May 2025 has proven to be a brutal month for cybersecurity, and the data doesn’t lie. From global retail brands like Adidas and Marks & Spencer to digital finance heavyweight Coinbase, some of the world’s most trusted organizations have faced serious data breaches.
With ransomware threats, insider collusion, and third-party failures leading the charge, the top data breaches of May sent shockwaves across sectors including healthcare, crypto, and consumer goods.
In this roundup, we break down the most damaging May data breaches, the methods behind them, and the lessons every business must learn before it’s too late. These are the major data breaches we’ve dug into in detail below:
- Coca-Cola Breach
- Coinbase Breach
- Adidas Breach
- Marks & Spencer Breach
- Ascension Breach
- AT&T Leak
1. Coca-Cola Ransomware Gang Leaks Employee Documents After Ignored $20 Million Demand
Coca-Cola’s Middle East division was targeted by the Everest ransomware gang, which exfiltrated and publicly leaked sensitive employee documents after the company refused to negotiate a ransom, reportedly set at $20 million. A second breach claimed by another hacker group suggests deeper systemic vulnerabilities across Coca-Cola’s global IT infrastructure.
How the Breach Happened?
The Everest group likely used phishing or remote desktop protocol (RDP) vulnerabilities to access internal Coca-Cola systems. Once inside, the attackers extracted personnel files and issued a ransom demand. Coca-Cola’s refusal led to the publication of sensitive HR documents on dark web forums.
What Data Was Exposed?
- Passport and visa scans
- Employee ID documents
- Internal HR communications
- Possibly confidential company records
The breach primarily affected Coca-Cola employees based in the Middle East and possibly some support functions in other regions.
Number of Affected Individuals
Approximately 959 employees were directly impacted based on leaked data. Another claim by a separate group referenced 23 million records allegedly stolen from Coca-Cola Europacific Partners.
Vendor Involvement
Though not confirmed, experts suspect regional vendors or inconsistent cybersecurity standards across Coca-Cola’s global operations played a role in enabling the breach.
Business Impact
- Loss of employee trust and reputational damage
- Potential legal action from affected staff
- Rising scrutiny from international regulators
- Emergency cybersecurity overhauls
- Reinforced pressure to harmonize global IT security protocols
Company Response
Coca-Cola:
- Declined ransom negotiations
- Publicly acknowledged the breach
- Launched internal and external investigations
- Offered support to impacted employees
- Reviewed global security architecture
Key Lesson
Decentralized operations require unified cybersecurity standards — or threat actors will find the weakest regional link.
Sources
- CyberNews
- HackRead
2. Coinbase Insider Agents Leak Customer Data in $20 Million Ransom Plot
Coinbase confirmed a security breach involving nearly 70,000 users. The incident was orchestrated by cybercriminals who bribed overseas customer support agents to gain internal access to sensitive customer data. Instead of paying the demanded $20 million ransom, Coinbase publicly offered a $20 million reward for information leading to the attackers’ arrest.
How the Breach Happened?
The attackers exploited insider access by bribing third-party contractors working in Coinbase’s customer support. These insiders used their tools to extract sensitive user data with the intent of conducting targeted social engineering attacks, such as impersonation scams to hijack crypto wallets.
What Data Was Exposed?
- Full names, emails, and phone numbers
- Home addresses
- Government-issued IDs
- Last four digits of SSNs
- Bank identifiers and transaction metadata
- Internal training materials (limited)
No funds, passwords, or crypto keys were accessed directly.
Number of Affected Individuals
Approximately 69,461 users were affected, under 1% of Coinbase’s active customer base. The breach had been ongoing since late 2024 before detection in May 2025.
Vendor Involvement
The breach stemmed from overseas third-party customer service providers. Coinbase has since ended those contracts and centralized support operations in the U.S.
Business Impact
- $180M–$400M estimated response cost
- Class-action lawsuits and SEC attention
- 7% drop in stock value post-disclosure
- Long-term trust and compliance damage
Company Response
Coinbase terminated the insiders, launched a global investigation, notified affected users, and implemented tighter access controls. A U.S.-based support hub was also launched.
Key Lesson
Insider threats are real, especially when third-party agents have access to critical systems. Outsourcing without stringent controls invites significant risk.
Sources
- Coinbase
- Reuters
- The Verge
3. Adidas Customer Service Vendor Breach Exposes Contact Information
Adidas disclosed a data breach caused by unauthorized access to a third-party customer service platform. The incident compromised customer contact details of individuals who interacted with Adidas’ support team. No financial data or passwords were involved, but the breach highlights growing risks in third-party SaaS integrations.
How the Breach Happened?
Attackers infiltrated a third-party vendor system used for customer support management. The vulnerability likely stemmed from poor access controls or outdated security configurations, allowing attackers to access communication records and associated customer data.
What Data Was Exposed?
- Full names
- Email addresses
- Phone numbers (where provided)
- Customer service inquiry logs
No payment, authentication, or account credential data was affected.
Number of Affected Individuals
Adidas has not specified the total impact, but cybersecurity analysts estimate the breach could affect several hundred thousand customers, based on typical usage of the compromised platform.
Vendor Involvement
The breach originated solely from a third-party vendor’s environment. Adidas has not disclosed the vendor’s name, but stated the system has since been disconnected and is under investigation.
Business Impact
- Limited to reputational risk and customer concern
- Regulatory reporting under GDPR initiated
- Emergency audits and potential vendor churn
- Increased scrutiny over data-sharing practices
Company Response
Adidas acted promptly by:
- Isolating the vendor system
- Launching an internal review with third-party forensics
- Notifying affected users and regulators
- Reevaluating third-party data sharing and access policies
Key Lesson
Third-party vendors often represent the weakest link in corporate data security. Even non-critical services like customer support must be held to strict security standards.
Sources
- Reuters
- Bleeping Computer
4. Marks and Spencer Cyberattack Disrupts Services and Exposes Customer Data
Marks & Spencer (M&S), one of the UK’s largest retailers, confirmed one of the significant data breaches of May 2025, timed during the Easter weekend. The breach, linked to the hacking group “Scattered Spider,” disrupted systems and exposed personal customer information. Investigations suggest the breach may have involved M&S’s IT outsourcing partner, Tata Consultancy Services (TCS).
How the Breach Happened?
Cybercriminals exploited social engineering tactics to gain access to internal tools, potentially through TCS-managed infrastructure. The timing over a holiday period suggests the attackers aimed to exploit weakened oversight. The exact point of compromise remains under forensic analysis.
What Data Was Exposed
- Full names
- Email addresses
- Postal addresses
- Dates of birth
- Internal customer account metadata
No payment or login credential data was confirmed compromised.
Number of Affected Individuals
While M&S did not confirm a specific number, analysts estimate the breach may have impacted hundreds of thousands of users, based on system size and historical breach patterns.
Vendor Involvement
The breach likely involved infrastructure operated by TCS. While TCS has not been officially blamed, scrutiny has increased regarding its security protocols and access permissions.
Business Impact
- Online services went offline for over 72 hours
- Potential losses of up to £300 million
- Operational and inventory disruption across UK stores
- Regulatory inquiry by the UK Information Commissioner’s Office (ICO)
- Damage to brand trust, especially among older demographics
Company Response
M&S initiated a swift response:
- Notified affected customers
- Engaged forensic cybersecurity teams
- Reviewed vendor agreements and access management protocols
- Communicated openly with the public and authorities
Key Lesson
Outsourcing critical IT systems without robust oversight introduces major breach risk, especially during periods of low vigilance.
Sources
- The Guardian
- TechRadar
5. Ascension Third Party Software Failures Expose Health Data of 437,000 Patients
Ascension, one of the largest non-profit health systems in the U.S., disclosed multiple data breaches of May 2025 involving third-party vendors. The most significant breach was tied to a former business partner using vulnerable software, resulting in unauthorized access to protected health information (PHI) for over 437,000 patients.
How the Breach Happened?
A third-party vendor’s outdated software was exploited by attackers to access PHI retained from previous business engagements. In a separate but related incident, cloud systems managed by another third-party service were also compromised, revealing a pattern of weak vendor security controls across Ascension’s ecosystem.
What Data Was Exposed?
- Full names
- Home addresses
- Social Security numbers
- Clinical and insurance information
- Medical appointment and treatment records
This data is highly sensitive and ideal for medical identity theft and fraud schemes.
Number of Affected Individuals
Ascension confirmed that 437,385 patients were notified. Additional exposure is possible as investigations into linked systems continue.
Vendor Involvement
Both breaches stemmed from third-party systems — one from a legacy partner with continued access to data, and another from an active cloud-based service provider.
Business Impact
- Potential HIPAA violations and fines
- Reputational damage in the healthcare community
- Resource diversion to incident response and compliance audits
- Legal exposure from affected patients
- Intensified pressure to modernize vendor access protocols
Company Response
Ascension responded with:
- Rapid public disclosure and patient notifications
- Identity theft protection offerings
- Collaboration with federal regulators
- Internal audits of all vendor relationships and data-sharing protocols
Key Lesson
Healthcare data is gold for attackers, and third-party systems must be treated as extensions of core infrastructure, not afterthoughts.
Sources
- Data Privacy & Security Insider
- TechTarget
6. AT&T Major Data Leak Exposes 31 Million Customer Records
Overview
A threat actor has reportedly leaked a dataset containing 31 million AT&T customer records on a prominent dark web forum. The 3.1GB dataset is structured in both JSON and CSV formats, raising serious concerns about its legitimacy and the scale of the breach. While the leak remains unconfirmed by AT&T, cybersecurity analysts are treating the incident as potentially serious.
How the Breach Happened
The threat actor posted the data on a dark web forum, claiming it was extracted from AT&T’s systems. Though the method of breach is unclear, the structured and indexed nature of the leak suggests access to sensitive databases. The attack vector may have involved internal misconfigurations or legacy system vulnerabilities.
What Data Was Exposed
- Full names
- Dates of birth
- Genders
- Tax IDs
- Device and cookie identifiers
- IP addresses
- Residential addresses
- Email addresses and phone numbers
If verified, this data could fuel identity theft and coordinated social engineering attacks.
Number of Affected Individuals
The threat actor claims 31 million records were leaked. Researchers reviewing a sample confirmed at least one individual’s details, estimating that over 3 million could be affected if the full dump is valid.
Vendor Involvement
There’s no indication of third-party involvement, though internal system vulnerabilities are suspected.
Business Impact
- Reputational damage and erosion of customer trust
- Potential legal exposure under U.S. data privacy laws
- Heightened regulatory interest and scrutiny
- Urgency for AT&T to investigate and respond publicly
Company Response
AT&T has not confirmed the breach or released a statement as of this writing. Security experts urge the company to address the claims and reassure customers.
Key Lesson
Monitoring and proactive response are critical — unverified leaks can still impact customer confidence and brand integrity.
Sources
- Cybernews
- SC Media
- Cybersecurity News
Conclusion
The data breaches of May 2025, from insider collusion at Coinbase to third-party failures at Ascension, aren’t just isolated lapses. They’re signals of a broader shift in the threat landscape. These breaches cut across industries and geographies, exposing everyone from individual consumers to massive enterprises.
What’s clear is that cyber risk isn’t confined to the IT department anymore. It’s a boardroom issue, a customer trust issue, and for many, a financial survival issue. As these stories unfold, they remind us that the attackers are organized, persistent, and often a step ahead.
For organizations, this month wasn’t just a rough patch — it was a mirror. What you do next with that reflection may define the rest of your year.