The Biggest Cyber Attacks Year by Year

A decade ago, cyber attacks were considered an issue for organisations and cyber security professionals to worry about. Now, they are everyone’s problem.

Cyber attacks have become a regular occurrence, affecting individuals, businesses, and governments worldwide. Although phishing remains the most common attack method, attackers are increasing their sophistication and frequency.

Here, we highlight some of the biggest cyber attacks of the last few years.

Jaguar Land Rover cyber attack

Jaguar Land Rover experienced a cyber attack in late August 2025, forcing a shutdown of its global production facilities and IT systems throughout September. The incident, believed to be a coordinated supply chain attack claimed by a group called Scattered Lapsus$ Hunters, caused significant disruption, with estimated losses of £50 million per week and impacts on thousands of employees and suppliers.

Investigations are ongoing with the National Cyber Security Centre, while the company works to restore operations and limit further damage.

LVMH luxury brands’ data breaches

French luxury conglomerate LVMH faced a series of cyber attacks targeting its major brands throughout 2025. Louis Vuitton’s UK operations were breached in July 2025, with hackers accessing customer names, contact details and purchase history.

This followed similar attacks on Louis Vuitton’s Korean operations, as well as Christian Dior Couture in May, marking three breaches within three months. While financial data remained secure, the incidents highlighted cyber criminals’ increasing targeting of high-end retail brands.

UK retail sector ransomware attacks

In a series of attacks highlighting commercial sector vulnerability, major UK retailers such as Marks & Spencer, Co-op, and Harrods were targeted by ransomware in April 2025. The attacks were orchestrated by the groups Scattered Spider and DragonForce, who exploited vulnerabilities via third-party IT contractors and used social engineering techniques.

The campaign began with a phishing attack that compromised a key IT supplier, allowing hackers to move rapidly between the organisations.

• Marks & Spencer endured a severe ransomware attack across more than 600 systems, leading to a 46-day online outage, theft of customer data, and a profit warning totalling £300 million – a record for a UK retailer.
• The Co-op’s IT and membership systems were targeted, and data on 6.5 million members was stolen, and extortion threats issued. This forced the retailer to operate manually for several weeks.
• Harrods prevented deeper infiltration but had to impose strict operational restrictions and limit internet access across its sites as a precaution.

All three incidents were linked to a single wave of attacks, leading to the arrest of four suspects aged between 17 and 20.

Finastra data breach

In November 2024, Finastra – a major fintech company headquartered in London – suffered a massive data breach that exposed over 400GB of sensitive data, affecting financial institutions worldwide. The breach originated from unauthorised access to Finastra’s Secure File Transfer Platform, which is used to support client operations. It exposed the personal and financial information of thousands of customers.

The incident prompted a reevaluation of cyber security measures across the sector to safeguard against similar threats to the fintech industry.

Synnovis attack

In June 2024, ransomware targeted Synnovis, a private pathology provider for NHS trusts and GP practices in south-east London, including King’s College and Guy’s and St Thomas’. The attackers demanded a £40 million ransom, which was refused, leading to the leak of nearly 400GB of patient data on the dark web.

This caused cancellation of over 10,000 outpatient appointments, non-emergency procedures, and widespread delays in blood testing, impacting critical care such as organ transplants. One patient death was linked to delays resulting from the attack.

NHS England coordinated the response with the National Cyber Security Centre, restoring services over several months. GP blood testing fully resumed by September 2024.

Ministry of Defence payroll data breach

In May 2024, the UK Ministry of Defence (MoD) revealed a significant data breach involving its payroll provider, Shared Services Connected Ltd (SSCL). Hackers accessed the payroll system managing payments for around 270,000 current and former military staff. The breach exposed personal data including names, bank details, and in some cases, addresses and National Insurance numbers.

The attack went undetected for weeks. Defence Secretary Grant Shapps confirmed the breach and stated the affected system was separate from core military networks, however the breach was reported to have national security implications.

Affected employees were notified and offered identity protection services and the Ministry launched a security review.

Change Healthcare ransomware attack

In February 2024, Change Healthcare, a prominent medical claims processor in the United States, suffered a ransomware attack orchestrated by BlackCat (ALPHV) group. This incident caused widespread disruptions to healthcare services across the country, interrupted electronic payment processes, and resulted in a $22 million ransom payment.

The total financial impact was estimated to surpass $2.87 billion, marking it as one of the most consequential cyber attacks of 2024.

MOVEit software breach

In June 2023, the MOVEit file transfer software was exploited in a widespread attack. Hackers accessed sensitive data from various organisations, including several U.S. government agencies, by exploiting a zero-day vulnerability. Attackers used an SQL injection flaw to steal data from entities such as the U.S. Department of Energy, the BBC, and British Airways. This breach demonstrated the importance of timely software updates and strong security protocols to protect against increasingly sophisticated cyber threats.

Royal Mail ransomware attack

In January 2023, Royal Mail was targeted by a significant ransomware attack that severely impacted its international shipping operations. The attack was linked to a Russian criminal group using the LockBit ransomware. This caused major disruptions, particularly to Royal Mail’s overseas deliveries, as the shipping of parcels and letters through its post office branches was affected.

Royal Mail estimated that it spent at least £10 million to remediate the attack and bolster its cyber security measures. The business refused to pay the ransom demand, which was reportedly as high as $80 million (£67 million).

Advanced NHS cyber attack

In August 2022, a major ransomware attack by the LockBit group targeted Advanced Computer Software Group, a key NHS software provider, causing widespread disruption to critical healthcare services across the UK. The compromise was found to have occurred through a customer account lacking multi-factor authentication.

The attack on August 4 knocked out NHS 111 emergency helpline services, patient referral systems, ambulance dispatch, out-of-hours appointment bookings, and mental health services for weeks. The breach exposed sensitive patient data and forced healthcare staff to revert to paper-based systems while services were gradually restored.

Advanced faced a £3.1 million fine from the Information Commissioner’s Office for security failings that enabled the attack, highlighting the vulnerability of critical national infrastructure to cyber threats.

Costa Rican government ransomware attack

In a significant cyber incident that highlighted vulnerabilities in national infrastructure, Costa Rica declared a state of emergency in April 2022 after a ransomware attack targeted its Ministry of Finance and other critical government agencies. The attackers demanded a US$10 million ransom and ultimately leaked over 600GB of stolen data online after their demands were rejected.

The attack shut down key systems, disrupting services like tax collection and customs. Despite a ransom demand, the government refused to pay.

Optus data breach

In 2022, the Optus data breach was among the largest cyber attacks in Australia, affecting up to 9.7 million customers of its second-largest telecommunications company. Sensitive information, including names, birth dates, and identification numbers, was compromised, and millions of customers had to have their driver’s licenses reissued with new identification numbers.

The incident exposed significant vulnerabilities and prompted extensive efforts by Optus to mitigate risks to customers.

The Irish health service

The possibility of a major ransomware attack on a public health organisation has been a worry ever since WannaCry disrupted health organisations, including Britain’s NHS, in 2017. What happened to Ireland’s Health Service Executive (HSE) in May 2021 shows these fears weren’t exaggerated. The agent this time was the Conti ransomware, leaving numerous hospitals with no working IT systems, in the middle of a pandemic. Patient appointments dropped by up to 80%, followed by months of disruption that required the rebuilding of parts of the organisation’s network from scratch, at a staggering cost of $600 million.

The ransom demand was $20 million in Bitcoin, which the country’s politicians refused to pay before the attackers handed over the encryption keys anyway. As blogger, Brian Krebs pointed out, what stood out about Ireland’s attack response was that as a centralised, tax-funded system, managers were able to both refuse the ransom demand and prioritise major cyber security investment.

Acer ransomware attack

The top ransomware group of the year was REvil, which targets large companies able to pay huge ransoms. In that context, the suspected March REvil attack on Taiwanese computer maker Acer, reportedly exploiting Exchange ProxyLogon flaws (see separate entry on nation-state attacks), should have been no surprise, nor the world-record $50 million ransom demand that came with it.

The attackers deployed the double extortion tactic of releasing data in public to increase pressure, which in this case included spreadsheets, bank balances, and other sensitive communications. This tactic has become standard for many ransomware attacks in the last year and is based on the attackers’ realisation that large companies can often now recover from ransomware attacks without paying, hence the need for other forms of persuasion.

The attackers even offered to send Acer a report outlining the vulnerabilities that led to the compromise. This could be a ransomware trend for 2022, turning penetration testing into a protection racket.

Microsoft Exchange zero-days

Zero-days – flaws not known to defenders for which there is often no available patch – are being exploited at lightning speed. One example was April’s targeting of on-premises Exchange servers to steal emails using four separate ProxyLogon zero days. Allegedly carried out by the Chinese Hafnuim group, it transpired that Microsoft had offered patches in March, but lacking a clear indication of their urgency, many organisations didn’t apply them.

Reportedly, several hundred thousand organisations were hit by exploits, including a least 7,000 in the UK. Little wonder that an emergency directive from the US Cybersecurity & Infrastructure Security Agency (CISA) recommended either patching the issue or disconnecting affected servers from the network. A Rapid7 estimate in October was that as many as 32% of vulnerable servers still weren’t patched.

Channel 9 TV attack

Australian TV station Channel 9 suffered a suspected ransomware attack in March that disrupted its programme schedule. As is often the case with ransomware, numerous systems were affected, including email servers and software used for editing. An unusual element of this story is that although the attack bore the hallmarks of ransomware, reportedly no ransom demand was received.

This raises the possibility that either the attackers got cold feet, or the malware was simply the delivery end of a nation-state attack at a time when the country has been singled out for such attacks. The latter explanation is widely believed, which puts it in the category of similar attacks on the media in the past, including attacks on the BBC’s Persian service in 2012, French TV station TV5 Monde in 2015 by alleged Russian hackers, and the Weather Channel in 2019.

NSO Group spying on the US Government

Not all cyber attacks emanate from traditional cyber criminals, as shown by the controversy of how the Israeli NSO Group’s Pegasus spyware was allegedly used to target the iPhones of nine US State Department officials based in Uganda. For a supposedly legitimate company to be accused of being complicit in an attack on US Government officials is unheard of, but it shows how a grey zone now exists between outright illegality and nation-state behaviour.

The incident might explain why the company was blacklisted earlier in 2021 by the Biden Administration, which accused it of acting “contrary to the foreign policy and national security interests of the US.” NSO Group spyware is widely used by governments across the world to spy on rivals and NGOs, but allowing it to be used against the US might turn out to be a step too far. Separately, Apple announced it was suing the company, which follows a similar case against it by Facebook’s WhatsApp in 2019.

Azure customer hit with 2.4Tbps DDoS

Remember when DDoS attacks were big news? These days, you hear a lot less about them, mainly because their effects have become less noticeable now that enterprises use rapid mitigation services. Nevertheless, every now and again, news of a large attack emerges, with the August 2021 DDoS affecting one of Microsoft’s Azure cloud hosting customers in Europe a good illustration of what’s still possible. At 2.4tbps, this was the second biggest ever recorded (Google recently said it suffered a 2.54tbps UDP attack in 2017, still the largest publicly admitted), with short bursts of traffic over a 10-minute period.

The source was 70,000 botnet devices in and around Asia and the US, which Microsoft was able to mitigate. The main containment technique is geographical isolation, keeping traffic within its originating domain and away from distant targets. Despite this, Microsoft said it had experienced a 25% increase in DDoS attacks during the first half of 2021.

Colonial pipeline

The most-noticed cyber attack of the year was May’s Colonial Pipeline incident, which left drivers across large parts of the Eastern US unable to refuel their vehicles. Very few of them had heard of the company or its pipeline, which moves 2.5 million barrels of gasoline each day between Houston and New York. That’s the thing about critical infrastructure – people only notice it when something goes wrong.

Carried out by the Russian DarkSide group, this was another ransomware incident. Reportedly, they got in through a single old VPN account, the password for which was discovered circulating in a dark web cache. This wasn’t reassuring, but much worse was that the vital account lacked multi-factor authentication. The attackers never got near the pipeline systems, but the company shut down everything just to be sure. The company also paid a $4.4 million Bitcoin ransom, which US officials were able to recover some of in mysterious circumstances.

Kaseya ransomware/supply chain attack

What happened to customers of Kaseya’s VSA software in July is a great example of how a weakness in one company can affect thousands of others using it through a third party. Was this a supply chain attack? Arguably, yes, because the software wasn’t being used by the estimated 2,000 organisations that ended up being ransomed by the REvil Group, but dozens of managed service providers (MSPs) using Kaseya’s software on their behalf to carry out remote management. It looked like the most efficient ransomware attack in history; one company compromised, countless victims extorted.

Facebook data leak

Tech giants are supposed to collect user data, not lose it, as Facebook did when a cache relating to 533 million people was discovered circulating on a web forum in April. Personal data included names, phone numbers, birth dates, locations, Facebook IDs and, in 2.5 million cases, email addresses. According to Facebook, the leak happened when a vulnerability it patched in 2019 was used to scrape data, something it didn’t reveal at the time.

Emotet taken down

In one of the biggest cyber crime operations of recent times, police forces from eight countries seized 700 command and control servers used by the Emotet botnet, which had infected millions of computers globally. Nicknamed Operation Ladybird, the coordinated effort involved Europol, the FBI, and Britain’s National Crime Agency. Within hours, one of cyber crime’s most damaging malware delivery systems had been severely disrupted.

First detected in 2014, Emotet began as an online banking Trojan but evolved into a multipurpose botnet offering crime-as-a-service, earning its creators commission for every successful infection. The malware specialised in infected email attachments, particularly Word documents, often appearing as replies to existing email threads from known contacts to trick users into enabling macros.

Despite periodic quiet periods, police say Emotet generated millions of dollars for its creators and was among the world’s worst crimeware systems, featuring in attacks on companies, universities, schools, and city administrations.

While the takedown was celebrated as a major victory, botnets have historically proven resilient. Previous operations like 2011’s Operation Ghost Click achieved temporary success, but cyber criminals often evolve to fill the void left by disrupted networks.

As these examples show, no amount of infrastructure or investment guarantees protection from a cyber attack, but with cyber crime on the increase, addressing common weaknesses and causes of data breaches is a smart place to start.

Our cyber security checklist offers simple, practical steps you can take right away to protect your business..

Alternatively, if you can invest in third-party assessment and verification of your security measures, they can provide your stakeholders with comfort and your business with some much-needed protection.

Don’t let your business become a statistic – help to secure your operations:

• Find out more about Cyber Essentials, Cyber Essentials Plus and ISO/IEC 27001.
• Train your team with our cyber security training courses.

Get started on your journey to cyber security certification and help to protect your business – get a quote today or contact our team of experts to discuss your needs.