Learning from 2025 Breaches:
2025 continued the trend of high-volume cyber breaches, not because defenders were facing entirely new problems, but because familiar weaknesses kept failing at scale.
The volume of reported breaches remained exceptionally high, with the ITRC counting 3,322 U.S. data compromises in 2025 and Privacy Rights Clearinghouse capturing 4,080 unique breach events affecting at least 375 million individuals. Just as telling, the ITRC found that only 30 percent of breached organizations clearly explained how the attack happened. That means 2025 was not simply a bad year for security. It’s another year proving old assumptions are still breaking faster than many institutions can adapt.
For state governments, local governments, public utilities, K-12 systems, higher education, healthcare networks, and other public-service organizations, the lessons are less straightforward. Below I describe some of the biggest breaches of 2025 and their impact on state and local governments and essential-service organizations. The flavor of each breach differs, but because these organizations deliver public services and mission services at scale, the effects usually ripple well beyond the organization that was hit.
PowerSchool becomes a statewide problem
The PowerSchool breach became one of the defining education-sector stories of 2025. Reuters reported that the attacker used credentials tied to a PowerSchool contractor, and later reporting put the exposure at more than 60 million students and 10 million teachers. In May, Reuters also reported that multiple school districts were being extorted with previously stolen data. This is exactly what public-sector concentration risk looks like. One trusted platform, embedded deeply enough across districts, can turn a vendor compromise into a multi-state education crisis.
The lesson for state and local leaders is not simply “manage vendors better.” Large SaaS providers are hard to manage, and we need them for many essential services. Sometimes we have no choice but to use them.
What to do about it:
State education agencies and technology leaders need a clear view of their largest and most critical platforms, especially the ones that concentrate student, parent, employee, and operational data in one place. On the vendor side, CISOs should work closely with procurement to make sure security requirements, independent security testing, response obligations, breach notification timelines, and recovery expectations are built into the contract from the start. Many states and essential-service organizations have already moved in this direction because they know vendor risk is not theoretical.
From there, the work becomes about preparedness. The hardest, and arguably most important, step is understanding what data creates risk and how an attacker could use it. Could it support fraud, business email compromise, credential harvesting, or password spraying against staff and families? When leaders understand that up front, they are in a far better position to deploy the right defenses quickly, contain damage, and buy valuable time on a bad day.
Nevada proved that cybersecurity basics still work
Nevada’s statewide cyber incident was one of the most useful public-sector case studies of 2025 because the state released an after-action report instead of hiding behind generic breach language. The state said it did not pay the ransom, restored statewide services within 28 days, recovered about 90 percent of impacted data, and relied on pre-established incident playbooks and vendor agreements during the response. The after-action reporting also described an intrusion that began months earlier, involved destructive activity against backups, and still did not turn into a total collapse of state operations.
What to do about it:
Cybersecurity basics still work. Good preparation, clear planning, and disciplined execution can turn a bad day into just a day instead of a month-long recovery. Nevada is a reminder that the fundamentals still matter most: knowing who makes decisions, knowing how to recover, knowing how to contain, and knowing who is already lined up to help. None of that is glamorous. It is quiet, often uncelebrated work, but it is usually what carries an organization when the flashy tools do not perform the way people hoped they would.
Pennsylvania and the federal courts showed how cyber incidents disrupt the justice system itself
In August 2025, the Pennsylvania Office of Attorney General said a cyber incident knocked its website offline and disabled email accounts and landlines, with restoration taking place over the following days and weeks. Around the same time, the federal Judiciary disclosed that it was strengthening defenses around its case management system in response to escalating cyberattacks, and Reuters reported that the breach raised concerns about sealed cases and exposed sensitive individuals tied to court proceedings. Both incidents struck at the ability of legal institutions to move cases, communicate with stakeholders, and protect sensitive information.
What to do about it:
The lesson here is one public-sector leaders often underestimate. Some systems are not merely “important applications.” They are mission execution itself. It is sometimes easy to lose sight of just how important a system really is until it goes down. That is why strong business continuity planning, and a clear understanding of recovery time objectives and recovery point objectives, are so important for mission-critical systems. This matters even more for agencies and public services that are legally required to operate. When that planning is not done well, the impact is not limited to downtime. It can create weeks or even months of workflow disruption, case delays, and backlog ripple effects across the organization.
Maryland Transit and UNFI turned cyber risk into service-delivery risk
The Maryland Transit Administration’s 2025 cyber incident disrupted parts of transit operations, including Mobility services, while the agency worked through investigation and recovery. Around the same time, UNFI disclosed unauthorized activity on its systems and said containment measures, including taking systems offline, temporarily affected its ability to fulfill and distribute customer orders. The sectors are different, but the lesson is identical. When operational systems are impaired, cybersecurity instantly becomes a continuity-of-service issue. People do not experience these incidents as “IT events.” They experience them as missed deliveries, unavailable services, and broken trust.
What to do about it:
Breach mitigation measures aside, the real lesson here is awareness. Public services are deeply interconnected, and when one provider gets hit, everyone in the region feels it. The disruption does not stay neatly inside one agency, one hospital, one transit system, or one utility. It creates ripples and disruption across a regional population.
That is why “whole of state” cannot be reduced to the security of a single public entity. It has to be a methodology for securing the connected pieces across state, local, utility, emergency services, and healthcare environments. Incidents like this are proof of both the risk and the opportunity. They show why state CISOs are in a unique position to lead, convene, and drive a more coordinated model of regional resilience.
BRICKSTORM: Nation-state tradecraft raised the floor for what “prepared” now means
Late 2025 reporting from CISA and partners on BRICKSTORM and broader Chinese state-sponsored activity made another point clear. Public-sector entities are not collateral exposure. They are strategic targets for espionage, persistence, and operational advantage. CISA’s 2025 advisories described PRC-linked activity affecting public-sector and information technology systems, as well as the compromise of networks worldwide to feed a global espionage system.
What to do about it:
What that means in practice is less glamorous than many leaders would like. The work starts with the basics. Know what assets you have. Know where they are. Know what information lives on them and why it matters. From there, the next step is reducing attack surface, tightening administrative exposure, and proactively managing vulnerabilities before they become somebody else’s access path. None of that makes for a flashy board slide, but it is the kind of disciplined, unglamorous work that improves overall risk posture and makes both criminal and nation-state intrusion materially harder.
What States Should Prepare for in 2026
The breaches of 2025 reinforced a hard truth for state, local, and essential-service leaders: the most damaging cyber incidents did not come from wildly new attack methods, but from familiar weaknesses failing at a large public scale. Third-party concentration risk, weak identity controls, incomplete business continuity planning, interconnected service dependencies, and basic exposure management all showed up again and again.
Here’s what states should prepare for:
- Concentrated platform risk is now a statewide issue. When a major SaaS platform or service provider is compromised, the blast radius can extend across districts, agencies, and entire regions.
  Top 3 Focus Areas:
  - Identifying the largest and most critical platforms in your environment
  - Building stronger vendor security, testing, notification, and recovery requirements into contracts
  - Understanding what data creates the highest downstream risk if exposed
- Cybersecurity basics still matter most. Good planning, clear decision-making, and tested recovery paths can turn a bad day into a manageable one instead of a prolonged disruption.
  Top 3 Focus Areas:
  - Executive clarity on who makes incident decisions
  - Tested recovery and containment playbooks
  - Pre-positioned partners and support agreements before a crisis starts
- Mission-critical systems need continuity planning, not just security tooling. Some systems are not merely important applications; they are the delivery mechanism for justice, safety, benefits, and legally required public services.
  Top 3 Focus Areas:
  - Business continuity planning for mission-critical systems
  - Clear recovery time objectives and recovery point objectives
  - Recovery priorities based on mission harm, not just technical severity
- Whole-of-state must mean more than one entity. Public services are interconnected, and disruption in one area can ripple quickly across transportation, healthcare, utilities, emergency response, and local government.
  Top 3 Focus Areas:
  - Regional dependency mapping across essential services
  - Coordinated resilience planning across state, local, utility, and healthcare partners
  - State CISO leadership that does the hard political work of getting every stakeholder with a shared interest to the table
- Nation-state readiness starts with unglamorous operational discipline. Public-sector organizations are strategic targets, and the best preparation still begins with fundamentals.
  Top 3 Focus Areas:
  - Continuous asset discovery and understanding where critical information resides
  - Reducing attack surface and tightening administrative exposure
  - Proactive vulnerability and risk posture management over time
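Two of the focus areas above, identifying the platforms that concentrate the most risk and mapping regional dependencies so recovery can be ordered by mission harm, are the same exercise seen from two ends: a dependency graph of who relies on whom. The following is an added example, not code from the original article or from any state program, and the graph, service names, and harm scores in it are constructed for illustration only. It computes the blast radius of any single provider, ranks providers by the mission harm their failure would cause downstream, and produces a restoration order in which each provider comes back before the services that need it.

```python
"""Regional dependency map: which public services break when one platform or
provider fails, which providers concentrate the most mission risk, and in what
order to restore services. The graph and harm scores below are constructed for
this example and do not describe any real state, agency, or vendor."""
from collections import defaultdict, deque

# "consumer": [providers it cannot run without]. All names are hypothetical.
DEPENDENCIES = {
    "district_a_sis": ["vendor_sis_saas", "state_idp"],
    "district_b_sis": ["vendor_sis_saas", "state_idp"],
    "district_c_sis": ["vendor_sis_saas"],
    "school_meals_billing": ["district_a_sis", "district_b_sis"],
    "county_health_ehr": ["state_idp", "regional_datacenter"],
    "transit_dispatch": ["regional_datacenter"],
    "paratransit_booking": ["transit_dispatch", "state_idp"],
    "court_case_mgmt": ["regional_datacenter", "state_idp"],
}

# Mission harm if the service is unavailable (1 = inconvenience, 5 = people
# cannot get care, rides, or due process). Constructed scores.
MISSION_HARM = {
    "district_a_sis": 4, "district_b_sis": 4, "district_c_sis": 3,
    "school_meals_billing": 2, "county_health_ehr": 5, "transit_dispatch": 4,
    "paratransit_booking": 5, "court_case_mgmt": 5,
}


def all_nodes(deps):
    """Every consumer and every provider named anywhere in the map."""
    return set(deps) | {p for providers in deps.values() for p in providers}


def dependents_index(deps):
    """Invert the map: provider -> set of services that directly need it."""
    index = defaultdict(set)
    for consumer, providers in deps.items():
        for provider in providers:
            index[provider].add(consumer)
    return index


def blast_radius(deps, failed):
    """Every service that stops working, directly or transitively, when
    `failed` goes down (breadth-first walk over the dependents index)."""
    index = dependents_index(deps)
    impacted, queue = set(), deque([failed])
    while queue:
        node = queue.popleft()
        for consumer in index.get(node, ()):
            if consumer not in impacted:
                impacted.add(consumer)
                queue.append(consumer)
    return impacted


def concentration_ranking(deps, harm):
    """Rank every node by the mission harm its failure would cause downstream:
    (node, number of impacted services, summed mission harm), worst first."""
    rows = []
    for node in all_nodes(deps):
        impacted = blast_radius(deps, node)
        rows.append((node, len(impacted), sum(harm.get(s, 0) for s in impacted)))
    rows.sort(key=lambda row: (-row[2], -row[1], row[0]))
    return rows


def recovery_order(deps, harm, failed):
    """Restoration sequence after `failed` goes down: a provider always comes
    back before the services that need it, and among services that are ready,
    the one whose return unblocks the most mission harm goes first."""
    impacted = blast_radius(deps, failed) | {failed}
    # Providers each impacted service is still waiting on (only those in the
    # impacted set; everything else is assumed healthy).
    waiting_on = {n: {p for p in deps.get(n, ()) if p in impacted} for n in impacted}

    def priority(node):
        # Harm of the service itself plus everything stuck behind it.
        downstream = blast_radius(deps, node)
        return harm.get(node, 0) + sum(harm.get(s, 0) for s in downstream)

    order = []
    while waiting_on:
        ready = [n for n, providers in waiting_on.items() if not providers]
        if not ready:
            raise ValueError("circular dependency among impacted services")
        nxt = min(ready, key=lambda n: (-priority(n), n))
        order.append(nxt)
        del waiting_on[nxt]
        for providers in waiting_on.values():
            providers.discard(nxt)
    return order


if __name__ == "__main__":
    for node, count, total in concentration_ranking(DEPENDENCIES, MISSION_HARM)[:3]:
        print(f"{node}: {count} services impacted, mission harm {total}")
    print("restore after SIS vendor outage:",
          recovery_order(DEPENDENCIES, MISSION_HARM, "vendor_sis_saas"))
```

On this constructed map the shared identity provider, not the SaaS student information system, is the single largest concentration of mission harm, because it sits under districts, the county EHR, paratransit, and the courts at once. That is the kind of finding a dependency map surfaces and a per-agency risk register does not. The harm scores are the political part of the exercise: agreeing on them across agencies is what turns the graph into an agreed recovery priority list.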
The closing lesson from 2025 is simple. Public-sector resilience will not be built by compliance language alone, nor by assuming that one agency can secure itself in isolation. It will be built by leaders who understand their dependencies, protect the systems that matter most, and treat preparedness as an operational discipline rather than an annual exercise. States that act on those lessons in 2026 will not just reduce cyber risk. They will strengthen the continuity and trust their residents depend on every day.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.