Time to Check your IT Security and Data Governance 

The recent string of high profile cyber-attacks on large established UK retailers and others, has definitely highlighted the escalating threat of cybercrime and personal data breaches. The significant financial impacts, operational disruptions and reputational damage are sobering. 

To take a few of the most recent 2025 attacks, there have been well circulated news articles reporting on:  

• Marks & Spencer suffering a cyber-attack over Easter 2025. where the hackers used social engineering techniques to rely on human error to access systems, rather than a technical security problem.  Ransomware was then used to scramble M&S’ servers which led to problems with its click-and-collect and contactless payments, as well as its entire online ordering service. Customers nationwide reported empty shelves in their stores.  It is understood that customer and employee data has also been stolen by the hackers. At the time of writing in May 2025, M&S have said publicly stated: "We expect online disruption to continue throughout June and into July as we restart, then ramp up operations". The attack has been estimated to hit the retailer’s profits by c. £300 million, expected to wipe out 1/3 of its profits. Insurance will only partly cover its losses and we’ll have to see what regulatory action follows. You can’t insure against fines as a matter of public policy.  
• Co-op - at the time of writing believed to have been hit by the same hackers – also suffered an attack. It is understood that Co-op staff took systems offline to prevent a ransomware infection, but that a large amount of customer and staff data had already been stolen and held to ransom. Day to day operations at the organisation’s supermarkets and funeral services have been badly affected. Customers around the country couldn’t help but notice that they too have been struggling to keep shelves stocked. Press reports also suggest that 70k members of staff were asked to remain vigilant to the threat that hackers were still inside their systems – being told to keep cameras on in calls, not record or transcribe those calls etc. 
• Harrods were then reportedly targeted. It is understood that they managed to restrict internet access at their sites to prevent unauthorised access to its systems, and the retailer appeared able to continue operating its  physical stores, as well as its website. The attack may not have had the wide ranging financial and operational impact of the successful attacks on the other retailers, but has nevertheless led to a lot of adverse publicity, and no doubt plenty of internal resources were burnt through. 
• The Legal Aid Agency also reported a breach in relation to its online digital services which legal aid providers use to log work and receive payment from the UK Government. A combined press release by the Agency and UK Ministry of Justice on 19 May 2025 highlighted that the attack was quickly understood to have been more extensive than originally thought. The hackers accessed a large amount of information relating to legal aid applicants who had used the digital service since 2010. The personal data included contact details and addresses of applicants, their dates of birth, national ID numbers, criminal history, employment status and financial data such as contribution amounts, debts and payments. To protect against further loss, the Agency had also taken its online service down and were trying to ensure that those most in need of legal support and advice can continue to access the help they need during this time.

The Information Commissioner’s Office (ICO) has referred concerned individuals and organisations to the National Cyber Security Centre (NCSC) guidance on how to handle security incidents – see here. 

Before this recent spate of attacks, there have of course been many organisations suffering similar cyberattacks. This has happened across all sectors – even in education where the Harris Federation, a group of 55 schools in the London and Essex area, reported that they had been hacked and blackmailed to pay $4m (£3m) in cryptocurrency within 10 days, or it would escalate to $8m. The operational impacts on the schools were wide ranging – school group finances were hit, leaving staff and bills unpaid. Teaching materials, lesson plans, registration systems, medical records and telephone systems were lost or affected.

So what do you do if you find yourselves in a cyber-attack or a personal data breach situation? 

Don’t panic, we’re here to help you manage your personal data breaches – see our article here explaining more about personal data breaches and how to handle them.

If you need help, please get in touch. The best way is to contact us with the subject “URGENT ADVICE REQUIRED”. We will be in touch straight away.