2025 in Review: Simple Errors, Not 0-Days, Caused Biggest Breaches

Year in Review: Cloud Misconfigurations and Supply Chain Failures Drove 2025's Biggest Data Breaches

INFORMATIONAL
Published: December 26, 2025
Updated: January 19, 2026
4m read
Data Breach, Supply Chain Attack, Cloud Security

Impact Scope

People Affected

Over 90 million records exposed across mentioned incidents

Affected Companies

McDonald's, TalentHook, Harrods, TransUnion

Industries Affected

Retail, Technology, Finance, Hospitality


Full Report (when first published)

Executive Summary

A retrospective analysis of 2025's most significant data breaches, published on December 26, 2025, concludes that failures in security fundamentals did far more damage than sophisticated zero-day exploits. The two most common root causes of major breaches during the year were cloud security misconfigurations and supply chain attacks that entered through compromised third-party vendors. Incidents involving McDonald's, TalentHook, Harrods, and TransUnion exposed the data of tens of millions of individuals, not through advanced intrusion techniques, but through preventable errors such as leaving a default password in place and leaving cloud storage readable by anyone on the internet.

Analysis of Key Failure Points

Cloud Security Misconfigurations

The report highlights that as organizations migrate to the cloud, they often fail to adapt their security practices, leading to easily avoidable errors. These are exactly the failures that Cloud Security Posture Management (CSPM) exists to detect: configuration states that are already known to be unsafe, left in place on production resources.

  • Default Credentials: The breach of a recruitment chatbot used by McDonald's exposed nearly 64 million applicant records. The root cause was a production system on which the default password 123456 had never been changed; no exploit was needed, only a login attempt with the vendor default.
  • Publicly Accessible Storage: TalentHook exposed 26 million resumes because its Azure Blob storage container was configured for public access, so anyone with the URL could read the data without authenticating. This aligns with research from Tenable in 2025, which found that roughly 9% of publicly accessible cloud storage resources still contained sensitive data.

These incidents underscore a critical misunderstanding of the shared responsibility model in the cloud: the provider secures the underlying platform, but the customer is responsible for securing its own data, identities, and resource configurations. A storage container that the customer sets to public is working exactly as configured.

Third-Party Supply Chain Attacks

Attackers are increasingly targeting smaller, less secure third-party vendors to gain access to their larger, more valuable customers.

  • Harrods: The luxury retailer suffered a breach exposing 430,000 records. The attack did not target Harrods directly but instead compromised a third-party e-commerce service provider that Harrods used.
  • TransUnion: The credit reporting agency's U.S. consumer support operations were breached after attackers targeted a Salesforce deployment implemented and managed by a third party. This demonstrates that a platform that is itself well secured still becomes a risk when its configuration, integrations, and access are managed by a third party without adequate oversight.

This trend highlights that an organization's security is only as strong as its weakest link, which is often a vendor in its software supply chain.

Impact Assessment

The collective impact of these fundamental failures is massive. Millions of individuals had their personal and sensitive information exposed, leading to risks of identity theft, fraud, and phishing. For the affected companies, the consequences include significant financial costs from regulatory fines (e.g., under GDPR or CCPA), incident response, and litigation. Furthermore, these incidents cause severe, long-lasting reputational damage and erosion of customer trust. The report argues that the focus on exotic threats often distracts from the more probable and damaging risk of failing to implement basic security controls.

Lessons Learned & Guidance

  • Eliminate Default Credentials: Implement strict policies to change all default passwords on any system or application before it is deployed into production. This is a non-negotiable security baseline.
  • Cloud Security Posture Management (CSPM): Continuously scan and monitor cloud environments for misconfigurations such as public S3 buckets or Azure blob containers, overly permissive IAM roles, and missing encryption. Automate remediation where possible, and treat a newly public storage resource as an incident rather than a ticket.
  • Vendor Risk Management: Implement a robust third-party risk management program. This must include security assessments as part of the procurement process, contractual security requirements, and ongoing monitoring of vendors' security postures. Assume your vendors will be targeted.
  • Adopt a Zero Trust Mindset: Move away from the outdated concept of a trusted internal network with a hard perimeter. Assume that any user or device could be compromised and require verification for every access request, regardless of its origin.
  • Security by Design: Integrate security into the entire lifecycle of applications and systems, rather than treating it as an afterthought. This includes secure configuration and coding practices.

Timeline of Events

December 26, 2025: This article was published

Article Updates

January 19, 2026

Cloud breaches surged 21% in 2025, costing $5.1M per incident, driven by credential compromise, misconfigurations, and insecure APIs.

MITRE ATT&CK Mitigations

  • Enforce strong, unique passwords and strictly prohibit the use of default credentials in production environments.
  • Implement secure configuration standards for all assets, especially cloud storage, to prevent unintended public access.
  • Train developers and IT staff on secure cloud configuration and the shared responsibility model.

D3FEND Defensive Countermeasures

To prevent breaches like the one at McDonald's, a non-negotiable Strong Password Policy must be enforced across the entire organization. This goes beyond simple complexity requirements. Critically, the policy must explicitly forbid the use of any vendor-supplied default credentials in a production environment. Technical controls, such as configuration management tools or pre-deployment scripts, should be used to programmatically change default passwords during system setup. Regular audits and vulnerability scans must include checks for default or weak credentials on all systems, from network devices to applications. A single default password on an internet-facing system can negate millions of dollars in other security investments.
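The pre-deployment check described above, as an added example (it is not code from the article, from McDonald's, or from any vendor's tooling): a gate that refuses to promote a service inventory to production while any account still carries a vendor default or a trivially guessable password. The product names, the default-credential table, and the account inventory are all constructed sample data; a real gate would load the defaults from a maintained catalogue rather than hard-code them.

```python
"""Pre-deployment credential gate (added example with constructed sample data)."""
from dataclasses import dataclass, field

# Constructed table of vendor defaults, keyed by product name. These products
# and pairs are illustrative, not a real catalogue.
KNOWN_DEFAULTS = {
    "hiring-chatbot": {("admin", "123456"), ("test", "test")},
    "switch-mgmt": {("admin", "admin"), ("cisco", "cisco")},
    "db-console": {("root", ""), ("root", "root"), ("postgres", "postgres")},
}

# Passwords that are weak regardless of product (abbreviated, constructed list).
COMMON_WEAK = {"123456", "password", "admin", "welcome1", "changeme", "qwerty", "letmein"}

MIN_LENGTH = 14


@dataclass
class Account:
    product: str
    username: str
    password: str
    internet_facing: bool = False


@dataclass
class Finding:
    account: Account
    reasons: list = field(default_factory=list)


def check_account(acct: Account) -> list:
    """Return the reasons this account fails the baseline (empty list = pass)."""
    reasons = []
    pw = acct.password
    if (acct.username, pw) in KNOWN_DEFAULTS.get(acct.product, set()):
        reasons.append("vendor default credential")
    if pw.lower() in COMMON_WEAK:
        reasons.append("password on common-weak list")
    if pw and pw.lower() == acct.username.lower():
        reasons.append("password equals username")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pw.isdigit():
        reasons.append("digits only")
    return reasons


def gate(accounts) -> tuple:
    """Evaluate every account. Returns (ok, findings); ok is False if any fail."""
    findings = [Finding(a, check_account(a)) for a in accounts]
    findings = [f for f in findings if f.reasons]
    return (not findings, findings)


def severity(finding: Finding) -> str:
    # A default password on an internet-facing system is the worst case.
    return "critical" if finding.account.internet_facing else "high"


# Constructed inventory resembling the report's scenario: a production chatbot
# admin account still on the vendor default, one properly rotated account, and
# an internal database console on a username-equals-password default.
SAMPLE_ACCOUNTS = [
    Account("hiring-chatbot", "admin", "123456", internet_facing=True),
    Account("hiring-chatbot", "svc-ingest", "K9v!pQ2m#Lx7zR4w", internet_facing=True),
    Account("db-console", "postgres", "postgres"),
]

if __name__ == "__main__":
    ok, findings = gate(SAMPLE_ACCOUNTS)
    for f in findings:
        print(f"[{severity(f)}] {f.account.product}/{f.account.username}: "
              + "; ".join(f.reasons))
    raise SystemExit(0 if ok else 1)
```

Run as a CI step, the non-zero exit code blocks the deployment; the same `check_account` function can be pointed at the output of a periodic credential audit to catch defaults reintroduced after go-live.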

The TalentHook breach caused by a public Azure Blob container is a direct failure of Application Configuration Hardening. Organizations must treat cloud storage configuration as a critical security control. All cloud storage (Azure Blob containers, AWS S3 buckets, etc.) must be private by default, with account-level public access blocks left enabled. Access should only be granted through explicit IAM policies or through short-lived signed URLs (S3 presigned URLs, Azure SAS tokens). Cloud Security Posture Management (CSPM) tooling is essential to continuously detect and automatically remediate misconfigurations such as public buckets. This hardening must be part of the infrastructure-as-code (IaC) templates used for deployment, so that secure settings are the default from the very beginning rather than something applied after the fact.
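An offline CSPM-style check of the kind described above, as an added example (not from the article or from any CSPM product): it evaluates the configuration documents an inventory job would have exported, namely an S3 bucket's policy and Public Access Block settings and an Azure container's public-access level, and flags any resource that an unauthenticated reader could access. The bucket names, storage account name, and VPC endpoint ID are constructed.

```python
"""Offline public-storage check (added example; all inventory data is constructed)."""
import json

# Principal forms that mean "anyone", in the two shapes S3 policies use.
PUBLIC_PRINCIPALS = ({"AWS": "*"}, "*")
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def s3_policy_public_statements(policy: dict) -> list:
    """Sids of Allow statements granting read to everyone with no Condition.

    A Condition (e.g. aws:SourceVpce) narrows the grant, so such statements are
    left for manual review instead of being reported as public.
    """
    public = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if st.get("Principal") not in PUBLIC_PRINCIPALS:
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        if st.get("Condition"):
            continue
        public.append(st.get("Sid", "<no sid>"))
    return public


def evaluate_s3_bucket(bucket: dict) -> dict:
    """bucket = {"name", "public_access_block": {...}, "policy": {...}}"""
    pab = bucket.get("public_access_block", {})
    block_enforced = all(pab.get(k, False) for k in (
        "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets"))
    public_sids = s3_policy_public_statements(bucket.get("policy") or {})
    # RestrictPublicBuckets makes a public policy inert, so only report when the
    # policy is public AND that setting is off.
    is_public = bool(public_sids) and not pab.get("RestrictPublicBuckets", False)
    return {"resource": f"s3://{bucket['name']}", "public": is_public,
            "public_statements": public_sids, "block_enforced": block_enforced}


def evaluate_azure_container(container: dict) -> dict:
    """container = {"account", "name", "public_access": "None" | "Blob" | "Container"}"""
    level = container.get("public_access", "None")
    url = f"https://{container['account']}.blob.core.windows.net/{container['name']}"
    return {"resource": url, "public": level in ("Blob", "Container"), "public_level": level}


def run_audit(s3_buckets, azure_containers) -> list:
    """One evaluation record per resource; records with public=True need action."""
    return ([evaluate_s3_bucket(b) for b in s3_buckets]
            + [evaluate_azure_container(c) for c in azure_containers])


# Constructed sample inventory: one open bucket, one locked down with a
# VPC-endpoint condition and full public access block, one open Azure
# container, one private container.
SAMPLE_S3 = [
    {"name": "resumes-prod",
     "public_access_block": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                             "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
     "policy": json.loads('''{"Version": "2012-10-17", "Statement": [
        {"Sid": "AllowPublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::resumes-prod/*"}]}''')},
    {"name": "resumes-prod-locked",
     "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                             "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
     "policy": json.loads('''{"Version": "2012-10-17", "Statement": [
        {"Sid": "VpceOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::resumes-prod-locked/*",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}''')},
]
SAMPLE_AZURE = [
    {"account": "talentstore", "name": "resumes", "public_access": "Container"},
    {"account": "talentstore", "name": "resumes-private", "public_access": "None"},
]

if __name__ == "__main__":
    for rec in run_audit(SAMPLE_S3, SAMPLE_AZURE):
        print(("PUBLIC  " if rec["public"] else "private ") + rec["resource"])
```

The same evaluation functions can be fed from `aws s3api get-bucket-policy` / `get-public-access-block` and `az storage container show` output on a schedule, or run against the IaC templates before deployment so that a public grant never reaches the account in the first place.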

Sources & References (when first published)

The biggest corporate security blunders of 2025
Cybernews (cybernews.com) December 26, 2025

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Data Breach, Cloud Security, Misconfiguration, Supply Chain Attack, Default Password, 2025 Review
