What Are The Latest Major Data Breaches And What Was Leaked?

Major Data breaches continue to get bigger, more disruptive and more harmful. Over the last 12 months, incidents have hit companies all over the world and several key themes are clear.

Firstly, it doesn’t matter how big your company is or how advanced the defenses are, as businesses of all sizes are targets. Secondly, it often doesn’t take hugely sophisticated threat actors to find a way into a network. User error, unpatched vulnerabilities and failures to implement basic safeguards like multifactor authentication all lead to large-scale breaches. Thirdly, cybercriminals aren’t looking to shut down servers to take websites offline – they’re after your data.

10 Of The Biggest Data Breaches Of 2025

The incidents below cover some of the biggest data breaches of 2025, highlighting what data was stolen and for what purposes. Understanding what has happened to other enterprises is essential in making sure firms are aware of the consequences of these threats and do not fall victim to the same mistakes.

1. Yale New Haven Health: Attackers accessed the US hospital network on March 8th, stealing names, Social Security numbers, dates of birth and medical record numbers from 5.5 million patients. A consolidated class action resulted in an $18 million settlement.

2. Marks & Spencer: Scattered Spider deployed DragonForce ransomware via social engineering, stealing customer data and halting online orders and click-and-collect for weeks. Lost profits reached approximately £300 million.

3. DaVita: Interlock ransomware hit the US dialysis provider on March 24th, encrypting systems and exfiltrating patient and lab records from 2.7 million people. Reported costs reached $13.5 million with class action litigation ongoing.

4. NTT Communications: Attackers breached the Japanese telecoms giant on February 5th, stealing contract records and network configuration data from 17,891 corporate clients. The data exposed detailed infrastructure blueprints across NTT’s global enterprise client base.

5. SK Telecom: BPFDoor malware, present since 2021, was detected on April 18th, exposing USIM authentication data for 23 million subscribers. The breach enabled SIM cloning risk nationwide and triggered a $97.2 million regulatory fine.

6. Aflac: Scattered Spider used social engineering to steal personal and health data from 22.65 million individuals on June 12th including Social Security numbers, medical records and insurance claims. Over 20 class action lawsuits followed.

7. Qantas: Attackers stole names, contact details and frequent flyer data from 5.7 million customers via a third-party platform on June 30th. Qantas refused a ransom demand and the data was published on the dark web in October.

8. Prosper Marketplace: Attackers accessed the US lending platform undetected from June to August, stealing names, Social Security numbers, bank account numbers, passport numbers and tax data from 13.1 million individuals.

9. Jaguar Land Rover: A Scattered Spider linked attack halted production from September 1st for over five weeks. The Cyber Monitoring Centre issued a Category 3 classification and estimated economic damage at £1.9 billion.

10. TransUnion: Attackers accessed the US credit reporting agency through a compromised third-party application on July 28th, stealing names, Social Security numbers and dates of birth from 4.4 million individuals.