
A deep dive into 2025's most devastating cyberattacks as per Tokio Marine HCC International



Prayukth K V

5 February 2026

The cyber threat landscape of 2025 was marked by several major cyber events that dominated the headlines. These events were shaped by a perfect storm of ransomware sophistication, supply chain vulnerabilities, and infrastructure concentration risks. Tokio Marine HCC International (TMHCCI) has compiled a list of the top 10 most devastating cyber events of 2025. Some of these attacks are still impacting businesses around the world, and their full consequences are yet to play out.

Top 10 cyber incidents of 2025

Marks and Spencer ransomware incident (United Kingdom)

Impact: £300 million in operating profit losses

Vector: Ransomware

What happened: One of the UK's largest and most well-known retailers suffered a devastating ransomware attack that paralyzed operations and triggered a domino effect across the retail sector. The attack didn't occur in isolation: other major UK retailers, including Co-op and Harrods, experienced concurrent cyber incidents. This points to either a coordinated campaign or copycat attacks targeting similar vulnerabilities in the retail ecosystem.

Key concern: The sector-wide impact demonstrates the vulnerability of retail infrastructure, particularly during peak shopping periods when the financial stakes are highest. More importantly, it also demonstrates how a large enterprise could be paralyzed in a single coordinated attack. This has repercussions well beyond the ambit of IT, UK or the retail sector.

Jaguar Land Rover Ransomware attack (United Kingdom)

Impact: £1.9 billion in financial losses

Attack Vector: Ransomware leading to production shutdown

What happened: This attack has been classified as the most economically damaging cyber incident ever to hit the UK. The ransomware forced a complete shutdown of vehicle production lines, effectively halting one of Britain's premier automotive manufacturers. The staggering financial impact highlights not just immediate operational disruption, but also supply chain ripple effects, lost sales, customer compensation, and reputational damage.

Key concern: The automotive industry's increasing digitization and interconnected manufacturing systems create a large set of single points of failure. When production stops, the financial haemorrhaging is almost immediate and severe, and the disruption propagates both upstream and downstream across tightly integrated supply chains.

Amazon Web Services, Azure, and Cloudflare outages (Global)

Impact: Global service disruptions

Attack vector: Cloud infrastructure failures/attacks

What happened: A series of major outages across the world's leading cloud service providers brought to the fore the fragility of modern digital infrastructure. These cascading failures affected countless SaaS organizations and customer-facing platforms worldwide, demonstrating how concentration in cloud services has created systemic risk on an unprecedented scale.

Key concern: This isn't about individual company resilience anymore. Instead, it is about the structural vulnerability of the internet as a platform itself. When AWS, Azure, or Cloudflare go down, significant portions of the global digital economy grind to a halt, affecting economies, livelihoods and global productivity.

Salesforce/Drift OAuth large-scale data breach (Global)

Impact: Millions of customer records exposed

Attack Vector: Compromised OAuth tokens

What Happened: Attackers exploited compromised OAuth authentication tokens to infiltrate hundreds of Salesforce customer environments. The breach exposed sensitive customer records, contact details, and account information affecting millions of individuals across multiple organizations simultaneously.

Key Concern: OAuth token compromise represents a sophisticated attack vector that bypasses traditional security measures. When authentication mechanisms themselves are weaponized, the trust foundation of modern cloud applications crumbles.

npm Ecosystem Supply-Chain Attack (Global)

Impact: Widespread credential theft risk across development environments

Attack vector: Supply chain compromise of JavaScript packages

What happened: Attackers compromised widely-used JavaScript packages in the npm repository, one of the world's largest software registries. This exposed countless developers' and organizations' environments to credential theft, malicious code injection, and potential backdoor access.

Key concern: Supply chain attacks targeting developer tools and packages are particularly insidious because they propagate malicious code to thousands of downstream applications automatically. The npm ecosystem's size and ubiquity make it an attractive target with exponential impact potential.

Oracle Corporation Cloud Platform alleged supply-chain breach (Global)

Impact: Over 140,000 tenants affected, approximately 6 million records exfiltrated

Attack vector: Data breach via login endpoint exploitation

What happened: Threat actors allegedly breached Oracle's cloud platform through a vulnerability in the login endpoint, gaining access to tenant environments and exfiltrating massive volumes of sensitive data. The scale—affecting over 140,000 tenants—demonstrates how cloud service provider breaches can have multiplicative effects across their entire customer base.

Key concern: Cloud service providers are high-value targets precisely because they're force multipliers. Compromising one cloud platform provides access to thousands of organizations simultaneously.

APT Group used Claude AI for AI-Orchestrated cyberattacks (Global)

Impact: approximately 30 global organizations targeted

Attack vector: First known large-scale AI-orchestrated cyberattack

What happened: A state-sponsored advanced persistent threat (APT) group leveraged Claude AI to conduct a largely automated cyberattack campaign, with 80-90% of attack activities being AI-driven. This represents a paradigm shift in cyber warfare and the weaponization of artificial intelligence for autonomous attack operations at scale.

Key concern: This incident marks a terrifying inflection point: AI is no longer just a defensive tool or theoretical threat. It's being actively weaponized by sophisticated adversaries. The automation and scale potential of AI-driven attacks could overwhelm traditional defense mechanisms.

SK Telecom Data Breach (South Korea)

Impact: 27 million users' data exposed

Attack Vector: Long-term unauthorized access (undetected since June 2022)

What Happened: SK Telecom, one of South Korea's largest telecommunications providers, discovered a breach that exposed the personal data of nearly 27 million users—a staggering number representing a significant portion of South Korea's population. The breach created widespread risks of SIM-cloning and identity theft. Most alarmingly, attackers maintained undetected access for nearly two years (since June 2022), demonstrating sophisticated persistence techniques and inadequate security monitoring.

Key Concern: The two-year dwell time is catastrophic. This extended unauthorized access allowed attackers to potentially exfiltrate data repeatedly, understand network architecture intimately, and establish multiple backdoors. In telecommunications, where subscriber data includes location information, communications metadata, and authentication credentials, the national security implications are severe.

Kering Group Cyberattack (Global)

Impact: Millions of customer records exposed across luxury brands

Attack vector: Unauthorized access to internal systems

Attack target: Luxury fashion conglomerate (Gucci, Balenciaga, Alexander McQueen)

What happened: An unauthorized third party gained temporary access to Kering Group's internal systems, compromising personal information of millions of customers across their portfolio of prestigious luxury brands. The breach affected some of the world's most recognizable fashion houses.

Key concern: Luxury brands hold particularly sensitive customer data, including high-net-worth individuals' purchasing patterns, personal preferences, and payment information. This makes them attractive targets for both financial fraud and espionage operations targeting wealthy clientele.

Asahi Group Holdings Cyberattack (Japan)

Impact: Widespread operational disruption, suspended systems, halted orders and shipments

Attack Vector: Cyberattack forcing system suspension

What Happened: Japanese beverage giant Asahi Group Holdings suffered a cyberattack that forced the company to suspend key operational systems across Japan. The attack caused widespread disruption to order processing and shipment operations, effectively paralyzing their supply chain and distribution networks.

Key concern: Attacks on operational technology (OT) and business-critical systems in manufacturing and distribution are increasingly common. The just-in-time nature of modern supply chains means even brief disruptions cascade rapidly through the entire value chain, from production to retail.

Patterns and Trends: What the Data Reveals

Ransomware remains the major driver of disruption

Three of the top 10 incidents (Marks & Spencer, Jaguar Land Rover, and likely Asahi Group Holdings) involved ransomware attacks. The financial impacts range from hundreds of millions to nearly £2 billion for a single incident. Ransomware has evolved from opportunistic attacks on small businesses to strategic operations targeting critical infrastructure and major corporations.

Trend: Ransomware groups are becoming more selective, targeting organizations where operational disruption has catastrophic financial consequences—automotive manufacturing, retail during peak seasons, and supply chain operations.

Supply chain attacks are force multipliers

Four incidents (npm ecosystem, Oracle Cloud, Salesforce/Drift OAuth, and AWS/Azure/Cloudflare outages) demonstrate how compromising shared infrastructure or widely-used services creates exponential impact. Attack one platform; compromise thousands of organizations.

Trend: Adversaries increasingly target the software supply chain, authentication infrastructure, and cloud service providers because these attacks scale effortlessly. The npm attack alone potentially affected millions of applications worldwide.

Cloud concentration creates systemic risk

The AWS/Azure/Cloudflare outages and Oracle Cloud breach expose a fundamental vulnerability in modern digital infrastructure: excessive concentration in a handful of cloud providers creates single points of failure with global consequences.

Trend: As organizations migrate to cloud-first strategies, the cyber resilience of the entire global economy becomes dependent on the security of approximately five major cloud providers. This concentration risk is unprecedented.

The AI weaponization Inflection Point

The Claude AI-orchestrated attack represents a watershed moment. For the first time, we have documented evidence of AI being weaponized for large-scale, automated cyberattacks by state-sponsored actors.

Trend: AI-driven attacks will accelerate dramatically. The 80-90% automation rate in this campaign suggests attackers can now operate at scales previously impossible. Defense mechanisms designed for human-speed attacks may be inadequate against AI-driven operations.

Extended dwell times indicate detection challenges

The SK Telecom breach went undetected for nearly two years. This isn't an anomaly. Instead it's becoming the norm. Sophisticated attackers prioritize stealth over speed, maintaining persistent access to maximize data exfiltration and understand target environments thoroughly.

Trend: Many organizations are fighting yesterday's battles. Detection capabilities remain woefully inadequate against patient, sophisticated adversaries employing coordinated living-off-the-land techniques and legitimate credentials.

Asia's growing vulnerability

Two Asian incidents (SK Telecom and Asahi Group Holdings) made the global top 10, signalling that Asia is no longer a secondary target for threat actors. With rapid digitalization, massive user bases, and often nascent cybersecurity maturity, Asian organizations represent high-value, lower-resistance targets.

Trend: As Western organizations harden defenses, attackers are pivoting to Asia-Pacific targets where digital transformation has outpaced security capabilities. The SK Telecom incident's 27 million affected users demonstrates the scale of potential impact.

Operational Technology (OT) and business systems are primary targets

The Jaguar Land Rover and Asahi Group attacks specifically targeted operational systems (manufacturing lines and distribution networks) rather than just stealing data. When operations stop, the financial impact is immediate and severe.

Trend: Attackers understand that in many industries, operational disruption is more devastating than data theft. Expect continued focus on OT environments, industrial control systems, and business-critical applications.

OAuth and authentication infrastructure as attack vectors

The Salesforce/Drift breach exploited OAuth tokens, demonstrating how authentication mechanisms themselves have become high-value targets. Compromise authentication; bypass all other security controls.

Trend: As zero-trust architectures proliferate, attackers are adapting by targeting identity and access management infrastructure directly. Legitimate credentials and tokens are more valuable than malware because they enable invisible, authorized access.

Security challenges exposed

Catastrophic monitoring and detection failures

The SK Telecom breach's two-year dwell time is inexcusable for an organization of that scale and criticality. This reveals:

  • Inadequate Security Information and Event Management (SIEM): Basic anomaly detection should have flagged unauthorized access patterns within days, not years.

  • Lack of behavioural analytics: User and entity behavior analytics (UEBA) systems, if properly implemented, would have identified abnormal access patterns.

  • Insufficient threat hunting: Proactive threat hunting programs would have discovered indicators of compromise (IOCs) during regular sweeps.

  • Lack of mechanisms to detect insider threats: Access by legitimate accounts is rarely scrutinized, so misuse of valid credentials goes unnoticed.

Fundamental problem: Organizations are drowning in security alerts but starving for actionable intelligence. Alert fatigue and understaffed security operations centers (SOCs) mean critical signals are lost in noise.

Supply chain trust assumptions

The npm ecosystem and Oracle Cloud breaches expose a dangerous assumption: that widely-used platforms and packages are inherently trustworthy.

  • No verification: Organizations automatically pull npm packages and trust cloud provider security without independent verification.

  • Transitive trust exploitation: Attackers understand that compromising a trusted component provides automatic access downstream.

  • Limited vendor security visibility: Organizations have minimal insight into their vendors' security postures and practices.

Fundamental issue: The software supply chain operates on implicit trust at scale. There's no practical way for organizations to audit every dependency, creating exploitable blind spots.

Single points of failure in cloud architecture

The AWS/Azure/Cloudflare outages demonstrate fundamental architectural failures:

  • Over-reliance on single providers: Multi-cloud strategies exist more in PowerPoint presentations than production environments.

  • No Meaningful Redundancy: True geographic and provider redundancy is expensive and complex, so organizations skip it.

  • Cascading Failure Mechanisms: Dependencies between cloud services create domino effects where one failure triggers others.

Fundamental issue: Cloud migration prioritized speed and cost over resilience. The economic benefits of cloud concentration (economies of scale, simplified management) create systemic risk that no single organization can mitigate alone.

Inadequate ransomware resilience

Despite years of ransomware evolution, the Marks & Spencer and Jaguar Land Rover incidents demonstrate continued failures:

  • Insufficient Backup Strategies: Backups are either non-existent, accessible to attackers, or untested for rapid restoration.

  • Lack of Network Segmentation: Ransomware spreads laterally across flat networks, encrypting everything simultaneously.

  • No Operational Resilience Planning: Organizations have no viable plans to maintain critical operations during extended IT outages.

Fundamental Problem: Ransomware defense has focused on prevention (which fails) rather than resilience (the ability to continue operations despite compromise). When prevention fails, organizations are paralyzed.

Authentication and Access Control Weaknesses

The Salesforce/Drift OAuth breach and Oracle login endpoint exploitation reveal persistent identity and access management (IAM) failures:

  • Weak Multi-Factor Authentication (MFA) implementation: OAuth tokens can often bypass MFA after initial authentication.

  • Excessive privilege persistence: Compromised credentials maintain access far longer than necessary.

  • Token management failures: OAuth tokens lack adequate monitoring, rotation, and revocation mechanisms.

Fundamental issue: Authentication has become the new perimeter, but organizations apply old perimeter-thinking to identity. Static, long-lived credentials and tokens create persistent attack surfaces.

OT/IT convergence security gaps

The Jaguar Land Rover manufacturing shutdown and Asahi operational disruptions expose operational technology vulnerabilities:

  • Legacy OT systems: Industrial control systems were designed for reliability and safety, not security, and often can't be easily patched.

  • IT/OT network bridging: Connections between corporate IT and operational technology networks create attack paths but receive insufficient security attention.

  • Lack of OT security expertise: Organizations have IT security teams but few with specialized OT security knowledge.

Fundamental Problem: Digital transformation connects everything to everything, but security teams lack the tools, visibility, and expertise to protect converged IT/OT environments.

Inadequate Third-Party Risk Management

The Kering Group breach and Oracle Cloud incident highlight third-party risk management failures:

  • Limited vendor security assessment: Organizations conduct point-in-time assessments but lack continuous vendor security monitoring.

  • Contractual security theater: Vendor contracts include security requirements, but enforcement and verification are minimal.

  • Shared responsibility challenge: In cloud environments, the division of security responsibilities between provider and customer remains unclear and poorly managed.

Fundamental issue: Organizations outsource operations but can't outsource accountability. Yet they lack mechanisms to truly verify and enforce third-party security standards.

The AI security gap

The Claude AI-orchestrated attack exposes that we're entering an AI arms race utterly unprepared:

  • AI-Driven Defense Immaturity: AI/ML-based security tools exist but aren't mature enough to counter AI-driven attacks.

  • Speed Mismatch: Human-driven security operations cannot match the speed and scale of AI-automated attacks.

  • Lack of AI Attack Detection Capabilities: Current security tools aren't designed to identify and attribute AI-orchestrated attack patterns.

Fundamental Problem: Defensive cybersecurity is still fundamentally human-driven, while offensive operations are becoming AI-augmented. This creates an asymmetry that favors attackers.

Lessons and recommendations

For organizations

Assume breach, build resilience and invest in calibrated incident response

  • Shift mindset: Prevention-focused security is necessary but insufficient. Assume attackers will penetrate defenses and build resilience accordingly.

  • Actionable steps:

    • Implement comprehensive backup and disaster recovery with offline, immutable backups

    • Conduct regular tabletop exercises simulating ransomware and supply chain compromise scenarios

    • Develop and test business continuity plans that assume extended IT system unavailability

    • Establish crisis communication protocols for cyber incidents

Aggressive threat hunting and detection investment

  • Address Dwell Time: The SK Telecom two-year dwell time is unacceptable. Organizations must invest heavily in detection.

  • Actionable Steps:

    • Deploy behavioral analytics (UEBA) to identify anomalous access patterns

    • Establish 24/7 security operations centers (SOCs) with threat hunting capabilities

    • Implement deception technologies (honeytokens, honeynets) to detect lateral movement

    • Automate threat intelligence integration into SIEM platforms

    • Conduct quarterly purple team exercises (red team attacking, blue team defending, with collaboration)
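The monitoring failures listed under "Catastrophic monitoring and detection failures" and the behavioural analytics (UEBA) step above both come down to one mechanism: learn what normal access looks like for each account, then flag logins that deviate from it. The script below is an added example written for this page; it is not code from Tokio Marine HCC International or Shieldworkz. The log lines, user names and IP addresses are constructed, and two simplifications are deliberate: a source "network" is approximated by the first two octets of the IP address, and normal hours are the observed hour range widened by one hour on each side.

```python
"""Baseline-and-deviation detection over authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> <user> <source IP> <outcome>".
# TRAINING_LOGS is the history the analytics engine has already seen;
# LIVE_LOGS is what it is scoring now. Nothing here is from a real incident.
TRAINING_LOGS = [
    "2025-03-01T08:12:03 alice 10.20.4.17 success",
    "2025-03-01T17:45:10 alice 10.20.4.17 success",
    "2025-03-02T09:02:41 alice 10.20.5.2 success",
    "2025-03-02T18:20:00 alice 10.20.4.17 success",
    "2025-03-03T08:30:12 alice 10.20.4.18 success",
    "2025-03-01T02:00:05 svc-backup 10.30.1.5 success",
    "2025-03-02T02:00:04 svc-backup 10.30.1.5 success",
    "2025-03-03T02:00:06 svc-backup 10.30.1.5 success",
]
LIVE_LOGS = [
    "2025-03-04T09:05:22 alice 10.20.4.17 success",         # normal
    "2025-03-04T03:11:48 alice 203.0.113.44 success",       # new network, off hours
    "2025-03-04T02:00:05 svc-backup 10.30.1.5 success",     # normal nightly job
    "2025-03-04T14:22:10 svc-backup 198.51.100.7 success",  # service account used oddly
    "2025-03-04T11:40:00 mallory 10.20.9.9 success",        # account with no history
]


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, user, ip, outcome = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "outcome": outcome}


def network_key(ip):
    """Coarse source identity: the first two octets (a /16 approximation).
    Simplification for this example; production analytics would use ASN or GeoIP."""
    return ".".join(ip.split(".")[:2])


def build_baseline(lines):
    """Per user: the set of networks seen and the hour-of-day window of successful logins."""
    nets = defaultdict(set)
    hours = defaultdict(set)
    for line in lines:
        ev = parse_line(line)
        if ev["outcome"] != "success":
            continue  # failed attempts do not define what "normal" looks like
        nets[ev["user"]].add(network_key(ev["ip"]))
        hours[ev["user"]].add(ev["ts"].hour)
    # The window is widened by one hour on each side to tolerate ordinary drift.
    return {u: {"nets": nets[u], "hours": (min(hours[u]) - 1, max(hours[u]) + 1)} for u in nets}


def score_event(ev, baseline):
    """Return the list of deviations from the user's baseline (empty list means normal)."""
    profile = baseline.get(ev["user"])
    if profile is None:
        return ["no_baseline"]  # never-seen account: worth a look by itself
    reasons = []
    if network_key(ev["ip"]) not in profile["nets"]:
        reasons.append("new_network")
    lo, hi = profile["hours"]
    if not lo <= ev["ts"].hour <= hi:
        reasons.append("off_hours")
    return reasons


def detect(training_lines, live_lines):
    """Score every live line against the baseline; return (line, reasons) for flagged events."""
    baseline = build_baseline(training_lines)
    findings = []
    for line in live_lines:
        reasons = score_event(parse_line(line), baseline)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in detect(TRAINING_LOGS, LIVE_LOGS):
        print(f"ALERT {line}  <- {', '.join(reasons)}")
```

Run as-is, the script flags three of the five live events: the interactive user appearing from an unfamiliar network at 03:11, the backup service account logging in from an unfamiliar network in the afternoon, and an account with no history at all. The point is not the specific heuristics but the shape: a baseline that is learned per account rather than a static rule, so that a service account's 02:00 login is normal while the same login for a desk user is not.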

Zero Trust architecture implementation

  • Move beyond perimeter defense: The authentication breaches demonstrate that network perimeters are meaningless.

  • Actionable steps:

    • Implement microsegmentation to limit lateral movement

    • Require continuous authentication and authorization for all access requests

    • Apply least privilege access rigorously across all systems

    • Deploy privileged access management (PAM) solutions

    • Implement just-in-time access provisioning with automatic revocation
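The "Authentication and Access Control Weaknesses" section above names static, long-lived tokens with no rotation or revocation as the core IAM failure, and the last step in this list asks for automatic revocation. The following Python program is an added example written for this page, not code from Tokio Marine HCC International, Shieldworkz, Salesforce or any OAuth library. It implements the minimal issuer-side controls that make a stolen token a short-lived problem: a signed token that carries an expiry, a unique token id, and a deny list checked on every validation. The signing key, subjects, scopes and timestamps are constructed; the token format (base64url JSON plus an HMAC-SHA256 tag) is a simplified stand-in for a real OAuth access token, and an in-memory set stands in for the revocation store.

```python
"""Short-lived, revocable bearer tokens (added example)."""
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed key for the example; a real issuer keeps this in a KMS or HSM.
SIGNING_KEY = secrets.token_bytes(32)
DEFAULT_TTL_SECONDS = 900  # 15 minutes: long enough to work, short enough to limit theft


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, scopes, ttl=DEFAULT_TTL_SECONDS, now=None, key=SIGNING_KEY):
    """Mint a token bound to a subject and scope list, expiring after ttl seconds."""
    now = int(time.time()) if now is None else int(now)
    payload = {
        "sub": subject,
        "scope": scopes,
        "iat": now,
        "exp": now + ttl,
        "jti": secrets.token_hex(8),  # unique id so one token can be revoked on its own
    }
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return f"{_b64(body)}.{_b64(tag)}"


def validate_token(token, revoked, now=None, key=SIGNING_KEY):
    """Return (accepted, reason, payload). Every check runs on every call,
    so revocation takes effect immediately rather than at the next refresh."""
    now = int(time.time()) if now is None else int(now)
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:
        return False, "malformed", None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return False, "bad_signature", None
    payload = json.loads(body)
    if now >= payload["exp"]:
        return False, "expired", payload
    if payload["jti"] in revoked:
        return False, "revoked", payload
    return True, "ok", payload


def revoke_token(token, revoked):
    """Add the token's id to the deny list; the token is rejected from this moment on."""
    body = _unb64(token.split(".")[0])
    revoked.add(json.loads(body)["jti"])


def compare_lifetimes(now=1_700_000_000):
    """Why TTL matters: a token stolen at `now` and replayed 30 days later."""
    revoked = set()
    long_lived = issue_token("alice", ["crm.read"], ttl=365 * 24 * 3600, now=now)
    short_lived = issue_token("alice", ["crm.read"], ttl=DEFAULT_TTL_SECONDS, now=now)
    later = now + 30 * 24 * 3600
    return {
        "long_lived_after_30_days": validate_token(long_lived, revoked, now=later)[1],
        "short_lived_after_30_days": validate_token(short_lived, revoked, now=later)[1],
    }


if __name__ == "__main__":
    print(compare_lifetimes())
    revoked = set()
    tok = issue_token("alice", ["crm.read"])
    print(validate_token(tok, revoked)[1])  # ok
    revoke_token(tok, revoked)
    print(validate_token(tok, revoked)[1])  # revoked
```

Two design choices carry the security value. First, the expiry is inside the signed payload, so a holder cannot extend it, and the validator compares against the current time on every request rather than trusting a cached decision. Second, the `jti` gives each token an identity independent of the user, so one compromised token can be cut off without locking out the account; in a real deployment the deny list would live in a shared store with the same TTL as the longest token, after which expiry makes the entry unnecessary.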

Supply chain security overhaul

  • Trust nothing: Assume all third-party components are potentially compromised.

  • Actionable steps:

    • Implement Software Bill of Materials (SBOM) for all applications

    • Use software composition analysis (SCA) tools to identify vulnerable dependencies

    • Establish vendor security assessment programs with continuous monitoring

    • Create isolated environments for testing third-party components before production deployment

    • Develop vendor incident response coordination plans
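The "No verification" point under "Supply chain trust assumptions" (packages pulled automatically without independent checks) and the SBOM and SCA steps above describe the same control from two sides: enumerate what is actually installed, then check each entry against what is known and what is permitted. The script below is an added example written for this page, not code from Tokio Marine HCC International, Shieldworkz or the npm project. It reads an npm `package-lock.json` (lockfile version 2 or 3, whose `packages` map keys installed paths to version, resolved URL and integrity hash), emits a minimal SBOM, and flags three things a composition check should catch: a version listed in an advisory, an entry with no integrity hash, and a tarball resolved from a host outside the approved registry. The lockfile, package names, advisory and registry hosts are all constructed; exact-version matching stands in for the semver range matching a real SCA tool would do.

```python
"""Lockfile to SBOM to advisory check (added example)."""
import json
from urllib.parse import urlparse

# Constructed package-lock.json (lockfileVersion 3 layout). Hash values are placeholders.
LOCKFILE_JSON = """
{
  "name": "example-app",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0",
         "dependencies": {"left-pad-ish": "^1.3.0", "colors-ish": "^2.0.0", "dep-no-hash": "^0.9.0"}},
    "node_modules/left-pad-ish": {
      "version": "1.3.0",
      "resolved": "https://registry.example/left-pad-ish/-/left-pad-ish-1.3.0.tgz",
      "integrity": "sha512-CONSTRUCTEDHASH0"
    },
    "node_modules/colors-ish": {
      "version": "2.0.1",
      "resolved": "https://registry.example/colors-ish/-/colors-ish-2.0.1.tgz",
      "integrity": "sha512-CONSTRUCTEDHASH1"
    },
    "node_modules/dep-no-hash": {
      "version": "0.9.0",
      "resolved": "https://registry.example/dep-no-hash/-/dep-no-hash-0.9.0.tgz"
    },
    "node_modules/left-pad-ish/node_modules/nested-thing": {
      "version": "3.1.0",
      "resolved": "https://mirror.example/nested-thing-3.1.0.tgz",
      "integrity": "sha512-CONSTRUCTEDHASH2"
    }
  }
}
"""

# Constructed advisory feed; a real check would consult a vulnerability database.
ADVISORIES = [
    {"name": "colors-ish", "affected_versions": ["2.0.0", "2.0.1"],
     "summary": "constructed advisory: malicious code in published tarball"},
]

# Constructed allowlist of registries this organisation permits.
APPROVED_REGISTRY_HOSTS = {"registry.example"}


def package_name_from_path(path):
    """'node_modules/a/node_modules/b' -> 'b'; scoped packages keep '@scope/name'."""
    return path.rsplit("node_modules/", 1)[1]


def sbom_from_lockfile(lock):
    """Flatten the lockfile's packages map into a sorted list of installed components."""
    if lock.get("lockfileVersion", 0) < 2:
        raise ValueError("this example handles lockfileVersion 2 or 3 (the 'packages' map)")
    entries = []
    for path, meta in lock["packages"].items():
        if path == "":
            continue  # the root project itself, not a dependency
        entries.append({
            "name": package_name_from_path(path),
            "version": meta.get("version"),
            "resolved": meta.get("resolved"),
            "integrity": meta.get("integrity"),
        })
    return sorted(entries, key=lambda e: (e["name"], e["version"] or ""))


def find_issues(sbom, advisories=ADVISORIES, approved_hosts=APPROVED_REGISTRY_HOSTS):
    """Check every SBOM entry for known-bad versions, unverified content and unapproved sources."""
    by_name = {a["name"]: a for a in advisories}
    issues = []
    for e in sbom:
        adv = by_name.get(e["name"])
        if adv and e["version"] in adv["affected_versions"]:
            issues.append({**e, "issue": "vulnerable", "detail": adv["summary"]})
        if not e["integrity"]:
            issues.append({**e, "issue": "missing_integrity",
                           "detail": "no integrity hash; tarball contents cannot be verified"})
        host = urlparse(e["resolved"]).hostname if e["resolved"] else None
        if host not in approved_hosts:
            issues.append({**e, "issue": "unapproved_source",
                           "detail": f"resolved from {host!r}, not an approved registry"})
    return issues


def audit_lockfile(text, advisories=ADVISORIES, approved_hosts=APPROVED_REGISTRY_HOSTS):
    """Convenience entry point: lockfile text in, list of issues out."""
    return find_issues(sbom_from_lockfile(json.loads(text)), advisories, approved_hosts)


if __name__ == "__main__":
    for issue in audit_lockfile(LOCKFILE_JSON):
        print(f"{issue['issue']:18} {issue['name']}@{issue['version']}: {issue['detail']}")
```

The nested dependency is the instructive case: it is not in the root project's own dependency list at all, which is exactly the transitive-trust blind spot the post describes, yet it still appears in the lockfile and so in the SBOM. Wiring a check like this into CI, so that a lockfile change fails the build on any of these three findings, is a practical form of the "trust nothing" stance.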

Cloud resilience strategy

  • Reduce Concentration Risk: Multi-cloud isn't just about negotiation leverage; it's about survival.

  • Actionable Steps:

    • Architect critical applications for multi-cloud deployment

    • Implement geographic redundancy across different cloud providers

    • Develop cloud-agnostic deployment strategies using containers and orchestration

    • Establish automated failover mechanisms between cloud providers

    • Regularly test cross-cloud disaster recovery procedures

OT security modernization

  • Protect Operational Technology: Manufacturing and distribution disruptions have catastrophic financial impacts.

  • Actionable steps:

    • Conduct comprehensive OT asset inventories

    • Implement network segmentation between IT and OT environments with strict access controls

    • Raise OT security awareness across the whole organization, not just the security team

    • Deploy OT-specific security monitoring tools

    • Develop OT incident response playbooks

    • Train security teams on OT-specific threats and technologies

AI defense preparation

  • Prepare for AI-driven threats: The Claude AI attack is a harbinger of what's coming.

  • Actionable steps:

    • Invest in AI-powered security analytics platforms

    • Develop automated response capabilities to match attack automation

    • Establish AI ethics and security governance frameworks

    • Train security teams on AI/ML attack techniques

    • Participate in information sharing initiatives focused on AI-driven threats

For the Industry

Information sharing imperative

The days of treating breaches as competitive secrets must end. Industry-wide threat intelligence sharing is essential:

  • Expand participation in Information Sharing and Analysis Centers (ISACs)

  • Develop sector-specific threat intelligence consortiums

  • Create protected legal frameworks for breach information sharing

  • Establish rapid alert mechanisms for zero-day exploits and active campaigns

Cloud provider accountability

The Oracle and AWS/Azure/Cloudflare incidents demonstrate that cloud providers must be held to higher standards:

  • Demand transparent security incident reporting from cloud providers

  • Establish industry-wide cloud security baseline requirements

  • Create third-party audit and certification programs for cloud providers

  • Develop customer rights to security visibility and control in cloud environments

Supply chain security standards

The npm ecosystem attack shows we need fundamental changes in how software supply chains operate:

  • Implement mandatory SBOM requirements for all software

  • Develop cryptographic signing and verification for all code repositories

  • Establish vulnerability disclosure and patching timelines for open source projects

  • Create incentive structures for security audits of widely-used packages

AI governance frameworks

The AI-orchestrated attack demands immediate attention to AI security governance:

  • Develop international frameworks for responsible AI development and deployment

  • Establish AI security testing and certification programs

  • Create attribution mechanisms for AI-driven attacks

  • Build cooperative AI defense research initiatives

For policymakers and regulators

Critical infrastructure cybersecurity mandates

Incidents affecting telecommunications (SK Telecom), cloud infrastructure, and manufacturing demonstrate the need for regulation:

  • Mandate minimum cybersecurity standards for critical infrastructure operators

  • Require independent security audits and public reporting

  • Establish incident response time requirements

  • Create financial penalties for negligent security practices

Breach notification requirements

The two-year SK Telecom dwell time suggests detection failures must have consequences:

  • Mandate rapid breach disclosure to affected individuals and regulators

  • Require public reporting of dwell time and detection mechanisms

  • Establish timelines for notification (e.g., 72 hours from detection)

  • Create liability frameworks for delayed disclosure

Cloud and platform regulation

The systemic risk from cloud concentration requires regulatory attention:

  • Develop oversight frameworks for systemically important cloud providers

  • Mandate resilience and redundancy requirements

  • Require transparent security incident reporting

  • Establish customer data protection and access standards

International cooperation

State-sponsored attacks like the AI-orchestrated campaign require coordinated responses:

  • Strengthen international cyber norms and attribution mechanisms

  • Develop cooperative frameworks for countering APT groups

  • Create information sharing agreements between governments

  • Establish consequences for state-sponsored cyber operations

The 2025 cyber incident landscape has painted a sobering picture. Attacks are more sophisticated, more damaging, and more systemic than ever before. The inclusion of two Asian incidents in the global top 10 demonstrates that no region is safe, and the weaponization of AI represents a fundamental shift in the threat landscape.

The financial impacts, ranging from £300 million at Marks & Spencer to £1.9 billion at Jaguar Land Rover, clearly demonstrate that cybersecurity is no longer just an IT concern. It's an existential business risk that demands board-level attention, substantial investment, and fundamental changes in how organizations approach security.

The threats are evolving at machine speed. Our defenses must evolve faster.
