Summary
- Total number of incidents disclosed: 44
- Total number of known records breached: 1,443,150,467
Sources of breached data
- Scraped or leaked from public APIs:
  - Facebook (1.2 billion records)
- Credential dump compiled via infostealers (184 million+ credentials)
- Vendor/Cloud breaches exposing customer/employee data:
  - Ascension Health (via third-party file tool): 437,000
  - Spyware apps (stalkerware): 3.2 million
- Direct or insider breaches involving client data:
  - AT&T (unconfirmed): 31 million
  - Coinbase (insider at call centre): 69,461
  - Co-op UK (ransomware gang): claimed 20 million
Top 5 incidents by number of records affected
The following are the largest incidents publicly disclosed in May 2025, ranked by known/claimed impact:
1. Facebook
- Records affected: 1.2 billion.
- Data: Full names, Facebook IDs, email addresses, phone numbers, locations, birthdates and gender.
- Cause: Scraped via a vulnerable Facebook API.
- Status: Yet to be verified – Meta claims it relates to a historic breach.
2. Unknown credentials database
- Records affected: 184,162,718 email/password pairs
- Data: Plaintext credentials tied to Google, Microsoft and Meta, and banking logins
- Cause: Likely compiled from infostealer malware and left exposed online
- Status: Removed after discovery, source undetermined
3. AT&T
- Records affected: 31 million (claimed).
- Data: Names, birthdates, addresses, phone numbers, tax IDs, device and cookie data.
- Cause: Posted to a hacking forum.
- Status: So far unverified but sample data was provided. AT&T is investigating.
4. Co-op UK
- Records affected: ~20 million (claimed by attackers).
- Data: Names, dates of birth, contact details of current and former members.
- Cause: Ransomware gang DragonForce (linked to Scattered Spider).
- Status: Under investigation.
5. LexisNexis Risk Solutions
- Records affected: 364,000 individuals.
- Data: Full names, home addresses, dates of birth, Social Security numbers, and potentially employment/salary information.
- Cause: Data breach stemming from a hacking incident in December 2024, when attackers infiltrated internal systems and accessed personal records.
- Status: Breach discovered in January 2025 and disclosed in May 2025 after investigation. Affected individuals were offered credit monitoring.
Trends in May 2025
- Significant rise in scraped/mass-exposed data
Two of the five largest leaks came from large-scale scraping or credential aggregation (Facebook and infostealer dumps), rather than direct intrusions.
- Vendor risk and insider breaches rising
Incidents at Ascension Health, Adidas, and Coinbase all stemmed from third parties – either contractors or software dependencies.
- Retail and tech remain prime targets
Retailers including Co-op, Harrods, Adidas, Dior, and Victoria’s Secret were targeted or affected this month. Cloud services (TeleMessage, spyware vendors) and edtech (Pearson) also saw notable activity.
- UK particularly affected
More than 5 major incidents involved UK organisations, including Co-op, Marks & Spencer, Harrods, the Legal Aid Agency and Pearson.
Key vulnerabilities exploited
- GitLab personal access token (Pearson):
A misconfigured or exposed token gave attackers source code access and credentials to internal services.
- Infostealer malware (unknown credentials database):
Though not tied to a single software flaw, this dataset was likely gathered silently over months from infected devices lacking endpoint protection.
- AWS misconfiguration (TeleMessage):
An unsecured S3-like store enabled unauthorised access to archived, plaintext versions of government messages.
List of incidents
Disclosure date | Organisation | Country | Sector | Incident Type | Records Affected |
May 1, 2025 | Ascension Health | USA | Healthcare | Third-party data breach (vulnerability exploit) | 430,000 patients |
May 1, 2025 | Barnstable County Sheriff’s Office | USA | Government (Law Enforcement) | Insider data leak | 101 employees |
May 1, 2025 | Cobb County, Georgia | USA | Government (County) | Ransomware (Qilin) | Unknown (150 GB claimed) |
May 1, 2025 | Synnovis (UK Labs) | UK | Healthcare (Laboratory) | Ransomware (Qilin) | ~8,000 patients (est.) |
May 1, 2025 | Commvault | USA | Tech (Data Management) | Targeted cyberattack (zero-day exploit) | Unknown |
May 1, 2025 | Bartlesville Public Schools | USA | Education (K-12) | Cyberattack (network outage) | 6,000+ students |
May 2, 2025 | Co-op | UK | Retail (Grocery) | Ransomware (DragonForce) | Up to 20 Million (claimed) |
May 2, 2025 | Nova Scotia Power (Emera) | Canada | Energy (Utility) | Cyberattack (unauthorized access) | Unknown (customer data) |
May 2, 2025 | Harrods | UK | Retail (Luxury) | Cyberattack (attempted intrusion) | Unknown |
May 2, 2025 | Raw Dating App | USA | Technology (Dating App) | Data leak (misconfiguration) | 500,000+ users (Android installs) |
May 2, 2025 | Magento e-Stores | Global | E-commerce (Retail) | Supply-chain attack (Magecart) | 500–1,000 stores |
May 2, 2025 | Saskatoon Children’s Hospital | Canada | Healthcare | Privacy breach (insider access) | 314 patients |
May 4, 2025 | TeleMessage (Signal clone) | USA | Technology (Encrypted Messaging) | Hack (server takeover) | Unknown (Gov’t comms data) |
May 5, 2025 | Coweta County Schools | USA | Education (K-12) | Cyberattacks (ransomware suspected) | 23,000 students |
May 6, 2025 | Masimo | USA | Healthcare (MedTech) | Cyberattack (operations disruption) | Unknown |
May 6, 2025 | iHeartMedia | USA | Media (Radio) | Data breach (hackers undetected) | Unknown (multi-state) |
May 7, 2025 | Insight Partners | USA | Finance (Venture Capital) | Cyberattack (social engineering; data theft) | Unknown (employees & investors) |
May 7, 2025 | South African Airways | South Africa | Transportation (Airline) | Cyberattack (IT disruption) | Unknown |
May 8, 2025 | Pearson plc | UK | Education (EdTech) | Cyberattack (token compromise; data theft) | “Millions” of customers (legacy data) |
May 8, 2025 | Japan FSA | Japan | Government (Financial Regulator) | Account compromises (fraudulent trades) | Unknown (≈$2 B funds moved) |
May 8, 2025 | SogoTrade, Inc. | USA | Finance (Online Brokerage) | Email account breach (phishing) | 48,696 clients |
May 10, 2025 | iClicker | USA | Education (EdTech) | Website compromise (malware) | Unknown |
May 11, 2025 | Global Crossing Airlines | USA | Transportation (Airline) | Cyberattack (hacktivist data theft) | Unknown |
May 12, 2025 | State of Alabama | USA | Government (State) | “Cybersecurity event” (suspected ransomware) | Unknown |
May 13, 2025 | Marks & Spencer | UK | Retail (Department Store) | Ransomware (DragonForce/Scattered Spider) | Unknown (mass scale) |
May 13, 2025 | Nucor Corporation | USA | Manufacturing (Steel) | Cyberattack (IT disruption) | Unknown |
May 13, 2025 | Multiple Orgs – SAP NetWeaver | Global | Various (Energy, Water, Manufacturing, Gov’t) | Nation‑state hacking (vulnerability exploits) | 581 systems (across orgs) |
May 14, 2025 | Coinbase | USA | Finance (Cryptocurrency) | Insider breach + extortion | 69,461 customers |
May 14, 2025 | Australian Human Rights Commission | Australia | Government (Civil Rights) | Data leak (misindexed documents) | “Hundreds” of files |
May 14, 2025 | Lecardo Clinic | Russia | Healthcare (Private Hospital) | Cyberattack (hacktivist disruption) | Unknown |
May 19, 2025 | UK Legal Aid Agency | UK | Government (Legal Services) | Cyberattack (data breach) | Millions (15 yrs of applicants) |
May 19, 2025 | Arla Foods | Denmark (and Germany) | Food & Agriculture | Cyberattack (OT disruption) | Unknown (production only) |
May 20, 2025 | Kettering Health | USA | Healthcare (Hospital Network) | Ransomware (Interlock) | 67,000 patients (warned) |
May 20, 2025 | Peter Green Chilled | UK | Logistics (Food Supply) | Ransomware (Scattered Spider) | Unknown (operations impact) |
May 20, 2025 | Cellcom | USA | Telecom (Mobile Carrier) | Cyberattack (service outage) | 300,000 customers (approx.) |
May 22, 2025 | Coca-Cola | USA/Middle East | Beverage (Retail) | Ransomware (Everest) | 959 employees (+ data claim) |
May 22, 2025 | Open Credentials Database | Global | N/A (Multiple platforms) | Data leak (unsecured server) | 184,162,718 accounts |
May 26, 2025 | MathWorks (MATLAB) | USA | Technology (Software) | Ransomware attack (IT outage) | Unknown |
May 26, 2025 | Adidas | Germany | Retail (Apparel) | Third-party breach (vendor hack) | Unknown (customer count) |
May 27, 2025 | City of Sheboygan, WI | USA | Government (City) | Ransomware (Chort) | 67,000 residents |
May 28, 2025 | LexisNexis Risk Solutions | USA | Data Analytics (Broker) | Data breach (hacking) | 364,000 individuals |
May 28, 2025 | Victoria’s Secret | USA | Retail (Apparel) | Cybersecurity incident (site offline) | Unknown |
May 29, 2025 | ConnectWise | USA | Technology (IT Software) | Cyberattack (supply chain) | Unknown (limited clients) |
May 30, 2025 | ASVT ISP (Moscow) | Russia | Telecom (Internet Provider) | DDoS attack (service outage) | ~40,000 customers |
The post Global Data Breaches and Cyber Attacks in May 2025 – More Than 1.4 Billion Records Breached appeared first on IT Governance Blog.