
Why do cyberattacks always happen over the holidays?
The unseen seasonality of cyber risk and how to defend against it in 2025
“It’s Boxing Day. Your CISO’s up on the Sunshine Coast, your IR lead is camping off-grid and your SOC just lit up like it’s Diwali. Again.”
There’s a growing meme in the cybersecurity world: major incidents don’t just happen randomly, they seem to love long weekends, festive seasons and school holidays.
But is this just our collective trauma talking, or are there real trends behind holiday-timed breaches?
Let’s unpack the reality of 2024–2025 cyber threats:
- Real-world data showing the timing effect of attacks
- Why attackers are optimising for business impact and defender fatigue
- Fresh examples from the last 18 months (Marks & Spencer, DP World, Clorox, Qantas)
- The critical role of context-driven detection, SOAR and predictive threat modelling
- Practical defence strategies you can deploy before the next ski trip
This Isn’t Paranoia—It’s Pattern Recognition
Let’s look at verified breach patterns over the last 18 months:
2024–2025 Data Points:
- CrowdStrike 2024 Threat Intel Report: 28% of intrusions were initiated within 5 days before or during public holidays in affected geographies.
- Mandiant M-Trends 2024: Median dwell time increased from 8 days to 15 days during December–January, with notable spikes in attacker lateral movement.
- CERT Australia noted higher volumes of BEC and credential phishing in weeks leading up to end-of-financial-year, school holidays, and Christmas.
Let’s not forget:
- Marks & Spencer (UK): Breach impact revealed in May 2025, traced back to unauthorised access during the UK Easter break.
- DP World (Australia): Ransomware attack struck during Melbourne Cup weekend, disrupting ports nationwide.
- Clorox (USA): The attack, tied to remote access misuse, showed delayed detection and remediation as the company entered its Q3 sales cycle.
- Qantas (Australia): Alleged Scattered Spider activity spiked in early June, targeting business systems and personnel during international mid-year travel surges.
This isn’t anecdotal anymore. It’s intentional timing.
Why holiday periods are prime time for attackers
1. Reduced defensive posture
- Skeleton staff = fewer eyes on glass
- On-call rotation fatigue = slower MTTR
- Internal escalations and approvals = delayed during executive leave
Observation: Several enterprise clients report 40–60% fewer Tier-2+ security staff during Dec–Jan compared to peak April–May.
2. Business leverage is highest
- Retail peak (Nov–Dec), logistics surges, travel seasons: all amplify pressure to pay ransoms or stay quiet.
Example: LockBit’s 2024 Australian retail campaign timed its ransomware deployment for Black Friday and Christmas, when shipping loads were at their highest.
3. Threat actor playbooks are getting smarter
Groups like Scattered Spider, UNC3944 and FIN7 are:
- Using executive travel data (via LinkedIn and public schedules)
- Triggering MFA fatigue during off-peak coverage hours
- Combining SIM swapping + help-desk phishing + timing campaigns to maximise dwell time
Tactical Lessons From Recent Breaches
1. DP World: Ransomware via VPN misconfiguration
- Exploited: unmonitored remote access portal
- Mistake: critical alert generated but not triaged over holiday weekend
- Fix: Implemented auto-response playbooks + VPN behavioural baselines
2. Marks & Spencer: A cautionary tale of partial visibility
- Breach executed weeks before detection
- Delayed disclosure linked to internal audit calendar + legal review backlog
- Remediation hindered by poor integration between IT Ops and Security
3. Qantas: Executive phishing + MFA exhaustion
- Abused help-desk reset process
- No context-aware anomaly detection
- Executive-specific travel model now in place
What smart defenders are doing for 2025
Step 1: Run a Holiday Threat Model
- What systems are critical to your revenue window?
- What coverage gaps exist during seasonal rotations?
- What adversary patterns have previously hit your industry?
For effective simulation, use STIX 2.1 and MITRE ATT&CK heatmaps to visualise seasonal risk scenarios.
Step 2: Deploy predictive telemetry
- Collect behavioural patterns: user, device, data, network
- Use machine learning + statistical baselining for:
Step 3: Automate low-level triage
- Use SOAR to:
Example: you can use TAXII 2.1 feeds to pull adversary IOCs pre-season.
Step 4: Patch with business context
- Patch prioritisation must be aligned with:
You can use a platform like Seemplicity to build a business-logic layer and overlay scoring based on both timing and exposure.
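As an added example (not code from the article, nor from any vendor it names), the Python below ties the four steps together: a holiday calendar from the threat model, statistical baselining of telemetry, a SOAR-style triage queue, and a priority score that overlays timing and asset exposure. The holiday windows, criticality weights, escalation threshold and failed-login counts are all constructed assumptions.

```python
from datetime import date, timedelta
from statistics import mean, pstdev

# Constructed inputs (assumptions for this example, not data from the article):
# holiday windows the SOC runs on skeleton staff, and revenue criticality per asset.
HOLIDAY_WINDOWS = [(date(2025, 12, 24), date(2026, 1, 2))]
ASSET_CRITICALITY = {"vpn-portal": 3.0, "order-db": 3.0, "wiki": 1.0}
ESCALATE_AT = 100.0  # hypothetical threshold for automatic escalation

def in_holiday_window(day, windows=HOLIDAY_WINDOWS, lead_days=5):
    """True if day is inside a holiday window or the lead_days before it
    (access is often staged before the break, so the lead-in counts too)."""
    return any(start - timedelta(days=lead_days) <= day <= end
               for start, end in windows)

def zscore(observed, normal_counts):
    """How many standard deviations observed sits above the normal-period baseline."""
    mu, sigma = mean(normal_counts), pstdev(normal_counts)
    return 0.0 if sigma == 0 else (observed - mu) / sigma

def holiday_priority(asset, day, observed, normal_counts):
    """Priority = positive anomaly z-score x asset criticality x holiday multiplier.
    The multiplier encodes reduced coverage: the same anomaly matters more
    when fewer analysts are watching."""
    z = max(zscore(observed, normal_counts), 0.0)
    multiplier = 2.0 if in_holiday_window(day) else 1.0
    return round(z * ASSET_CRITICALITY.get(asset, 1.0) * multiplier, 2)

def triage_queue(alerts):
    """Rank alerts for a skeleton crew and flag those that should auto-escalate.
    Each alert: (asset, day, observed_count, normal_counts)."""
    ranked = []
    for asset, day, observed, normal in alerts:
        score = holiday_priority(asset, day, observed, normal)
        ranked.append((asset, day.isoformat(), score, score >= ESCALATE_AT))
    return sorted(ranked, key=lambda r: r[2], reverse=True)

# Constructed baseline: failed VPN logins per day over a normal fortnight.
NORMAL = [10, 12, 10, 12, 10, 12, 10, 12]  # mean 11, pstdev 1
SAMPLE_ALERTS = [
    ("vpn-portal", date(2025, 12, 26), 41, NORMAL),  # Boxing Day spike
    ("vpn-portal", date(2025, 3, 11), 41, NORMAL),   # same spike, normal week
    ("wiki", date(2025, 12, 26), 41, NORMAL),        # low-value asset
    ("order-db", date(2025, 12, 26), 12, NORMAL),    # within baseline
]

if __name__ == "__main__":
    for row in triage_queue(SAMPLE_ALERTS):
        print(row)
```

The same spike on the same portal scores twice as high on Boxing Day as in March, which is the point: the queue surfaces what a reduced crew must not miss.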
Final checklist: Holiday resilience in practice
The 2025 Takeaway
Cyber risk never sleeps, but you should be able to. That’s only possible if you plan around the seasons of your business and the psychology of your adversaries.
Your next breach attempt might happen while you’re in Niseko, Mykonos, or Noosa. But with predictive telemetry, automation, and board alignment, you won’t be the next headline.
Because the real threat isn’t the attack. It’s pretending your skeleton crew can defend against modern adversaries while you’re offline.
Plan for it. Automate for it. Build for it.
🎿 Then go enjoy that second mulled wine.
A note on the Australian reality: Are we learning fast enough?
In Australia, the past two or three years have been a brutal masterclass in what not to do. The Optus breach (2022) exposed fragile identity verification processes. Medibank (2022) suffered reputational damage through poor breach comms and lack of encryption. Latitude Financial (2023) highlighted third-party weaknesses, and now Qantas (2025) joins the list with an attack timed perfectly to disrupt a trusted brand during peak travel.
Each incident chipped away at public trust while reinforcing a common theme: we still treat cyber security as an afterthought until it’s too late.
Are we learning? Yes, but slowly. Our critical infrastructure reforms and the 2023–2025 National Cyber Strategy signal intent. But many Australian enterprises still lack:
- True board-level cyber fluency
- Coordinated incident response with government
- Timely investment in predictive and proactive capabilities
We don’t need more policies. We need more partnership, telemetry, and operational resilience.
Because while headlines may fade, trust, especially in a fairly small, interconnected market like Australia, is hard to rebuild.