PKWARE’s series of 2025 data breach reports is useful because it collects disparate incidents into a pattern view that practitioners can act on. These writeups are not original reporting, but they surface the same themes I see in incident desks and vendor postmortems: third-party and file transfer weaknesses, insider and contractor risk, ransomware that prioritizes exfiltration of unstructured data over encryption, and slow or inconsistent disclosure practices.
Third-party managed file transfer (MFT) software and vendor tools keep reappearing as the root cause or initial vector. The Western Alliance breach is a textbook example: a vulnerability in a third-party secure file transfer product gave attackers access to customer files and led to notification of roughly 22,000 impacted customers. That sequence (vulnerable vendor software, silent exploitation, late discovery, delayed disclosure) is now familiar, and it is preventable if organizations treat data movement infrastructure as high-risk.
Closely related is the rise of insider- and contractor-assisted compromises. The Coinbase incident showed how attackers can bribe or recruit outsourced support agents to pull sensitive customer records and then extort the company. The remediation costs and operational fallout in that case make a harsh point: access controls and monitoring for human agents and contractors matter as much as perimeter defenses.
Ransomware groups continue to shift toward large-scale exfiltration of unstructured data rather than encryption alone. That shift creates real demand for data-centric controls: once the data is out, the only thing that limits the damage is how usable the stolen material is. Attacks that publicly leak source code, HR records, or student data show that attackers want leverage and reputational damage as well as direct ransom payments. The PowerSchool incident shows the stakes when education records are exposed at scale.
Supply chain and outsourced IT relationships are another recurring theme. The Jaguar Land Rover disruption in September is a reminder that cyber incidents can cascade from outsourced systems into production and logistics, with operational impact that goes well beyond the immediate data loss. When suppliers and integrators are compromised, their downstream customers are collateral.
A few technical realities matter more than the rest. Managed file transfer products have had high-severity vulnerabilities this cycle, and mass exploitation campaigns have used a single vulnerable product to reach many victims in a short window. Treat MFT appliances and file-exchange endpoints as critical attack surface: patch aggressively, and apply compensating controls (segmentation, restricted egress, heightened logging) wherever patching cannot be immediate.
What this means for practitioners — actionable recommendations
- Stop treating encryption as an afterthought. Apply persistent, policy-driven encryption and tokenization to sensitive fields and files so that exfiltrated material is of little use to the attacker. Data-at-rest and data-in-motion protections must be enforced at the data layer, not only at the network layer, because the network layer is exactly what a compromised MFT server or support portal has already crossed.
- Inventory and classify data proactively. If you cannot say what sensitive data you host and where it moves, you cannot prioritize remediation or triage after an incident. Automated discovery and classification pay for themselves by shrinking exposure windows.
- Harden vendor and contractor access. Enforce least privilege, use short-lived credentials and strong attestation for third-party sessions, require MFA and privileged access monitoring for support portals, and routinely audit contractor activity. Incidents like Coinbase show that people with legitimate access are prime targets.
- Treat file transfer platforms as high risk. Apply network segmentation, host-based controls, strict logging, and immediate compensating controls for legacy MFT tools until they are fully patched or replaced. Assume attackers will use these systems to move data out, since that is what they are built to do.
- Prepare for ransomware with exfiltration. Backups remain necessary but insufficient. Implement detection that looks for large, anomalous volumes of data leaving the network, and maintain a tested legal and communications playbook for extortion demands and disclosure obligations.
- Demand better disclosure and SLAs from vendors. Contracts must include breach notification timelines, access to forensic data, and remedies. When suppliers delay or obfuscate, downstream customers need contractual rights to visibility and the ability to require mitigation.
Why this is more than vendor marketing
Vendors like PKWARE package these trends as reasons to adopt data discovery and protection platforms. That positioning is commercial, but the underlying technical advice is sound: protect the data itself, shrink the attacker's window of opportunity, and harden the touchpoints where data moves or is serviced. The test for any product or control is whether it measurably reduces risk in the vendor and contractor scenarios above, not whether it reads well on a checklist.
Bottom line
2025’s incidents make the same structural point repeatedly: breaches are rarely single-point failures. They are multi-party failures in software hygiene, access governance, and data visibility. Practical fixes exist and they are operational rather than theoretical. Start with data inventory and classification, lock down who can move or decrypt sensitive files, and treat file-transfer and support systems as crown jewels when you assess risk. Implement those steps before your next notification letter is drafted.