Once again threat actors kept cyber pros on their toes in 2025 in a never-ending cat-and-mouse game.
But amid the noise, there were some notable stories and incidents affecting household names in the UK – the likes of Marks & Spencer, Co-op, and Jaguar Land Rover – meaning that 2025 will undoubtedly live long in the memory.
Here are Computer Weekly’s top cyber crime stories of 2025
Heralding a dominant narrative in 2025 – that of threat actors exploiting artificial intelligence (AI) models – at the start of the year, Google’s Threat Intelligence Group (GTIG) published new information revealing how nation-state-backed threat actors hailing from countries such as China, Iran, North Korea and Russia were attempting to abuse its Gemini AI tool.
GTIG said it observed threat actors using Gemini to support various phases of their attack chains, including procuring infrastructure and bulletproof hosting services, reconnoitering targets, researching vulnerabilities, developing payloads and assisting with malicious scripting and post-compromise evasion techniques.
At the end of March, the UK’s Information Commissioner’s Office (ICO) issued a £3.07m fine to Advanced Computer Software Group, since renamed OneAdvanced, over a 2022 LockBit ransomware attack that crippled NHS services when the victim was forced to pull a key patient management platform offline.
In a warning to others, the regulator found that OneAdvanced’s health subsidiary lacked appropriate technical and organisational measures to guarantee to security of its systems, and highlighted gaps in multifactor authentication (MFA), vulnerability scanning and patch management.
In April, just before the Easter holiday weekend, one of the biggest cyber attacks of the year unfolded against high street stalwart Marks and Spencer (M&S). The initial incident saw the retailer forced to pull multiple public-facing services offline, including online shopping, click-and-collect, and contactless payments.
Days later, a second cyber attack affecting the Co-op Group drew more attention, and it soon emerged that the attacks were not the work of career Russian hackers, but an English-speaking hacking collective known as Scattered Spider.
By midsummer, Scattered Spider attacks were spreading fast, with the hacking gang’s members turning their attention to other industries – at first the insurance sector and then aviation.
Almost as soon as Mandiant threat researchers issued an alert on 27 June, multiple airlines reported cyber incidents, and more were to follow.
On 10 July, the UK’s National Crime Agency (NCA) announced the arrests of four people in its investigation into the M&S and Co-op attacks.
The arrests of two men aged 19, a third aged 17 and a 20-year-old woman were made at their home addresses in London, Staffordshire and the West Midlands, with support from West Midlands Regional Organised Crime Unit (Rocu) and the East Midlands Special Operations Unit.
In August, a string of attacks by the ShinyHunters hacking collective orchestrated via Salesforce products caught the world’s attention, with Adidas; LVMH brands Dior, Louis Vuitton, and Tiffany & Co; jewellery company Pandora; insurance companies such as Allianz; and airlines such as Qantas and Air France-KLM all implicated.
Researchers working the problem turned up evidence suggesting a deliberate partnership between ShinyHunters and Scattered Spider, both of which had previously been linked to the wider cyber crime network known as The Com.
At the start of September, UK carmaker Jaguar Land Rover (JLR) became the latest organisation to fall victim to a major cyber attack, and once again, it was hackers linked to alleged to be responsible for the incident, which hit production at the company.
In the following days and weeks, the scope of the cyber attack began to widen to include many of JLR’s suppliers, as the firm was forced to repeatedly delay restarting its production lines.
From summer onwards, multiple organisations, including many prominent universities and media organisations in the US, and possibly some NHS bodies, were targeted by the Cl0p cyber extortion gang after its members successfully weaponised a vulnerability in Oracle E-Business Suite (EBS).
In October, Oracle responded with an out-of-band patch for the remote code execution (RCE) flaw in the widespread EBS ecosystem – the product is deeply embedded in enterprise financial and operational systems, meaning Cl0p may have had access to a large number of extremely high-value targets.
As disruption from the JLR incident rolled on through the autumn, and the economic effects widened to include a contraction in the UK’s gross domestic product (GDP), the Cyber Monitoring Centre (CMC), a cyber security non-profit, declared the incident a Category 3 Systemic Event on its ‘hurricane’ scale.
Accounting for various factors, the CMC said the financial cost of the incident would likely hit about £1.9bn, and could potentially run higher, and described it as the single most damaging cyber attack ever to hit the UK.
There was, however, good news for (some) hackers at the close of 2025, as the long-running battle to reform the outdated Computer Misuse Act (CMA) of 1990 took a step forward when it was announced that the government planned to make changes that would protect ethical hackers from prosecution by giving them a statutory defence in law.
The CMA, while it has successfully been used to prosecute cyber criminals, also risked criminalising ethical hackers and security researchers for doing their job through the specific offence of ‘unauthorised access to a computer’. Campaigners say changing the law will boost Britain’s security industry.
