IAM Failures: Lessons From 2025’s Biggest Breaches

The year 2025 has witnessed a surge in cyberattacks against major brands, with weak Identity and Access Management (IAM) playing a significant role in security failures.

From Marks & Spencer’s supply chain breach to the Co-op’s ransomware attack and Harrods’ insider data leak, organisations are paying the price for outdated access controls.

This article explores:

  • How recent 2025 breaches exploited IAM weaknesses.
  • Common IAM vulnerabilities exposed.
  • Best practices to strengthen security.
  • Future trends shaping IAM.

2025’s Major Breaches: The IAM Connection

Recent High-Profile Attacks Linked to IAM Failures

Attack (2025)      Impact                                             IAM failure
Marks & Spencer    Supplier portal breach; customer data exposed      Shared vendor credential, no MFA
Co-op              Ransomware attack; stores offline for days         Compromised admin account, weak MFA
Harrods            Employee payroll data leaked                       Insider abuse of excessive access rights
Tesco Bank         Fraudulent transactions via credential stuffing    Weak customer password policies
British Airways    Loyalty programme hacked via third-party API       Inadequate partner access controls

How Attackers Exploited IAM Gaps

  • Marks & Spencer – Attackers breached a third-party vendor portal using default or reused credentials, then pivoted into internal systems.
  • Co-op – Hackers phished an IT admin, bypassed SMS-based MFA, and deployed ransomware.
  • Harrods – A disgruntled employee accessed and leaked salary data due to overly broad HR access permissions.
  • Tesco Bank – Attackers used credential stuffing from earlier breaches; no system was in place to detect compromised passwords.
  • British Airways – A compromised API key from a travel partner gave attackers access to loyalty accounts.

Key Takeaway: Most 2025 breaches were not the result of elite hacking - they stemmed from avoidable IAM oversights.

The Top 3 IAM Vulnerabilities Exploited in 2025 

1. Third-Party & Supply Chain Weaknesses  

  • Marks & Spencer’s breach originated from a vendor’s weak credentials.  
  • British Airways suffered due to mismanaged API keys by a travel partner.  

Fix: 

  • Enforce **phishing-resistant MFA** for third-party access.  
  • **Isolate** and monitor vendor access using **Zero Trust Network Access (ZTNA)**.

2. Weak or Outdated MFA 

  • **Co-op’s** breach succeeded due to phishable SMS-based MFA.
  • **Tesco Bank** lacked mandatory MFA for customer accounts.

 Fix:

  • Implement **phishing-resistant MFA** (e.g., **FIDO2 keys, biometrics**).  
  • Decommission **SMS MFA** for privileged accounts.

3. Excessive Permissions & Insider Threats

  • **Harrods** exposed the risk of over-permissioned employees.
  • **An NHS contractor breach (2025)** occurred due to access not being revoked post-termination.

Fix:

  • Apply **least privilege access** (**RBAC or ABAC**).  
  • Conduct quarterly **access reviews** and automate user lifecycle management.
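What an automated access review actually checks is easy to lose in the phrase "quarterly access reviews". The following added example (not code from the article, nor from any organisation named in it) reconciles an HR roster against the identity provider’s account list and surfaces the three failure modes discussed above: leavers whose accounts are still enabled (the NHS contractor case), entitlements beyond a role’s least-privilege baseline (the Harrods case) and privileged accounts with no recent use or no HR owner. The roster, the accounts, the role baselines and the "privileged" entitlement set are constructed sample data and assumptions for illustration.

```python
"""Quarterly access review: reconcile HR roster against IdP accounts.

Added example for illustration; all records and role baselines below are
constructed, not taken from any real organisation.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Person:
    user_id: str
    status: str                    # HR status: "active" or "terminated"
    role: str
    end_date: Optional[date] = None


@dataclass
class Account:
    user_id: str
    enabled: bool
    entitlements: set
    last_login: date


# Assumed least-privilege baseline: what each role legitimately needs.
ROLE_BASELINE = {
    "hr_analyst": {"hr_portal_read", "payroll_view_own_team"},
    "it_admin": {"ad_admin", "vpn"},
    "contractor_dev": {"repo_read", "vpn"},
}
PRIVILEGED = {"ad_admin"}          # assumed: entitlements treated as privileged
REVIEW_DATE = date(2025, 6, 30)    # date the review is run

# Constructed sample data.
HR_ROSTER = [
    Person("aysha", "active", "hr_analyst"),
    Person("ben", "terminated", "contractor_dev", date(2025, 3, 31)),
    Person("chen", "active", "it_admin"),
]
IDP_ACCOUNTS = [
    # HR analyst holding a bulk-export right her role does not need
    Account("aysha", True, {"hr_portal_read", "payroll_view_own_team", "payroll_export_all"}, date(2025, 6, 2)),
    # contractor who left in March, account never disabled
    Account("ben", True, {"repo_read", "vpn"}, date(2025, 5, 20)),
    # admin account unused for months
    Account("chen", True, {"ad_admin", "vpn"}, date(2025, 1, 5)),
    # privileged account with no HR owner at all
    Account("svc-legacy", True, {"ad_admin"}, date(2024, 11, 1)),
]


def review_access(roster, accounts, today=REVIEW_DATE, stale_days=90):
    """Return (user_id, finding, detail) tuples for every account needing action."""
    people = {p.user_id: p for p in roster}
    findings = []
    for acct in accounts:
        person = people.get(acct.user_id)
        if person is None:
            findings.append((acct.user_id, "orphaned", "no HR owner"))
            continue
        if person.status == "terminated" and acct.enabled:
            findings.append((acct.user_id, "not_revoked",
                             f"left {person.end_date}, account still enabled"))
            continue
        excess = acct.entitlements - ROLE_BASELINE.get(person.role, set())
        if excess:
            findings.append((acct.user_id, "excessive", ",".join(sorted(excess))))
        if acct.entitlements & PRIVILEGED and (today - acct.last_login).days > stale_days:
            findings.append((acct.user_id, "stale_privileged", f"last login {acct.last_login}"))
    return findings


def revocation_queue(findings):
    """Accounts to disable immediately rather than merely report."""
    return sorted({u for u, kind, _ in findings if kind in ("orphaned", "not_revoked")})


if __name__ == "__main__":
    results = review_access(HR_ROSTER, IDP_ACCOUNTS)
    for user, kind, detail in results:
        print(f"{kind:17} {user:12} {detail}")
    print("disable now:", revocation_queue(results))
```

The split between "report" and "disable now" matters: orphaned and unrevoked accounts need no human approval, so an automated lifecycle job should disable them on the spot and leave only the excessive and stale cases for the reviewing manager.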

How to Prevent the Next Big IAM Breach

1. Treat Third-Party Vendors as High-Risk

  • Review all vendor access to ensure **strong authentication**.
  • Segment their access to **limit lateral movement**.

2. Eliminate Passwords Where Possible  

  • Adopt FIDO2 or biometric authentication, as Microsoft and Google have done.
  • Block breached passwords at set and reset time by checking them against a breach corpus such as Have I Been Pwned’s Pwned Passwords.
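The breached-password check works by k-anonymity: the client hashes the candidate password with SHA-1, sends only the first five hex characters of the digest to the Pwned Passwords range endpoint, and matches the remaining 35 characters against the returned "SUFFIX:COUNT" list locally, so the full hash never leaves the client. The following added example (not code from the article) implements that flow in Python; the range response is a constructed stand-in for the live API so the script runs offline, although the SHA-1 of "password" and its suffix are real and the count is illustrative. The padding lines with a count of 0 mimic what the live service adds when the Add-Padding header is sent and must be ignored.

```python
"""Breached-password check via the Pwned Passwords k-anonymity range API.

Added example. SAMPLE_RANGE_RESPONSE is constructed so the script runs
offline; fetch_range_live() shows the real call but is not used by default.
"""
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"   # real endpoint

# Constructed stand-in for the response to prefix 5BAA6. The middle line is the
# real suffix of SHA-1("password"); its count here is illustrative. Count-0
# lines are the padding the live API adds when "Add-Padding: true" is sent.
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "0" * 34 + "1:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:10437086",
    "F" * 35 + ":0",
])


def split_hash(password):
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, dropping padding entries."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range_offline(prefix):
    """Offline stand-in for the HTTPS call; only the sample prefix is known."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def fetch_range_live(prefix):
    """Real lookup: only the 5-character prefix is transmitted."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "iam-review-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, fetch_range=fetch_range_offline):
    """How many times the password appears in the breach corpus (0 = not seen)."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def password_acceptable(password, fetch_range=fetch_range_offline, min_length=12):
    """Policy: minimum length, and never seen in a breach corpus."""
    if len(password) < min_length:
        return False, "shorter than %d characters" % min_length
    n = breach_count(password, fetch_range)
    if n:
        return False, "appears %d times in breach corpora" % n
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(repr(candidate), password_acceptable(candidate))
```

Wire `password_acceptable` into the set and reset paths of the identity provider, swapping in `fetch_range_live`; the length check runs first so a trivially short password is rejected without any network call.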

3. Monitor and Automate Identity Threat Detection  

  • Deploy **Identity Threat Detection and Response (ITDR)** tools.
  • Use AI/ML to detect anomalies (e.g., an HR account downloading all payroll data at 3 AM).
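The 3 AM payroll scenario does not need machine learning to catch: compare each access event with the same account’s own history for that action, and with business hours. The following added example (not code from the article or from any vendor’s product) runs that logic over a constructed JSON-lines audit log; the field names `ts`, `user`, `action` and `records` are assumptions, not any product’s schema. The baseline for an event is computed only from the events before it, so a large spike cannot inflate its own baseline and hide itself.

```python
"""Flag off-hours and abnormal-volume data access from an audit log.

Added example; the log lines and field names are constructed for illustration.
"""
import json
from datetime import datetime
from statistics import mean, pstdev

# Constructed audit log (JSON lines). The last line is the 3 AM bulk export.
AUDIT_LOG = """\
{"ts": "2025-05-05T09:12:00", "user": "hr.analyst", "action": "payroll_export", "records": 40}
{"ts": "2025-05-06T10:03:00", "user": "hr.analyst", "action": "payroll_export", "records": 38}
{"ts": "2025-05-06T22:30:00", "user": "ops.oncall", "action": "payroll_export", "records": 3}
{"ts": "2025-05-07T11:48:00", "user": "hr.analyst", "action": "payroll_export", "records": 45}
{"ts": "2025-05-08T09:30:00", "user": "hr.analyst", "action": "payroll_export", "records": 42}
{"ts": "2025-05-09T14:15:00", "user": "hr.analyst", "action": "payroll_export", "records": 41}
{"ts": "2025-05-10T03:02:00", "user": "hr.analyst", "action": "payroll_export", "records": 9800}
"""


def parse_log(text):
    """Parse JSON lines into event dicts with a datetime, sorted chronologically."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, business_hours=(7, 20), z_threshold=3.0, min_history=3):
    """Return alerts for events that are off-hours and/or far above the
    account's own earlier volume for that action.

    Only events *before* the current one feed its baseline, so a spike does
    not raise the standard deviation it is being compared against.
    """
    history = {}   # (user, action) -> record counts of earlier events
    alerts = []
    for ev in events:
        key = (ev["user"], ev["action"])
        prior = history.setdefault(key, [])
        reasons = []
        z = 0.0
        hour = ev["ts"].hour
        if hour < business_hours[0] or hour >= business_hours[1]:
            reasons.append("off_hours")
        if len(prior) >= min_history:
            sd = max(pstdev(prior), 1.0)        # floor avoids division by zero on a flat history
            z = (ev["records"] - mean(prior)) / sd
            if z > z_threshold:
                reasons.append("volume")
        if reasons:
            alerts.append({
                "user": ev["user"],
                "action": ev["action"],
                "ts": ev["ts"].isoformat(),
                "records": ev["records"],
                "reasons": reasons,
                "zscore": round(z, 1),
                "severity": "high" if len(reasons) > 1 else "low",
            })
        prior.append(ev["records"])
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(AUDIT_LOG)):
        print(a["severity"].upper(), a["user"], a["ts"], a["reasons"], "records:", a["records"])
```

The on-call engineer’s late-night three-record lookup is reported at low severity because only one signal fires; the HR account’s 9,800-record export at 03:02 fires both and is the one to page on. In production the same two signals are what an ITDR product computes, with the history drawn from weeks of data rather than five events.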

4. Prepare for Post-Breach Scenarios 

  • Define and test rapid access revocation workflows (disable compromised accounts within **10 minutes**).
  • Conduct IAM-focused breach drills during incident response tests.

The Future of IAM: 2025 and Beyond

 AI-Powered Identity Defence 

  • Behavioural analytics to detect **risky logins** before credential abuse.  

Decentralised Identity (Self-Sovereign Identity)

  • **Blockchain-based** digital identities reduce single points of failure.

Continuous Authentication

  • Real-time verification via behavioural biometrics (e.g., mouse movements, keystroke rhythm).  

 Regulation Driving IAM Evolution  

  • GDPR 2.0 (expected 2026) may **require passwordless MFA** for all customer-facing services.

Conclusion: IAM is Your First - and Last Line of Defence

2025’s breaches have made one thing clear - Identity and Access Management is non-negotiable.  From Co-op’s ransomware disaster to Harrods’ insider scandal, outdated IAM has been the common denominator.  

Ask yourself:  

  • Are your employees, vendors, and customers truly protected?  
  • Can you detect and respond to access abuse in real time?  
  • Are you ready for a passwordless future?  

The next major breach is already forming in someone’s inbox or API log; don’t let it be yours.

Sidra Mobeen is an IAM & Risk Strategist & EMCC Practitioner Coach

Image: Ideogram
