

What Companies Can Learn From 2025’s Biggest Data Breaches

Holly Ellwood

23 January 2026


2025 was a wake-up call for UK cyber security. I watched organisations I genuinely respect, Marks & Spencer, Jaguar Land Rover and NHS suppliers among them, fall victim to attacks that, frankly, should have been preventable.

These weren't sophisticated zero-day exploits. They were attacks that succeeded because of the basics: poor credential hygiene, insufficient staff training and inadequate supply chain oversight. The kind of weaknesses we warn clients about every day.

What concerns me most isn't just the breaches themselves, but what they reveal about how security is still being approached. Too many organisations still treat security as a perimeter problem, when in each of these cases the attacker was let in by a person, a credential or a supplier, not by a hole in the firewall.

As we move into 2026, alongside the introduction of the Cyber Security and Resilience Bill, organisations must move beyond reactive security and adopt a resilience-first mindset. Here’s what the biggest breaches of 2025 teach us, and what companies must do next.


Key breach lessons and what they mean for 2026:


Marks & Spencer: Human-centric attacks still win

In early 2025, Marks & Spencer suffered a major ransomware attack that exposed customer information including names, addresses and order histories. According to public reporting, attackers gained their initial foothold by targeting a third-party supplier and using social engineering to obtain employee access, then moved on from there. Such tactics remained a leading cause of breaches throughout 2025.

Lesson:
People remain the most targeted weak point across organisations, yet many companies still underinvest in ongoing training and phishing resilience. Training alone will not stop a convincing impersonation every time, so the controls below exist to limit what one deceived person can hand over.

What to do in 2026:

  • Implement continuous cyber awareness and phishing simulation training

  • Adopt Zero Trust access models with phishing-resistant multifactor authentication, so that a stolen password alone grants nothing

  • Enforce least-privilege access and strong identity governance

Prioritising human-centric controls reduces risk across the entire attack surface.

Jaguar Land Rover: The £500 million wake-up call

This one hit particularly hard because of the scale of operational impact. JLR suffered a ransomware attack through phishing and stolen credentials, credentials that should have been rotated or revoked but weren't. A simple credential hygiene failure.

The direct cost to JLR was around £500 million. But here's what really matters: the attack crippled hundreds of suppliers in their network, contributing to roughly £1.9 billion in wider economic losses. Production lines stopped. Deliveries halted. Entire supply chains ground to a standstill.

The reality: In manufacturing and industrial sectors, a cyber attack isn't just an IT problem. It's an operational crisis that cascades through entire ecosystems. One compromised supplier can bring down dozens of businesses.

What actually works:

  • Prompt rotation or revocation of exposed and stale credentials, backed by strong authentication policies (MFA on every remote and privileged login)
  • Privileged access management with strict oversight
  • Business continuity planning that accounts for supply chain disruption
  • Regular testing of incident response procedures with key suppliers
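The credential and access failures called out above (stale credentials, privileged accounts without MFA, weak identity governance) are the kind of thing a periodic identity review should catch before an attacker does. The script below is an added example, not code from the original post or from any of the organisations named: it runs a hygiene review over a small constructed account inventory and flags the conditions the M&S and JLR sections warn about. The field names, role names and thresholds are assumptions chosen for illustration; in practice the inventory would come from your directory or identity provider export.

```python
"""Identity hygiene review over a constructed account inventory.

Added example (not from the original post). Flags the access failures the
article attributes to the 2025 breaches: privileged accounts without MFA,
stale credentials still in use, dormant accounts left enabled, and
third-party accounts holding standing privileged roles. Role names, field
names and thresholds below are assumptions, not policy from the article.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    user: str
    roles: tuple          # directory group / role names, e.g. ("domain_admin",)
    mfa_enrolled: bool
    password_set: date    # when the current secret was last set
    last_login: date      # last successful authentication
    enabled: bool
    third_party: bool     # supplier or contractor account


# Hypothetical policy thresholds (assumptions for this example).
PRIVILEGED_ROLES = {"domain_admin", "global_admin", "erp_admin", "ot_engineer"}
MAX_PASSWORD_AGE = timedelta(days=365)   # only enforced where MFA is absent
DORMANT_AFTER = timedelta(days=90)


def is_privileged(acct: Account) -> bool:
    """True if the account holds any role in the privileged set."""
    return bool(PRIVILEGED_ROLES & set(acct.roles))


def review(accounts, today: date):
    """Return (user, finding) pairs in inventory order.

    Disabled accounts are skipped: they cannot be used to log in, so the
    review concentrates on credentials that still work today.
    """
    findings = []
    for a in accounts:
        if not a.enabled:
            continue
        priv = is_privileged(a)
        if priv and not a.mfa_enrolled:
            findings.append((a.user, "privileged account without MFA"))
        # Forced rotation is only worth its cost on single-factor accounts,
        # where the password is the whole secret.
        if not a.mfa_enrolled and today - a.password_set > MAX_PASSWORD_AGE:
            findings.append((a.user, "stale password on single-factor account"))
        if today - a.last_login > DORMANT_AFTER:
            findings.append((a.user, "dormant account still enabled"))
        if a.third_party and priv:
            findings.append((a.user, "third-party account holds standing privileged role"))
    return findings


def by_user(findings):
    """Count findings per account so the noisiest accounts surface first."""
    counts = {}
    for user, _ in findings:
        counts[user] = counts.get(user, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


# Constructed sample inventory (made up for this example).
AS_OF = date(2026, 1, 23)
INVENTORY = [
    Account("alice", ("domain_admin",), True, date(2025, 6, 1), date(2026, 1, 20), True, False),
    Account("svc-backup", ("domain_admin",), False, date(2023, 3, 15), date(2026, 1, 22), True, False),
    Account("contractor-helpdesk", ("global_admin",), True, date(2025, 11, 1), date(2025, 9, 30), True, True),
    Account("bob", ("sales",), False, date(2025, 1, 10), date(2026, 1, 19), True, False),
    Account("old-intern", ("sales",), False, date(2024, 1, 1), date(2024, 6, 1), False, False),
]

if __name__ == "__main__":
    for user, finding in review(INVENTORY, AS_OF):
        print(f"{user:20s} {finding}")
    print(by_user(review(INVENTORY, AS_OF)))
```

Run as-is it reports five findings: the service account with a privileged role and no MFA (and a three-year-old password), the contractor account that is both dormant and standing-privileged, and a single-factor user whose password is past the assumed age limit; the disabled intern account is ignored. The point of the third-party check is the one the JLR section makes: supplier accounts that hold permanent admin rights turn a supplier compromise into your compromise.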

NHS: Supply-chain risk takes the headlines

A ransomware attack on an NHS software supplier disrupted critical services and compromised more than 79,000 patient records. Such incidents show how vulnerabilities in the supply chain can cascade into major operational and reputational harm.

Lesson:
Third-party risk is not peripheral; it is core to organisational security and continuity. A supplier's ransomware incident becomes your outage the moment your service depends on their system.

What to do in 2026:

  • Conduct cyber security due diligence on all vendors

  • Require contractual security standards and audit rights

  • Include third parties in incident response planning and exercises

  • Maintain continuous supplier risk monitoring

Robust supply-chain governance protects organisations and customers alike.


The Cyber Security and Resilience Bill: what's coming next

As the UK tightens its cyber security framework, the Cyber Security and Resilience Bill will expand regulatory expectations for digital and critical services. Organisations should begin aligning now with its key provisions:

  • New incident reporting requirements: Initial notification to regulators and the National Cyber Security Centre (NCSC) must be made within 24 hours, followed by a full report within 72 hours, a faster timeline than the current framework. Meeting a 24-hour clock requires that detection, triage and escalation already work; it cannot be improvised during the incident.

  • Broader scope: More digital service providers, managed service providers, data centres, and supply-chain partners will fall under mandatory cyber security standards.

  • Transparency and customer notification: Firms may be required to notify affected customers when a significant cyber incident occurs.

Curious about what the consequences of a data breach might be for your business? We break it down in our blog about the legal consequences of data breaches.

How we can help

If you're reading this and recognising your own vulnerabilities, you're not alone. Most organisations we work with come to us after realising their current approach isn't fit for purpose.

We work with industrial and manufacturing organisations to:

  • Assess your current security posture against both IT and OT environments
  • Implement practical, operational controls that work in complex industrial settings
  • Build robust supply chain security programmes
  • Develop and test incident response plans that account for operational dependencies
  • Meet regulatory requirements including the incoming Cyber Security and Resilience Bill

Our experience with critical national infrastructure means we understand the unique challenges you face. We know that solutions need to work in the real world, not just in theory.

The breaches of 2025 all had one thing in common: they were preventable. The question is whether we'll learn from them before 2026 brings the next wave.

Want to discuss your cyber security posture? Learn more about our Cyber Security Services or get in touch with our team.