Cyber Incidents 2025: 10 Costly Shocks That Redefined Cyber Liability Insurance

In 2025, a series of cyber incidents hit businesses hard. Marks & Spencer stopped online orders and faced weeks of disruption. Jaguar Land Rover paused production and took major losses. npm supply-chain attacks put developer secrets at risk. Cloud outages at AWS, Azure, and Cloudflare caused widespread service failures. Tokio Marine HCC International documented these events in its annual “Top 10 Cyber Incidents 2025” report.

The report explains that its Top 10 list is not a ranking, but highlights incidents with major disruption or financial impact. It warns that single points of failure can affect whole industries. Underwriters are using these lessons to set stricter controls, ask more questions, and make renewals for cyber liability insurance tougher.

Marks & Spencer Ransomware Incident

Marks & Spencer reported an attack on 22 April 2025 and confirmed it was ransomware. The company stopped online orders and had in-store system outages. The report estimates a £300 million loss in operating profit. Attackers got customer data such as names and order histories, according to the report.

This disruption affected the wider UK retail sector too. For example, Co-op said member contact details were copied during this time, and Harrods reported a third-party breach that exposed data for around 430,000 customers.

Jaguar Land Rover Ransomware Attack

Jaguar Land Rover also found an intrusion on 31 August 2025, which led to an operational shutdown to stop the threat. The outage stopped assembly and engine production in several countries and disrupted dealers and the supply chain, according to the report.

The Cyber Monitoring Center described the loss as staggering. It wrote that, “at £1.9 billion of financial loss,” this appeared to be the UK’s most damaging cyber event. The loss was due to lost manufacturing output at JLR and its suppliers.

AWS, Azure, And Cloudflare Outages

A series of outages showed the risk of relying on a few cloud providers, according to the report. On 20 October, AWS had a DNS resolution failure that affected a DynamoDB endpoint. “More than 80 AWS services were impacted,” and the disruption lasted about two hours.

Azure then had global connectivity and DNS problems on 29 October, the report says. Cloudflare had a major disruption on 18 November after an internal change. The incidents were not related, but their timing made the business impact worse.

Salesforce / Drift OAuth Large-Scale Data Breach

Salesforce sent a security notice about the Drift app on 21 August. After that, customers reported suspicious activity tied to Drift integrations, the report says. Attackers used stolen OAuth tokens to get into customer environments.

Salesforce revoked tokens and disabled Drift integrations at scale, the report says. Google’s Threat Intelligence team linked the campaign to UNC6395. The report says attackers targeted OAuth authorization flows, not Salesforce’s core platform.

npm Ecosystem Supply-Chain Attack

Attackers phished maintainers and published malicious versions of widely used JavaScript libraries, compromising hundreds of packages with billions of weekly downloads, according to the report. Additionally, a worm, publicly dubbed “Shai Hulud,” hunted credentials in build environments.

The worm harvested GitHub tokens and cloud credentials, according to the report. Registry owners removed compromised packages starting 14 September. Teams then rotated credentials and purged infected lockfiles.

Oracle Cloud Platform Alleged Supply-Chain Breach

A threat actor tried to sell about 6 million records, claiming to have stolen Oracle Cloud data, the report says. Threat-intelligence firm CloudSEK described the dataset and how it was taken. The actor said they got in through a login endpoint and old middleware.

Oracle publicly denied a breach, noting, “Published credentials are not for the Oracle Cloud, and no Oracle Cloud customers experienced a breach or lost any data.”

APT Group AI-Orchestrated Campaign Using Claude

Anthropic researchers detected a state-linked espionage campaign in mid-September, according to the report. The group used Claude “in an ‘agentic’ fashion,” with heavy automation. The report says AI agents executed many attack phases across targets worldwide.

Tokio Marine HCC framed the moment as a market turning point. Xavier Marguinaud said, “AI evolved from a theoretical risk to an active threat.” He tied that shift to cyber underwriting decisions.

SK Telecom Breach And USIM Exposure

Other regions faced enduring threats as well. SK Telecom detected abnormal outbound traffic on 18 April and reported the breach two days later. The report says attackers had maintained access since June 2022. Forensics found multiple malware families across dozens of servers.

The breach exposed USIM-linked data for about 27 million subscribers, according to the report. The exposure increased the risk of SIM cloning and identity theft. Regulators imposed remediation and required a nationwide USIM replacement program.

Kering Group Luxury Brand Customer Data Exposure

Kering confirmed unauthorized access to internal systems at some brands in June, according to the report. The affected brands included Gucci, Balenciaga, and Alexander McQueen, and the exposed data included names, emails, and addresses.

Hackers claiming to be ShinyHunters posted samples and said they had over 7 million records, the report says. Kering said the breach did not involve payment or identity data and that it notified regulators and customers.

Asahi Group Holdings Ransomware Disruption

Business disruptions were not limited to Europe. Asahi detected an attack on 29 October and suspended key systems across Japan, the report says. The shutdown halted order processing and delayed shipments. Call-center support also went offline during the response.

The ransomware group Qilin claimed responsibility, the report notes. Asahi did not confirm the extent of data compromise. The company warned of ongoing distribution delays and pledged stronger controls.

Summary And Conclusion

The report says 2025 exposed “the growing fragility of global digital ecosystems.” It points to ransomware, supply-chain compromise, and cloud concentration as systemic drivers, reinforcing rising insurance claims and the need for evolving policy terms. It calls for “proactive, coordinated and adaptive cybersecurity practices.” Those needs now shape both coverage demands and claims expectations in cyber liability insurance.

