- Hana Skoupá
Cyber incidents can happen before you even realise it, and 2025 confirmed that once again. Some incidents were the result of classic external attacks, others stemmed from poor decisions, underestimated risks, or operational chaos. In many cases, you would look in vain for technical brilliance or highly sophisticated attack methods. So what went wrong? We’ve selected seven real-life situations from last year that show one thing clearly: the weakest link is not always on the attacker’s side. Often, the real problem lies in how security is handled (or not handled) in practice.
The password “LOUVRE” protecting a security system
What happened?
An investigation into a theft at the Louvre (October 2025) revealed that access to the video surveillance system was protected by the password “LOUVRE”. It also came to light that parts of the infrastructure were running on long-outdated technologies, which security experts had been warning about for years. This was not a sudden failure, but a combination of accumulated technical debt and a relaxed attitude towards basic security controls.
Why it matters and what it shows?
The Louvre is not a small organisation lacking budget or expertise. Quite the opposite. More than 10 million people visit the museum every year, and its systems protect exhibits worth billions. Yet a password that even a fifth-grader could guess was still in use. This incident reflects an environment where technical debt is tolerated because “nothing has happened so far”. In cybersecurity, the mindset of “this doesn’t concern us” is surprisingly common.
The case reminds us that prestige, size, or importance do not automatically guarantee an adequate level of cybersecurity. Basic access control failures can exist even where nobody expects them – which is exactly what makes them so dangerous.
What to watch out for?
- Shared passwords for systems accessed by multiple people
- Old cameras, NVRs and physical components nobody actively manages
- Systems that “work, so we don’t touch them”
- Access credentials that circulate among employees over time but never change
Erie Insurance: a month of disruption caused by a convincing phone call
What happened?
In June 2025, the Scattered Spider group used social engineering techniques, primarily vishing and spear phishing, to gain access to internal systems at U.S. insurer Erie Insurance. There was no technical breach of security controls. Instead, attackers relied on convincing phone calls and communications that appeared legitimate. Although there was no massive data breach, the company suffered prolonged operational disruptions that took weeks to resolve.
Why it matters and what it shows?
Cyber incidents are not only about technology; people play a critical role, trained employees included. Staff in large organisations generally know they should be cautious. The problem arises when fatigue, stress, and pressure from someone in senior management who urgently needs something all come together.
Without a clear verification process, and without clarity on when it’s acceptable to say “stop”, even responsible employees can become the weakest link. Not because of ignorance, but because of environmental pressure.
What to watch out for?
- Lack of a four-eyes principle
- Pressure for fast approvals
- Insufficient or irregular employee training
- Unclear processes for verifying internal requests
Marks & Spencer: £300 million in losses due to a supplier vulnerability
What happened?
The cyberattack did not hit Marks & Spencer directly, but one of its suppliers. Attackers exploited a vulnerability there and used it to access M&S internal systems managing e-commerce operations, logistics, and other key processes. The result: e-shop outages, disrupted logistics, and significant financial losses estimated at around £300 million.
Why it matters and what it shows?
Supplier relationships form the backbone of how most companies operate today. Yet supplier security is often treated as a formality — addressed at contract signing, if at all. In reality, suppliers often have deeper system access than internal employees.
Marks & Spencer showed how a single overlooked dependency can outweigh years of investment in internal security. Keep that in mind when signing contracts with vendors who access your critical systems.
What to watch out for?
- Map who has access to what, in reality, not just on paper
- Require minimum security standards from suppliers
- Verify that security controls are actually enforced
- Don’t buy a “sense of security” based on a supplier’s logo
- “Supplier security” ≠ “your organisation’s security”
UNFI: a cyberattack that disrupted food supply chains
What happened?
A cyberattack on UNFI, one of the largest food distributors, disrupted systems responsible for ordering, warehousing, and distribution. The incident went beyond internal IT issues and directly affected supply chains and product availability in supermarkets across the United States.
Why it matters and what it shows?
If logistics, planning, or invoicing rely on a single system or a single supplier, that can be a bigger risk than missing a security tool. This case also showed that cyber incidents don’t have to target “important” data. UNFI stood out because the impact was immediate and physical (empty shelves and disrupted deliveries).
What to watch out for?
- Single points of failure in logistics processes
- Inconspicuous integrations between systems
- Tight coupling of ERP, warehouses, and transport providers
Jaguar Land Rover: halted production and losses in the billions
What happened?
In September 2025, systems critical to Jaguar Land Rover’s manufacturing operations were hit by a cyberattack. Production was stopped at multiple plants because operations could not continue without functioning digital systems. There was no major data leak, but the financial impact reached billions of CZK.
Why it matters and what it shows?
Manufacturing companies long believed production was “separate from IT”. That is no longer true. Production lines, planning, maintenance, and reporting are now digitally interconnected. Once one link breaks, the entire chain can collapse.
The Jaguar Land Rover incident showed that a cyberattack doesn’t need to steal data to cause massive damage. Disrupting operations is enough. And many organisations are still unprepared for this scenario because production security is treated as a technical detail, not a strategic risk. The takeaway (especially for manufacturers): cybersecurity is directly tied to business continuity.
What to watch out for?
- Integration of production technology with corporate IT networks
- Legacy production systems without regular patching or vendor support
- Dependence on central digital systems (single points of failure)
- Vendor lock-in and reliance on a single technology
- The belief that “production is different from IT”
McDonald’s: 64 million job applications exposed
What happened?
In 2025, serious access control weaknesses were discovered in McDonald’s job application management system. Security researchers found that a test administrator account used a very weak default password (“123456”), which granted working access to the system.
It was later revealed that the application logic contained an Insecure Direct Object Reference (IDOR) vulnerability, enabling access to data users should not have been able to see. As a result, tens of millions of job applications could be accessed without authorisation. This was not a targeted attack on customer data or a sophisticated breach – it was a combination of weak access management and flawed application logic. The affected system was perceived as “supportive” (an HR application), which is precisely why the vulnerability went unnoticed for so long.
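The two flaws named above, an IDOR in the application logic and a default password on a test admin account, as an added example that is not the article’s own code nor anything from the affected system. The in-memory store, usernames, the “recruiter” role and the password denylist are all constructed; the point is the difference between a lookup by id alone and a lookup that also checks who is asking, plus a deploy-time gate that refuses default admin credentials.

```python
"""Added example (not from the article): an IDOR-prone lookup beside its
hardened counterpart, plus a deploy-time check for default admin passwords.
Every name, id, role and record here is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Application:
    app_id: int
    applicant: str   # username of the person who submitted it
    resume: str


# Constructed sample data: sequential ids, as a typical CRUD backend assigns.
APPLICATIONS: Dict[int, Application] = {
    1001: Application(1001, "alice", "CV of alice (constructed)"),
    1002: Application(1002, "bob", "CV of bob (constructed)"),
}


def get_application_vulnerable(app_id: int) -> Optional[Application]:
    """IDOR-prone handler: the record is fetched by id alone.

    Authentication may have happened upstream, but nothing here checks that
    the caller is allowed to see *this* record, so any logged-in user who
    changes the id in the request reads someone else's application.
    """
    return APPLICATIONS.get(app_id)


def get_application(current_user: str, roles: FrozenSet[str],
                    app_id: int) -> Optional[Application]:
    """Hardened handler: object-level authorisation on every read.

    Applicants may only read their own record; users holding the
    (hypothetical) "recruiter" role may read any. A record that exists but
    belongs to someone else is reported exactly like a missing one, so the
    response does not reveal which ids are valid.
    """
    record = APPLICATIONS.get(app_id)
    if record is None:
        return None
    if record.applicant != current_user and "recruiter" not in roles:
        return None
    return record


# Short denylist of well-known default passwords (constructed; a real
# deployment would use a much larger list or a breached-password service).
DEFAULT_PASSWORDS = frozenset({"123456", "password", "admin", "test", "changeme"})


def weak_admin_accounts(accounts: Dict[str, str], min_length: int = 14) -> List[str]:
    """Return admin usernames whose password is a known default or too short.

    Intended as a deploy-time gate that runs before credentials are hashed
    and stored, which is the only reason plaintext passwords appear here.
    """
    flagged = []
    for username, password in accounts.items():
        if password.lower() in DEFAULT_PASSWORDS or len(password) < min_length:
            flagged.append(username)
    return sorted(flagged)


if __name__ == "__main__":
    # Applicant "alice" requests the neighbouring id.
    print(get_application_vulnerable(1002))             # bob's record is returned
    print(get_application("alice", frozenset(), 1002))  # None: not hers, not a recruiter
    print(weak_admin_accounts({"test_admin": "123456",
                               "ops": "c0rrect-h0rse-battery-st4ple"}))  # ['test_admin']
```

The hardened handler returns the same result for “does not exist” and “exists but is not yours”; that is deliberate, because a distinguishable “forbidden” response still tells an enumerating caller which ids are live. The credential gate belongs in the deployment pipeline rather than in documentation, since a test account that “should have been deleted” is exactly the kind of control that only works when it is enforced by a machine.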
Why it matters and what it shows?
At first glance, job applications don’t look like “sensitive” data. They usually don’t include payment details or passwords. The real issue was scale. Tens of millions of records represent a massive reputational and regulatory risk, regardless of data type.
The McDonald’s case also highlighted how dangerous it is to label systems as “important” or “unimportant”. HR, onboarding, and form-based applications often sit outside the main focus of security teams, despite processing huge volumes of personal data. Once a small flaw turns into a mass breach, the problem is no longer technical – it’s systemic.
What to watch out for?
- Application logic and access control (not just infrastructure)
- APIs and forms developed outside the main delivery stream
- Test and admin accounts with weak or default credentials
- HR and internal systems not considered critical
SK Telecom: 27 million records leaked and regulatory intervention
What happened?
One of Asia’s largest telecom operators suffered a data breach affecting tens of millions of users. The incident involved information related to mobile service operations and triggered an immediate response from public authorities. The regulator launched an investigation and ordered specific remedial actions to strengthen security controls.
Why it matters and what it shows?
SK Telecom operates in a highly regulated sector and has long invested in security measures. Even so, the incident showed that formal compliance and documented policies alone are not enough. Once a large-scale data breach occurs, regulators are not interested in whether controls existed “on paper”, but whether protection actually worked in practice.
The consequences don’t end with a fine. Regulatory intervention means long-term oversight, forced investment under pressure, and, most importantly, a loss of trust that is extremely hard to regain. In regulated industries, cybersecurity becomes a board-level risk management issue.
What to watch out for?
- Confusing compliance with real security
- Managing risks, not just ticking requirements
- Insufficient oversight of data handling across processes