The security gaps that caused 2025’s biggest breaches

As cybercrime becomes increasingly complex, the line between resilience and catastrophe becomes increasingly thin. In 2025, healthcare, automotive, financial, defense, and technology companies suffered massive breaches that cost billions in losses, exposed millions of records, and caused weeks of operational paralysis.
A closer examination reveals a sobering pattern: these were not exotic attacks beyond any defense. They exploited preventable weaknesses, most commonly unpatched vulnerabilities, misconfigurations, stolen credentials, weak identity controls, and insufficient monitoring. Those gaps persist because security is siloed, with patching in one tool, endpoint protection in another, and identity management in yet another, leaving blind spots that attackers exploit with alarming consistency.
Here are 15 real-world breaches from 2024–2025, grouped into five major attack vectors, with a look at where unified endpoint management and security could have disrupted the attack chain at multiple points. Each tells the same story: a fundamental security lapse that let attackers dwell undetected, exfiltrate data, and cripple their victims.
Decoding the breach: Why these attacks keep happening
1. Identity and access management failures
The pattern: Attackers aren't breaking in; they're logging in using stolen or poorly managed credentials.
Jaguar Land Rover learned this when a vishing attack on an LG contractor turned Jira credentials dating from 2021 into an estimated £1.9 billion catastrophe. A month-long production shutdown followed as attackers used accounts that should have been deactivated years earlier.
Marks & Spencer fell victim when attackers, believed to be the group Scattered Spider, went through a third-party help desk over the Easter holiday weekend, exploiting weak identity verification to obtain administrative access. The group then deployed DragonForce ransomware, halting e-commerce and logistics across the retailer's organization. By bypassing identity verification through social engineering, the attackers paralyzed operations without needing a software exploit.
Qantas suffered a fast-moving vishing attack in which impersonators posed as authorities to trick call center staff into handing over credentials. Within 24 hours, records of nearly six million customers had been compromised.
Coinbase faced perhaps the most insidious variant: the insider threat. Bribed offshore support contractors and staff systematically exported records of 69,461 customers, including partial Social Security numbers and government ID images, over nearly five months. They did not hack anything; they used the access they had legitimately been granted.
Red Hat's consulting GitLab instance shows what a failure to detect bulk exfiltration looks like: stolen credentials opened access to roughly 28,000 repositories, and about 570GB of data walked out the door.
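Every breach in this section comes back to an account that was still valid when it should not have been: a contractor whose engagement ended years ago, a credential never rotated, an interactive login without MFA. The following is an added example, not code from this page or from any of the companies named above, of the review a team could run over an identity inventory. The field names, thresholds, and accounts in it are assumptions and the inventory is constructed:

```python
# Added example (not from the page): flag accounts that should already have been
# disabled. Field names and thresholds are assumptions; the inventory is constructed.
from datetime import date

MAX_INACTIVE_DAYS = 90       # assumed policy: disable after 90 days without a login
MAX_PASSWORD_AGE_DAYS = 365  # assumed policy: rotate credentials yearly
AUDIT_DATE = date(2025, 9, 15)  # "today" for the run below

# Constructed inventory, shaped like an export from an IdP or an application such as Jira.
ACCOUNTS = [
    {"user": "contractor.a", "type": "contractor", "enabled": True, "mfa": False,
     "last_login": "2021-06-14", "password_set": "2021-03-02", "contract_end": "2021-09-30"},
    {"user": "dev.b", "type": "employee", "enabled": True, "mfa": True,
     "last_login": "2025-09-01", "password_set": "2025-04-10", "contract_end": None},
    {"user": "svc.build", "type": "service", "enabled": True, "mfa": False,
     "last_login": "2025-09-02", "password_set": "2023-01-01", "contract_end": None},
    {"user": "former.c", "type": "employee", "enabled": True, "mfa": True,
     "last_login": "2024-11-20", "password_set": "2024-01-05", "contract_end": "2025-01-31"},
    {"user": "old.d", "type": "employee", "enabled": False, "mfa": False,
     "last_login": "2022-01-01", "password_set": "2021-01-01", "contract_end": None},
]


def _parse(value):
    """ISO date string -> date, or None when the field is empty."""
    return date.fromisoformat(value) if value else None


def review_account(acct, today):
    """Return the reasons an enabled account should be disabled or remediated."""
    reasons = []
    if not acct["enabled"]:
        return reasons  # already disabled; nothing to do

    end = _parse(acct["contract_end"])
    if end is not None and end < today:
        reasons.append(f"contract ended {end.isoformat()} but account is still enabled")

    last = _parse(acct["last_login"])
    if last is None or (today - last).days > MAX_INACTIVE_DAYS:
        reasons.append(f"no login in more than {MAX_INACTIVE_DAYS} days")

    pw = _parse(acct["password_set"])
    if pw is not None and (today - pw).days > MAX_PASSWORD_AGE_DAYS:
        reasons.append(f"password unchanged for {(today - pw).days} days")

    if acct["type"] != "service" and not acct["mfa"]:
        reasons.append("interactive account without MFA")
    return reasons


def audit(accounts, today):
    """Map each account that has findings to its list of reasons."""
    findings = {}
    for acct in accounts:
        reasons = review_account(acct, today)
        if reasons:
            findings[acct["user"]] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in audit(ACCOUNTS, AUDIT_DATE).items():
        print(user)
        for r in reasons:
            print("  -", r)
```

Run on the constructed inventory, the contractor account whose contract ended in 2021 trips every rule, which is the shape of the stale-credential problem above; the disabled account produces nothing, and the active employee with MFA and a recent login is left alone. The point of keeping the thresholds as named constants is that the review has to be re-run on a schedule, not once.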
2. Infrastructure and cloud misconfigurations
The pattern: These are not complex exploits but preventable mistakes, where systems go live without basic controls such as authentication.
An unauthenticated MongoDB instance exposed 16 terabytes of data, 4.3 billion records including online profiles, employment history, and contact information, all because it was deployed without authentication and left reachable from the internet.
Blue Shield of California misconfigured advertising tracking pixels on their website, silently sharing 4.7 million members' personal health information with third parties for three years through Google Analytics.
3. Vulnerability and patch management
The pattern: Known flaws that simply weren't fixed in time or at all.
SAP NetWeaver became a playground for threat actors who exploited a critical zero-day across 450+ instances, installing web shells for corporate espionage and ransomware. Exploitation was already underway when the emergency patch shipped, so organizations had hours, not weeks, to apply it. Most didn't make it.
Microsoft SharePoint fell victim to nation-state actors who exploited zero-day vulnerabilities in 85+ on-premises instances over more than two months, deploying web shells to exfiltrate proprietary source code. A patch existed, but it was not deployed fast enough.
Barts Health NHS Trust discovered the Oracle E-Business Suite zero-day when Cl0p came through the unpatched flaw, exfiltrating financial and personal data of employees, patients, and suppliers before leaking it publicly.
DaVita recorded $13.5 million in charges after unpatched file transfer systems and remote access tools were breached by Interlock ransomware.
4. API and application logic flaws
The pattern: As businesses moved to the cloud, the interfaces through which applications talk to each other became a primary attack vector.
The Salesforce OAuth supply chain attack demonstrated this perfectly. OAuth tokens stolen from Salesloft's Drift integration, the bearer tokens that let one application act on behalf of another, gave attackers legitimate-looking access to the Salesforce instances of 700+ organizations. For 10 days they exfiltrated CRM data and harvested the cloud credentials embedded in it before anyone noticed.
Allianz Life Insurance suffered an Insecure Direct Object Reference (IDOR) flaw: attackers simply changed the account ID parameter in API requests. Over 16 days, they systematically scraped nearly 1.5 million policyholder records, including Social Security numbers and beneficiary designations.
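To make the IDOR pattern concrete, here is an added example, written for this page rather than taken from Allianz or any vendor, in Python with a constructed policy store and constructed access logs. It shows the lookup that trusts the ID parameter, the fixed lookup that checks ownership before returning anything, and a simple detector that would surface a multi-day scrape from ordinary access logs. The record layout, log format, and thresholds are assumptions:

```python
# Added example (not the page's or Allianz's code): an IDOR-prone record lookup,
# its fixed form, and an enumeration detector over constructed access logs.
import re
from collections import defaultdict

# Constructed store of policy records, keyed by a sequential, guessable id.
POLICIES = {
    1001: {"owner": "alice", "ssn_last4": "1234", "beneficiary": "Bob"},
    1002: {"owner": "carol", "ssn_last4": "9876", "beneficiary": "Dan"},
    1003: {"owner": "alice", "ssn_last4": "5555", "beneficiary": "Eve"},
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def get_policy_insecure(caller, policy_id):
    """Vulnerable: the caller is authenticated, but ownership is never checked.
    Any logged-in user can walk policy_id upward and read every record."""
    return POLICIES.get(policy_id)


def get_policy_secure(caller, policy_id):
    """Fixed: load the object, then verify the caller owns it.
    Missing and foreign objects raise the same error, so ids cannot be enumerated
    by telling 'not yours' apart from 'does not exist'."""
    rec = POLICIES.get(policy_id)
    if rec is None or rec["owner"] != caller:
        raise Forbidden("policy not found")
    return rec


# Detection side: a scrape looks like one principal touching far more distinct
# object ids (or collecting far more denials) than any genuine user would.
LOG_RE = re.compile(r"user=(\S+) GET /api/policies/(\d+) (\d{3})")


def detect_enumeration(log_lines, max_distinct=20, max_denied=10):
    """Return {user: stats} for callers whose access pattern looks like enumeration."""
    distinct = defaultdict(set)
    denied = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        user, policy_id, status = m.group(1), int(m.group(2)), int(m.group(3))
        distinct[user].add(policy_id)
        if status in (403, 404):
            denied[user] += 1
    flagged = {}
    for user in set(distinct) | set(denied):
        if len(distinct[user]) > max_distinct or denied[user] > max_denied:
            flagged[user] = {"distinct_ids": len(distinct[user]), "denied": denied[user]}
    return flagged


# Constructed log: alice re-reads her own policy; mallory walks 40 sequential ids.
# The 200s on mallory's requests are what the insecure lookup produces; against the
# secure lookup the same walk yields denials and trips the denied-count rule instead.
SAMPLE_LOG = [f"2025-07-16T01:00:{i:02d}Z user=alice GET /api/policies/1001 200" for i in range(5)]
SAMPLE_LOG += [f"2025-07-16T02:00:{i:02d}Z user=mallory GET /api/policies/{1001 + i} 200" for i in range(40)]

if __name__ == "__main__":
    print("insecure, mallory reads carol's record:", get_policy_insecure("mallory", 1002))
    try:
        get_policy_secure("mallory", 1002)
    except Forbidden as e:
        print("secure, mallory denied:", e)
    print("flagged:", detect_enumeration(SAMPLE_LOG))
```

Two design choices matter here. The fixed lookup does the authorization check server-side on the object itself, so it holds regardless of what the client sends; and it returns one indistinguishable error for missing and foreign objects, which removes the oracle an attacker would otherwise use to map valid ids. The detector is deliberately crude, a per-user count of distinct ids and denials, because even that would have made a 16-day, 1.5-million-record walk stand out on the first day.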
5. Ransomware and malware attacks
The pattern: Once inside via any of the above vectors, ransomware turns access into destruction.
National Defense Corporation fell to Interlock ransomware that used PowerShell and valid accounts, remaining undetected for 4–6 weeks before exfiltrating 4.2 terabytes of defense contractor data, including procurement records referencing leading space-industry stakeholders and contractors.
Ingram Micro watched as attackers exploited VPN vulnerabilities, with insufficient network segmentation behind them, to deploy SafePay ransomware after weeks of persistence. Global distribution came to a halt, at an estimated cost of up to $136 million in lost revenue per day.
The unified defense advantage
These 15 attacks cost billions in direct losses, compromised millions of records, and destroyed organizational trust.
What do all these breaches share? They exploited gaps between security tools. When patching happens in one system, identity management in another, and threat detection in a third, attackers slip through the cracks.
Unified endpoint management and security changes this equation. By consolidating patch deployment, configuration enforcement, threat detection, behavioral analytics, and access controls into a single platform, solutions like Endpoint Central close those gaps before exploitation.
The question isn't if threat actors will target your systems—it's whether they'll face scattered security guards or a coordinated defense.
With Endpoint Central, the defense is always ready.