TPCRM
Dec 29, 2025

The most relevant third-party cybersecurity incidents of 2025

With 2025 in the rear-view mirror, and our focus here being third-party and supply chain cybersecurity, it's time to revisit the most noteworthy third-party data breaches and related incidents of the year.

As a reminder, we made a list for 2024, too. Comparing the two, it’s easy to see why so many security professionals are worried.

So, without further ado, here is our list for 2025:

ByBit: the $1.5 billion crypto heist

In February, North Korean hackers from the Lazarus Group managed to steal approximately $1.5 billion worth of Ethereum from ByBit, a cryptocurrency exchange.

But the hackers weren't inside ByBit's systems. Instead, they had infiltrated Safe{Wallet}, a third-party platform that ByBit relied on to manage its assets. Earlier that month, a developer at Safe{Wallet} had fallen for a social engineering attack, allowing the hackers to gain access to the company's AWS environment.

Once inside the AWS environment, the hackers made code changes that redirected funds to their wallets. Even though they targeted ByBit specifically, which potentially limited the reach of their efforts, the perpetrators still managed to carry out the largest digital heist in history.

In part due to the difficulty of recovering funds in an ecosystem where transactions cannot be reversed, cryptocurrency and its supporting infrastructure are frequently targeted by cyberattacks. In April, the official npm package for XRP (Ripple) was infected with a backdoor designed to steal private keys and cryptocurrency wallets, just one of several similar incidents in the software supply chain. In May, the Coinbase exchange announced it was refusing to pay criminals who had stolen customer data.

Salesforce integrations

Hundreds of organizations had their data stolen after hackers hit Salesloft in August and Gainsight in November. Both companies develop applications designed to be integrated into Salesforce instances and were allegedly breached by ShinyHunters, which used the access granted to the apps to extend the breach to their customers' Salesforce data.

Salesforce instances were also directly targeted by phishing attacks in which employees who have access to their company's Salesforce instance were tricked into authorizing a third-party application that the attackers could use to exfiltrate data. While this isn't a breach of Salesforce's infrastructure, businesses should be aware of ongoing campaigns against the SaaS platforms they rely on and the concentration risk that facilitates them.

Major cloud incidents: Oracle, AWS, Azure, and Cloudflare

Hyperscalers and key infrastructure providers were at the center of several major incidents in 2025.

The first was Oracle. Oracle Health notified its customers that it became aware of a data breach in February, although later reports suggest the incident started in 2024. Some of the patients whose data was stolen are still being notified by the healthcare providers that rely on Oracle Health.

Oracle's legacy infrastructure was also compromised, and the company created some confusion by denying that Oracle Cloud had been breached. The lack of clarity made it more difficult to discuss what was happening, and even the CISA advisory resorted to unclear language, referencing "public reporting regarding potential unauthorized access to a legacy Oracle cloud environment."

Later in the year, other providers suffered significant outages. Part of Amazon Web Services went offline for at least 15 hours in October, creating issues for software and devices that rely on it. Microsoft Azure went through a similar issue soon after.

Cloudflare also went down twice. The first and more serious outage in November was the result of a database bug. The second one, in December, was related to Cloudflare's mitigation of the "React2Shell" vulnerability.

Banking hacks in Brazil

In three separate incidents in July and September, criminals in Brazil managed to siphon out a total of over R$1 billion (around $225 million) from "reserve accounts" that banks use to fulfill transactions in the Pix system within the Central Bank of Brazil. To accomplish this, the hackers infiltrated third-party providers by bribing employees and stealing vendor credentials.

These incidents are quite complex, but we already have a dedicated blog post if you want a more detailed explanation about how the attacks were carried out. More recently, in November, the Dragonforce group leaked 392 GB of corporate data linked to one of the companies involved, which claimed the dataset is the same one that had been exfiltrated during the initial incident.

PowerSchool: millions of students exposed

In January, software provider PowerSchool disclosed that an attacker had used stolen credentials to access data stored in its PowerSource customer portal. Since PowerSchool supports thousands of schools in the US and Canada, it was a major incident for the K-12 education sector.

The hacker said he had exfiltrated data on over 60 million students and 9 million teachers. Not all of them had sensitive information exposed, but Social Security Numbers, grades, and medical information were allegedly present in the dataset.

In May, college student Matthew Lane agreed to plead guilty to hacking and attempting to extort two companies, one of them being PowerSchool. It was also revealed that the credentials used in the attack belonged to a contractor, which means that PowerSchool itself had been breached due to a third-party error.

Tata Consultancy Services and Jaguar Land Rover

Tata Consultancy Services (TCS) first made headlines after UK retailers Marks & Spencer (M&S) and Co-op were hacked in April. The company's involvement in both incidents is still unclear, as the retailers did not blame any specific vendor.

After media reports that M&S had terminated its service desk contract with TCS following the incident, TCS clarified that the process for switching providers had already started in January and was unrelated to the breach. Furthermore, TCS stated it did not provide cybersecurity services for M&S and its systems were not compromised.

Unfortunately, that distinction isn't enough to settle the question, as the hacks were carried out through social engineering. When a staff member at a service desk provider – be it TCS or any other – is tricked into disabling MFA or resetting a password, that represents a major failure on the provider's part, even if their systems were not directly breached.

Four people were arrested in connection with these incidents.

TCS made headlines again after Jaguar Land Rover was compromised in August. JLR belongs to the same parent company as TCS, the Indian conglomerate Tata Group, so its IT systems are handled by TCS. That means TCS was once again potentially involved in a major incident.

There has been speculation that TCS could be involved in other hacks. Even if that’s not true, the key takeaway from these incidents is that third parties can be involved in cyberattacks even when their IT infrastructure is not directly compromised. In addition, businesses may face challenges when it comes to investigating and even explaining third-party incidents to investors, customers, and the general public.

The Collins Aerospace hack

In September, a cyberattack disrupted the boarding software provided by Collins Aerospace, leading to delays and cancellations in European airports.

The incident is reminiscent of the CrowdStrike outage in 2024. Although the root cause and the impact were vastly different, both events resulted in real-world consequences for airlines and travelers.

Shai-Hulud, tj-actions: the software supply chain hacks

The software supply chain is facing increased pressure from cyberattacks. There were several instances of malicious or compromised software packages (especially in repositories like npm and PyPI). Hackers have been successful in stealing developer credentials through phishing and typosquatting attacks, allowing them to gain access to trusted packages.

The two most notable incidents of the year are likely the Shai-Hulud worm and the tj-actions compromise.

Shai-Hulud brought back the concept of computer worms – which haven't made much noise since the days of Conficker and WannaCry – by exploiting the software supply chain. Aside from injecting itself into other packages to spread, the worm is capable of stealing credentials and tokens used for developer access, which can be used in other third-party hacks. So far, two versions of the worm have been discovered.

In the tj-actions incident, the hackers compromised the tj-actions GitHub Action, which gave them some access to over 200 repositories that relied on tj-actions for their automated workflows. Much like Shai-Hulud, the changes made to tj-actions were designed to steal secrets from the repositories it could access.

SitusAMC: banking data without hacking a bank

Several banks and their customers are dealing with a breach disclosed by SitusAMC, a real estate finance and tech firm that reportedly provides services to hundreds of financial institutions.

By attacking a vendor, hackers managed to steal banking-related data without having to deal with the generally high cybersecurity standards followed by banks. While they did not gain access to banking accounts, banks may still have to notify their customers, answer questions regarding the incident, and potentially suffer reputational damage.

What have we learned?

Third-party cyber risk management (TPCRM) is more important than ever. Verizon's Data Breach Investigations Report (DBIR) sounded the alarm when it found that the percentage of breaches (incidents with data loss) involving a third party doubled to 30%.

Now, with several of the major IT providers suffering incidents in the same year, it's very unlikely that smaller software vendors will remain unscathed as hackers keep trying to find more indirect ways to breach their targets.

Businesses should remain engaged with their third parties for the efficiency, expertise, and the ability to move fast and adapt to changing market conditions that they bring. However, it must be understood that the associated risk remains with the business just the same.

By going hands-on with third-party cyber risk management, such as by adopting continuous monitoring, businesses have a much better chance at remaining secure in this threat landscape.

Keeping yourself informed about third-party risk and related incidents can also provide insight into how to build or improve your TPCRM program. Our monthly newsletter and our podcast can be useful resources.