10 Major Cyberattacks And Data Breaches In 2025 (So Far)
Ransomware and data theft attacks have caused massive disruption to businesses across numerous industries during 2025.
Biggest Cyberattacks And Breaches
In 2025, companies and government agencies have been targeted by a seemingly nonstop series of cyberattacks — including both disruptive ransomware attacks and incidents focused on data theft and extortion. As of this writing, one major attack is still ongoing, with threat actors exploiting vulnerabilities in on-premises Microsoft SharePoint servers in widespread cyberattacks.
Microsoft has released all patches for on-premises SharePoint Servers to protect against the wave of “ToolShell” compromises, some of which have been linked to China-based threat actors. But a variety of attackers will be looking to exploit the vulnerabilities for months to come, researchers have told CRN. “We really need to think about this just being the beginning of actors operationalizing this vulnerability,” said Cynthia Kaiser, formerly a longtime FBI cybersecurity leader who is now senior vice president at anti-ransomware startup Halcyon.
Overall, cyberattacks in 2025 have continued to pose steep and complex challenges for cybersecurity teams and security service providers. Earlier this year, for instance, the notorious hacker group Scattered Spider struck numerous high-profile companies in key sectors such as retail, insurance and aviation, leading to widely felt disruption.
Meanwhile, a sophisticated ransomware group that emerged late last year, SafePay, has rapidly accelerated its attacks in recent months — reportedly including a disruptive attack against IT distribution giant Ingram Micro over the July 4 holiday.
SafePay is far from alone in being new to the cybercrime scene, however, with far more threat groups currently active than during previous years, according to research from GuidePoint Security, No. 37 on CRN’s Solution Provider 500 for 2025.
Other notable cyberattacks and data breaches during 2025 so far included exploitation by threat actors of Ivanti VPN devices and a cyberattack that struck food distributor United Natural Foods, leading to shortages at retailers including Whole Foods.
What follows are the key details on 10 major cyberattacks and data breaches in 2025 so far (in chronological order).
Treasury Department Hack
A China-linked breach disclosed by the U.S. Treasury Department constituted a “major” cybersecurity incident, the agency said in January. The Washington Post reported that the hack led to the compromise of multiple offices within the Treasury Department. The breach is tied to the compromise of BeyondTrust’s remote support tool, which the company had disclosed in December. In a letter to lawmakers, the Treasury Department said that “based on available indicators, the incident has been attributed to a China state-sponsored Advanced Persistent Threat (APT) actor.” Based on Treasury Department policy, “intrusions attributable to an APT are considered a major cybersecurity incident,” the agency said.
Ivanti VPN Attacks
Ivanti disclosed in January that a critical-severity zero-day vulnerability impacting its widely used Connect Secure VPN had seen exploitation in attacks. The vulnerability, which can be exploited to remotely execute code without authentication, impacted customers including Nominet, a U.K.-based domain registry provider. “The entry point was through third-party VPN software supplied by Ivanti that enables our people to access systems remotely,” Nominet said in an email to customers. Exploitation of the critical vulnerability in Ivanti Connect Secure began at least as far back as December 2024, researchers at Mandiant wrote in a post Jan. 9. Malware used during the attacks shows possible links to a China-based threat actor, the Mandiant researchers disclosed.
SonicWall SMA Attacks
SonicWall said in January that exploitation of a “critical” zero-day vulnerability in the Secure Mobile Access (SMA) 1000 Appliance Management Console and Central Management Console had been reported by Microsoft threat researchers. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) later confirmed exploitation of the SMA 1000 vulnerability. The vulnerability can be exploited by a malicious actor to remotely execute code without authentication, according to SonicWall. Then in mid-July, the Google Threat Intelligence Group disclosed that a cybercriminal group tracked as UNC6148 had been observed exploiting SonicWall SMA 100 appliances, likely using known vulnerabilities.
Juniper Router Attacks
In March, Mandiant researchers disclosed details about an espionage campaign by a “China-nexus” threat group targeting Juniper routers. The campaign included attacks exploiting a newly discovered Junos OS vulnerability, according to the researchers at Google Cloud-owned Mandiant. The researchers said in the post that they had initially discovered the threat actor exploiting Junos OS routers starting in mid-2024. The attackers were found to have “deployed custom backdoors on Juniper Networks’ Junos OS routers,” the researchers wrote. “Mandiant attributed these backdoors to the China-nexus espionage group, UNC3886.”
PHP Attacks
In March, a researcher at threat intelligence firm GreyNoise said that exploitation of a critical-severity vulnerability affecting Windows-based PHP installations had impacted organizations in the U.S. The remote code execution flaw has seen “mass exploitation,” with attack activity “far more widespread” than initially believed, wrote Bob Rudis, vice president of data science at GreyNoise, in a post. The vulnerability was initially disclosed in June 2024, and was found to have been exploited at the time.
Conduent Attack
In January, solution provider giant Conduent—whose systems are used to enable government services such as child support payments and food assistance—confirmed that a major service outage was caused by a cyberattack. According to a TechCrunch report, the outage at Conduent impacted some support payments and benefits in the U.S. In April, Conduent disclosed that the attack had also led to the theft of personal data belonging to a “significant number of individuals” connected to Conduent clients. In a statement provided to CRN, Conduent said that the January cybersecurity incident is “reasonably likely to be material based on information it recently learned from its eDiscovery vendor.”
United Natural Foods Attack
In June, a cyberattack that struck food distributor United Natural Foods led to shortages at retailers including Whole Foods. In a regulatory filing, United Natural Foods said that it “became aware of unauthorized activity on certain” IT systems on June 5. The company’s containment measures, including taking systems offline, “temporarily impacted the company’s ability to fulfill and distribute customer orders,” United Natural Foods said in the filing. “The incident has caused, and is expected to continue to cause, temporary disruptions to the company’s business operations.” United Natural Foods has been described as the primary distributor for Whole Foods.
Scattered Spider Attacks
The notorious hacker group Scattered Spider is believed to have struck numerous high-profile companies in 2025 in key sectors such as retail, insurance and aviation. Researchers connected Scattered Spider to a series of attacks against three British retailers — Marks & Spencer, the Co-op and Harrods — as well as insurers such as Aflac. Scattered Spider then reportedly moved on to targeting airlines, with the group blamed for incidents including attacks against Hawaiian Airlines and WestJet. Australian airline Qantas later confirmed that “a cyber incident has occurred in one of its contact centres impacting customer data” — affecting a platform containing the records of 6 million customers — in an attack that researchers said was likely linked to Scattered Spider.
Ingram Micro Ransomware Attack
Following media reports on July 4 indicating that IT distribution giant Ingram Micro was experiencing an outage, the company confirmed that it had been impacted by a ransomware attack and was working on restoring its systems. The attack led Ingram Micro to take key systems offline, which disrupted the company’s online ordering systems for nearly a week. On July 10, the company said it had restored all business operations around the globe. The SafePay ransomware organization was responsible for the attack, according to a BleepingComputer report. SafePay’s unusual approach to cyberattacks — shunning the prevalent ransomware-as-a-service model — makes the hacker group more formidable to defend against, security experts have told CRN.
Microsoft SharePoint Attacks
In July, a wave of widespread cyberattacks struck customers that use on-premises Microsoft SharePoint servers through exploitation of zero-day vulnerabilities in the systems. As of July 23, more than 400 systems had been compromised in the “ToolShell” attacks, according to researchers at Eye Security. Reports indicated that the victims included U.S. agencies, and the Department of Energy confirmed it was “minimally impacted” in the attacks. Researchers at Google Cloud-owned Mandiant and Microsoft have pointed to at least some of the attacks originating from China-based threat actors. Microsoft researchers said in a July 22 post that they had observed exploitation activity from a pair of Chinese nation-state threat groups, tracked as Linen Typhoon and Violet Typhoon, as well as from a China-linked threat actor tracked as Storm-2603. “With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems,” Microsoft researchers wrote in the post.