North America
Salesforce ecosystem
In one of the most significant cyberthreats of 2025, the Salesforce ecosystem was targeted in a sweeping third-party data breach, sending shockwaves across industries worldwide. The breach exposed more than 1 billion records across dozens of global enterprises. The campaign unfolded in multiple stages, deliberately targeting the weakest links in the ecosystem: human users and third-party integrations.
Crucially, this was not a direct breach of Salesforce’s core infrastructure. Instead, cybercriminals exploited human error and trusted third-party access to compromise individual customer Salesforce instances. The attack followed a clear, repeatable pattern:
- First, attackers used social engineering and voice phishing (vishing) to impersonate IT staff and trick employees into granting access.
- Next, victims were misled into authorizing malicious Connected Apps — such as fake versions of Salesforce Data Loader — or exposing OAuth tokens tied to legitimate tools like Salesloft, Drift and Gainsight. These tokens gave attackers persistent application programming interface (API) access and often bypassed multifactor authentication (MFA).
- Finally, attackers used Salesforce APIs to export large volumes of data, hunting for credentials, account records and sensitive personal information.
The attack’s impact was extensive. Affected organizations included aviation companies such as Air France–KLM, Qantas and Vietnam Airlines, retail brands like IKEA, Adidas and Chanel, and other major corporations, including Google, TransUnion, Toyota and Disney.
The breach was claimed by a hacker group known as Scattered LAPSUS$ Hunters, which launched a dark website to publish samples of stolen data. The group threatened Salesforce and its customers with further data releases unless ransom payments were made. Salesforce publicly refused to comply with any ransom demands, drawing a clear line against extortion.
What we learned
This incident made it clear that even robust security platforms can be compromised when attackers exploit weak links, such as user error and trusted third-party integrations. Rather than attacking Salesforce directly, cybercriminals targeted individuals and permissions already within the ecosystem.
It also highlighted how AI-driven social engineering is raising the bar for cybercrime. By using AI to craft more convincing messages and impersonations, cybercriminals can easily trick users into granting access or approving malicious actions. This makes it critical for organizations to strengthen user awareness and closely monitor third-party access, connected apps and data permissions.
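As an added example (not code from the original report), here is a check a defender could run over connected-app API activity that covers both the export stage of the attack chain above and the advice to monitor connected apps and data permissions; the log fields, app names and thresholds are constructed assumptions, not Salesforce's real event schema.

```python
"""Flag connected-app API activity matching the token-abuse / bulk-export pattern.

Constructed example: the records below are a simplified stand-in for
Salesforce event-monitoring/API logs. Field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Connected apps the org has actually reviewed and approved (assumed list).
APPROVED_APPS = {"Salesforce Data Loader", "Salesloft", "Drift"}

# More than this many rows read by one app/user inside WINDOW counts as bulk export.
BULK_ROW_THRESHOLD = 100_000
WINDOW = timedelta(hours=1)

# Constructed sample events: one legitimate app and one look-alike "Data Loader".
SAMPLE_EVENTS = [
    {"ts": "2025-08-10T09:00:00", "app": "Salesloft", "user": "sdr1", "op": "query", "rows": 120},
    {"ts": "2025-08-10T09:05:00", "app": "Data Loader (custom)", "user": "hr2", "op": "query", "rows": 80_000},
    {"ts": "2025-08-10T09:20:00", "app": "Data Loader (custom)", "user": "hr2", "op": "query", "rows": 60_000},
    {"ts": "2025-08-10T13:00:00", "app": "Salesloft", "user": "sdr1", "op": "query", "rows": 90},
]


def find_suspicious(events, approved=APPROVED_APPS, threshold=BULK_ROW_THRESHOLD, window=WINDOW):
    """Return a list of (reason, app, user) findings.

    Two checks drawn from the attack chain:
      1. any activity from a connected app that was never approved;
      2. one app/user pair reading more than `threshold` rows inside `window`.
    Each (app, user) pair is reported at most once per reason.
    """
    findings = []
    seen_unapproved, flagged_bulk = set(), set()
    history = defaultdict(list)  # (app, user) -> [(timestamp, rows)] within the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["app"], ev["user"])
        if ev["app"] not in approved and key not in seen_unapproved:
            seen_unapproved.add(key)
            findings.append(("unapproved_connected_app", ev["app"], ev["user"]))
        ts = datetime.fromisoformat(ev["ts"])
        # Keep only events still inside the sliding window, then add this one.
        hist = [(t, r) for t, r in history[key] if ts - t <= window]
        hist.append((ts, ev["rows"]))
        history[key] = hist
        if sum(r for _, r in hist) > threshold and key not in flagged_bulk:
            flagged_bulk.add(key)
            findings.append(("bulk_export_volume", ev["app"], ev["user"]))
    return findings
```

In a real deployment the records would be pulled from the platform's event-monitoring or API audit data rather than an inline list, and the approved-app set would come from the org's own connected-app review.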
United Kingdom
Jaguar Land Rover (JLR)
In late August 2025, U.K.-based automaker Jaguar Land Rover (JLR) was hit by a cyberattack that became the most economically damaging cyber incident in U.K. history. The attack forced the company to shut down systems across its global manufacturing operations and led to estimated losses of £1.9 billion.
The incident began on August 31 as a digital breach and quickly escalated into a major operational crisis. Although JLR moved quickly to contain the threat by pausing systems, production across its plants came to a halt for nearly five weeks. The disruption spread far beyond JLR itself. More than 5,000 supply chain partners were affected, many facing delayed payments and serious operational setbacks. Some suppliers are now facing up to six months of credit strain, illustrating how a single cyberattack can ripple through an entire industrial ecosystem.
The attack was linked to Scattered LAPSUS$ Hunters, the same group connected to the Salesforce ecosystem breach and several other high-profile cyber incidents in 2025.
What we learned
The fallout from this attack highlights how cybercriminals are expanding beyond data theft and targeting what truly keeps businesses operational: continuity. JLR’s global shutdown is a clear reminder that cyber resilience is not just about protecting data, but about keeping production, payments and supply chains running when everything is on the line.
While shutting down and restarting large-scale manufacturing operations is complex and time-consuming, this incident shows why most organizations cannot afford to treat business continuity and disaster recovery (BCDR) as an afterthought. A strong BCDR strategy helps you keep critical functions running, limit downtime and reduce cascading impact across partners and customers. The lesson is clear: resilience planning must account for how the business operates in the real world, not just how data is protected.
United States
U.S. universities
Cyberattacks on U.S. educational institutions accelerated in 2025, with several major universities affected, including Ivy League institutions such as the University of Pennsylvania and Princeton University. These incidents exposed millions of records containing personal information tied to students, alumni, staff and community affiliates.
At Penn, the attack surfaced on October 31, when members of the university community received emails that appeared to come from the Graduate School of Education. The university later confirmed that systems linked to development and alumni activities had been compromised. Weeks later, Princeton University disclosed a separate breach affecting its advancement office database. While the Penn incident involved personally identifiable information (PII) and some banking details, Princeton stated that its breach was limited to names, contact information, addresses and donation histories.
Cyberattacks against educational institutions are rising fast, largely because universities store vast amounts of sensitive personal and financial data. Beyond broad network intrusions, attackers are also running targeted campaigns aimed at university staff. In one such case, Microsoft uncovered a “payroll pirate” campaign in which threat actors broke into HR platforms, such as Workday, to hijack employee salaries.
What we learned
Social-engineering–driven attacks are increasingly being used to breach educational institutions, often as the first step toward data theft or the deployment of ransomware. In several 2025 incidents, IT teams moved quickly to lock down affected systems once suspicious activity was detected. However, attackers were still able to send fraudulent emails and access sensitive data, showing how quickly damage can occur once trust is exploited.
At the same time, campaigns like “payroll pirate” highlight a clear shift away from broad, untargeted breaches toward focused attacks on critical systems and specific people. To reduce risk, educational institutions need stronger security layers, including advanced threat detection to identify intrusions early and reliable backup and recovery processes that help keep operations running during disruptions.
Australia
Western Sydney University
U.S. universities aren’t the only ones under attack, with educational institutions worldwide becoming attractive targets for cybercriminals. In 2025, Western Sydney University experienced a series of cyber incidents that together rank among the most serious breaches reported in the education sector in the past year.
The university identified two instances of unusual activity on August 6 and August 11, both involving a student management system hosted by a third-party cloud provider. While access to the platform was shut down after the suspicious activity was detected, further investigation revealed that the attacker had exploited a chain of connected suppliers. Unauthorized access through these third- and fourth-party systems allowed the attacker to gain access to the university’s student management system and exfiltrate data.
The hacker stole highly sensitive student information, including tax file numbers, passport details and private health and disability information. In December, authorities confirmed that a former Western Sydney University student was charged in connection with the attacks.
What we learned
This incident demonstrates that today’s cyberthreats don’t always originate from large ransomware groups or nation-state actors. Even a disgruntled insider or former student can carry out a sophisticated attack, thanks to the easy access they have to ready-made tools.
There is a thriving underground market today that sells malware kits and services like ransomware-as-a-service (RaaS). This lowers the barrier to entry for cybercrime, allowing even individuals with minimal technical skill to launch devastating attacks. To combat this landscape, organizations need layered defenses that combine continuous monitoring, strong access controls and encrypted backups.
North America
Red Hat
On October 2, leading enterprise open-source software vendor Red Hat confirmed a cyberattack involving its consulting GitLab instance. With a customer base that includes government agencies, critical infrastructure operators and major corporations, the incident allegedly affected data tied to more than 800 organizations.
A day earlier, a cybercrime group calling itself Crimson Collective publicly disclosed the breach. The group claimed it exfiltrated 570 GB of compressed data from more than 28,000 repositories, including sensitive customer engagement reports (CERs). Red Hat later confirmed that it detected unauthorized access to a self-hosted GitLab instance used for internal Red Hat Consulting collaboration in select customer engagements.
According to Red Hat, the compromised environment contained project specifications, example code snippets, internal consulting communications and limited business contact information. The company stressed that the incident was limited to this consulting GitLab environment and did not impact Red Hat’s core products or production systems.
However, multiple reports suggest the stolen data included nearly 3.5 million files, along with sensitive reports related to the computer networks of organizations spanning the banking, telecom and government sectors.
What we learned
Attacks exploiting third-party systems to steal sensitive data were a recurring theme throughout last year. Attackers are increasingly targeting vendors, consultants and shared platforms that have trusted access to multiple organizations, since one weak link can expose hundreds of victims at once.
To mitigate this risk, organizations should treat third-party access as part of their own security perimeter. That means strictly limiting vendor access, continuously reviewing permissions for third-party tools and SaaS integrations, and monitoring for unusual activity. Regular security assessments of suppliers, along with rapid detection and response capabilities, can help spot breaches early before attackers can move laterally or exfiltrate large volumes of data.