2025 was a year dominated by data breaches, each impacting millions of customers. AI came to the fore, as a force for both good and evil. Businesses fell foul of poor supply chain visibility and control, resulting in the exposure of vast quantities of sensitive information. Meanwhile, governments and authorities worldwide grappled with enacting laws and regulations to protect consumer data without stymieing technological innovation and business growth.
In this article, we take a look at some of the major events that have shaped data security in 2025, and consider the lessons we can take forward as we look ahead to the new year.
Breaches that broke records
This year has brought some of the biggest, costliest cyber-attacks of all time, resulting in the exposure of millions of records each and costing billions in recovery and lost business.
Among the costliest cyber-attacks of the year, and the UK’s most costly breach of all time, was the attack on JLR in August 2025. The attack caused widespread operational disruption, halting global manufacturing and shutting down production lines. The company canceled orders from suppliers, with no clear timeline on future demand. Conservative estimates put total losses at £1.9bn, covering costs to JLR directly, to its affected supply chain and to the wider economy as a whole.
Meanwhile, ransomware attacks continued to wreak havoc. Organized threat collectives performed coordinated attacks against some of the UK’s biggest retailers, including M&S, Co-op and Harrods. In addition to widespread encryption and ransom demands, these groups exfiltrated sensitive information for later use in extortion attempts against the company and high-profile individuals.
Airlines were another heavily targeted sector in 2025, with a series of attacks attributed to the Scattered Spider threat group. Over the summer, Australia’s Qantas, Canada’s WestJet Airlines and Hawaiian Airlines were targeted, affecting more than 7 million customers.
Geopolitical tensions have been on the rise globally, reflected in the rate of politically motivated and nation-state sponsored cyber-attacks observed this year. Just this month, action by hacktivist groups was found responsible for a surge in attacks against water treatment, food production and energy services in the US. Additionally, nation-state-backed cybercrime has proven to be an effective funding strategy for regimes under international sanctions.
The double-edged sword of AI
The year has been dominated by AI, and adoption rates have soared, particularly of generative AI (genAI) tools. However, while these tools bring much potential and new opportunity, they also have a dark side. Almost 70% of organizations have experienced data leakage through employee use of AI tools. Meanwhile, 13% of organizations reported breaches of their AI models or applications, 97% of which were down to a lack of effective AI access controls.
An EY survey found that almost all respondents had experienced losses due to AI-related risks, including regulatory non-compliance, inaccurate or poor-quality data and energy use impacting sustainability targets. They claimed average losses of £2.9m related to poor AI governance.
Among the many regulatory concerns surrounding the development and use of AI technology, data sovereignty became a hot topic earlier this year with the release of DeepSeek – a China-developed generative AI chatbot similar to OpenAI’s ChatGPT or Google’s Gemini.
DeepSeek raised concerns for jurisdictions with privacy laws placing geographical restrictions on data processing, since all conversations would be processed in the People’s Republic of China. While DeepSeek has ignited the data sovereignty debate, all AI tools introduce sovereignty risks because they process vast user data without stating how or where it is handled. When employees use these tools, they may unknowingly transfer sensitive data to unauthorized geographies and jurisdictions.
The weakest link
At times it has felt as though not a week has passed without another major company reporting a breach resulting from supply chain failures. In the second half of the year, attackers targeted a zero-day in Oracle E-Business Suite (EBS), leading to the successful compromise of healthcare providers, technology companies, education institutions and auto parts suppliers.
Over the last few years, the vulnerability of the software supply chain has come into sharp focus. Throughout 2025, organizations have fallen victim to attacks leveraging unpatched flaws in third-party services such as Oracle EBS, GoAnywhere and MOVEit – a managed file transfer solution specifically designed for safe confidential file sharing.
It’s not just weaknesses in software and services that have exposed businesses to cyber-attacks and compromised data. Throughout 2025, cyber-news outlets have reported a rise in malicious packages uploaded to code repositories such as npm and PyPI, which supply pre-built components for application development. These packages are primarily designed for data exfiltration, targeting secrets, personal information and access credentials.
The regulatory balancing act
In an attempt to stem the tide of cybercrime and protect the privacy rights of individuals, regulators and legislators have also made significant progress on data-focused regulation this year. According to UNCTAD, 155 out of 195 countries have now enacted data protection and privacy legislation, covering 82% of the world’s population.
In the EU, requirements of the AI Act came into force throughout the year prohibiting high-risk and manipulative uses, and establishing the governance framework for enforcement. Additionally, the Data Act entered into application from September this year, providing fair use of data to businesses and greater control and choice to consumers over their data.
Later in the year, the European Commission published its Digital Omnibus Regulation Proposal – a set of changes to the AI Act, Data Act and General Data Protection Regulation – which aims to reduce overlap between regulations, lower the compliance burden on organizations and provide legal clarity for enforcement.
In the United States, privacy laws came into effect in eight states through 2025: Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota and Maryland. While a federal privacy law remains elusive, an executive order issued in December 2025 aims to establish a national policy framework for artificial intelligence, helping to consolidate and unify state-level AI legislation in support of technology innovation.
Meanwhile, Australia’s first tranche of major privacy reforms came into force at the start of the year. These changes update its 1988 Privacy Act, introducing new offenses, enhancing citizens’ rights of action and expanding enforcement capabilities, as well as requiring a Children’s Online Privacy Code by December 2026. Alongside the updated privacy legislation, Australia’s Department of Industry, Science and Resources published its Guidance for AI Adoption, replacing its previous voluntary standard. However, proposed mandatory guardrails for high-risk AI uses remain outstanding.
From retrospection to resilience
It’s been an eventful year for cybersecurity. As threats continue to evolve, the race to stay ahead is as crucial as ever. Data is at the heart of the modern business: without it, a business cannot operate effectively. It is the most valuable resource, critical for decision-making, customer loyalty, innovation and growth. It is also the biggest risk, since most organizations lack the visibility and control they need to protect it against cyber-attacks and misuse.
New technologies also bring new challenges, and AI is no exception. AI models ingest vast quantities of data, including sensitive information, and currently lack foundational controls to ensure they cannot be manipulated into divulging it to unauthorized or malicious users.
As we look ahead to 2026, it’s clear that there is still some way to go in ensuring that as businesses, we can adequately protect the data entrusted to us. That’s why we continue to develop innovative data security and management solutions, helping organizations address these challenges head-on with real-time visibility, targeted remediation and continuous monitoring across the digital ecosystem.
To find out how Ground Labs can support your business, arrange a complimentary data workshop or book a call with one of our experts today.