Top 10 Data Breaches of 2025

The year 2025 marked one of the most volatile periods in cybersecurity history, with data breaches reaching unprecedented scale and sophistication across industries. From retail giants and financial platforms to media organizations and critical healthcare networks, attackers exploited vulnerabilities in cloud systems, third-party vendors and aging digital infrastructure to access millions of personal records worldwide. These incidents not only exposed sensitive information but also triggered executive upheavals, regulatory scrutiny, and a renewed urgency for stronger digital resilience. Together, 2025’s largest breaches paint a stark picture of an evolving threat landscape and the growing challenges of safeguarding data in an increasingly interconnected world.

16 Million Passwords Leaked

Date: June 2025

Impact: 16 billion credentials

One of the largest credential-stuffing datasets ever assembled surfaced in June, aggregating stolen credentials from infostealer malware, historical breaches, and widespread password reuse across platforms such as Google, Apple, and Facebook. This was not a single attack but an accumulation of records discovered since the beginning of the year; it still underlines the importance of sound security practices.

Key takeaway: Passwords alone are obsolete. MFA and credential hygiene are mandatory, not optional.

SK Telecom Malware Intrusion

Date: April 2025

Impact: 27 million users

Attackers deployed a stealthy Linux-based RAT (BPFDoor) across 28 servers, exploiting the Berkeley Packet Filter (BPF) mechanism in the Linux kernel to monitor and manipulate network traffic. SIM data, IMSI numbers, and authentication keys were exposed. The breach was believed to be the work of an advanced persistent threat (APT) group, potentially linked to Chinese or North Korean actors, although definitive attribution has not been established.

SK Telecom was fined $96.9M, and the attack was attributed to state-sponsored APT actors.

Key takeaway: Advanced threats exploit low-level visibility gaps – Linux servers and telecom stacks are not exempt.
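The visibility gap the takeaway refers to can be checked directly. The script below is an added defender-side example, not code from the article or from SK Telecom: it lists the processes that hold AF_PACKET sockets, the footprint a BPFDoor-style implant leaves when it attaches a BPF filter to raw traffic instead of opening a listening port. It assumes the documented /proc/net/packet layout and /proc/<pid>/fd symlinks of the form socket:[inode]; the sample input is constructed.

```python
# Added defender-side example, not code from the article or SK Telecom: list processes that hold
# AF_PACKET sockets, the footprint a BPFDoor-style implant leaves when it attaches a BPF filter to raw
# traffic instead of opening a port. Assumes the documented /proc/net/packet layout and socket:[inode] fd links.
import os
import re

SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")
SOCK_TYPES = {"2": "SOCK_DGRAM", "3": "SOCK_RAW"}

def packet_socket_inodes(proc_net_packet):
    """Map each socket inode listed in /proc/net/packet to its socket type."""
    lines = proc_net_packet.strip().splitlines()
    header = lines[0].split()
    type_idx, inode_idx = header.index("Type"), header.index("Inode")
    rows = [line.split() for line in lines[1:]]
    return {int(f[inode_idx]): SOCK_TYPES.get(f[type_idx], "UNKNOWN") for f in rows if len(f) > inode_idx}

def socket_owners(fd_links, inodes):
    """Join {pid: [fd symlink targets]} against packet-socket inodes -> sorted (pid, inode, type)."""
    hits = []
    for pid, targets in fd_links.items():
        for m in filter(None, map(SOCKET_LINK.match, targets)):
            inode = int(m.group(1))
            if inode in inodes:
                hits.append((pid, inode, inodes[inode]))
    return sorted(hits)

def live_fd_links():
    """Read the real /proc/<pid>/fd symlinks; run as root to see every process."""
    links = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            links[int(pid)] = [os.readlink(f"/proc/{pid}/fd/{fd}") for fd in os.listdir(f"/proc/{pid}/fd")]
        except OSError:  # process exited, or not readable without root
            pass
    return links

# Constructed sample: a SOCK_RAW capture socket (suspicious on an app server) and a DHCP-style SOCK_DGRAM one.
SAMPLE_PACKET = """sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff9a10 3      3    0003   2     1 0      0      24680
ffff9a20 2      2    0800   2     1 0      0      13579
"""
SAMPLE_FDS = {4242: ["/dev/null", "socket:[24680]"], 913: ["socket:[13579]"], 1: ["/dev/null"]}

if __name__ == "__main__":
    with open("/proc/net/packet") as f:
        inodes = packet_socket_inodes(f.read())
    for pid, inode, kind in socket_owners(live_fd_links(), inodes):
        print(f"pid {pid} holds packet socket inode {inode} ({kind}); inspect /proc/{pid}/exe")
```

Every hit needs triage rather than alarm: packet-capture tools and DHCP clients legitimately hold such sockets, so compare the owning binary's path and hash against what is expected on that host.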

Red Hat GitLab Repository Breach

Date: October 2025

Impact: 570 GB, 28,000 repositories

Threat group Crimson Collective exfiltrated sensitive data from thousands of internal repositories, exposing credentials, API keys, VPN configurations, and customer infrastructure details tied to major enterprises and government agencies. The attackers claimed to have taken 570 GB of compressed data from over 28,000 repositories, including sensitive Customer Engagement Reports (CERs) affecting approximately 800 organizations worldwide.

Key takeaway: Source control platforms are high-value targets when access isn’t continuously audited.

Qantas Data Breach

Date: June 2025

Impact: 5.7 million records

A third-party Salesforce integration was exploited to access customer personally identifiable information (PII) and frequent flyer data. The attack was claimed by Scattered Lapsus$ Hunters and confirmed after ransom demands went unpaid. The airline was one of more than 40 firms worldwide caught up in the campaign, which was reported to involve up to 1 billion customer records.

Key takeaway: Your third-party stack defines your real attack surface.

Allianz Life Breach

Date: July 2025

Impact: 2.8 million records

Attackers used social engineering to gain access to Salesforce, a cloud-based CRM, then used legitimate Salesforce admin features to export sensitive customer data. The intrusion was contained within 24 hours, but the data had already been taken. The ShinyHunters threat group is notorious for advanced vishing attacks that exploit human error to obtain Salesforce CRM access, bypassing technical defences.

Key takeaway: “Legitimate access” is the most dangerous access when abused.

TransUnion Breach

Date: July 2025

Impact: 4.4 million records

Sensitive personal information belonging to 4.4 million customers, including names and Social Security numbers, was exposed in a data breach at credit bureau TransUnion, believed to be the latest in a string of attacks targeting companies’ Salesforce databases.

Key takeaway: APIs are silent data exfiltration channels when misconfigured.

Farmers Insurance Breach

Date: August 2025

Impact: 1.1 million records

A third-party vendor’s overprivileged Salesforce integration enabled data extraction at scale. Public disclosure was delayed for nearly three months. The third-party vendor had monitoring tools in place, which allowed the vendor to quickly detect the activity and take appropriate containment measures, including blocking the unauthorized actor.

Key takeaway: Vendor access must be treated as internal risk and governed accordingly.

Yale New Haven Health System Breach

Date: March 2025

Impact: 5.5 million patients

Yale New Haven Health System (YNHHS) suffered a massive data breach in March 2025 affecting over 5.5 million individuals, exposing names, Social Security numbers, and health information. The breach stemmed from a misconfigured storage server and led to significant investigations, class-action lawsuits, and, as reported in late 2025, an $18 million settlement for victims.

Key takeaway: Healthcare data is only as secure as the weakest external service.

Blue Shield of California Exposure

Date: April 2025

Impact: 4.7 million records

Blue Shield of California disclosed a major data exposure rather than a traditional hack: misconfigured Google Analytics tools shared protected health information (PHI) of 4.7M members with Google Ads from April 2021 to January 2024. The shared data included names, plan details, claim dates, and “Find a Doctor” searches, but not SSNs or financial data. The exposure raised the prospect of ad targeting based on health data and led to class-action lawsuits, prompting Blue Shield to halt the sharing and notify members.

Key takeaway: Client-side tracking and analytics tools can be breach vectors.

Marks & Spencer Ransomware Attack

Date: April 2025

Impact: £300 million in losses

Marks & Spencer (M&S) suffered a major ransomware attack, attributed to the Scattered Spider/DragonForce group, beginning in April 2025. It crippled online sales for months, emptied some store shelves, cost an estimated £300m in lost revenue, and involved data theft, prompting phishing warnings to customers. Attackers used social engineering via a third-party IT supplier (Tata Consultancy Services) to breach the network, then deployed DragonForce ransomware for double extortion (encryption plus data theft).

Key takeaway: Identity compromise is the gateway to ransomware.

Monitoring Remote Sessions

Security monitoring is crucial for preventing ransomware attacks because it enables early detection, identification of vulnerabilities, anomaly monitoring, data protection, and compliance with regulatory requirements.

RecordTS will record Windows remote sessions reliably and securely for RDS, Citrix and VMware systems. Scalable from small offices with one server to enterprise networks with tens of thousands of desktops and servers, RecordTS integrates seamlessly with the native environment.