Key Highlights
- Threat actors increasingly are using compromised log-in credentials rather than brute-force hacking.
- Manufacturing is the most targeted sector in 2025, followed by finance, healthcare, and professional services.
- Threat actors are using artificial intelligence (AI) to create more sophisticated attacks, including building web sites and incorporating deepfakes in phishing attacks.
- The number of infostealers delivered via phishing emails per week increased by 84% in 2025, and 30% of attacks exploit public-facing applications.
This year has been a harsh reminder that cyber attacks aren’t slowing down. If anything, they’re getting smarter, faster, and more targeted, especially with the addition of artificial intelligence (AI) to the criminals’ toolboxes. And they’re increasingly using compromised log-in credentials rather than brute-force hacking.
Let’s look at the top six cyberattacks of 2025, plus some other significant breaches.
Top Six Breaches This Year
1. Volt Typhoon. Volt Typhoon is a sophisticated, state-sponsored cyber actor affiliated with the People's Republic of China (PRC). Its objective is to gain covert and persistent access to U.S. critical infrastructure networks, enabling future sabotage whenever the PRC chooses. An overall strategic goal is to slow U.S. military mobilization during a major crisis or conflict.
This breach focuses on pre-positioning within operational technology (OT) and IT networks of essential U.S. sectors. Gary Southwell, GM and Vice President at ARIA Cybersecurity Solutions, says although activity started in mid-2021, “Volt Typhoon continues to remain a threat. It’s just never-ending.”
He notes that its primary targets include financial systems; communications; energy; marine, aviation and rail transportation; and water and wastewater systems.
2. Ascension Health. Even though the Ascension breach hit in May 2024, its significant consequences reach well into 2025. As one of the nation’s largest nonprofit health systems, Ascension’s ransomware attack exposed personal data from about 5.6 million patients. The breach traced back to an employee downloading a malicious file.
Ascension had to take critical technology systems offline, including its electronic health records and patient portals. Ambulances had to be diverted, elective procedures were delayed, and hospital staff were left scrambling to maintain continuity of care.
Financially, the organization reported a staggering $1.1 billion net loss for the fiscal year, citing the attack as a major contributing factor.
3. DaVita. In March through April, the Interlock ransomware group attacked DaVita, a major kidney dialysis provider. The server infiltration lasted several weeks and exposed sensitive data—including laboratory databases, tax records, and medical results—of more than 2.7 million patients. DaVita reported about $13.5 million in recovery costs, excluding business interruption losses. The exposure created lasting privacy and fraud risks.
4. Amazon Web Services (AWS). The "Codefinger" ransomware, which emerged in January 2025, targeted AWS S3 buckets by exploiting customers’ compromised credentials, which were vulnerable due to individual customers’ security practices. The attackers used AWS’ Server-Side Encryption with Customer-Provided Keys (SSE-C) to re-encrypt victims’ data using a new AES-256 key, locking them out. AWS didn’t pay the ransom because the attack targeted data of individual AWS customers, not AWS’ core systems, so the burden to make ransom decisions rested entirely on compromised customers.
5. Maryland Transit Administration (MTA). In August, a massive cyberattack hit the MTA, part of the Maryland Department of Transportation. The Rhysida ransomware group made the hit, exposing sensitive personal data, including names, Social Security numbers, driver’s licenses, and passports. The hackers demanded a ransom of 30 Bitcoin (about $3.4 million) to stop the stolen information from being released publicly.
6. United Natural Foods Inc. (UNFI). In June, this major U.S. grocery wholesaler and primary distributor for Whole Foods was hit with a cyberattack that crippled UNFI's electronic ordering and delivery systems, forcing a temporary shutdown of automated services and disrupting the U.S. food supply chain so much that it caused grocery shortages across North America. This highlighted the fragility of digital food supply systems and dependency on a single distributor.
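Item 4 above describes Codefinger re-encrypting S3 objects with SSE-C through compromised customer credentials. The following detection sketch is an added example, not part of the original article: it flags principals that make repeated successful SSE-C writes to a bucket. The record layout is modeled on CloudTrail S3 data events (an assumption), and the sample records, account ID, ARNs and bucket names are constructed.

```python
from collections import defaultdict

# Request parameter that marks a write encrypted with a customer-provided key (SSE-C).
SSE_C_PARAM = "x-amz-server-side-encryption-customer-algorithm"
WRITE_EVENTS = {"PutObject", "CopyObject"}

def _ev(name, arn, bucket, key, extra=None, error=None):
    """Build one constructed record shaped like a CloudTrail S3 data event."""
    ev = {"eventSource": "s3.amazonaws.com", "eventName": name,
          "userIdentity": {"arn": arn},
          "requestParameters": {"bucketName": bucket, "key": key, **(extra or {})}}
    if error:
        ev["errorCode"] = error
    return ev

SVC = "arn:aws:iam::111122223333:user/backup-svc"   # constructed principal
APP = "arn:aws:iam::111122223333:role/web-app"      # constructed principal
SSE_C = {SSE_C_PARAM: "AES256"}

SAMPLE_EVENTS = [  # constructed sample data
    _ev("PutObject", APP, "example-records", "new.csv",
        {"x-amz-server-side-encryption": "AES256"}),          # ordinary SSE-S3 write
    _ev("GetObject", SVC, "example-records", "a.csv"),
    _ev("CopyObject", SVC, "example-records", "a.csv", SSE_C),
    _ev("CopyObject", SVC, "example-records", "b.csv", SSE_C),
    _ev("PutObject", SVC, "example-records", "c.csv", SSE_C),
    _ev("PutObject", APP, "example-logs", "x.log", SSE_C, error="AccessDenied"),
]

def find_sse_c_writes(events, threshold=2):
    """Return {(principal_arn, bucket): [keys]} for successful SSE-C writes
    where one principal touched at least `threshold` objects in a bucket."""
    hits = defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        if ev.get("eventName") not in WRITE_EVENTS or ev.get("errorCode"):
            continue  # not a write, or the write was rejected
        params = ev.get("requestParameters") or {}
        if SSE_C_PARAM not in params:
            continue  # SSE-S3, SSE-KMS or unencrypted write
        arn = (ev.get("userIdentity") or {}).get("arn", "unknown")
        hits[(arn, params.get("bucketName", "unknown"))].append(params.get("key"))
    return {k: v for k, v in hits.items() if len(v) >= threshold}

if __name__ == "__main__":
    for (arn, bucket), keys in find_sse_c_writes(SAMPLE_EVENTS).items():
        print(f"ALERT {arn} rewrote {len(keys)} objects in {bucket} with SSE-C: {keys}")
```

For a bucket with no legitimate SSE-C use, a threshold of 1 turns any hit into an alert.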
Other Notable Breaches in the U.S. and Abroad
A serious cyberattack on Jaguar Land Rover’s United Kingdom IT systems that hit on August 31 forced a five-week production shutdown, crippling its supply chain, creating a national economic emergency, and causing £1.9 billion ($2.47 billion) in losses.
The breach halted manufacturing across JLR’s three major UK plants, pushing the company from consecutive profitable quarters to a Q3 2025 loss of nearly £500 million ($650 million).
The disruption also caused a national drop in automotive output, with UK exports falling 24.5% in September. Full recovery isn’t expected until January 2026.
The Chinese Surveillance Network breach in June exposed 4 billion records in China containing sensitive personally identifiable information (PII), including WeChat data, financial details, Alipay profile information, phone numbers, home addresses, and behavioral profiles. Considered one of the largest data leaks in China’s history, it was caused by a misconfigured, publicly accessible database that had no password protection.
In May, cybercriminals infiltrated TeleMessage, a compliance messaging app used by U.S. government officials. The breach exposed metadata from more than 60 accounts. Its compromise poses serious counterintelligence risks, and it triggered widespread suspension and Cybersecurity and Infrastructure Security Agency (CISA) advisories.
Discovered in January, the PowerSchool Data Breach exposed sensitive educational and personal information, leading to a lawsuit filed by the Texas Attorney General. PowerSchool is a student information system that schools use to track enrollment, grades, bus routes, and family contacts. Attackers claimed to have copied data for more than 62 million students and almost 10 million teachers nationwide, and they got in using a contractor’s stolen login.
Helpful Resources
Download these reports and studies to get details on cybersecurity activity and trends.
- 2025 State of Operational Technology and Cybersecurity, from Fortinet
- Cost of a Data Breach Report 2025, from IBM and Ponemon Institute
- CrowdStrike State of Ransomware Survey, from CrowdStrike
- How-To Guide: Successful Data Privacy Compliance eBook, from ARIA Cybersecurity Solutions
- Identifying and Mitigating Living Off the Land Techniques, from the National Security Agency (NSA), Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency (CISA), and the United Kingdom National Cyber Security Centre (NCSC-UK)
- The State of Cyber Security 2025 report, from Check Point Software
- Year in Review: 2025 OT Cybersecurity Report, from Dragos
Constant Vigilance as Attacks Continue
Threat actors continue to inflict damage as the global average cost of a data breach hit a record $4.88 million in 2024. It’s important to understand their scope and magnitude. Here are just a few key takeaways:
- Manufacturing is the most targeted industry, four years in a row. Manufacturing firms continued to experience significant effects from attacks—many of which compromise legacy equipment—including extortion (29%) and data theft (24%), targeting financial assets and intellectual property.
- Threat actors add AI to their toolboxes. Cyber criminals now are using AI to build web sites and incorporate deepfakes in phishing attacks.
- Number of infostealers delivered via phishing emails per week increased by 84%. The IBM X-Force 2025 Threat Intelligence Index indicates a year-over-year increase in infostealers delivered by phishing emails and in credential phishing.
- 30% of attacks exploit public-facing applications. Threat actors use scanning techniques after the breach to identify new vulnerabilities and get additional access. Long dwell times allow adversaries to mask their activity by “living off the land”—stealing data weeks or even months after an initial breach.
ARIA Cybersecurity Solutions’ Southwell says it’s important to use a Defense-in-Depth (DiD) strategy and to lock down devices and applications to help mitigate cybersecurity breaches.
“You shouldn't just leave these things open to the internet,” he explains. “It goes against prevailing wisdom in our era of digital transformation, which is to let everything connect and constantly update, but it just leaves you wide open for attack.”
About the Author

Theresa Houck
Contributor
Theresa Houck is an award-winning B2B journalist with more than 35 years of experience covering industrial markets, strategy, policy, and economic trends. As Senior Editor at EndeavorB2B, she writes about IT, OT, AI, manufacturing, industrial automation, cybersecurity, energy, data centers, healthcare, and more. In her previous role, she served for 20 years as Executive Editor of The Journal From Rockwell Automation magazine, leading editorial strategy, content development, and multimedia production including videos, webinars, eBooks, newsletters, and the award-winning podcast “Automation Chat.” She also collaborated with teams on social media strategy, sales initiatives, and new product development.
Before joining EndeavorB2B, she was an Industry Analyst at Wolters Kluwer in its human resources book publishing operation. Before that, she spent 14 years with the Fabricators & Manufacturers Association, Intl., serving as Executive Editor of four magazines in the sheet metal forming and fabricating sector, where she managed and executed editorial strategy, budgets, marketing, book publishing, and circulation operations, and negotiated vendor contracts.
Houck holds a Master of Arts in Communications from the University of Illinois Springfield and a Bachelor of Arts in English from Western Illinois University.