Last updated
December 17, 2025

If 2025 has taught us anything, it’s that risk is no longer confined to the edges of your network. The traditional security perimeter has dissolved, with risk creeping into the very tools we use to run our businesses. 

Organizations faced off against catastrophic configuration errors, the weaponization of third-party trust connections, Multi-Factor Authentication (MFA) failures, and attackers who clearly love the holidays.

With that in mind, we’re looking back at the ten most impactful security events of 2025 to learn from them for an even more secure 2026. 

The top 10 security events of 2025

1. Salesforce ecosystem attack wave (June - October 2025)

Over the summer and early autumn, attackers claimed to have taken roughly 1 billion records from Salesforce customers, among them TransUnion, Qantas, Farmers Insurance, and Google. They did not break Salesforce itself; they abused third-party connected apps and the OAuth trust Salesforce extends to them.

In the Salesloft Drift thread of the campaign, attackers compromised the Drift integration and stole the OAuth tokens it held, then used those tokens to query many customers' Salesforce instances as a trusted application. Because a token authenticates the integration rather than a person, the access looked like ordinary API traffic. Scattered LAPSUS$ Hunters claimed responsibility.

Read more: We explore the attackers' methods and the full impact in our analysis of the Salesforce data leak and extortion campaign here.

Why it matters

The Salesforce attack wave shows how one compromised SaaS-to-SaaS integration turns into a mass supply chain failure. An OAuth access token is a bearer credential issued after the user has already passed MFA, so whoever holds the token sidesteps MFA entirely and reads data with whatever scopes the app was granted.

Lessons learnt

Organizations must apply Zero Trust to SaaS integrations: inventory every connected app, review the scopes each one holds, and revoke tokens and permissions that are unnecessary or unused. Security Operations Center (SOC) and platform admin teams should also remove the ability for standard users to self-authorize new connected apps, and should alert on new app authorizations and on bulk API exports from unfamiliar addresses.
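To make the token audit concrete, here is an added example (our illustration for this article, not Salesforce code or an official API) that takes an export of connected-app OAuth grants and produces a revocation list. The record layout, the app names, the users, and the approved-app allowlist are all constructed; a real run would feed it the connected-app token usage report from the tenant.

```python
"""Audit connected-app OAuth grants and build a revocation list.

Added example: the record layout (app_name, user, scopes, last_used) is an assumed
shape modelled on a connected-app token usage export, not a real API.
"""
from datetime import datetime, timedelta, timezone

# Scopes that let an app keep acting while no human is present (refresh/offline)
# or act with the full rights of the granting user. A stolen token carrying these
# scopes is exactly what made the 2025 Salesforce wave work.
HIGH_RISK_SCOPES = {"full", "refresh_token", "offline_access"}

# Assumed allowlist: apps that went through security review.
APPROVED_APPS = {"Corporate SSO", "Data Warehouse Sync"}


def _parse_ts(value):
    """ISO-8601 timestamp, tolerating a trailing 'Z'; None if missing or unparseable."""
    if not value:
        return None
    try:
        return datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None


def audit_tokens(tokens, approved, now, stale_after=timedelta(days=90), mass_consent_min=3):
    """Return (revocations, mass_consent).

    revocations : token records to revoke, each annotated with the reasons.
    mass_consent: unapproved apps authorized by >= mass_consent_min distinct users,
                  the signature of a phishing/vishing campaign that talks many
                  users into approving the same rogue app.
    """
    revocations = []
    users_per_app = {}
    for tok in tokens:
        users_per_app.setdefault(tok["app_name"], set()).add(tok["user"])
        reasons = []
        approved_app = tok["app_name"] in approved
        if not approved_app:
            reasons.append("app not on the approved list")
        last_used = _parse_ts(tok.get("last_used"))
        if last_used is None or now - last_used > stale_after:
            reasons.append(f"token unused for more than {stale_after.days} days")
        risky = HIGH_RISK_SCOPES & set(tok.get("scopes", []))
        if risky and not approved_app:
            reasons.append("persistent or high-privilege scopes: " + ", ".join(sorted(risky)))
        if reasons:
            revocations.append({**tok, "reasons": reasons})
    mass_consent = {app: len(users) for app, users in users_per_app.items()
                    if app not in approved and len(users) >= mass_consent_min}
    return revocations, mass_consent


# Constructed sample export (fictional users and app names).
SAMPLE_TOKENS = [
    {"app_name": "Corporate SSO", "user": "alice@example.com",
     "scopes": ["openid", "id"], "last_used": "2025-12-10T09:00:00Z"},
    {"app_name": "Data Warehouse Sync", "user": "svc-etl@example.com",
     "scopes": ["api", "refresh_token"], "last_used": "2025-12-11T02:00:00Z"},
    {"app_name": "Chatbot Lead Sync", "user": "bob@example.com",
     "scopes": ["api", "refresh_token", "offline_access"], "last_used": "2025-12-09T15:30:00Z"},
    {"app_name": "Helpdesk Data Loader", "user": "carol@example.com",
     "scopes": ["api", "refresh_token"], "last_used": "2025-12-12T10:00:00Z"},
    {"app_name": "Helpdesk Data Loader", "user": "dave@example.com",
     "scopes": ["api", "refresh_token"], "last_used": "2025-12-12T10:05:00Z"},
    {"app_name": "Helpdesk Data Loader", "user": "erin@example.com",
     "scopes": ["api", "refresh_token"], "last_used": "2025-12-12T10:09:00Z"},
    {"app_name": "Corporate SSO", "user": "former.employee@example.com",
     "scopes": ["openid"], "last_used": "2025-06-01T08:00:00Z"},
]


def run_audit():
    now = datetime(2025, 12, 15, tzinfo=timezone.utc)  # fixed so the run is reproducible
    return audit_tokens(SAMPLE_TOKENS, APPROVED_APPS, now)


if __name__ == "__main__":
    revocations, mass = run_audit()
    for tok in revocations:
        print(f"REVOKE {tok['app_name']!r} for {tok['user']}: {'; '.join(tok['reasons'])}")
    for app, n in mass.items():
        print(f"INVESTIGATE {app!r}: authorized by {n} users, likely consent phishing")
```

Run against the sample, the audit revokes five grants: the unapproved chatbot app with offline scopes, the three grants to the unapproved "data loader" app, and a stale SSO grant belonging to someone who has not signed in for months. The three-user cluster on one unapproved app is surfaced separately, because that pattern is worth an incident ticket rather than a quiet revocation.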

2. Claude Code agent attack

2025 also produced a new kind of incident, one carried out largely by AI. In November, Anthropic disclosed a campaign in which a threat actor drove its Claude Code agent to perform an estimated 80-90% of the intrusion work autonomously: reconnaissance, vulnerability discovery, exploit writing, credential harvesting, and data exfiltration against roughly 30 organizations worldwide.

Why it matters

This was the first documented large-scale intrusion campaign executed primarily by an autonomous AI agent. The operators got past the model's safeguards by posing as a legitimate security firm and splitting the operation into small tasks that each looked benign on its own. An attacker who can do that moves at machine speed, which compresses the time defenders have to detect and respond.

Lessons learnt

Security teams must prepare for AI-orchestrated attacks that run at a speed and scale no human crew can match. The same capabilities have to be turned to defense: automated triage, detection engineering, and incident response. One caveat from the disclosure is worth keeping in mind: the agent sometimes overstated its findings and fabricated credentials, so AI output on either side of the fight still needs human verification.

3. Marks & Spencer retail ransomware

Attackers continue to target high-impact periods, as the UK retail ransomware spree made plain. The attack on Marks & Spencer, detected over the Easter weekend, disrupted online and in-store operations and caused significant financial and reputational damage. The intrusion, attributed to the Scattered Spider crew, who deployed DragonForce ransomware, forced the retailer to shut down its automated ordering and stock systems and fall back to manual workarounds.

Why it matters 

This was a clear demonstration of holiday and seasonal ransomware-as-a-service (RaaS) targeting: the goal was to cripple retail operations at a peak period. The attackers got in by impersonating employees to a third-party IT helpdesk and talking it into resetting credentials, then hit other retailers, including the Co-op and Harrods, with the same playbook.

Lessons learnt 

Supplier and vendor downtime can be devastating. M&S kept online orders suspended for roughly six weeks and put the hit to its operating profit at about £300 million, while shelves ran short and suppliers scrambled. Clever social engineering, not a zero-day, drove this costly attack, underlining how much risk now sits with people and helpdesk processes.

4. PowerSchool breach

The breach exposed records of roughly 62 million students and 9.5 million teachers across the U.S. K-12 system, including sensitive personally identifiable information (PII) and academic records. The attackers used a single compromised credential for a customer-support portal to reach a centralized student information system, and with it a huge volume of data about minors.

Why it matters

This event highlights the extreme vulnerability of centralized education data (K-12). Attacking a single, widely used vendor provides a “force multiplier” for hackers, turning one breach into a critical risk across an entire vertical sector. Schools often retain data for decades, meaning that the breach impacted not only current students but also alumni.

Lessons learnt

This breach shows that the basics remain the primary line of defense: the attackers got in because MFA was not enforced on a support account (reportedly a contractor's). It also underlines the need for data minimization: organizations should not retain sensitive information for decades once it is no longer needed for active operations. And it is a caution on extortion payments: PowerSchool paid for a promise of deletion, yet months later individual school districts were extorted with the same data.

5. Shai-Hulud self-replicating worm

In September 2025, a self-replicating worm dubbed Shai-Hulud compromised more than 180 npm (Node package manager) packages and exfiltrated secrets (API keys, cloud credentials, npm and GitHub tokens) from thousands of developer machines and CI pipelines.

Read more: We covered the worm’s propagation with a full technical breakdown here.

Why it matters 

It was the first major self-propagating worm to target the open-source developer supply chain at scale. Its pivot was automatic: once it ran in a developer's environment it harvested npm and GitHub tokens, used the npm token to publish trojanized versions of every other package that maintainer could publish, and used the GitHub token to push the stolen secrets to a public repository.

Lessons learnt 

The attack hit the identity layer from every side: human credentials, machine identities, and supply chain trust relationships. The lessons are concrete: enforce MFA on all developer accounts, move secrets out of developer environments into a vault, replace long-lived publish tokens with short-lived or trusted-publishing credentials, pin dependencies with a lockfile, and run installs with lifecycle scripts disabled (npm ci --ignore-scripts) wherever the build does not need them.

Take action: Explore our strategic guide on the Shai-Hulud Lesson for CISOs to learn how to safeguard your organization from similar supply chain threats.
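As an added example, not code from the Shai-Hulud analyses or from npm, the script below implements two of the checks above against a project checkout: it flags any package that registers an install-time lifecycle script (escalating when the script runs a bundle.js loader, the tell reported for Shai-Hulud), and it cross-checks both the lockfile and the installed packages against a list of compromised name@version pairs. The package names and the indicator entry are constructed placeholders; a real run would load the published indicator list.

```python
"""Scan an npm project for install-time hooks and known-compromised versions.

Added example, not from the Shai-Hulud write-ups or any npm tooling. The
compromised name@version entries below are constructed placeholders; point
COMPROMISED at the published indicator list for a real run.
"""
import json
import tempfile
from pathlib import Path

# Lifecycle scripts npm runs automatically during install. A worm that wants to
# execute on every machine that pulls the package hides its loader here.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Reported Shai-Hulud tell: a postinstall hook running a bundle.js shipped in the package.
HOOK_MARKERS = ("bundle.js",)
# Constructed indicator list (fictional package); replace with the real published list.
COMPROMISED = {"acme-widgets@2.4.1"}


def pkg_name_from_lock_path(path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return path.rsplit("node_modules/", 1)[-1]


def scan_lockfile(lock_path, compromised):
    """Check every resolved name@version in a lockfileVersion 2/3 package-lock."""
    findings = []
    data = json.loads(Path(lock_path).read_text())
    for path, meta in data.get("packages", {}).items():
        if not path:  # "" is the root project entry
            continue
        spec = f"{pkg_name_from_lock_path(path)}@{meta.get('version')}"
        if spec in compromised:
            findings.append({"kind": "compromised-version", "severity": "critical",
                             "package": spec, "where": str(lock_path)})
    return findings


def scan_installed(project_root, compromised):
    """Walk node_modules: flag known-bad versions and any install-time script."""
    findings = []
    for pkg_json in Path(project_root, "node_modules").rglob("package.json"):
        try:
            meta = json.loads(pkg_json.read_text())
        except (OSError, ValueError):
            continue
        spec = f"{meta.get('name')}@{meta.get('version')}"
        if spec in compromised:
            findings.append({"kind": "compromised-version", "severity": "critical",
                             "package": spec, "where": str(pkg_json)})
        for hook in INSTALL_HOOKS:
            cmd = (meta.get("scripts") or {}).get(hook)
            if not cmd:
                continue
            hit = any(marker in cmd for marker in HOOK_MARKERS)
            # Every install hook deserves a look; the marker bumps it to high.
            findings.append({"kind": "install-hook", "severity": "high" if hit else "info",
                             "package": spec, "hook": hook, "command": cmd, "where": str(pkg_json)})
    return findings


def build_fixture(base):
    """Constructed project tree so the scanner runs offline (no real packages)."""
    def write(rel, obj):
        p = Path(base, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(json.dumps(obj))
    write("node_modules/acme-widgets/package.json",
          {"name": "acme-widgets", "version": "2.4.1",
           "scripts": {"postinstall": "node bundle.js"}})
    write("node_modules/tidy-hooks/package.json",
          {"name": "tidy-hooks", "version": "1.0.0",
           "scripts": {"prepare": "husky install", "test": "jest"}})
    write("node_modules/plain-lib/package.json", {"name": "plain-lib", "version": "3.1.0"})
    write("package-lock.json",
          {"name": "demo-app", "lockfileVersion": 3,
           "packages": {"": {"name": "demo-app"},
                        "node_modules/acme-widgets": {"version": "2.4.1"},
                        "node_modules/tidy-hooks": {"version": "1.0.0"},
                        "node_modules/plain-lib": {"version": "3.1.0"}}})


def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_fixture(tmp)
        return (scan_lockfile(Path(tmp, "package-lock.json"), COMPROMISED)
                + scan_installed(tmp, COMPROMISED))


if __name__ == "__main__":
    for f in run_demo():
        print(f["severity"].upper().ljust(8), f["kind"], f["package"], f.get("command", ""))
```

On the constructed tree the scanner reports the compromised version twice (once from the lockfile, once from the installed copy), the bundle.js postinstall as high, and the benign husky prepare hook as informational. That last one is deliberate: a worm does not need an unusual command, only an install hook, so every hook in your dependency tree should be known and accounted for.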

6. Blue Shield of California analytics misconfiguration

Blue Shield of California disclosed that data for 4.7 million members had been exposed, not through an intrusion but through a misconfigured Google Analytics deployment that allowed protected health information (PHI) to flow to Google Ads. The shared data included plan names and group numbers, patient names, claim service dates and providers, and Find a Doctor search criteria, and the configuration went unnoticed from April 2021 until January 2024. A configuration error in a commonly used web tool did what a sophisticated hack would have done.

Why it matters

This is a prime example of third-party script and tracking-pixel leakage. Analytics scripts see page URLs, titles, and form interactions by default, and on a member portal those routinely carry patient information. Sending that to an advertising platform is a HIPAA (Health Insurance Portability and Accountability Act) violation and has become a major legal liability across the sector.

Lessons learnt

Organizations must inventory and audit every third-party script and integration on their public-facing websites, especially behind authentication. Treat what a tag can see as an outbound data flow: keep identifiers and search terms out of URLs and page titles, disable advertising data-sharing features in analytics products unless they have been reviewed, and test the beacons a page emits before deployment. A simple misconfiguration can expose PHI at scale.
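The audit in practice, as an added example that is not from Blue Shield's disclosure or from Google: the script below parses analytics beacons shaped like GA4 /g/collect requests, flags parameters and page URLs that carry member or health data, and shows the sending-side fix of scrubbing the page URL before the tag sees it. The beacons, the example-health.test hostname, and the sensitive key list are constructed for the example.

```python
"""Inspect analytics beacons for PHI/PII before it leaves the site, and scrub page URLs.

Added example, not from Blue Shield's disclosure or Google's tooling. The beacons
below are constructed to mimic GA4 /g/collect requests; the sensitive key list and
the example-health.test hostname are assumptions.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query/event parameter names that should never reach a third-party tag.
SENSITIVE_KEYS = {"member_id", "subscriber_id", "group_number", "plan", "plan_name",
                  "dob", "ssn", "diagnosis", "condition", "drug", "rx"}
# Pages whose search terms are themselves health information.
SEARCH_PATHS = ("/find-a-doctor", "/find-care")
SEARCH_KEYS = {"q", "search", "specialty", "condition"}
# Content-based checks for values whose key name gives nothing away.
VALUE_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "date_of_birth": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
}
# GA4 fields: dl = page location, dr = referrer (full URLs); dt = page title;
# ep.<name> / up.<name> = custom event parameters / user properties.
URL_FIELDS = ("dl", "dr")


def _match_values(field, text):
    return [(field, f"value-pattern:{name}", text)
            for name, rx in VALUE_PATTERNS.items() if rx.search(text)]


def inspect_page_url(field, page_url):
    """Findings for a page URL carried inside a beacon (query keys and search terms)."""
    parts = urlsplit(page_url)
    findings = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS:
            findings.append((field, "sensitive-key", f"{key}={value}"))
        elif parts.path.startswith(SEARCH_PATHS) and key.lower() in SEARCH_KEYS:
            findings.append((field, "search-term", f"{key}={value}"))
    return findings + _match_values(field, page_url)


def inspect_beacon(beacon_url):
    """Return a list of (field, issue, detail) for one analytics request."""
    findings = []
    for key, value in parse_qsl(urlsplit(beacon_url).query, keep_blank_values=True):
        if key in URL_FIELDS:
            findings += inspect_page_url(key, value)
        elif key.startswith(("ep.", "up.")):
            if key.split(".", 1)[1].lower() in SENSITIVE_KEYS:
                findings.append((key, "sensitive-key", f"{key}={value}"))
            findings += _match_values(key, value)
        elif key == "dt":
            findings += _match_values(key, value)
    return findings


def scrub_url(page_url):
    """The fix on the sending side: drop sensitive keys before the URL is handed to the tag."""
    parts = urlsplit(page_url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SENSITIVE_KEYS
            and not (parts.path.startswith(SEARCH_PATHS) and k.lower() in SEARCH_KEYS)]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def _beacon(**params):
    """Constructed GA4-style collect request (sample data, not a capture)."""
    return "https://www.google-analytics.com/g/collect?" + urlencode({"v": "2", "tid": "G-EXAMPLE1", **params})


SAMPLE_BEACONS = [
    _beacon(en="page_view", dt="Find a Doctor",
            dl="https://member.example-health.test/find-a-doctor?"
               + urlencode({"zip": "94105", "q": "oncologist", "plan": "PPO Gold"})),
    _beacon(en="form_submit", dl="https://member.example-health.test/claims",
            **{"ep.member_id": "XQ123456789", "ep.dob": "1984-02-19"}),
    _beacon(en="page_view", dt="About Us", dl="https://www.example-health.test/about"),
]


def run_demo():
    return [inspect_beacon(b) for b in SAMPLE_BEACONS]


if __name__ == "__main__":
    for beacon, findings in zip(SAMPLE_BEACONS, run_demo()):
        print(beacon[:60] + "...", "->", findings or "clean")
```

The first sample beacon leaks a plan name and a provider search term through nothing more than the page URL, which the tag collects by default; the second leaks a member ID and a date of birth through custom event parameters, the date caught twice (by name and by content). Scrubbing the page location before it is passed to the tag removes the first class of leak; the second needs a review of what the site's own code pushes into events.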

Read more: Take a look at some of the other biggest healthcare data breaches in recent years here.

7. SK Telecom breach

The breach affected nearly half of South Korea's population (approximately 27 million subscribers), compromising USIM (Universal Subscriber Identity Module) data used for mobile network authentication, including phone numbers, subscriber identifiers and authentication keys. Attackers had planted malware on the core network's subscriber servers; investigators later reported it had been resident since 2022.

Why it matters

Because a stolen USIM authentication key can be used to clone a SIM, the breach threatened the integrity of mobile-number-based authentication nationwide, a critical risk in South Korea, where mobile numbers are tied to the national identity checks used for banking and government services. The exposure went far beyond personally identifiable information (PII) theft; SK Telecom ended up offering SIM replacements to its entire subscriber base.

Lessons learnt

Cybersecurity must be treated as a strategic business risk, not just an "IT problem". Fast detection and disclosure are critical: here the malware sat undetected for years, and delayed reporting contributed to regulatory penalties and reputational harm.

8. Conduent breach

Conduent, a business process outsourcer that handles claims and payments for government healthcare programs, disclosed that attackers had taken records of up to 10.5 million people. The damage was so large because one service provider held patient data on behalf of many clients, proving once again that healthcare remains a prime target.

Why it matters

The incident is a failure at a third-party business associate, and it shows the legal and financial fallout that comes with heavy data concentration. Unlike the software supply chain attacks elsewhere on this list, this was an attack on a critical service partner, and every client that had entrusted data to it inherited the breach.

Lessons learnt

Organizations need to implement data minimization policies to reduce risk exposure. SOC teams must also conduct regular data inventory and classification to identify where highly sensitive PII/PHI resides.

9. Red Hat Consulting GitLab breach

Attackers, with the Crimson Collective claiming responsibility, exfiltrated roughly 570 GB of data from about 28,000 internal repositories on Red Hat Consulting's self-managed GitLab instance. The haul reportedly included Customer Engagement Reports describing client infrastructure, along with authentication tokens.

Why it matters

It was a direct attack on the DevOps/GitOps supply chain. By stealing client code and infrastructure details from a major vendor, threat actors created a massive secondary supply chain risk. Consulting firms tend to act as credential aggregation points, and the theft of hardcoded credentials (API keys and tokens) provides attackers with a roadmap to the victim’s cloud environments.

Lessons learnt

Consulting environments must be isolated from critical production networks. Organizations should run continuous secret scanning across all code repositories (including history), use short-lived, least-privilege credentials for consulting projects, and treat engagement deliverables that describe infrastructure as sensitive. Any customer named in such a breach should assume every token that ever appeared in the repositories is burned and rotate it.
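Continuous scanning starts with knowing what a leaked credential looks like. The example below is our own illustration, not Red Hat's or any vendor's scanner: it combines documented token formats (AWS access key IDs, GitHub and GitLab tokens, Slack webhooks, PEM private keys) with an entropy-scored fallback for secret-looking assignments, and skips obvious placeholders. The repository snapshot and every value in it are constructed; none is a live credential.

```python
"""Scan repository contents for hardcoded credentials.

Added example, not Red Hat's tooling or any existing scanner. Token formats are the
publicly documented prefixes (AWS AKIA..., GitHub ghp_/gho_..., GitLab glpat-, Slack
webhooks, PEM private keys); the sample files and every value in them are constructed.
"""
import math
import re
from collections import Counter

# Known credential shapes: high confidence on a match.
PATTERNS = {
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github-token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "gitlab-pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20}\b"),
    "slack-webhook": re.compile(r"https://hooks\.slack\.com/services/T[A-Z0-9]+/B[A-Z0-9]+/[A-Za-z0-9]+"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP )?PRIVATE KEY-----"),
}
# Fallback: a secret-ish variable name assigned a longish value; confidence set by entropy.
GENERIC = re.compile(
    r"(?i)\b[\w-]*(?:secret|token|password|passwd|api[_-]?key)[\w-]*\s*[:=]\s*[\"']?([A-Za-z0-9+/=_\-]{8,})")
PLACEHOLDER_HINTS = ("example", "changeme", "your-", "your_", "placeholder", "xxxx", "redacted")
ENTROPY_THRESHOLD = 3.5  # bits per char; random keys sit around 4.5-5.5, words far lower


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def is_placeholder(value):
    low = value.lower()
    return any(h in low for h in PLACEHOLDER_HINTS)


def redact(value):
    return value[:4] + "***" if len(value) > 4 else "***"


def scan_text(path, text):
    """Findings for one file's contents: dicts with path, line, kind, confidence, preview."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        matched = False
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                matched = True
                findings.append({"path": path, "line": lineno, "kind": kind,
                                 "confidence": "high", "preview": redact(m.group(0))})
        if matched:
            continue  # don't double-report a line already caught by a specific pattern
        m = GENERIC.search(line)
        if m and not is_placeholder(m.group(1)):
            value = m.group(1)
            conf = "high" if shannon_entropy(value) >= ENTROPY_THRESHOLD else "low"
            findings.append({"path": path, "line": lineno, "kind": "generic-secret-assignment",
                             "confidence": conf, "preview": redact(value)})
    return findings


def scan_tree(files):
    """files: {relative_path: contents}. In practice walk the checkout and its git history."""
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


# Constructed repository snapshot; none of these values is a live credential.
SAMPLE_FILES = {
    "config/prod.env": (
        "DB_PASSWORD=correct-horse-battery\n"
        "AWS_ACCESS_KEY_ID=AKIAQ4XTESTKEY000001\n"
        "AWS_SECRET_ACCESS_KEY=9f3Kq2LmZx8VbT1nR7sYw4PdC6hJ0aEuG5iOkMNl\n"
    ),
    "deploy/ci.yml": (
        "env:\n"
        "  GITHUB_TOKEN: ghp_abcdefghijklmnopqrstuvwxyz0123456789\n"
        "  GITLAB_TOKEN: glpat-Ab1Cd2Ef3Gh4Ij5Kl6Mn\n"
    ),
    "src/notify.py": 'SLACK_WEBHOOK = "https://hooks.slack.com/services/T0000000A/B0000000B/abcdefghijklmnopqrstuvwx"\n',
    "deploy/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAA...\n-----END OPENSSH PRIVATE KEY-----\n",
    "README.md": "Set `export API_KEY=changeme-please-rotate` before running the client.\n",
}


def run_demo():
    return scan_tree(SAMPLE_FILES)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['confidence']:<4} {f['path']}:{f['line']} {f['kind']} {f['preview']}")
```

Against the sample the scanner returns seven findings, six high and one low. The low one is the dictionary-word database password: the entropy heuristic cannot tell it from a default, which is why pattern matching and entropy scoring are complementary rather than alternatives. The README placeholder is correctly skipped. Wire this into CI on every push and, once, across full repository history, since a credential removed in a later commit is still sitting in the clone an attacker exfiltrates.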

10. Bouygues Telecom ransomware

In August 2025, Bouygues Telecom disclosed a compromise affecting 6.4 million customer accounts, exposing names, physical addresses, phone numbers, and IBANs (International Bank Account Numbers).

Why it matters

This illustrates the persistent and successful targeting of major national telecommunications companies by Ransomware-as-a-Service (RaaS) groups, where criminals lease malware and infrastructure to affiliates. The reported entry vector was social engineering that gave the attackers a foothold in the company's identity and access management (IAM) systems.

Lessons learnt

Continuous employee training is non-negotiable, because a single convincing phishing email or phone call can hand over access to the entire network. Leaked IBANs also carry a direct financial risk: customers were warned to watch for unauthorized direct debits, which shows how quickly contact and banking data turn into fraud.

2026: Turn insights into action

These incidents did more than feed news cycles; they showed that controls alone are not enough. The defining failure across these breaches was a lack of environmental awareness: not knowing which apps held tokens, which scripts saw patient data, or which vendor held which records. Attackers were relentless this year, proving that if they can't break down your front door, they'll find a third-party gap to worm their way in.

To fortify security postures in 2026, organizations must: 

  • Make inventory the new frontline: Teams need to do more than basic maintenance. Continuous data discovery and classification should tell you exactly where your most sensitive PII and PHI reside, and which third parties can reach it.
  • Become operationally resilient: Transition from the assumption “It won’t happen to us” to a model of high visibility, so that when an incident occurs, the impact is immediately contained and recovery is fast.
  • Scrutinize trusted connections: Scrutinize the third-party authentication apps and SaaS-to-SaaS connections that tie platforms together to prevent mass supply chain failures.
  • Reinforce the human perimeter: Secure the identity layer by enforcing MFA on every account, starting with developer, contractor, and support accounts, and deploy rigorous social engineering defenses, including helpdesk verification procedures, to protect initial access to IAM systems.

One thing is for certain, organizations must shift from “swivel-chair” security methods and reactive patching to proactive risk assessment and remediation. UpGuard provides the real-time visibility and supply chain oversight required to turn these insights into action.