How 2025’s biggest hacks unfolded across industries


An unprecedented surge in breaches, capped by the first major AI-led attack, marked 2025 as a turning point in cybersecurity.

2025 has been one of the busiest years for cybersecurity reporters, with massive thefts, large-scale leaks, supply-chain compromises, and ransomware attacks targeting everything from cryptocurrency exchanges to luxury fashion, telecommunications, and hospitals.

It was also the year the industry crossed a new threshold with the first documented case of a large-scale cyberattack carried out largely by an autonomous AI agent.


Traditional threats like ransomware and credential theft continued to dominate, but the emergence of AI-driven intrusions perhaps signals a shift in the speed, scale, and sophistication of attacks in the coming years.

Here’s a sector-wise recap of the year’s most consequential incidents that caught our eye.

Crypto and Banking

The year opened with one of the largest crypto thefts on record. In February, Bybit confirmed that attackers had siphoned off roughly $1.5 billion in ethereum from a compromised wallet. The breach was striking not only for its scale but also because it hit a regulated, centralized exchange, reigniting debates about key management and custody controls.

Then, in November, a $37 million theft at South Korea’s Upbit served as a fresh reminder that major exchanges still have significant security gaps to close.

Soon after, Iranian state-owned Bank Sepah became the focus of a dramatic breach. Attackers claimed they had stolen 42 million customer records, and posted samples of banking data belonging to high-profile civilian and military customers after the bank denied the incident. The situation worsened in June, when another hacking group caused widespread service outages affecting Sepah’s ATMs, online banking, and even fuel stations tied to its payment network, demonstrating how financial attacks can cascade into national-level disruptions.


Then, in November, a ransomware attack occurred at Habib Bank AG Zurich in Switzerland, resulting in the loss of over 2.5TB of data. The haul allegedly included passport details, account balances, detailed transactions, and source code for several of its internal banking tools.


Airlines and Aviation

Aviation remained a high-value target, with the FBI warning mid-year that cybercriminal groups, particularly the Scattered Spider collective, had increased their focus on airlines and transportation vendors.

It wasn’t too long after the warning that the largest confirmed breach hit Australia’s Qantas Airlines. Attackers later published what they claimed were 5-6 million customer records, including names, email addresses, phone numbers, dates of birth, and frequent flyer information. The breach reportedly stemmed from a compromised third-party customer service platform. Qantas even cut its CEO’s bonus over these cybersecurity failures.

The theme of third-party compromises continued in November when Iberia Airlines reported a data breach via a compromised supplier. Attackers claimed to have stolen 596GB of passenger data, including passenger PII and loyalty information, prompting concerns about targeted phishing and travel fraud. More concerningly, the attackers claimed that thanks to the stolen data, they had “long-term, unfettered access” to all bookings, with the ability to view and edit them.

The same group also breached Collins Aerospace, disrupting its vMUSE passenger-processing system used across major airports. The attack caused check-in outages at multiple major European hubs, including London’s Heathrow, as well as airports in Brussels, Berlin, and Dublin, and Ireland's second-largest airport, Cork. The incident showed how a single compromised aviation vendor can trigger continent-wide operational consequences.

Retail

Luxury and mainstream retail were hit hard throughout the year. In April, hackers breached the Kering Group, accessing 7.4 million customer files from high-end brands like Gucci, Balenciaga, and Alexander McQueen. The exposed data included contact details and total customer spending, making it highly valuable for social-engineering campaigns.


That same month, Marks & Spencer suffered a ransomware attack that disrupted operations and reportedly cost around £300 million. Attackers gained access through stolen vendor credentials, knocking out contactless payments and in-store pickup systems, which served as a stark reminder of how dependent retailers are on third-party security.

In July, Louis Vuitton disclosed a breach after attackers accessed the systems of its UK unit. They stole names, passport numbers, dates of birth, addresses, phone numbers, and detailed shopping histories. Later, Hong Kong’s privacy regulator confirmed that it was investigating the incident after being informed that over 400,000 customers in the region were affected.


As the year drew to a close, South Korean online retailer Coupang was hit late in November and lost personal data belonging to nearly 34 million customers, which is more than half of the country's population. The compromised data includes customer names, email addresses, phone numbers, shipping addresses, and more.

Healthcare

Healthcare, as usual, remained one of the most targeted sectors due to the sensitivity and longevity of medical data. Early in the year, researchers found over 1.2 million internet-exposed medical devices and systems, including MRI and CT systems, blood-test devices, DICOM viewers, and hospital management tools, that were misconfigured and exposing patient images and test results.


The largest healthcare breach in US history was confirmed by UnitedHealth Group’s Change Healthcare in August. The attack exposed data for 192.7 million people, including diagnoses, treatment histories, insurance IDs, and billing information. It also disrupted claims processing nationwide for hospitals, clinics, and pharmacies.

In April, dialysis giant DaVita, which operates 3,166 outpatient dialysis centers worldwide, reported that ransomware actors accessed data affecting 2.7 million patients, including Social Security numbers, health-insurance information, and dialysis-related clinical records.

Another large incident became public in October, when SimonMed Imaging, one of the largest medical imaging providers in the US, revealed that a cyberattack in January had compromised 1.27 million patients and exfiltrated 212GB of data.

While both DaVita and SimonMed offered complimentary credit monitoring and identity theft protection services, the delay between the initial attack and the full disclosure, especially in SimonMed’s case, raises concerns about patient exposure during the notification gap.

Government and Public Sector

One of the more unusual breaches of the year involved TeleMessage, an archiving platform used by US government officials. Attackers accessed names, phone numbers, email addresses, and communication metadata across multiple agencies. Even without message content, communication patterns and contact graphs can be highly valuable for foreign intelligence services.


In July, the city of St. Paul, Minnesota, suffered a ransomware attack in which attackers gained access to 43GB of data and forced major city systems offline. Government buildings lost internet access, and residents were unable to make online payments for essential services. The recovery stretched over several weeks.

France also experienced a surge in politically motivated attacks linked to global conflicts. At least 11 French government agencies and critical infrastructure organizations were hit by distributed denial-of-service (DDoS) attacks against Industrial Control Systems (ICS) between January and March. Hacktivist groups targeted government departments, utilities, and public services, aiming to disrupt operations and influence public opinion.

Other notable hacks

The industrial sector experienced one of the year's most disruptive incidents when Jaguar Land Rover (JLR) suffered a major cyberattack that began on August 31st. The breach shut down production across UK plants for weeks, causing supply-chain breakdowns and disrupting thousands of suppliers. The total impact, estimated at £1.9 billion, made it one of the costliest operational cyber incidents of 2025.


In November, a large-scale supply chain attack targeted companies that used third-party apps integrated with Salesforce. Attackers compromised external applications built by Gainsight and accessed Salesforce-hosted data linked to over 200 companies, including major tech and cybersecurity vendors.

Telecom firms also faced heavy targeting throughout the year. South Korea’s SK Telecom suffered two major breaches: a ransomware attack in April that reportedly stole 1TB of data, and another in September involving the theft of source code. Meanwhile, France’s Bouygues Telecom said attackers had accessed personal information tied to 6.4 million customer accounts, including contact details, contract data, civil-status information, and IBANs.

