LIM Center, Aleje Jerozolimskie 65/79, 00-697 Warsaw, Poland
+48 (22) 364 58 00

Major Developments in Incident Response – June–July 2025

June and July 2025 have been marked by a surge in high-profile cyber incidents and significant advancements in how organizations detect and respond to security breaches. Major ransomware attacks and data breaches struck companies across sectors – from food distribution and airlines to insurance and tech – testing the robustness of incident-response plans worldwide. In parallel, cybersecurity providers and government agencies introduced new tools, automation platforms, and guidelines to speed up detection and containment of threats. Industry experts stressed that effective incident response requires not only cutting-edge technology (including AI-driven systems) but also well-prepared teams, updated playbooks, and supportive regulatory frameworks. This report compiles the most significant incident-response developments of the period, citing original sources and expert commentary throughout.

Major Cyber Incidents and Response Actions (June–July 2025)

  • Food Supply Disruption (UNFI Ransomware): On June 5, United Natural Foods Inc. (UNFI) – a primary grocery distributor for Whole Foods – detected unauthorized activity on its IT network darkreading.com. In response, UNFI shut down large portions of its systems and activated its incident response plan, causing immediate disruptions to food deliveries nationwide techcrunch.com techcrunch.com. The company worked with third-party cybersecurity experts and law enforcement while implementing workarounds to continue shipping orders on a limited basis techcrunch.com darkreading.com. Shutting down its network helped contain the attack’s spread, but led to empty shelves in some stores until systems were safely restored techcrunch.com techcrunch.com. Industry experts highlighted lessons from this incident: Grant Geyer, Chief Strategy Officer at Claroty, noted that organizations should enhance IT/OT network segmentation, continuous monitoring, and anomaly detection to limit the blast radius of attacks, and thoroughly vet third-party access to critical systems darkreading.com.
  • Airline Data Breach (Qantas): Australia’s largest airline, Qantas, announced on July 2 that it had detected unusual activity on June 30 on a third-party customer-servicing platform used by one of its contact centres, exposing personal data of about 6 million customers darkreading.com darkreading.com. The airline said it contained the intrusion the same day it was detected and launched a full incident response: it isolated the affected system, stood up a dedicated support hotline and web page for affected customers, and tightened network monitoring and access controls darkreading.com. Qantas is investigating alongside federal authorities and warned that the impact “will be significant” darkreading.com darkreading.com. CyberCX, a firm assisting in the response, said the breach bore the hallmarks of the “Scattered Spider” threat group (also tracked as UNC3944), which the FBI had warned only days earlier was targeting the aviation sector darkreading.com. Australian officials urged vigilance against follow-on scams: the country’s cyber security minister advised Qantas customers to treat unexpected calls or emails referencing the breach as potential phishing and to verify any contact via official channels darkreading.com. The case underscores two incident-response basics for consumer-facing organizations: third-party platforms holding customer data sit inside the blast radius and need the same monitoring and access review as first-party systems, and public communication has to reach customers before the stolen data is used for fraud.
  • Insurance Industry Under Attack (Scattered Spider Campaign): In mid-June, Google’s Threat Intelligence Group warned that the Scattered Spider collective had shifted its focus to U.S. insurance companies bleepingcomputer.com bleepingcomputer.com. At least three insurers suffered disruptive attacks during this period. Aflac (U.S.) revealed that intruders gained access to its network through social engineering, with the intrusion identified on June 12, and that they stole sensitive claims data including Social Security numbers and health information techcrunch.com techcrunch.com. Aflac said it contained the intrusion within hours and that no ransomware was deployed; the culprits are believed to be a financially motivated cybercrime group known for targeting insurers techcrunch.com techcrunch.com. Erie Insurance (a U.S. property & casualty insurer) experienced an attack around June 7 that knocked its customer portals offline bleepingcomputer.com bleepingcomputer.com. Erie’s security team detected unusual network activity and immediately activated its incident-response protocols, taking systems offline to stop the spread bleepingcomputer.com bleepingcomputer.com. The company engaged law enforcement and forensic experts, and warned customers to be alert for fraud during the outage (emphasizing that it would not call or email to request payments) bleepingcomputer.com. Philadelphia Insurance (PHLY) likewise disclosed that on June 9 it found unauthorized access in its network and disconnected affected systems to contain the attack bleepingcomputer.com. These incidents illustrate a sector-wide campaign: Scattered Spider’s social engineering (impersonating employees to help desks and call centers to obtain password and MFA resets) lets the group bypass technical controls without exploiting a single vulnerability, which is why Google’s John Hultquist put the entire insurance sector on alert bleepingcomputer.com bleepingcomputer.com. The practical control is procedural as much as technical: help-desk identity verification (callback to a number already on record, manager approval for MFA re-enrolment, no credential resets for privileged accounts over the phone) closes the door the group walks through, and early detection plus decisive containment (severing network connections) limited the damage for the companies above bleepingcomputer.com bleepingcomputer.com.
  • Mass Data Breaches (Global): Other sizable breaches in June hit organizations around the world, testing their incident-response readiness. In India, car-sharing company Zoomcar reported that an intruder accessed personal data of 8.4 million users (names, phone numbers, car registration numbers) techcrunch.com. Zoomcar discovered the intrusion on June 9 after employees received extortion emails from the threat actor, and it “promptly activated its incident response plan,” according to its SEC filing techcrunch.com. The company brought in external cybersecurity experts and implemented additional safeguards, increasing cloud and network monitoring and reviewing access controls, while notifying regulators and law enforcement techcrunch.com. Zoomcar stated that no financial data or passwords were compromised and that its operations were not materially disrupted techcrunch.com techcrunch.com. In another case, The North Face notified roughly 3,000 customers whose accounts were taken over through credential stuffing (passwords reused from other breaches), and luxury brand Cartier disclosed a breach of customer contact data; commentary grouped both with the wave of retail-sector intrusions attributed to Scattered Spider, although neither company attributed its incident to a named actor cm-alliance.com cm-alliance.com. These examples show that robust incident-response processes, from quick internal escalation to engaging outside experts and regulators, matter regardless of region or industry; the North Face case also shows why consumer-facing login endpoints need rate limiting and breached-password checks, since credential stuffing needs no foothold in the victim’s network at all.

Advances in Incident-Response Tools and Technologies

  • Managed Detection & Response Expansion: The incident-response technology sector saw major consolidation and investment during this period, indicating a push toward more unified and scalable services. Notably, LevelBlue, a cybersecurity services firm spun out of AT&T, announced on July 1 that it will acquire Trustwave, aiming to form the world’s largest independent managed security services provider (MSSP) darkreading.com darkreading.com. Trustwave is well-known for its incident response and threat intelligence (SpiderLabs) capabilities. LevelBlue’s CEO said the acquisition will give the combined company over 30,000 customers and ~$1 billion in revenue, greatly expanding its global incident-response reach darkreading.com. A key asset is Trustwave’s Fusion platform – a cloud-native security operations platform providing a centralized view of an organization’s security stack with analytics for incident detection and automated response orchestration darkreading.com. LevelBlue plans to integrate its risk management services with Trustwave Fusion, leveraging its SOAR (Security Orchestration, Automation and Response) features to streamline incident response for customers darkreading.com. This move, along with LevelBlue’s parallel purchase of Aon’s cyber consulting groups, reflects a trend of service providers merging threat detection, incident response, and consulting into one-stop platforms for faster, more coordinated responses to attacks.
  • AI-Powered Detection and Response: Artificial intelligence continued to make inroads into security operations, promising faster threat detection and lighter workloads for human analysts. New “AI SOC analyst” products were marketed as “force multipliers” for incident response: they use machine learning to triage alerts, investigate common alert types, and in some cases initiate remediation steps autonomously. According to The Hacker News, organizations deploying AI-based SOC automation have reported up to a 90% reduction in false-positive alerts requiring human review thehackernews.com. By filtering out benign activity and prioritizing high-risk alerts through behavioral analysis, these platforms free analysts to focus on real incidents and complex response tasks thehackernews.com thehackernews.com. The systems also learn from analyst feedback and past incidents, which improves accuracy over time. Metrics that matter to incident response move accordingly: mean time to investigate and respond can drop from hours to minutes when first-tier analysis is automated thehackernews.com, and repetitive steps such as log correlation and evidence gathering can be handled by an AI “co-pilot,” leaving human responders to make the containment and eradication decisions thehackernews.com thehackernews.com. With the cybersecurity talent shortage still acute (roughly 4 million unfilled roles globally by industry estimates), such tools are increasingly viewed as essential to augment strained incident-response teams, and by absorbing the “noise” they address analyst fatigue and help retain skilled staff for critical decisions thehackernews.com thehackernews.com. The caveat practitioners raised alongside the enthusiasm: any autonomous remediation action (isolating a host, disabling an account, blocking an address) needs an approval gate, a rollback path and an audit trail, because a triage model that misclassifies benign activity and acts unsupervised will cause its own outages. In short, June–July 2025 saw AI-based detection and response move from buzzword to practical deployments that many organizations are evaluating, with the human still owning the containment decision.
  • Built-in Resilience and Recovery Features: Software vendors have also started building incident-recovery readiness into their platforms. Microsoft’s Windows Resiliency Initiative, first announced in November 2024 and expanded with new details in June 2025, introduces features intended to help organizations recover from outages and destructive incidents more quickly. One highlight is Quick Machine Recovery, rolling out to Windows 11 during mid-2025, which lets a machine that cannot boot enter the Windows Recovery Environment, reach Windows Update over the network and apply a targeted remediation pushed by the administrator thehackernews.com. After a destructive malware event or a bad update, administrators can thus restore affected systems without hands-on access or full reimaging, cutting downtime; the caveat is that the feature must be enabled in advance and the recovery environment must have network reach, so it belongs in the incident-response plan before the incident, and it does not replace tested backups. Another change moves endpoint security products, including anti-malware engines, out of the kernel into a user-mode platform so that a faulty security component cannot take the whole OS down with it, which also makes remediation on an infected system safer thehackernews.com. These changes (delivered through Windows 11 updates and Microsoft’s Secure Future Initiative) aim to “reduce impacts at the operating system level in the event of a crash or error,” giving responders faster recovery options thehackernews.com thehackernews.com. Together with hotpatching, which applies security updates without a reboot, and close collaboration with endpoint security vendors, the goal is to contain attacks and restore system integrity with minimal disruption thehackernews.com thehackernews.com. Such built-in resilience features reflect a broader trend: platform vendors accept that breaches and failures will happen (“assume breach”) and are investing in automated, safe recovery to minimize damage and downtime.
  • Government and Open-Source Tools: Government agencies continued to support incident-response efforts with tooling and advisories. CISA’s open-source Untitled Goose Tool (first released in 2023) remains the reference utility for exporting and parsing Entra ID (Azure AD), Azure and Microsoft 365 audit logs so responders can hunt for threat-actor activity in a cloud tenant, which is where several of this period’s breaches played out. It is a separate project from CISA’s Malcolm suite, which analyzes network traffic (packet captures and Zeek/Suricata logs) rather than cloud audit data. On the advisory side, the joint #StopRansomware advisory on Play ransomware (AA23-352A, first published in December 2023 by CISA, the FBI and the Australian Cyber Security Centre) was updated on June 4, 2025 with newly observed tactics, fresh indicators of compromise and mitigation guidance for incident response teams cisa.gov. Shared playbooks and tools like these let organizations hunt for attacker footprints and respond using community knowledge rather than starting from scratch.
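The two threads above, help-desk account takeover (the Scattered Spider pattern in the insurance item) and hunting in cloud audit logs (the Untitled Goose Tool item), meet in one concrete check: a help-desk password reset on an account, followed within a short window by a new MFA method and a new inbox rule on that same account, almost always means the reset was handed to an attacker. The script below is an added example written for this report, not code from CISA, Google or any vendor named here. The records in SAMPLE_LOG are constructed; their field names (CreationTime, Operation, UserId, ObjectId, ClientIP) and operation strings are modelled loosely on Microsoft 365 Unified Audit Log output and are assumptions, not a guaranteed schema, so map them to whatever your export actually contains.

```python
"""Hunt for the help-desk account-takeover chain in M365-style audit records.

Added example, not code from any tool named in the report. SAMPLE_LOG is
constructed; field and operation names are assumptions modelled on Microsoft
365 Unified Audit Log output.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Operation name -> stage of the chain we are looking for:
# help-desk password reset -> attacker enrols own MFA -> attacker plants an
# inbox rule (typically to hide security notifications), same account.
STAGE_OPS = {
    "Reset user password.": "reset",
    "User registered security info.": "mfa_enrol",
    "New-InboxRule": "inbox_rule",
    "Set-InboxRule": "inbox_rule",
}

# All three stages inside this span after the reset is what we flag.
WINDOW = timedelta(hours=2)

# Constructed sample (JSON lines). alice shows the full chain from an external
# IP; bob is a legitimate reset plus MFA re-registration with no rule; carol
# only creates a rule; dave's stages are spread over two days.
SAMPLE_LOG = """
{"CreationTime":"2025-06-12T14:02:11","Operation":"Reset user password.","UserId":"helpdesk@corp.example","ObjectId":"alice@corp.example","ClientIP":"10.0.5.20"}
{"CreationTime":"2025-06-12T14:05:40","Operation":"FileAccessed","UserId":"alice@corp.example","ClientIP":"10.0.9.11"}
{"CreationTime":"2025-06-12T14:09:30","Operation":"User registered security info.","UserId":"alice@corp.example","ClientIP":"203.0.113.45"}
{"CreationTime":"2025-06-12T14:31:02","Operation":"New-InboxRule","UserId":"alice@corp.example","ClientIP":"203.0.113.45"}
{"CreationTime":"2025-06-12T09:00:00","Operation":"Reset user password.","UserId":"helpdesk@corp.example","ObjectId":"bob@corp.example","ClientIP":"10.0.5.20"}
{"CreationTime":"2025-06-12T09:05:12","Operation":"User registered security info.","UserId":"bob@corp.example","ClientIP":"10.0.7.3"}
{"CreationTime":"2025-06-12T11:00:00","Operation":"New-InboxRule","UserId":"carol@corp.example","ClientIP":"10.0.7.8"}
{"CreationTime":"2025-06-10T08:00:00","Operation":"Reset user password.","UserId":"helpdesk@corp.example","ObjectId":"dave@corp.example","ClientIP":"10.0.5.20"}
{"CreationTime":"2025-06-12T08:30:00","Operation":"User registered security info.","UserId":"dave@corp.example","ClientIP":"10.0.7.9"}
{"CreationTime":"2025-06-12T08:40:00","Operation":"New-InboxRule","UserId":"dave@corp.example","ClientIP":"10.0.7.9"}
"""


def parse_events(text):
    """Parse JSON lines, keep only chain-relevant operations, normalise fields."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        stage = STAGE_OPS.get(rec["Operation"])
        if stage is None:
            continue  # noise such as FileAccessed
        # An admin reset names the victim in ObjectId; the later stages are
        # performed from the (now attacker-held) account itself.
        target = rec["ObjectId"] if stage == "reset" else rec["UserId"]
        events.append({
            "time": datetime.fromisoformat(rec["CreationTime"]),
            "stage": stage,
            "actor": rec["UserId"],
            "target": target,
            "ip": rec.get("ClientIP", "unknown"),
        })
    return events


def find_takeover_chains(events, window=WINDOW):
    """One finding per reset followed, within `window`, by both an MFA
    enrolment and an inbox-rule change on the same account."""
    by_target = defaultdict(list)
    for ev in events:
        by_target[ev["target"]].append(ev)

    findings = []
    for account, evs in by_target.items():
        evs.sort(key=lambda e: e["time"])
        for i, ev in enumerate(evs):
            if ev["stage"] != "reset":
                continue
            seen, ips = {"reset"}, {ev["ip"]}
            for later in evs[i + 1:]:
                if later["time"] - ev["time"] > window:
                    break  # sorted, so nothing further is inside the window
                seen.add(later["stage"])
                ips.add(later["ip"])
            if {"mfa_enrol", "inbox_rule"} <= seen:
                findings.append({
                    "account": account,
                    "reset_at": ev["time"].isoformat(),
                    "reset_by": ev["actor"],
                    "client_ips": sorted(ips),
                })
    return findings


def triage(text=SAMPLE_LOG):
    """Run the whole pipeline over a JSON-lines export."""
    return find_takeover_chains(parse_events(text))


if __name__ == "__main__":
    for f in triage():
        print(f"TAKEOVER CHAIN {f['account']}: reset by {f['reset_by']} at "
              f"{f['reset_at']}, client IPs {', '.join(f['client_ips'])}")
```

On the constructed sample only alice is flagged: bob’s reset plus MFA re-registration is what a genuine help-desk call looks like, carol’s lone inbox rule is routine mail hygiene, and dave’s stages are days apart. Requiring all three stages keeps the rule quiet; if your environment logs MFA enrolment reliably, dropping the inbox-rule requirement and instead alerting on a reset followed by enrolment from an IP that has never been seen for that user is the more sensitive variant, and the client IPs in each finding are the first pivot for the responder.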

Evolving Incident Response Landscape: Expert Commentary and Trends

  • Escalating Threats, Faster Response Needed: Cyberattack volumes and impacts continued to climb in 2025, putting pressure on incident-response teams. Verizon’s newly released 2025 Data Breach Investigations Report (DBIR) recorded an 18% year-over-year increase in confirmed breaches, with a 34% surge in breaches that began with exploiting vulnerabilities in unpatched software thehackernews.com. This trend reinforces that many incidents are preventable with basic hygiene (patch management), yet adversaries are quicker to exploit known flaws. Ransomware in particular remained a dire threat – as security pioneer John Kindervag remarked in June, “Ransomware attacks are no longer just a cybersecurity concern. They are a direct threat to national security.” illumio.com Critical infrastructure saw attacks with real-world effects (from pipelines and power grids to transportation), heightening the stakes for effective incident response. Kindervag and other experts advocate adopting Zero Trust principles and network segmentation enterprise-wide so that even if attackers breach a perimeter, they cannot easily move laterally to critical systems illumio.com illumio.com. Segmentation and “assume breach” mentalities allow incident responders to isolate affected parts of the network swiftly and contain damage (a strategy validated by multiple incidents this summer). Additionally, continuous monitoring and advanced anomaly detection were cited as crucial for spotting intrusions early – preferably before ransomware detonates or data is exfiltrated darkreading.com.
  • Importance of Preparedness and People: A consistent theme in expert commentary was that technology alone is not a panacea; human expertise and preparation remain paramount in incident response. Even as organizations invest in AI and automation, they must keep their incident response plans (IRPs) current, rehearsed, and genuinely actionable. Advisors noted that many companies still lack comprehensive IR plans or have never tested them in realistic scenarios thehackernews.com. This period provided stark reminders of the value of preparation: companies such as UNFI and Zoomcar that had plans ready were able to activate them within hours of detection (shutting down networks, switching to manual workarounds, engaging outside experts), which likely averted worse outcomes techcrunch.com techcrunch.com. Best practices for IRP design were highlighted: keep playbooks brief, clear, and role-specific so they can be followed under crisis conditions, and build a cross-functional response team that involves not just IT security but also legal, communications/PR, HR, and executive stakeholders morganlewis.com. Regular tabletop exercises and breach simulations are now seen as essential to prepare these teams for real incidents morganlewis.com cm-alliance.com. Regulatory and business pressures are reinforcing this: cyber insurers and boards increasingly expect proof that organizations run routine incident-response drills and can respond within hours, not days, to an emerging threat cm-alliance.com cm-alliance.com.
  • Regulatory Drivers and Information Sharing: The evolving regulatory landscape in mid-2025 is also reshaping incident response. In the United States, the SEC’s cybersecurity disclosure rules (in force since December 2023) are now in full swing: public companies must disclose a material cyber incident on Form 8-K (Item 1.05) within four business days of determining that it is material. These rules push enterprises to establish internal processes for escalating incidents to leadership and legal teams quickly and to treat public disclosure as part of the incident response cycle morganlewis.com morganlewis.com. Industry lawyers note that companies must anticipate complex questions, for example which events trigger notification obligations under the patchwork of 50+ state breach laws or international regulations, and build those decision points into their response plans morganlewis.com morganlewis.com. In the EU, the NIS2 Directive, whose transposition deadline passed in October 2024, was still being turned into national law across member states during mid-2025, and as national rules land the population of organizations subject to strict incident-response and reporting obligations expands sharply. Under NIS2, essential and important entities in sectors from energy and healthcare to digital services face a 24-hour deadline to send an “early warning” to the competent authority after becoming aware of a significant incident, followed by a fuller incident notification within 72 hours and a final report within one month darktrace.com. This is a dramatic tightening of the previous “without undue delay” language and effectively requires detection, triage and notification mechanisms that work around the clock. NIS2 also introduces substantial penalties (up to €10 million or 2% of global annual turnover for essential entities, €7 million or 1.4% for important entities) and holds senior management personally accountable for approving and overseeing cybersecurity measures and incident-response preparedness darktrace.com. These regulatory changes are driving organizations worldwide to bolster their incident-response programs, from investing in 24/7 monitoring and incident reporting tooling to running crisis drills with executives so that decision-makers are ready to handle compliance and public communications in the immediate aftermath of a breach.
  • Government Alerts and Collaboration: Governments themselves were active in the incident-response arena during June–July 2025, issuing warnings and sharing threat intelligence to help defenders. After U.S. strikes on Iranian nuclear sites in late June, the Department of Homeland Security issued a National Terrorism Advisory System bulletin on June 22 warning that Iranian state-aligned cyber activity against U.S. networks, particularly critical infrastructure, was likely techcrunch.com. The bulletin noted that Iranian government actors and aligned hacktivists typically exploit “targets of opportunity,” meaning organizations with poorly secured, unpatched systems or default credentials, to cause disruption or steal data techcrunch.com techcrunch.com. CISA, the FBI, NSA and DC3 echoed these concerns in a June 30 fact sheet urging critical infrastructure operators to “stay vigilant” and apply recommended mitigations against potential Iranian cyber operations cisa.gov cisa.gov. The mitigations were straightforward but vital: disconnect OT devices from the public internet, enforce strong unique passwords and phishing-resistant multi-factor authentication, patch known exploited vulnerabilities, and review and update incident-response plans in light of the heightened threat cisa.gov cisa.gov. Law enforcement agencies in multiple countries also acted against cybercriminal infrastructure during the period (Europol-coordinated takedowns of illicit marketplaces and U.S. DOJ seizures of ransomware-group servers were announced), underscoring the value of public-private collaboration in incident response. Such efforts mean that organizations that do suffer attacks increasingly have access to government-provided threat intelligence, playbooks, and established channels to report incidents and request assistance. The overarching message from officials: the threat landscape is intensifying, but through vigilance, preparedness, and collaboration, the impact of cyber incidents can be contained.

Outlook

As the midpoint of 2025 passes, the incident-response domain is rapidly evolving to meet new challenges. The events of June and July demonstrated both the destructive potential of modern cyberattacks and the encouraging progress in responding to them. We saw that organizations with robust, practiced incident-response processes (and an understanding that speed is everything) fared far better at mitigating damage. The integration of advanced technologies – from AI-driven SOC platforms that sniff out intruders faster, to cloud and OS-level recovery features that enable near-instant fixes – is gradually tilting the balance in defenders’ favor, or at least narrowing the window of exposure. Meanwhile, a greater emphasis on “resilience” is emerging: assuming breaches will happen and focusing on limiting their impact on business continuity and data protection. This is reflected in everything from insurance requirements and laws (which demand quick reporting and response) to how companies like Microsoft and AWS are building products with incident recovery in mind.

Experts predict the remainder of 2025 will bring further convergence of automation and human expertise in incident response. We can expect more security orchestration tools to use AI for decision support, more threat intelligence sharing across industries, and regulatory moves such as the final rule implementing the U.S. Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA, enacted in 2022), which as proposed would require covered critical infrastructure entities to report substantial cyber incidents to CISA within 72 hours and ransom payments within 24 hours, bringing the U.S. closer to NIS2-style timelines. With ransomware and supply-chain attacks showing no signs of abating, incident-response teams will remain on high alert. Key trends to watch include the maturation of extended detection and response (XDR) platforms that unify endpoint, network, and cloud telemetry for faster investigations, the use of generative AI assistants to help responders parse large data dumps or attacker chat logs, and an increased focus on post-incident digital forensics and lessons-learned reviews to prevent repeat incidents.

In summary, June–July 2025 underscored that incident response is now a board-level priority and a fast-moving discipline. Organizations worldwide are investing in stronger defenses and smarter response tactics – because when the next incident strikes (and it will), the difference between a contained event and a crisis often comes down to preparedness, technology, and the agility of the incident-response team.
