
The Biggest Cyber Attacks of 2025




In 2025, the cyber-threat landscape intensified at a pace that few organisations were prepared for. Attackers used AI-driven impersonation, credential-theft campaigns and supply-chain infiltration to break into businesses at scale. High-profile organisations across retail, manufacturing and critical services faced data exposure and weeks of operational disruption. The incidents across 2025 made one thing clear: the consequences are immediate and costly.

The Cyber Landscape in 2025

Several key trends define the cyber-threat environment in 2025:

    • AI-enhanced attacks: Around 16% of reported incidents involved attackers leveraging artificial-intelligence tools, for example deepfake voice or video impersonations of executives, automated credential stuffing or phishing campaigns.
    • State-sponsored & hybrid actors: Nation-state backing continues to fuel large-scale espionage and infrastructure disruption campaigns, often targeting critical national infrastructure, manufacturing supply-chains and services.
    • Business-disabling over data-only attacks: The emphasis shifted from mere data breach headlines to attacks that halt operations, disrupt supply-chains and inflict real economic damage.
    • Ransomware and extortion + data theft: While ransom demands remain common, 2025 saw more incidents where attackers exfiltrated vast troves of records and threatened disclosure even when systems weren’t encrypted.
    • UK-specific threat surge: In the UK, the National Cyber Security Centre (NCSC) reported 204 “nationally significant” cyber-attacks in the year to August 2025, up from 89 the year before.

    “The bar for what constitutes a ‘major cyber attack’ has moved. It’s no longer about whether data was leaked, but about whether the business can function afterwards.”

    Guy Hawkridge, Head of Cyber Security at DTP Group


Marks & Spencer (UK Retailer)

  Background

    In April 2025, UK high-street retailer Marks & Spencer (M&S) suffered a sophisticated cyber incident.

  Attack Method

    The breach was attributed to the hacking group Scattered Spider (also linked to Lapsus$-style activity). Evidence points to social engineering (SIM swapping / phishing) targeting a third-party service provider, enabling ransomware-style disruption of online services.

  Impact

    • Online orders were suspended for ~6 weeks; the “click-and-collect” and contactless systems were disrupted.
    • The prospective cost to M&S was estimated at ~£300 million+ in lost profit or revenue.
    • Customer-data exposure: names, email addresses, order histories and dates of birth were taken, but no usable payment-card details or passwords.

  Response

    M&S immediately engaged cyber security experts, notified the NCSC and began forced password resets for users.

  Lessons Learned

    • Online processes are critical: when they go down, revenue stops and customer trust erodes.
    • Even if payment data is safe, the brand damage and operational loss are extreme.

Co‑operative Group (UK Food & Retail)

  Background

    Shortly after the M&S incident, the Co-op was hit by a cyber attack in April 2025 that disrupted operations at its ~2,300 stores.

  Attack Method

    Attackers used social engineering to gain insider access. The group confirmed that hackers accessed internal systems and member data.

  Impact

    • Stock-ordering systems failed; stores reverted to manual processes, resulting in empty shelves in rural locations.
    • The breach exposed personal details for all 6.5 million Co-op members (names, contact info; no financial data).
    • First-half profit was hit by ~£80 million, with lost revenue of £206 million; the full-year impact is projected at ~£120 million.

  Response

    Co-op shut systems proactively, prioritised “lifeline” stores in rural areas and communicated openly with members and regulators.

  Lessons Learned

    • Operational resilience matters: food retail is mission-critical, especially in remote communities.
    • Member trust is fragile: even without payment-card loss, the theft of personal details matters.
    • Transparent communication helps mitigate reputational fallout.

Jaguar Land Rover (UK Automotive Manufacturer)

  Background

    In August/September 2025, UK car-maker Jaguar Land Rover (JLR) suffered a ransomware attack that halted production at its “smart factories” and affected its extensive supply chain.

  Attack Method

    A hacker group claimed responsibility for the attack, which paused production lines globally and affected suppliers and employees in the UK.

  Impact

    • It is regarded as possibly the costliest cyber incident in UK history, with estimated damage to the UK economy of ~£1.9 billion.
    • Thousands of jobs in the supply chain were at risk; production lines were shut for weeks.

  Response

    A forensic investigation is ongoing; the production restart is phased; government statements note the broader impact on GDP.

  Lessons Learned

    • Cyber risk for manufacturing is not abstract — production lines, physical goods and jobs are at stake.
    • Extending architectural thinking from IT systems to OT/industrial control systems is critical.
    • Supply-chain resilience must include cyber risk as a core component.

Asahi Group Holdings (Global Beverage Manufacturer)

  Background

    In early 2025, Asahi Group Holdings — one of the world’s largest beverage producers — experienced a cyber attack that forced several production facilities across Europe and Asia to halt operations for multiple days.

  Attack Method

    The incident was linked to a highly coordinated ransomware campaign targeting industrial systems. Attackers infiltrated Asahi’s network through a compromised supplier account, enabling lateral movement into operational technology (OT) environments.

  Impact

    • Production stoppages across multiple bottling plants resulted in significant supply shortages in key markets.
    • Logistics and distribution systems were disrupted, delaying shipments to retailers and wholesalers.
    • Asahi reported a material financial impact due to lost production, emergency remediation costs and supply-chain delays.

  Response

    The company isolated affected OT systems, rerouted production to unaffected sites where possible and brought in global cyber security specialists to contain the breach. Public communication emphasised transparency around supply-chain delays.

  Lessons Learned

    • Supply-chain compromise remains one of the most effective routes for penetrating large global organisations.
    • OT/ICS environments are increasingly prime targets for ransomware groups seeking maximum operational leverage.
    • Business continuity plans must account for global, multi-site operational disruptions triggered by cyber incidents.

Qantas Airways (Australia)

  Background

    In June–July 2025, Qantas disclosed a major cyber incident affecting its customer-service systems, traced to a third-party call-centre platform.

  Attack Method

    Attackers gained access via a third-party vendor compromise, likely using social-engineering tactics. Qantas’ core flight-operation systems were not breached.

  Impact

    • 5.7 million customer records were exposed (names, contact details, dates of birth, frequent-flyer numbers).
    • No evidence of stolen passport details, login credentials or payment data.
    • The data later appeared on criminal forums, increasing the phishing risk for customers.
    • No disruption to flight operations, but significant reputational and regulatory impact.

  Response

    Qantas engaged external cyber-forensics teams, notified Australian authorities and contacted affected customers. Support channels and guidance on protective steps were issued.

  Lessons Learned

    • Third-party weak points can compromise millions, even when core systems remain secure.
    • “Non-financial” personal data still carries high fraud and phishing risk.
    • Clear, early communication is essential for customer reassurance and trust recovery.

Emerging Patterns and Lessons for 2026

Having reviewed major incidents, what themes and take-aways emerge that organisations should embed into strategic planning for 2026?

Recurring Themes

  • “Access is enough”: Attackers often don’t need to break deep; gaining valid credentials is sufficient.
  • Business interruption > data leakage: The cost of halted operations now routinely exceeds the cost of data-theft alone.
  • Digital-physical convergence: Manufacturing, retail logistics and supply-chains are now cyber-risk zones.
  • Generative-AI tools accelerate threat actors: Abuse of systems via AI, deepfakes and automated orchestration raises the stakes.

From DTP’s Head of Cyber Security

  • Adopt a zero-trust mindset: Assume internal credentials may be compromised; apply least-privilege, monitor lateral movement and enforce MFA everywhere.
  • Strengthen third-party risk management: Map critical dependencies, enforce security standards with vendors and perform audits of SaaS and supply-chain access.
  • Embed cyber-resilience in business continuity plans: Plan not just for data-loss, but for systems-downtime, manual operations and supplier disruption.
  • Elevate OT/ICS security: If your operations touch manufacturing, supply-chain, retail or logistics, include OT/ICS in risk assessments and incident-planning.
  • Prepare for AI-amplified threats: Train staff to recognise deepfake, social-engineering and AI-augmented phishing, and architect defences accordingly.
  • Clear incident response and communication strategy: The speed of response and clarity with customers, supply-chain partners and regulators materially influences reputational impact.
