The Biggest Data Breaches of 2025–2026 and What We Learned

3,322 US data breaches in 2025 — a new all-time record. 16 billion credentials exposed in the largest data leak in history. PowerSchool: 62.4 million students and teachers affected. US Treasury breached via contractor remote tool. DaVita: 2.7 million patients’ records stolen. Third-party breach involvement rose from 15% to 30% (Verizon DBIR). Average breach cost: $4.4M globally, $10.22M for US organisations. Ransomware in 44% of all breaches. This complete guide covers the major breaches of 2025-2026, what happened, what they cost, and the 7 proven lessons every organisation must act on in 2026.

Staff Writer

In June 2025, security researchers discovered what is likely the largest data exposure in history: roughly 16 billion login credentials compiled from infostealer malware logs, phishing kits, and years of accumulated prior breaches. The database included credentials tied to major platforms including Google, Apple, and Meta, exposing billions of users to credential stuffing attacks — automated attempts to use known usernames and passwords to log in to dozens of other services. The same year, the US recorded 3,322 data breach incidents — a new all-time record, surpassing 2023’s previous high by 4 percent, with cyberattacks responsible for 80 percent of them. The global average cost of a single data breach reached $4.4 million in IBM’s 2025 report, with US organisations averaging $10.22 million.

The pattern in the biggest breaches of 2025 and early 2026 is not a story of sophisticated nation-state attackers deploying novel zero-day exploits against security teams who had no chance of stopping them. It is almost the opposite: the most damaging incidents of the period were enabled by password reuse, unpatched systems, third-party vendor access left unsecured, and stolen credentials that had been circulating in criminal markets for months or years before being weaponised. The attacks were sophisticated in their execution; their entry points were elementary in their prevention. Third-party involvement in breaches rose from 15 percent to 30 percent in Verizon’s 2025 Data Breach Investigations Report — one of the single largest year-over-year changes in any major breach cause category. The lesson that 2025 and 2026 keep writing in billion-dollar losses is consistent: the fundamentals of cybersecurity — credential hygiene, vendor risk management, patch discipline, and tested incident response — are not solved problems for most organisations.

This guide covers the most significant data breaches of 2025 and early 2026, what happened in each case, who was affected, how much it cost, and what each incident reveals about the vulnerabilities that matter most heading into the second half of 2026.

The Numbers: 2025’s Breach Landscape in Context

Before the specific incidents, the aggregate picture provides essential context for understanding the scale and character of the current threat environment.

The Identity Theft Resource Center’s 2025 Annual Data Breach Report, released in January 2026, tracked 3,322 data compromises in the United States in 2025 — a new all-time record. The five-year increase in US breach incidents stands at 79 percent. Cyberattacks accounted for 2,656 of those incidents (80 percent), primarily targeting personally identifiable information — Social Security numbers, bank account details, driver’s licence numbers — rather than easily replaceable financial account credentials. Two-thirds of the 2025 breaches involved Social Security numbers, a category of data that cannot be changed and whose compromise creates long-term identity fraud risk.

The average breach cost globally reached $4.4 million in IBM’s 2025 Cost of a Data Breach Report — a figure that has increased steadily for over a decade. US organisations averaged $10.22 million per breach, reflecting both higher remediation costs in the US market and the liability costs associated with US regulatory and legal frameworks. Healthcare remained the most expensive sector, with breaches averaging $7.42 million and a mean time to detect and contain of 279 days — over nine months of potential attacker access before containment.

Verizon’s 2025 Data Breach Investigations Report, which reviewed 22,052 security incidents and 12,195 confirmed data breaches, found ransomware present in 44 percent of breaches (up from 32 percent), the human element implicated in approximately 60 percent of breaches, and third-party involvement in 30 percent — nearly double the 15 percent recorded in the prior year. The ransomware evolution in 2025 also shifted in character: modern ransomware attacks increasingly involve data exfiltration before system encryption, creating “double extortion” leverage. Even organisations that restore operations from backup face the additional threat of stolen data being published unless a separate extortion payment is made.

The mean time to identify and contain a breach improved slightly in 2025 to 241 days — down from prior years — but 241 days is still eight months of an attacker inside a network before detection and containment. The gap between breach detection and containment remains one of the most consequential metrics in cybersecurity, because dwell time directly correlates with breach cost: breaches resolved in under 200 days averaged $3.87 million in cost, compared to $5.01 million when containment extended past 200 days.

The 16 Billion Credential Mega-Leak: June 2025

The largest single data event of 2025 was not a targeted attack on a specific organisation but a compilation breach of staggering scale. In June 2025, security researchers discovered a publicly accessible database containing approximately 16 billion login credentials — usernames and passwords — compiled from infostealer malware logs, phishing kit harvests, and accumulated outputs from hundreds of prior breaches spanning multiple years. The credentials were tied to accounts at services including Google, Apple, Meta, and thousands of other platforms.

The scale is difficult to contextualise: 16 billion credential pairs in a world of approximately 8 billion people implies, on average, two compromised credential sets per person on the planet. In practice, the database reflected years of accumulated credential theft, heavy duplication across platforms from password reuse, and the aggregation effect of infostealer malware — a category of malicious software designed specifically to harvest stored passwords from browsers and applications.

The primary threat the leak created was not direct account compromise from the database itself — it was the acceleration of credential stuffing attacks. Automated tools that test known username/password combinations across hundreds of services simultaneously became significantly more dangerous as the database gave attackers an enormous inventory of real credentials to test. Security firms issued urgent guidance to businesses to check employee credentials against breach databases, enforce password reset cycles, and monitor login activity for anomalous patterns.

What it revealed: Password reuse across services remains catastrophically common despite years of security awareness efforts. A credential compromised in one breach enables access to dozens of other services where the same password is reused. The countermeasure — using a password manager to generate and store unique passwords for every service — is technically simple and inexpensive, yet adoption remains insufficient to address the scale of the problem. MFA provides the most direct mitigation against credential stuffing: even with a valid username and password, an attacker who cannot pass the MFA step cannot access the account.
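The monitoring guidance above, turned into detection logic, as an added example (not code from the original article): it flags a source address that tries many distinct accounts inside a short window with mostly failed logins, and lists any account that did log in from that source so it can be reset first. The log line format, the sample lines and the thresholds are assumptions for the demo.

```python
"""Detect credential-stuffing patterns in authentication logs.

Added example, not code from the original article. The log format is an
assumption for the demo: one event per line,
    <ISO-8601 UTC timestamp> ip=<source> user=<account> result=<success|failure>
The sample lines below are constructed, not taken from any real system.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.7 walks through many accounts with leaked
# passwords and lands one login; 198.51.100.2 is one user retyping a password.
SAMPLE_LOG = """\
2025-06-18T10:00:01Z ip=203.0.113.7 user=alice result=failure
2025-06-18T10:00:02Z ip=203.0.113.7 user=bob result=failure
2025-06-18T10:00:03Z ip=203.0.113.7 user=carol result=failure
2025-06-18T10:00:04Z ip=203.0.113.7 user=dave result=failure
2025-06-18T10:00:05Z ip=203.0.113.7 user=erin result=failure
2025-06-18T10:00:06Z ip=203.0.113.7 user=frank result=failure
2025-06-18T10:00:07Z ip=203.0.113.7 user=grace result=success
2025-06-18T10:01:00Z ip=198.51.100.2 user=hank result=failure
2025-06-18T10:01:20Z ip=198.51.100.2 user=hank result=failure
2025-06-18T10:01:45Z ip=198.51.100.2 user=hank result=success
"""

WINDOW = timedelta(minutes=5)   # look-back window per source address (assumed)
MIN_DISTINCT_USERS = 5          # stuffing touches many accounts, not one
MIN_FAILURE_RATIO = 0.8         # leaked passwords are mostly stale


def parse_line(line):
    """Return (timestamp, ip, user, result) for one log line."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["ip"], fields["user"], fields["result"]


def detect_stuffing(log_text, window=WINDOW,
                    min_users=MIN_DISTINCT_USERS, min_ratio=MIN_FAILURE_RATIO):
    """Map each suspicious source IP to what it did inside the window.

    A source is flagged when, within `window`, it tried at least `min_users`
    distinct accounts and at least `min_ratio` of those attempts failed.
    Accounts that logged in successfully from a flagged source are reported
    under "compromised": those are the password-reuse victims to reset first.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward so evs[start:end+1] fits in it
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            failures = sum(1 for e in chunk if e[3] == "failure")
            if len(users) >= min_users and failures / len(chunk) >= min_ratio:
                hits = sorted({e[2] for e in chunk if e[3] == "success"})
                prev = alerts.get(ip)
                # keep the largest qualifying window seen for this source
                if prev is None or len(chunk) > prev["attempts"]:
                    alerts[ip] = {"attempts": len(chunk),
                                  "distinct_users": len(users),
                                  "failures": failures,
                                  "compromised": hits}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_users']} accounts in "
              f"{info['attempts']} attempts, {info['failures']} failed; "
              f"reset: {', '.join(info['compromised']) or 'none'}")
```

A real deployment would add a second view keyed by account rather than source, since stuffing campaigns rotate through proxy pools to keep any single address below per-IP thresholds.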

PowerSchool: 62.4 Million Students and Teachers Exposed

The PowerSchool breach — which affected one of the most widely used educational technology platforms in North America — unfolded between December 2024 and January 2025, with the full scope becoming clear in early 2025. Approximately 62.4 million students and 9.5 million teachers had their data exposed in the incident, making it one of the largest education sector breaches ever recorded.

PowerSchool provides student information systems — the platforms schools use to manage grades, attendance, student records, and communications with families — to school districts across the US, Canada, and internationally. The breach exposed names, addresses, phone numbers, Social Security numbers, medical records, and academic history for tens of millions of individuals, many of them minors whose data was held in trust by their schools.

The breach occurred through compromised maintenance tool credentials — a support portal used by contractors and PowerSchool staff for system management was accessed with stolen credentials. The attacker exported student and teacher data tables from the production database before the access was detected. The scale of the exposure was amplified by the centralised nature of PowerSchool’s platform: a single credential compromise at the platform level enabled access to data from thousands of individual school districts.

What it revealed: Support and maintenance portals are high-value targets because they often have broad access to production data but receive less security scrutiny than customer-facing systems. Centralised SaaS platforms create systemic risk: a single breach of the platform provider exposes all customers simultaneously, regardless of each individual customer’s own security posture. Multi-factor authentication on all administrative access — including vendor and contractor portals — and continuous monitoring of administrative account activity are the most direct preventive measures.

US Treasury Department Breach: State-Sponsored Third-Party Attack

In late December 2024, the US Treasury Department learned that its systems had been compromised through a contractor’s remote support tool — a vendor product used for remote IT maintenance that had been compromised by an external attacker. The incident became public in early January 2025 and was attributed to a Chinese state-sponsored threat group. Treasury classified it as a “major cybersecurity incident.”

The attack method — compromising a contractor’s remote access tool rather than directly attacking the target organisation — reflects a broader strategic shift in sophisticated threat actor tactics. Remote support and maintenance tools present an ideal entry point: they are designed to have broad system access, they are often less strictly monitored than regular network connections, and compromising them provides access not just to one customer but potentially to every organisation the vendor serves. A single weak credential or unpatched vulnerability in a contractor’s tool can become an entry point into dozens of high-value targets.

The Treasury breach accessed unclassified systems and documents — not the most sensitive classified infrastructure — but the political and reputational significance of a successful penetration of a core US government financial institution was substantial. The incident triggered Congressional oversight hearings and renewed pressure on federal agencies to accelerate zero-trust security architecture adoption.

What it revealed: Vendor and contractor access represents one of the most underestimated attack surfaces in both government and enterprise environments. Remote support tools that “have access to everything” are high-priority targets for nation-state and sophisticated criminal actors. Organisations need to understand exactly what access their vendors have, enforce MFA and conditional access on all vendor-managed tools, continuously monitor vendor-originated connection activity, and have the ability to immediately revoke vendor access if an incident is suspected.

DaVita Healthcare: Double Extortion Ransomware Against Patient Records

In mid-April 2025, DaVita — a major US dialysis provider serving hundreds of thousands of patients — reported a significant ransomware incident affecting its systems. Federal notifications later confirmed approximately 2.7 million individuals were affected. The attackers employed the now-standard double extortion approach: data was exfiltrated from laboratory databases and patient record systems before systems were encrypted, creating simultaneous operational paralysis and a separate data disclosure threat.

The DaVita breach illustrates the specific danger of ransomware in healthcare. Unlike in most industries where an operational outage means revenue loss and customer disruption, in healthcare it means disruption to patient care — dialysis patients who require regular treatment, diagnostic delays, medication administration errors from inaccessible records. The human cost of healthcare ransomware extends well beyond the financial and data privacy dimensions. DaVita’s clinics continued operating during the incident, but the exposure of 2.7 million patients’ medical details and personal identifiers created lasting fraud and privacy risks for individuals who could not be protected from the consequences of a breach they had no agency in preventing.

Healthcare remains the most expensive sector for data breaches for a compounding set of reasons: the sensitivity of the data (medical records are more permanently valuable to identity thieves than financial credentials that can be changed), the regulatory environment (HIPAA notification requirements, potential HHS enforcement actions), the operational disruption costs (clinical downtime in patient care settings), and the legal liability (class action suits from affected patients). Healthcare breaches average $7.42 million per incident — nearly 70 percent above the global average of $4.4 million.

What it revealed: Modern ransomware should be assumed to include data exfiltration, not just encryption. Backup restoration restores operations but does not address the stolen data. Healthcare organisations need both operational recovery capabilities (tested backups, incident response plans) and data theft response capabilities (breach notification processes, patient communication protocols, credit and identity monitoring provision). The operational resilience planning that enables care continuity during a ransomware incident is as important as the cybersecurity measures that prevent one.

Marks & Spencer: Social Engineering into Ransomware

In April 2025, British retail giant Marks & Spencer experienced a major operational disruption when threat actors used social engineering to gain access to the company’s systems and launch ransomware. The attackers specifically targeted M&S’s IT help desk — impersonating employees to convince help desk staff to reset credentials and MFA devices, providing access to systems that were then used to deploy ransomware across M&S’s infrastructure.

The incident disrupted M&S’s online ordering system, causing extended outages that resulted in reported losses estimated in the hundreds of millions of pounds. The attack was attributed to Scattered Spider, a threat group with a documented history of social engineering-based attacks against major enterprises including MGM Resorts and Caesars Entertainment. Scattered Spider’s methodology — using social engineering rather than technical exploitation as the primary entry vector — represents a category of attack that technical security controls alone cannot prevent.

The M&S breach is a particularly clear illustration of a pattern that Verizon’s 2025 DBIR documented in the data: the human element is present in approximately 60 percent of breaches. Scattered Spider specifically targets IT help desks because their function — resetting credentials for employees who are locked out — is exactly what an attacker needs, and because help desk staff are trained to be helpful to people who claim to be employees in need of assistance. The countermeasure requires establishing verification protocols that help desk staff cannot bypass regardless of social pressure: identity verification through multiple pre-established methods, approval escalation requirements for certain actions, and specific training on the social engineering techniques attackers use against help desk personnel.

What it revealed: Help desk social engineering is one of the highest-ROI attack techniques available to threat actors — it requires no technical sophistication, can be executed by phone, and bypasses significant layers of technical security by obtaining legitimate credentials rather than exploiting software vulnerabilities. Identity verification procedures for help desk requests — particularly for credential resets and MFA device changes — need to be both rigorous and resistant to social pressure that would cause staff to bypass them.

Conduent: Eight Terabytes Stolen from Business Services Giant

Conduent — a major business process outsourcing company serving government agencies, healthcare organisations, and major enterprises — confirmed in an SEC filing in April 2025 that attackers had accessed its systems between October 21, 2024 and January 13, 2025 (83 days of dwell time) and stolen more than 8 terabytes of data. The breach affected multiple downstream clients including Volvo Group North America, whose employee and customer data was exposed through Conduent’s systems without any direct compromise of Volvo’s own infrastructure.

The Conduent breach exemplifies the third-party supply chain risk dynamic that rose so sharply in Verizon’s 2025 DBIR data. Conduent processed sensitive data — Social Security numbers, dates of birth, health insurance details, financial information — on behalf of clients who had no direct visibility into or control over Conduent’s security posture. When Conduent was breached, Volvo and other clients became breach victims without their own systems ever being attacked. The 83-day dwell time meant attackers had nearly three months to identify and exfiltrate high-value data across multiple client datasets before detection.

The SEC filing requirement — introduced through new SEC cybersecurity disclosure rules that took effect in 2024, requiring public companies to report material cybersecurity incidents within four business days — created regulatory visibility into the breach that might previously have been disclosed much more quietly or not at all. The transparency requirement, while creating compliance obligations, also provides market participants with information about cyber risk that was previously opaque.

What it revealed: Third-party risk management cannot be a checkbox compliance exercise. The due diligence, contractual security requirements, and ongoing monitoring that organisations apply to vendors who handle their sensitive data must be proportionate to the data access those vendors have. For vendors with access to sensitive customer or employee PII, security requirements in contracts, regular audit rights, and continuous monitoring of vendor-originated data flows are essential — not optional.

Early 2026: The Pattern Continues

The breach incidents documented in early 2026 continue the patterns established in 2025. In February 2026, Odido — a Dutch telecommunications provider — disclosed a cyberattack affecting up to 6.2 million customers, with attackers accessing a customer contact system and downloading names, addresses, email addresses, mobile numbers, IBAN banking details, and passport or driver’s licence information. PayPal disclosed a breach of its Working Capital product in February 2026, triggering breach notification letters and reports of unauthorised transactions from affected users. In January 2026, Eurail — the European rail pass provider — disclosed that data on an undetermined number of travellers, including passport information, had been stolen and was being offered for sale on Telegram. Healthcare breaches continue at pace in early 2026, with an API-based breach at a health insurance provider between December 2025 and January 2026 exposing Social Security numbers, health plan data, and personal identifiers for large numbers of policyholders.

The 2026 early-year breach data reinforces the same themes: APIs with insufficient access controls, credential-based access from prior breaches, third-party and supply chain exposure, and healthcare data remaining the primary target for its long-term identity fraud value.

The Seven Lessons That 2025–2026 Breaches Keep Proving

Reading across the incidents above — and the thousands of smaller breaches that do not receive headline coverage — several patterns emerge with such consistency that they amount to settled lessons rather than emerging hypotheses.

Lesson One: Credential theft and reuse are the primary initial access vectors. The 16 billion credential leak, the PowerSchool breach via contractor credentials, and the Treasury Department breach via vendor tool compromise all represent the same root cause: credential-based access that was available to attackers because credentials had been compromised previously and were not rotated or protected with MFA. Password managers and organisation-wide MFA enforcement directly address the most common initial access method in modern breaches.

Lesson Two: Third-party and supply chain exposure has doubled and is now the primary scaling mechanism for breach impact. Third-party involvement in breaches rose from 15 percent to 30 percent in Verizon’s 2025 DBIR. The Conduent, Treasury, PowerSchool, and M&S breaches all involved third-party vectors at critical points. Organisations that invest heavily in their own security while leaving vendor access unmonitored and under-governed are protecting the front door while leaving the service entrance open.

Lesson Three: Modern ransomware means data theft regardless of backup recovery. Forty-four percent of 2025 breaches involved ransomware. In the majority of significant ransomware attacks, data was exfiltrated before systems were encrypted. Backup recovery restores operational capability but does not address the data theft. Organisations that respond to a ransomware detection by restoring from backup and declaring the incident over — without investigating what data was accessed and potentially exfiltrated during the dwell period — are addressing only half the problem.

Lesson Four: Detection and containment speed directly determines financial outcome. Breaches resolved under 200 days cost an average of $3.87 million. Breaches that took longer cost $5.01 million. The $1.14 million difference justifies significant investment in detection capabilities — SIEM systems, endpoint detection and response, network anomaly detection — that reduce dwell time. AI and automation in security operations reduced breach costs by an average of $1.9 million in IBM’s 2025 analysis and shortened breach lifecycles by 68 days. These are among the most financially compelling ROI calculations in enterprise technology.

Lesson Five: Social engineering bypasses technical controls. The M&S breach and multiple other 2025 incidents were initiated through social engineering of IT help desks rather than technical exploitation. No firewall, no endpoint protection, and no network monitoring detects a threat actor who has convinced a help desk employee to provide legitimate credentials. Help desk identity verification protocols, security awareness training focused on social engineering resistance, and verification escalation requirements for sensitive account actions are the countermeasures.

Lesson Six: Tested incident response reduces cost by 61 percent. IBM’s 2025 data found that organisations with regularly tested incident response plans reduced breach costs by an average of 61 percent, saving approximately $2.66 million per incident. Yet in 2025, only 35 percent of organisations said they had fully rehearsed and tested their incident response plans. The gap between those who test and those who do not is one of the largest and most actionable factors in breach cost variation.

Lesson Seven: Breach notifications are becoming less informative. Seventy percent of breach notices sent in 2025 provided consumers with no meaningful information about how the breach occurred — up from 65 percent in 2024. This trend serves breached organisations’ legal and reputational interests at the expense of consumers’ ability to take targeted protective action. Regulatory frameworks that require meaningful disclosure — not just legal-minimum boilerplate — are increasingly necessary to ensure that breach notification serves its stated purpose of enabling consumers to protect themselves.

What to Do If Your Data Has Been Breached

Given that 80 percent of US consumers received at least one breach notification in the past 12 months, and 40 percent received three to five, the practical question for most people is not how to avoid being notified of a breach — it is what to do when one arrives.

The first and most important action is to change the password for the account or service that was breached, and to change the same password everywhere else it is used (this is the moment that most clearly illustrates why password reuse across services is so consequential). Enable or verify MFA on the breached account and on any other account where it is not yet active. Monitor the breached account and any financial accounts associated with the same email address for unusual activity. Place a fraud alert or credit freeze with the major credit bureaus if the breached data included Social Security numbers, financial account details, or other identity-enabling information — a credit freeze prevents new credit lines being opened in your name without your explicit consent, and it is free to place and lift in the US.

Be specifically alert to targeted phishing attempts in the weeks and months following a breach notification: attackers who have acquired your email address and name from a breach frequently use that information to craft more convincing phishing messages that reference the breached service, creating the impression that the email is a follow-up communication from the company about the breach. Fifty-four percent of breach notification recipients reported an increase in targeted phishing attempts following the notification.

The broader context for individual action is important to hold alongside practical advice: the most impactful decisions about data security are made by the organisations that collect and store personal data, not by the individuals whose data is collected. The consistent message from 2025 and 2026’s biggest breaches is that avoidable failures — unrotated credentials, unmonitored vendor access, untested incident response plans — are enabling the majority of the most damaging incidents. The individuals affected by those failures have limited agency over the organisational decisions that created the vulnerability. What they can control is the extent to which their own credential hygiene (strong unique passwords, MFA everywhere) limits the damage when the next breach occurs.
