By the International Compliance Association, 29 December 2025
If its critical importance was not evident to organisations before, then 2025 has made the urgent need to prepare against cyberattacks abundantly clear.
Major cybersecurity breaches throughout the year have seen operations grind to a halt, colossal data losses, and record-breaking financial repercussions that not only hit the hacked companies themselves, but slowed the growth of national economies.
The scale of these incidents highlights why cyber risk is not a matter to be left solely under the remit of cybersecurity teams. For governance, risk and compliance (GRC) professionals, it has heightened the focus on third-party risk management, data protection, and business continuity planning, to name just a few areas of concern.
As we approach the end of 2025, it is a timely opportunity to reflect upon the biggest cybersecurity incidents of the year and to consider the GRC lessons they offer, which we can carry forward into 2026 to help our organisations ready themselves to counter such cyber threats.
1. Bybit crypto exchange hacked (February 2025)
We were only a few months into 2025 when the largest cryptocurrency theft in history took place. Hackers exploited a free third-party storage product used by Dubai-based cryptocurrency exchange Bybit, stealing $1.5 billion in Ethereum during a routine transfer between digital wallets.[1]
The attack, which used malicious JavaScript to manipulate Bybit’s transaction signing process, has been attributed to North Korea's Lazarus Group, with its prolific track record of laundering crypto to circumvent international sanctions.
Key GRC lessons:
- Third-party risk management: The cyberattack exploited vulnerabilities in third-party software, highlighting the need for rigorous vendor security assessments.
- Transaction monitoring: For such high-value transfers, it is critical to have multi-layered approval processes in place.
2. Jaguar Land Rover (JLR) shutdown (September 2025)
Perhaps no other incident this year demonstrated the far-reaching impacts of a cyberattack more than when JLR fell victim to the Scattered Spider group in September. The hackers exploited vulnerabilities in the third-party software SAP NetWeaver, halting production in JLR’s factories for weeks.
JLR is a major UK manufacturer with more than 33,000 employees and an estimated 200,000 more in the supply chain,[2] and the Bank of England confirmed the attack had hit UK GDP growth. Indeed it has been described as ‘the most expensive security breach in British history’,[3] costing an estimated £1.9 billion ($2.5 billion).
Key GRC lessons:
- Supply chain resilience: As seen with several of the biggest cybersecurity breaches this year, the situation was compounded by dependence on outsourced IT services.[4]
- Patch management protocols: Warnings had already been issued about NetWeaver’s vulnerability (see event 9), so this incident demonstrated why timely application of security patches for all enterprise software is so critical.
- Business continuity planning: After the shutdown saw JLR lose £50 million per week in suspended revenue, the National Cyber Security Centre advised firms to ‘have a plan for how they would continue to operate without their IT’.[5]
3. Marks & Spencer ransomware attack (April 2025)
British retailer M&S suffered a ransomware attack that suspended online ordering, its mobile apps, and click-and-collect services for six weeks.[6] Scattered Spider, this time working with the DragonForce ransomware-as-a-service operator, gained initial access by stealing Active Directory credentials and using social engineering on third-party contractors. The attack cost M&S approximately £300 million in lost profits.[7]
Key GRC lessons:
- Social engineering defences: The fact that this was not a highly sophisticated hack but reportedly the result of gaining credentials via SIM swapping and helpdesk impersonation highlights the importance of mandatory security awareness training for all staff, as well as for any third-party contractors with system access.
- Customer data protection: M&S admitted that personal customer data was taken in the attack, underscoring the need for robust data protection protocols.[8]
4. Co-operative Group supply chain attack (April 2025)
Another retail giant that fell victim to the machinations of the Scattered Spider group was the UK Co-op supermarket chain. The hackers again used vulnerabilities in third-party service providers to disrupt the Co-op’s IT systems, resulting in supply chain delays and empty shelves across stores.
Key GRC lessons:
- Operational resilience testing: Conducting simulations of IT network shutdowns and supply chain disruptions can help firms to prepare and quickly put plans in place in the event of an attack. Co-op reacted fast by shutting down segments of its IT network and working with suppliers to restart deliveries.[9]
- Stakeholder communication: Another prudent measure is to prepare communication templates ahead of time to enable timely dialogue with customers, suppliers, business partners and regulators during such service disruptions.
5. Collins Aerospace airport disruptions (September 2025)
A ransomware attack on Collins Aerospace's MUSE passenger processing system disrupted operations at several major European airports, including Heathrow, Brussels, and Berlin. The impact of the hack, claimed by the Everest cybercrime group, spread rapidly across borders due to the Collins system’s widespread use across multiple airports.[10]
Key GRC lessons:
- Critical infrastructure dependencies: The spread of this attack highlights the need to map all third-party systems that could constitute single points of failure for operations.
- Fallback procedures: Airports resorted to manual passenger check-ins, showing the value of documenting and testing fallback processes.
- Cross-border coordination: Given the international impact, effective multi-jurisdictional incident management was key for this incident.
6. Salesforce-Gainsight data theft (November 2025)
Hacking group Scattered Lapsus$ Hunters claimed responsibility for stealing the data of more than 200 companies stored in Salesforce, via a vulnerability in a third-party customer support application from Gainsight. In response, Salesforce revoked active access tokens for Gainsight-connected apps.
Key GRC lessons:
- Third-party risk oversight: The breach highlighted how integrated third-party applications can be key attack vectors for cybercriminals, and thus why they need to be included in any business-wide risk assessment.
- Continuous monitoring: Vendor risk audits should not only take place prior to onboarding, but periodically thereafter to maintain effective oversight.
7. Bank Sepah breach (March 2025)
The hacker collective known as Codebreakers breached Iran's Bank Sepah, stealing 42 million customer records, including details of senior bank officials. The hackers demanded a $42 million Bitcoin ransom and released portions of the dataset when their demands were ignored.[11]
Key GRC lessons:
- Ransom payment policies: Establishing clear organisational policies on ransom payments is a must, and this needs to be aligned with regulatory guidance and sanctions requirements.
- Data encryption: Check that customer data is being encrypted, to limit exposure if breached.
8. Volvo Group and others’ HR data breach (August-September 2025)
The Volvo Group experienced a third-party data breach when its Swedish HR software provider, Miljödata, was hit by a ransomware attack. The DataCarry ransomware group stole sensitive data, impacting not only Volvo but also around 25 other private companies, 200 Swedish councils, and several educational institutions.[12]
Key GRC lessons:
- Data minimisation: As per the GDPR principle, assess whether your HR systems hold more personal data than necessary for legitimate purposes.
- Vendor security audits: Implement regular security assessments and right-to-audit clauses for all data processors; this breach illustrated that third-party risk is enterprise risk even when internal defences are strong.
9. SAP NetWeaver zero-day exploitation (April 2025)
SAP disclosed a critical zero-day vulnerability in its NetWeaver Visual Composer in April that enabled unauthenticated remote code execution. As seen in the JLR incident, SAP's NetWeaver is pivotal to many company systems. Researchers have identified over 581 instances of NetWeaver being actively exploited, including by state-linked groups, allowing attackers to upload web shells and compromise systems.[13]
Key GRC lessons:
- Threat intelligence: It’s vital that firms keep up to date with any vulnerabilities identified by their IT vendors. Subscribing to vendor security advisories and threat intelligence feeds can provide early warnings.
- Vulnerability management: Procedures need to be established to ensure emergency patching of zero-day vulnerabilities (previously unknown security flaws) within clearly defined timeframes.
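The "clearly defined timeframes" in the vulnerability management lesson above only become enforceable once they are measured. The following is an added example, not code from the ICA article or from any vendor: it takes a set of advisory records (constructed here, with placeholder advisory identifiers and assumed disclosure and remediation dates) and compares each one against an assumed severity-based patch SLA, reporting which records breached the SLA and by how many days. The SLA values in `PATCH_SLA_DAYS` are assumptions to be replaced by an organisation's own policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed patch SLA in calendar days per severity rating. These figures are
# illustrative; a real policy would set its own values (and often business days).
PATCH_SLA_DAYS: Dict[str, int] = {
    "critical": 3,
    "high": 14,
    "medium": 30,
    "low": 90,
}


@dataclass(frozen=True)
class AdvisoryRecord:
    """One vendor advisory tracked against the remediation SLA."""
    advisory_id: str          # placeholder identifier, not a real CVE or vendor ID
    product: str
    severity: str             # key into PATCH_SLA_DAYS
    disclosed: date           # date the vendor advisory was published
    patched: Optional[date]   # None while the fix is still outstanding


def sla_deadline(record: AdvisoryRecord) -> date:
    """Return the date by which the policy requires the fix to be applied."""
    if record.severity not in PATCH_SLA_DAYS:
        raise ValueError(f"unknown severity {record.severity!r} on {record.advisory_id}")
    return record.disclosed + timedelta(days=PATCH_SLA_DAYS[record.severity])


def days_overdue(record: AdvisoryRecord, as_of: date) -> int:
    """Days past the SLA deadline (0 if remediated in time or not yet due).

    Unpatched records are measured against `as_of`, so an open critical
    advisory keeps accruing overdue days until it is fixed.
    """
    end = record.patched if record.patched is not None else as_of
    return max(0, (end - sla_deadline(record)).days)


def sla_report(records: List[AdvisoryRecord], as_of: date) -> Dict[str, int]:
    """Map advisory_id -> days overdue, for breached records only."""
    return {
        r.advisory_id: days_overdue(r, as_of)
        for r in records
        if days_overdue(r, as_of) > 0
    }


def compliance_rate(records: List[AdvisoryRecord], as_of: date) -> float:
    """Fraction of records remediated (or still on track) within SLA."""
    if not records:
        return 1.0
    within = sum(1 for r in records if days_overdue(r, as_of) == 0)
    return within / len(records)


# Constructed sample data: identifiers and dates are illustrative placeholders.
AS_OF = date(2025, 11, 20)
SAMPLE_ADVISORIES: List[AdvisoryRecord] = [
    AdvisoryRecord("ADV-EXAMPLE-001", "SAP NetWeaver Visual Composer", "critical",
                   date(2025, 4, 24), date(2025, 5, 30)),   # patched 33 days late
    AdvisoryRecord("ADV-EXAMPLE-002", "HR SaaS platform (hypothetical vendor)", "high",
                   date(2025, 8, 1), date(2025, 8, 10)),    # within the 14-day SLA
    AdvisoryRecord("ADV-EXAMPLE-003", "Customer support connector (hypothetical)", "critical",
                   date(2025, 11, 10), None),               # still open, 7 days overdue
]

if __name__ == "__main__":
    for advisory_id, overdue in sla_report(SAMPLE_ADVISORIES, AS_OF).items():
        print(f"{advisory_id}: {overdue} day(s) past SLA")
    print(f"SLA compliance: {compliance_rate(SAMPLE_ADVISORIES, AS_OF):.0%}")
```

The report treats an unpatched record as overdue from the deadline up to the reporting date, so open critical advisories surface immediately rather than only after the fact. Feeding it from a real asset or ticketing export is the natural next step; the structure of `AdvisoryRecord` is the only contract the functions depend on.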
10. United Natural Foods supply chain attack (June 2025)
Major US wholesaler United Natural Foods Inc. (UNFI), the primary distributor for Whole Foods, suffered a cyberattack in mid-June that scuppered electronic ordering systems, forcing a temporary shutdown of automated ordering and deliveries. The threat such attacks pose to food supply systems was clear in the resulting grocery shortages seen across North America.[14]
Key GRC lessons:
- Supply chain mapping: It is worthwhile taking time to document critical dependencies and single-source supplier relationships as part of business continuity plans.
- Vendor diversification: As the incident highlighted dependency on a single distributor, assess opportunities to reduce concentration risk through supplier diversification.
- Essential services obligations: Ensure key stakeholders understand the regulatory obligations which come with maintaining essential services during cyber incidents.
There is no doubt then, given the magnitude of the breaches this year, that cyber risk should be a board-level priority for firms. The GRC issues each attack raises highlight compliance professionals’ critical role in helping to coordinate multi-stakeholder measures and responses.
Furthermore, the incidents listed above all triggered reporting obligations across multiple regulatory frameworks. If it isn’t within your plans for 2026 already, reviewing your organisation's readiness against such scenarios is certainly a wise move to make for the year ahead.