In 2025, cyber attacks didn't just steal data or lock networks. They disrupted healthcare, telecommunications, aviation and entire supply chains. Customer experience platforms and cloud ecosystems were hit at unprecedented scale. Every type of business, from airports to automakers, was brought to its knees at some point by cyber criminals. With ransomware, SaaS supply-chain compromises and mega credential leaks converging, 2025 has quickly become one of the most consequential years in cyber history.
In this article, we cover the seven biggest cyber attacks of 2025, chosen for their impact, scale, systemic risk and industry-wide ripple effects. The list also features the most talked-about attacks of the year, whose high-profile victims significantly shaped public perception of cybersecurity risk.
If you think we've missed a significant cybersecurity incident, feel free to reach out to us at info@cm-alliance.com. This list is based on our own assessment of what constituted the biggest cyber events of the year.
In mid-2025, researchers at Cybernews uncovered 30 exposed datasets containing more than 16 billion login credentials. These included passwords for Google, Apple, Facebook, Telegram, GitHub and even government services. There was no single breach of those big tech firms: the datasets were a massive aggregation of credentials harvested by infostealer malware and recycled from earlier breaches, mostly in the URL/username/password format that infostealer logs produce. Hosted openly online for a period, the collection effectively became a "credential buffet" for attackers.
Analysts and media quickly dubbed it a historic data leak, warning that the compilation itself was as dangerous as any one breach because it enabled industrial-scale credential stuffing and account takeover. The practical lesson for defenders is to assume password reuse: enforce MFA, reject passwords that appear in known leaks, and watch login endpoints for automated replay of leaked lists.
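The following is an added example, not code from the original article, showing the kind of check a SOC would run against authentication logs after a leak like this. The log format and the fifteen events are constructed for illustration, and the thresholds (eight distinct usernames and an 80% failure rate inside five minutes from one source) are assumptions to tune per environment. It distinguishes credential stuffing (many different usernames, mostly failing) from a brute force on one account, and reports the accounts that did succeed inside the burst, since those are the ones to lock and notify.

```python
"""Credential-stuffing detection over authentication logs.

Added example, not part of the original article. The log format and the
events below are constructed for illustration; the thresholds are
assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <source ip> <username> <outcome>"
SAMPLE_LOG = """\
2025-06-19T10:00:01 203.0.113.7 alice FAIL
2025-06-19T10:00:02 203.0.113.7 bob FAIL
2025-06-19T10:00:02 203.0.113.7 carol FAIL
2025-06-19T10:00:03 203.0.113.7 dave FAIL
2025-06-19T10:00:03 203.0.113.7 erin SUCCESS
2025-06-19T10:00:04 203.0.113.7 frank FAIL
2025-06-19T10:00:05 203.0.113.7 grace FAIL
2025-06-19T10:00:05 203.0.113.7 heidi FAIL
2025-06-19T10:00:06 203.0.113.7 ivan FAIL
2025-06-19T10:00:06 203.0.113.7 judy FAIL
2025-06-19T10:00:07 203.0.113.7 mallory FAIL
2025-06-19T10:05:00 198.51.100.4 alice FAIL
2025-06-19T10:05:30 198.51.100.4 alice FAIL
2025-06-19T10:06:00 198.51.100.4 alice SUCCESS
2025-06-19T10:07:00 192.0.2.9 bob SUCCESS
"""


def parse(log_text):
    """Return [(timestamp, ip, username, outcome)] for each non-empty line, time-ordered."""
    events = []
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, outcome = line.split()
            events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return sorted(events)


def detect_stuffing(events, window=timedelta(minutes=5), min_users=8, min_fail_ratio=0.8):
    """Return {ip: summary} for sources that try many *distinct* usernames
    inside `window` with mostly failures. That is the signature of a leaked
    list replayed against a login endpoint; a brute force on one account
    (one user, many attempts) looks different and is deliberately not flagged."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):  # sliding window over this IP's events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            fails = sum(e[3] == "FAIL" for e in chunk)
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                hits[ip] = {
                    "distinct_users": len({e[2] for e in evs}),
                    "attempts": len(evs),
                    "fail_ratio": round(sum(e[3] == "FAIL" for e in evs) / len(evs), 2),
                    # successes inside a stuffing burst are the accounts to lock and notify
                    "compromised": sorted({e[2] for e in evs if e[3] == "SUCCESS"}),
                }
                break
    return hits


if __name__ == "__main__":
    for ip, summary in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, summary)
```

On the sample, 203.0.113.7 is flagged (eleven usernames, one success for "erin") while 198.51.100.4, which retries a single account, is not. In production the same logic runs per source network or per device fingerprint rather than per IP, because stuffing tools rotate through residential proxies.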
The Salesloft Drift compromise was the largest SaaS supply-chain breach to date. It was linked to the groups tracked as ShinyHunters and UNC6395, who compromised Drift (acquired by Salesloft) and its integration with Salesforce. The threat actors obtained the OAuth access and refresh tokens issued to the Drift connected app and used them to query and exfiltrate data from the Salesforce instances of hundreds of organisations worldwide. Because the tokens let the attackers act as the trusted integration, no password was needed and password resets did nothing to stop them; only revoking the tokens and the connected app did.
Large tech firms, industry leaders and even major cybersecurity vendors were not spared.
This attack is now widely regarded as the "SolarWinds moment for SaaS". Read our detailed blog on the Salesloft Drift attack. You also wouldn't want to miss our Cyber Insights Summary document, which summarises how this one event shook 700+ organisations worldwide.
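The defensive problem with stolen OAuth tokens is that, to the SaaS platform, the attacker is indistinguishable from the real integration; the only tell is behaviour. The block below is an added example, not code from the article or from Salesforce or Salesloft, of a baseline-and-deviate check over API activity attributed to an integration identity. The event records and field names are constructed for illustration and are not any vendor's schema; in practice you would feed it the platform's own API or login event export.

```python
"""Baseline-and-deviate check for SaaS integration identities.

Added example, not from the article or from Salesforce/Salesloft. A
connected app authenticates with a long-lived OAuth refresh token, so a
stolen token looks like the legitimate integration; this flags activity
that the integration has never shown before. Records are constructed and
the field names are assumptions, not a vendor's schema.
"""
from collections import defaultdict

# Constructed: (day, principal, source_ip, object_queried, rows_returned)
BASELINE = [
    (1, "drift-integration", "203.0.113.10", "Lead", 120),
    (2, "drift-integration", "203.0.113.10", "Lead", 140),
    (3, "drift-integration", "203.0.113.11", "Lead", 110),
    (3, "drift-integration", "203.0.113.11", "Contact", 90),
    (4, "drift-integration", "203.0.113.10", "Contact", 95),
]
NEW_EVENTS = [
    (5, "drift-integration", "203.0.113.10", "Lead", 130),       # looks like every other day
    (5, "drift-integration", "198.51.100.77", "Case", 250000),   # new IP, new object, bulk pull
    (5, "drift-integration", "198.51.100.77", "User", 800),      # new IP, new object
    (5, "legacy-etl", "203.0.113.10", "Lead", 10),               # principal with no history
]


def build_profile(events):
    """Per-principal summary of what 'normal' looked like in the baseline period."""
    prof = defaultdict(lambda: {"ips": set(), "objects": set(), "max_rows": 0})
    for _, principal, ip, obj, rows in events:
        prof[principal]["ips"].add(ip)
        prof[principal]["objects"].add(obj)
        prof[principal]["max_rows"] = max(prof[principal]["max_rows"], rows)
    return prof


def flag_deviations(profile, events, volume_factor=10):
    """Return one finding per event that departs from the principal's profile.
    volume_factor is an assumption: rows beyond 10x the baseline maximum count as bulk."""
    findings = []
    for day, principal, ip, obj, rows in events:
        base = profile.get(principal)  # .get() does not create a default entry
        reasons = []
        if base is None:
            reasons.append("unknown principal")
        else:
            if ip not in base["ips"]:
                reasons.append(f"new source ip {ip}")
            if obj not in base["objects"]:
                reasons.append(f"object {obj} never queried before")
            if rows > volume_factor * base["max_rows"]:
                reasons.append(f"{rows} rows vs baseline max {base['max_rows']}")
        if reasons:
            findings.append({"day": day, "principal": principal, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_deviations(build_profile(BASELINE), NEW_EVENTS):
        print(finding)
```

The constructed day-5 events show the pattern to look for: the integration identity suddenly reading objects it never touched, in bulk, from an address it never used. The response to a hit is to revoke the refresh token and disable the connected app first, then investigate; resetting user passwords does not invalidate tokens the app already holds.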
The Marks & Spencer (M&S) cyber attack became one of the most significant and high-impact breaches of 2025. It was part of a wider onslaught on UK retail businesses, which we've captured in our detailed timeline documents on the UK Retail Cyber Siege. You can also download our Marks and Spencer Cyber Attack timeline for a complete picture of what made this attack a watershed moment in cybersecurity history.
The iconic UK retailer's operations were hit at multiple critical levels: financially, operationally and reputationally. Beginning over the Easter weekend in April 2025, the attackers combined social engineering with third-party access, tricking service desk staff into resetting credentials and using those credentials to enter M&S's internal systems. No software vulnerability was needed; the weak point was the identity verification step at the help desk.
Once inside, they deployed ransomware that crippled core IT infrastructure, forcing M&S to suspend online orders, click-and-collect services and contactless payments for weeks. Although the stolen customer data did not include usable payment details or passwords, names, dates of birth, email addresses and order histories were taken, prompting widespread customer notifications and heightened concern about follow-on phishing.
The ripple effects of the attack were massive. M&S's market value fell by over £700 million, and analysts cited by Reuters estimated losses of around £40 million per week while online trading was suspended; M&S itself later put the hit to operating profit at roughly £300 million. For weeks, parts of the business remained offline, with digital services restored only gradually.
The attack also sparked a broader industry discussion about the vulnerability of large retailers to sophisticated social engineering and third-party supply-chain risk. It underscored that even organisations with substantial security spending are not immune to threats that target human and procedural weaknesses rather than technology.
Ultimately, the M&S breach stood out in 2025 because it was not just a technical incident. It was a high-profile, board-level crisis that exposed gaps in identity and access management, help-desk verification procedures and vendor risk oversight.
In late August and early September 2025, Jaguar Land Rover (JLR), one of the United Kingdom’s largest automotive manufacturers, suffered a crippling cyber attack that immediately reverberated across the UK economy. The incident began when unusual activity was detected within JLR’s IT environment. The company promptly took the drastic but necessary step of shutting down internal systems to contain potential damage.
Operations were halted at its UK plants in Halewood and Solihull, forcing workers to stay home and bringing vehicle production to an abrupt stop as factories went offline. What began as a security containment action soon turned into an extended operational crisis that highlighted the growing vulnerability of industrial and manufacturing infrastructure to cyber threats.
The scale of disruption was staggering. For roughly five weeks, JLR's production lines remained suspended, with a cascading effect across hundreds of suppliers. The Cyber Monitoring Centre estimated the shutdown caused as much as £1.9 billion (US$2.5 billion) in economic losses, making it arguably the most financially damaging cyber attack in UK history.
The impact was not limited to JLR alone; automotive output across the country fell sharply. Thousands of jobs were jeopardised as suppliers and logistics partners struggled to cope with halted operations, to the point that the UK government stepped in with a £1.5 billion loan guarantee to protect the supply chain. Beyond the operational fallout, the attack also resulted in unauthorised access to sensitive payroll and employee data, including bank details and personal information.
The incident drew significant attention because it highlighted how deeply modern manufacturing has become entwined with digital systems. This has turned IT outages into serious business risks like never before. It also underscored that even large, well-resourced organisations are not immune to sophisticated threat actors capable of leveraging structural weaknesses to inflict widespread damage.
For a complete breakdown of the incident, the impact and JLR’s response, don’t forget to download our Jaguar Land Rover Cyber Attack Timeline.
The Change Healthcare cyber attack, which hit UnitedHealth Group's technology unit in February 2024, will likely define healthcare cybersecurity discussions for years. The ransomware attack, attributed to the ALPHV/BlackCat group, began with stolen credentials for a remote-access portal that had no multi-factor authentication, and caused prolonged outages that disrupted pharmacy claims, clinical workflows and billing across the United States. UnitedHealth was also widely criticised for paying a ransom, later confirmed by its CEO to Congress as US$22 million. The payment bought nothing: BlackCat's infrastructure went dark shortly afterwards, and a second group, RansomHub, attempted to extort the company again with the same stolen data. The episode became a case study in why paying criminals is never a good idea.
In 2025, the full scale came into sharper focus. On 31 July 2025, Change Healthcare notified the US Office for Civil Rights that approximately 192.7 million individuals were impacted. By August, US HHS and UnitedHealth confirmed this number publicly, calling it the largest healthcare data breach to date.
The exposed data included protected health information (PHI), claims data and other sensitive identifiers. The attack had a massive knock-on effect for providers, insurers and patients nationwide.
For a full chronology of the attack, check out our Change Healthcare Cyber Attack Timeline.
On 18 April 2025, South Korea's largest mobile carrier, SK Telecom (SKT), detected abnormal outbound traffic from systems tied to its Home Subscriber Server (HSS). Subsequent investigations by the Ministry of Science and ICT and a public-private task force revealed that attackers had deployed multiple variants of BPFDoor. BPFDoor is a stealth Linux backdoor that attaches a Berkeley Packet Filter to a raw socket and waits for a "magic" packet; because it listens on no TCP or UDP port, it is invisible to ordinary listening-port checks and can survive host firewalls.
The malware had persisted in SKT's environment for years; investigators traced the initial intrusion back to mid-2022. It leaked USIM data and subscriber identifiers: around 26.96 million IMSI records and related USIM data (adding up to around 9.82 GB) were exposed, affecting roughly half of South Korea's population.
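Because BPFDoor holds no listening port, the first place to look on a Linux host is the list of raw packet sockets, which the kernel exposes in /proc/net/packet. The script below is an added example, not code from the article or from the SKT investigation: it parses that file (the column layout comes from the kernel's af_packet.c), maps each socket inode back to the owning process through /proc/<pid>/fd, and singles out raw sockets bound to ETH_P_ALL, the profile a magic-packet backdoor needs. The sample /proc/net/packet text is constructed so the parser can be exercised offline.

```python
"""Triage raw packet sockets on a Linux host.

Added example, not from the article or the SKT investigation. BPFDoor
listens on a raw AF_PACKET socket with a BPF filter attached, so it opens
no TCP/UDP port and does not appear in listening-port listings. This lists
every process holding such a socket so an analyst can explain each one.
/proc/net/packet columns (kernel af_packet.c): sk RefCnt Type Proto Iface R Rmem User Inode
"""
import os
import re

SOCK_RAW, SOCK_DGRAM = 3, 2
ETH_P_ALL = 0x0003  # printed as "0003" in the Proto column

# Constructed sample of /proc/net/packet for offline use: one raw ETH_P_ALL
# socket (the interesting kind) and one cooked IPv4-only socket.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
0000000012ab34cd 3      3    0003   2     1 0      0      98765
0000000056ef7890 3      2    0800   2     1 0      0      12345
"""


def parse_packet_sockets(text):
    """Parse /proc/net/packet text into dicts; skips the header line."""
    sockets = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 9:
            continue
        sockets.append({
            "type": int(parts[2]),
            "proto": int(parts[3], 16),
            "ifindex": int(parts[4]),
            "uid": int(parts[7]),
            "inode": int(parts[8]),
        })
    return sockets


def socket_owners(inodes, proc="/proc"):
    """Map socket inode -> [(pid, comm)] by reading every /proc/<pid>/fd link.
    Needs root to see other users' processes; unreadable entries are skipped."""
    owners = {i: [] for i in inodes}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.fullmatch(r"socket:\[(\d+)\]", target)
            if m and int(m.group(1)) in owners:
                try:
                    with open(os.path.join(proc, pid, "comm")) as f:
                        comm = f.read().strip()
                except OSError:
                    comm = "?"
                owners[int(m.group(1))].append((int(pid), comm))
    return owners


def suspicious(sockets):
    """Raw sockets on ETH_P_ALL see every frame, the profile BPFDoor needs.
    This is a triage filter, not proof: tcpdump and some DHCP clients use the same."""
    return [s for s in sockets if s["type"] == SOCK_RAW and s["proto"] == ETH_P_ALL]


if __name__ == "__main__":
    if os.path.exists("/proc/net/packet"):
        with open("/proc/net/packet") as f:
            socks = parse_packet_sockets(f.read())
    else:  # not Linux: fall back to the constructed sample
        socks = parse_packet_sockets(SAMPLE_PROC_NET_PACKET)
    owners = socket_owners({s["inode"] for s in socks}) if os.path.isdir("/proc") else {}
    for s in suspicious(socks):
        print(f"inode={s['inode']} uid={s['uid']} ifindex={s['ifindex']} "
              f"owners={owners.get(s['inode'], [])}")
```

Every process it prints should have a known reason to sniff the wire. For anything unexplained, `ss -0pb` (packet sockets, with process and attached BPF filter) shows the filter program itself, and a /proc/<pid>/exe link marked "(deleted)" is a further warning sign, since BPFDoor runs from a copy it removes from disk.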
The fallout was severe:
In early October 2025, Red Hat confirmed a breach of a self-managed GitLab instance used by its consulting division. The Crimson Collective threat group claimed to have exfiltrated around 570 GB of compressed data from more than 28,000 internal repositories, including roughly 800 Customer Engagement Reports (CERs) containing VPN settings, infrastructure diagrams, API keys, credentials and security configurations for more than 800 enterprise and government clients. That is what made a single repository breach systemic: consulting deliverables that embed live credentials turn into a map of, and keys to, every customer's infrastructure.
According to the attackers' claims, hundreds of major clients, including financial, telecom and government bodies, were affected; the names they listed included the U.S. Navy, Bank of America, American Express, AT&T and T-Mobile.
Red Hat, however, did not confirm all of Crimson Collective's claims. It said the instance held consulting engagement data and that it had found no evidence of impact on its other services or products, including its software supply chain.
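The check a practitioner would want after this incident is a scan of reports and repositories for embedded credentials before they are ever committed. Below is an added example, not code from the article or from Red Hat, of a small pattern-based secret scanner run over a constructed engagement-report snippet. The key formats matched (AWS access key IDs, GitHub tokens, Slack tokens, PEM private-key headers and plain `password =` lines) are public formats; the sample document and every credential in it are fake.

```python
"""Scan documents and repositories for embedded credentials.

Added example, not from the article or from Red Hat. Patterns cover a few
well-known token formats plus plain password assignments; the sample
report is constructed and the secrets in it are fake.
"""
import os
import re

PATTERNS = {
    "generic_password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*['\"]?[^\s'\"]{6,}"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Constructed sample of the kind of content an engagement report must never carry.
SAMPLE_CER = """\
# Customer Engagement Report: example-corp (constructed sample)
VPN concentrator: 10.0.12.1, admin account:
  password = Winter2025!
AWS automation: AKIAIOSFODNN7EXAMPLE / wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
CI token: ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij01
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA...
"""


def redact(secret):
    """Keep a short prefix so a finding is identifiable without copying the secret into a ticket."""
    return secret[:4] + "****" if len(secret) > 8 else "****"


def scan_text(text, name="<text>"):
    """Return findings in document order: one per (line, pattern, match)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append({"file": name, "line": lineno,
                                 "kind": kind, "match": redact(m.group(0))})
    return findings


def scan_tree(root, max_bytes=2_000_000):
    """Walk a directory (e.g. a checked-out repo) and scan every readable text file."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, encoding="utf-8", errors="ignore") as f:
                    findings.extend(scan_text(f.read(), path))
            except OSError:
                continue
    return findings


if __name__ == "__main__":
    for finding in scan_text(SAMPLE_CER, "example-corp-cer.md"):
        print(finding)
```

Run as a pre-commit hook or CI gate, a scanner like this blocks the commit rather than just reporting it; real deployments also keep an allowlist for documented placeholder values (the AWS `AKIAIOSFODNN7EXAMPLE` key above is one) and add entropy checks for secrets with no fixed prefix. The stronger fix is structural: engagement reports should reference a vault entry, never the credential itself, so a leaked document costs a diagram rather than access.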
If you’re interested in a detailed, monthly breakdown of the biggest cyber attacks in 2025, don’t forget to check out our month-wise roundup of the biggest cyber attacks, data breaches and ransomware attacks in the year gone by.