regulatory penalties and reputational hurt on this occasion.
8. Conduent linked breach
A Conduent publicity of as much as 10.5 million affected person information occurred due to an enormous focus of affected person knowledge held by a central healthcare interchange, proving as soon as once more that healthcare stays a first-rate goal for attackers.
Why it issues
The incident highlights the failure of a third-party enterprise affiliate, highlighting the authorized dangers and monetary fallout related to excessive knowledge focus. In contrast to software-based provide chain assaults, this was an assault on a crucial service associate.
Classes learnt
Organizations must implement knowledge minimization insurance policies to cut back danger publicity. SOC groups should additionally conduct common knowledge stock and classification to determine the place extremely delicate PII/PHI resides.
9. Pink Hat Consulting GitLab breach
The exfiltration of 570 GB of Pink Hat knowledge from 28,000 inner GitLab repositories, together with delicate shopper infrastructure and authentication tokens.
Why it issues
It was a direct assault on the DevOps/GitOps provide chain. By stealing shopper code and infrastructure particulars from a significant vendor, risk actors created an enormous secondary provide chain danger. Consulting companies are inclined to act as credential aggregation factors, and the theft of hardcoded credentials (API keys and tokens) offers attackers with a roadmap to the sufferer’s cloud environments.
Classes learnt
Consulting environments should be remoted from crucial manufacturing networks to stop knowledge breaches. Organizations ought to implement steady scanning throughout all code repositories and use short-lived, least-privilege credentials for consulting tasks.
10. Bouygues Telecom ransomware
A compromise affecting 6.4 million clients, exposing knowledge together with names, bodily addresses, cellphone numbers, and IBANs (Worldwide Financial institution Account Numbers used for cross-border funds).
Why it issues
This illustrates the persistent and profitable focusing on of main nationwide telecommunications corporations by RaaS (Ransomware-as-a-Service) teams, the place criminals lease malware to others. The entry vector exploited social engineering to achieve preliminary entry to Id and Entry Administration (IAM).
Classes learnt2026: Flip insights into motion
To fortify safety postures in 2026, organizations should:
Make stock the brand new frontline: Groups must do extra than simply the fundamental upkeep. With fixed knowledge classification, you recognize precisely the place your most delicate PII and PHI reside.Turn out to be operationally resilient: Transition from the belief “It won’t happen to us” to a mannequin of excessive visibility, in order that when an incident happens, the impression is straight away contained and restoration is quick.Scrutinize trusted connections: Assessment third-party authentication apps and SaaS-to-SaaS connections that hyperlink platforms to stop mass provide chain failures.Reinforce the human perimeter: Safe the id layer by implementing MFA on all developer accounts and deploying rigorous social engineering defenses to guard preliminary entry to IAM techniques.
One factor is for sure, organizations should shift from “swivel-chair” safety strategies and reactive patching to proactive danger evaluation and remediation. Cybersecurity offers the real-time visibility and provide chain oversight required to show these insights into motion.
