The past few years have seen an array of high-profile cyber incidents, from supply chain attacks to zero-day vulnerabilities, ransomware to deepfakes. Threat actors are evolving their attempts to access business networks, steal sensitive data, and defraud organisations.
In this Halloween special blog, the IO exec team share the incidents that sent shivers down their spine.
Kido Schools – Supply Chain Attack
Our CFO, Jon Orpen, says:
In September, hackers accessed the data of thousands of children at nursery chain, Kido Schools. They initially gained access to the information via childcare management software, Famly. The attackers published profiles of 20 children online and threatened to publish more unless they were paid in Bitcoin. They also threatened parents directly via phone calls. I have young children and have been through the ‘nursery system’, so this attack really resonated with me.
Soon after the threats were made, there was significant public backlash. The attackers removed the posts and claimed to have deleted the information, with the attack being condemned as a ‘new low’ for cybercriminals. However, the attack shows us that cybercriminals are indiscriminate in their attacks, even willing to target children to achieve their aims.
The Kido Schools cyberattack is just one of several recent high-profile attacks in which threat actors targeted suppliers to access organisations’ sensitive data. Our State of Information Security Report 2025 found that three in five respondents (61%) had been impacted by a cybersecurity or information security incident caused by a third-party vendor or supply chain partner, and more than a quarter (27%) had been impacted more than once.
Reviewing the information security measures that your suppliers have in place is a must in the current threat landscape.
Oracle E-Business Suite – Zero-Day Vulnerability
Our CPO, Sam Peters, says:
Oracle recently patched an E-Business Suite vulnerability, CVE-2025-61884, that may have been used by threat actors to exfiltrate sensitive corporate data from multiple businesses. An update from Oracle described the vulnerability as “remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may allow access to sensitive resources.”
The business stressed that it recommends that customers remain on actively supported versions and apply Security Alerts and Critical Patch Update security patches without delay.
While zero-day attacks are unpredictable by nature, businesses can shore up their defences by ensuring software is up to date, patches are installed and by taking a comprehensive approach to risk management. The ISO 27001 standard, for example, provides a framework that supports businesses in building and maintaining a robust information security management system, and bolstering operational resilience in the event of an attack.
Implementing the comprehensive, considered incident response and business continuity plans required for ISO 27001 compliance will enable organisations to respond swiftly to zero-day exploits and minimise damage.
Marks & Spencer – Supply Chain and Ransomware Attack
Our CEO, Chris Newton-Smith, says:
An attack on UK retail giant Marks & Spencer (M&S) made headlines in April this year. Threat actors harvested customer data and deployed ransomware that disrupted the company’s IT systems as well as its online and in-store operations, leading to estimated financial losses of £700m.
The attackers reportedly used social engineering and targeted an M&S ICT supplier to gain access. They impersonated an M&S employee and convinced the third-party provider to reset an internal user’s password. Upon gaining access to the network, they also harvested sensitive customer data before deploying the ransomware to encrypt M&S systems.
The business quickly shut down online ordering systems and suspended contactless payments to prevent further damage being done, reverting physical sales to manual processes. It also involved law enforcement, engaged external cybersecurity experts and communicated the incident and ongoing impact to customers. While some reports criticised the retailer for lacking business continuity plans and incident response plans, it’s clear that M&S took immediate steps to mitigate further risk.
This multi-layered attack demonstrates the importance of ongoing third-party risk management for businesses; it also highlights the need for network segmentation to limit the extent of damage that can be done in the event of an attack.
Again, ISO 27001 can support organisations here. Compliance and certification to the standard require organisations to assess and implement necessary security controls, including regular backups, information security measures implemented as part of broader business continuity plans, and actionable steps to identify, assess, respond to and manage incidents.
Arup – AI Deepfake
Our CMO, Dave Holloway, says:
This year’s State of Information Security Report shows a decline in deepfake incidents compared to our 2024 report (20% vs 30%) but AI-powered threats are still top of mind for organisations. One notable and extremely sophisticated deepfake attack last year saw engineering business Arup lose $25 million to cybercriminals.
It’s reported that an Arup employee was manipulated into making the transaction when perpetrators posed as senior company officers in a hoax video conference. The employee initially suspected they had received a phishing email, as it specified the need for a transaction to be carried out. However, attackers used AI-generated deepfakes to impersonate the officers, which convinced the employee of the call’s legitimacy; they then made the transactions.
In an interview with the World Economic Forum, Arup’s CIO, Rob Greig, described the incident as “technology-enhanced social engineering” and suspects that “this happens more frequently than a lot of people realize.”
Combating AI-powered threats represents an ongoing and evolving challenge for businesses. Employee training can ensure staff are aware of red flags to look out for, and role-based access controls ensure only specific employees can access specific networks or confidential information, such as financial information. However, a robust and well-rehearsed incident response plan is still vital to have should an attack be successful.
Salesforce – Ransomware Attack
Our CRO, Ross Down, says:
The attack on CRM provider Salesforce follows a similar pattern to the attack on M&S. Hackers targeted employees and third-party apps to gain access to the company’s networks, reportedly compromising third-party integration, Salesloft Drift, using stolen OAuth tokens to gain unauthorised access.
Once they’d gained access, the threat actors were able to export significant amounts of sensitive data, and claim to have stolen nearly a billion records across dozens of Salesforce customers including Fujifilm, Qantas, The Gap, and more.
The group demanded a ransom from Salesforce, but it also instructed ransoms from the impacted customers and began leaking victim data online. However, it’s reported that Salesforce refused to pay the ransom, and there’s no evidence that any of the victims paid ransoms, either. Instead, Salesforce has since disabled Drift’s connection to its systems.
At the time of writing, the incident is still ongoing, with attackers continuing to threaten to leak further Salesforce customer data. This incident is yet another reminder of the importance of third-party risk management, business continuity planning and incident response planning to reduce and mitigate the impact of an attack.
The good news is that organisations are preparing for these eventualities. 80% of respondents to our State of Information Security Report 2025 said they’d adopted improved incident response preparedness and recovery capabilities, while 18% plan to do so in the next 12 months.
Risk Management: Proactivity is Key
As AI evolves, supply chains grow and the attack surface broadens, cyberattacks like the incidents IO’s exec team have highlighted are only going to increase in both complexity and sophistication. Implementing best practice standards like ISO 27001 for information security management and ISO 42001 for AI management allows organisations to mitigate cyber risk, as well as improving incident identification and response.
Ready to act? Our Cyber Hygiene Checklist provides ten best practices businesses can implement to bolster their cyber defences.










