Date: 2026-03-09

By Karthikeyan VS, Director & Head of Asia, Expleo

2025, more than any recent year, revealed the structural weaknesses embedded in enterprise data security. What firms encountered was not a run of isolated cyber incidents but a systemic failure in which data breaches disrupted global operations, destroyed billions in value, and weakened trust across industries. Manufacturing lines halted overnight, and retailers faced coordinated ransomware extortion.

Airlines saw millions of customer records exposed, while public infrastructure became a target of politically motivated attacks. At the same time, artificial intelligence (AI) reshaped both defence and offence, accelerating innovation while amplifying risk. Nearly 68 per cent of organisations reported data leakage associated with the use of AI tools, and poor data quality alone resulted in average losses of USD 12.9 million per organisation.

As regulators raced to respond, firms found themselves navigating increasing compliance pressure without adequate visibility or control over their data. The lessons from 2025 are clear: data security is no longer just a technical safeguard; it is a business resilience imperative.

When Breaches Became Business Disruptions

In 2025, data breaches crossed a critical threshold. They no longer stopped at data loss; they triggered full-scale operational shutdowns. The manufacturing and automotive sector experienced cyber incidents that stalled global production, severed supplier relationships, and created cascading economic losses measured in billions. Retailers faced ransomware attacks that combined encryption with data exfiltration. This was followed by extortion targeting both organisations and high-profile individuals. The aviation industry was similarly exposed, with attacks affecting millions of customers globally.

These incidents revealed a shared weakness: overextended access privileges, slow credential revocation and limited visibility across distributed systems. Recovery time, not just breach prevention, has also emerged as a critical factor in limiting damage.

AI’s Double-Edged Impact on Data Security

AI dominated enterprise agendas in 2025, yet its security implications were underestimated. While generative AI improved efficiency, it also introduced new data leakage pathways. Various firms experienced data exposure due to employee interactions with AI tools, often involving sensitive or regulated information. In addition, 13 per cent reported breaches involving AI models or applications. Amongst these, 97 per cent were related to weak access controls. As a result, 60 per cent of the AI-related security incidents led to compromised data and 31 per cent led to operational disruption.

Meanwhile, the consequences of weak AI governance extended beyond security incidents. Almost all surveyed firms reported financial and operational losses related to AI-driven risks, including regulatory non-compliance and poor data quality. Data sovereignty emerged as a critical concern, as AI tools processed vast quantities of enterprise data without clear jurisdictional oversight, exposing organisations to cross-border compliance risks.

Supply Chains: The Persistent Weakest Link

The software and technology supply chain proved to be one of the most exploited attack surfaces of the year. Enterprises across healthcare, education, manufacturing, and logistics were compromised through unpatched vulnerabilities in widely used third-party software and file transfer tools. Beyond enterprise software, malicious code embedded in open-source repositories enabled large-scale data exfiltration, targeting credentials, personal information, and proprietary data.

The lesson was unmistakable: organisational security is only as strong as the least secure dependency. Annual vendor assessments failed to keep pace with continuous threats, underscoring the need for real-time third-party risk visibility and stricter access segmentation.

Regulation Accelerates, Complexity Persists

In 2025, 82 per cent of the global population was covered by data protection and privacy legislation. New AI-focused regulations and updates to existing privacy laws reflected growing concern over automated decision-making, data misuse, and cross-border processing. Yet overlapping regulations across regions increased compliance complexity rather than simplifying it. Organisations that treated compliance as a checklist struggled, while those embedding regulatory principles into data architecture and access governance exhibited greater resilience.

All in all, the defining takeaway from 2025 is the urgent need to reframe data security around access. Credential compromise continued to drive breaches, intensified by AI-enabled phishing and social engineering, rendering multi-factor authentication, least-privilege access, and Zero Trust essential. Equally essential is treating AI as core infrastructure, strengthening supply chain security, and embedding compliance into operational design. With threats growing faster and more interconnected, resilience will be defined by control over access, data flows, and enterprise decisions.