The Year Breaches Stopped Being Loud and Started Being Dangerous

By Clyde Williamson, Senior Product Security Architect, Protegrity

We don’t need to wait for December 31 to call the year. 2024 was about the spectacle of the breach, the kind that made headlines before anyone understood the damage. There were several blockbusters. 2025, though, shifted the pattern. This year was defined by the sophistication and subtlety of the breach. Not in every case, but to me this is what stood out. Attackers didn’t need drama. They needed access, and they got it.

AI Got a Job

As much as the cyberpunk nerd in me wishes otherwise, this year, we didn’t see sentient code or bioware hacks.

In 2025, AI stopped being a sci-fi villain and started being a practical utility for grifters. We saw it when North Korean hackers used ChatGPT to forge convincing military IDs that were then used in a phishing attack. This attack was made possible with automation, not magic. The usual red flags of typos, odd formatting and broken English weren’t there. AI scrubbed all that out. The line between real and fake is disappearing fast, especially as legitimate organizations also use AI to generate content.

When they said AI was coming for your jobs, I guess that included the forgers and support teams for social engineers.

“Low Sensitivity” is High Risk

This year killed the comforting lie that some data doesn’t matter. In September, Stellantis, a global automotive company, confirmed a third-party data breach that was part of a larger campaign targeting Salesforce environments. While they said only basic contact information was exposed, that’s more than enough for attackers to weaponize. That data becomes fuel for phishing, impersonation and scams that prey on friends and families.

When Coupang got hit, it was “only” contact info. Attackers took that “useless” public data, impersonated employees and socially engineered their way into the Nikkei and PowerSchool environments. PII is sensitive, no matter how much a compromised organization wishes it wasn’t.

The Supply Chain House of Cards

UNFI, the U.S. Treasury Department and the endless SaaS compromises weren’t sophisticated hacks. They were the logical conclusion of our architectural and business decisions. Layer after layer of vendors, integrations and outsourced services created long chains of implicit trust. Each link assumed the next one was doing the right thing.

At some point, responsibility dissolved. Your third-party vendor’s security budget effectively became your own. In practice, that budget is often trimmed down to the bare minimum allowed by regulation. When one weak link fails, the whole structure collapses.

The Human is Still the Problem

We keep looking for the “Malicious Insider”, but the threat is almost never a spy.

It’s a tired support rep who has been working for 10 hours and just wants the ticket closed. A single click, a quick upload or an unverified reset is often all it takes.

Attackers understand this. They target workflows and customer service paths as aggressively as they target infrastructure. Help desks are pressured into credential resets and token grants. In an AI-driven environment, those small mistakes scale instantly as leaked data is absorbed and reused in seconds.

Firewalls and identity checks cannot protect data once credentials are misused. The only way to limit insider risk is to make the data itself useless in the wrong hands. Encryption, tokenization and strict access controls contain the damage when access is abused. Insider threats will always exist. Large-scale harm does not have to.

My 2025 Year in Review

It’s the same conclusion I reach every year. Walls don’t work. Perimeters fail. Credentials leak. Access gets abused. Compromise is inevitable, whether through software flaws, supply chain gaps or human error. Theft, on the other hand, is optional.

When attackers get inside and find cleartext data, the damage is immediate and irreversible. You lose. That is how small breaches become lifelong problems for consumers.

If they find tokenized, encrypted, minimized gibberish, you win. The information holds no value, no leverage and no path to exploitation.
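To make the "gibberish" point concrete, here is an added example (my own illustration, not Protegrity's product or any code from this article) of vault-based tokenization with least-privilege detokenization, the control described above under insider risk and again here. The application table holds only random tokens, so a dumped table exposes no PII, while a caller with a permitted role can still reverse a token through the vault. Role names, records and field names are constructed for the example.

```python
import secrets


class TokenVault:
    """Constructed tokenization vault: the only place a token can be mapped back.

    Tokens are random, so a dump of the application database reveals nothing
    about the underlying PII; only a caller with a permitted role can reverse them."""

    def __init__(self, detokenize_roles=("fraud-analyst",)):  # hypothetical role name
        self._forward = {}   # raw value -> token (repeated values tokenize consistently, so joins still work)
        self._reverse = {}   # token -> raw value
        self._roles = frozenset(detokenize_roles)

    def tokenize(self, value: str) -> str:
        if value not in self._forward:
            token = "tok_" + secrets.token_hex(8)   # no mathematical relation to the input
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def detokenize(self, token: str, role: str) -> str:
        # Least privilege: the vault, not the calling app, decides who may see cleartext.
        if role not in self._roles:
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._reverse[token]


# Constructed sample records, as a help-desk CRM might hold them.
CUSTOMERS = [
    {"id": 1, "name": "A. Example", "email": "a.example@example.com", "phone": "+1-555-0100"},
    {"id": 2, "name": "B. Example", "email": "b.example@example.com", "phone": "+1-555-0101"},
]
PII_FIELDS = ("name", "email", "phone")


def store_minimized(vault: TokenVault, customers: list) -> list:
    """What the application database keeps: identifiers plus tokens, no cleartext PII."""
    return [{k: (vault.tokenize(v) if k in PII_FIELDS else v) for k, v in c.items()}
            for c in customers]


def cleartext_exposed(stored_rows: list, customers: list) -> bool:
    """Simulates someone reading the stored table: is any original PII value present?"""
    dumped = {str(v) for row in stored_rows for v in row.values()}
    originals = {c[f] for c in customers for f in PII_FIELDS}
    return bool(dumped & originals)


def lookup_for_role(vault: TokenVault, stored_rows: list, row_id: int, field: str, role: str) -> str:
    """Legitimate read path: fetch the token from the table, then ask the vault to reverse it."""
    row = next(r for r in stored_rows if r["id"] == row_id)
    return vault.detokenize(row[field], role)
```

The same pattern is what makes a compromised support account, or a stolen database export, yield tokens rather than contact data: the vault and its role check are the chokepoint to monitor and lock down.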

That is the difference between security theater and real protection. 2025 made that distinction impossible to ignore. Compromises will keep happening. Theft does not have to.
