Barely a week went by in 2025 without there being a cyber-related headline in the news, and there are no signs of this changing any time soon.
The National Cyber Security Centre recorded a record 204 nationally significant cyber attacks in the year to September 2025 – more than double the 89 incidents reported in the previous 12 months. This surge highlights a growing trend among cyber criminals to target organisations that underpin critical national services. Importantly, this statistic reflects the broader threat landscape facing organisations of all sizes – not just those supporting national infrastructure.
In this article, we highlight some of the most significant cyber events of the past year as an educational piece, or ‘lessons learnt’, to help organisations identify potential gaps and strengthen their cybersecurity posture.
In April 2025, Marks & Spencer (M&S) suffered a major ransomware attack attributed to the cyber criminal group, Scattered Spider.
Online sales worth £3.8 million daily were halted, inventory systems failed, and shelves were left empty during peak season. Analysts estimate a £700 million market value drop, compounded by reputational damage and long-term customer attrition.
Attackers infiltrated M&S’s systems as early as February using social engineering - a tactic where someone impersonates a trusted individual to gain access. In this case, the hackers tricked an employee into providing login details through a third party that had access to M&S’s systems.
The intrusion leveraged compromised credentials and used double-extortion tactics, combining encryption with the threat of data leaks.
Cyber security isn’t just about protecting systems; the human element is often overlooked. The rise in social engineering attacks demonstrates the need for continuous employee awareness training.
In November 2025, three London councils - Kensington and Chelsea, Westminster City, and Hammersmith and Fulham - experienced a data exfiltration attack on their shared IT infrastructure.
Critical services such as housing applications, benefits processing, and council tax systems were disrupted for weeks. Residents faced delays in essential services, and the councils incurred significant recovery costs.
The incident triggered investigations by the National Crime Agency and the Information Commissioner’s Office, raising compliance and reputational concerns.
The breach allegedly originated from Kensington and Chelsea’s environment, where attackers gained unauthorised access and copied sensitive resident data. The compromise likely involved privilege escalation, where an attacker gains higher-level permissions than they’re supposed to, within shared Active Directory domains, where users, computers and resources within a network are managed.
This incident highlights that shared services can introduce shared risk. When IT environments are shared across different organisations, strict segmentation and independent security controls are essential. It is also important to limit the volume of sensitive data stored in shared systems to limit exposure.
On 31 August 2025, Jaguar Land Rover (JLR) was hit by what is now considered the most damaging cyberattack in UK history. The attack involved ransomware and data exfiltration, attributed to a coalition of threat actors known as Scattered Lapsus$ Hunters (a merger of Scattered Spider, Lapsus$, and ShinyHunters).
The attack halted manufacturing for five weeks, causing a 27% drop in UK car production and severe disruption across JLR’s global supply chain. Financial losses are estimated at £1.9 billion and thousands of supply chain workers were temporarily laid off.
There are varying reports about how the cyber criminals were successful in their attack, but it is commonly thought that they initially gained access via compromised credentials and social engineering tactics, followed by privilege escalation and deployment of malware across JLR’s global IT and OT environments. The attackers targeted production control systems, forcing JLR to proactively shut down its systems to contain the breach.
Credential theft remains a major entry point, which can be leveraged for initial access to systems, so monitoring for compromised corporate usernames and passwords is essential.
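The monitoring the paragraph above calls for is usually done without ever handling plaintext passwords: the defender compares password hashes against a breach corpus, and when the corpus is held by a third party only a short hash prefix is sent (the k-anonymity pattern). The following is an added, self-contained illustration, not code from the article or from any of the organisations it discusses. The breach corpus, the account list and the password values are constructed for the example, and `query_range` is a local stand-in for a remote range-lookup service rather than a real API.

```python
"""Offline illustration of compromised-credential monitoring (added example).

Constructed scenario: the defender holds SHA-1 digests of current corporate
passwords and wants to know whether any of them appear in a breach corpus.
Only the first 5 hex characters of each digest are handed to the lookup side;
the lookup side returns every suffix it knows under that prefix, and the
match is made locally, so the full digest never leaves the defender.
"""
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of a password (the digest form breach corpora use)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: digest -> number of times seen in (fictional) dumps.
BREACH_CORPUS = {
    sha1_hex("Password1"): 120000,
    sha1_hex("Summer2025!"): 340,
    sha1_hex("letmein"): 98000,
}


def build_range_index(corpus: dict) -> dict:
    """Group a corpus by 5-character prefix: prefix -> {suffix: count}."""
    index = defaultdict(dict)
    for digest, count in corpus.items():
        index[digest[:5]][digest[5:]] = count
    return index


RANGE_INDEX = build_range_index(BREACH_CORPUS)


def query_range(prefix: str) -> dict:
    """Stand-in for a remote k-anonymity range lookup (hypothetical service).

    Accepts exactly a 5-hex-character prefix and returns {suffix: count} for
    every corpus entry under it. Rejecting anything longer is the guard that
    keeps callers from accidentally sending the whole digest.
    """
    prefix = prefix.upper()
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("range lookups take a 5-character hex prefix only")
    return dict(RANGE_INDEX.get(prefix, {}))


def exposure_count_for_digest(digest: str) -> int:
    """How many times a full SHA-1 digest appears in the corpus (0 if clean)."""
    digest = digest.upper()
    return query_range(digest[:5]).get(digest[5:], 0)


def check_password(password: str) -> int:
    """Convenience wrapper for a plaintext candidate (e.g. at password-change time)."""
    return exposure_count_for_digest(sha1_hex(password))


def audit_accounts(accounts: dict) -> dict:
    """accounts: username -> SHA-1 digest. Returns only the exposed accounts."""
    flagged = {}
    for user, digest in accounts.items():
        count = exposure_count_for_digest(digest)
        if count:
            flagged[user] = count
    return flagged


# Constructed account list: the defender stores digests, never plaintext.
SAMPLE_ACCOUNTS = {
    "alice": sha1_hex("Password1"),                   # reused breached password
    "bob": sha1_hex("gravel-lantern-oboe-41-marsh"),  # unique passphrase
    "carol": sha1_hex("letmein"),                      # reused breached password
}

if __name__ == "__main__":
    for user, count in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: password seen {count} times in breach data; force reset")
```

Run it and only `alice` and `carol` are reported. In practice the corpus is refreshed as new dumps are published and the audit re-run on a schedule, so that an account flips from clean to exposed as soon as its credential surfaces, which is the point of monitoring rather than a one-off check.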
In October 2025, the UK Information Commissioner’s Office (ICO) fined Capita £14 million for a 2023 data breach affecting 6.6 million individuals.
The breach affected 325 pension schemes, exposing financial information and special category data of scheme members. Beyond the £14 million fine, Capita faces High Court claims and reputational fallout.
The breach occurred when an employee’s device automatically downloaded a malicious JavaScript file, which can occur when a user unintentionally downloads malicious code by simply visiting a compromised or malicious website, even without clicking or opening a file. Despite detecting the attack within 10 minutes, Capita failed to quarantine the compromised device for approximately 58 hours, which allowed the hackers to move laterally across domains. Nearly 1TB of sensitive data was exfiltrated before ransomware was deployed.
Failing to have adequate controls in place can result in significant fines from regulators, even two years down the line. Basic cyber hygiene measures (privilege management, vulnerability patching and penetration testing, to name a few) are foundational controls which must be enforced.
On January 16, 2025, Insight Partners, a venture capital firm managing USD 90 billion in assets, suffered a ransomware attack.
Over 12,600 individuals were affected, including staff and partners. The breach exposed highly sensitive financial and strategic data, creating reputational risk and regulatory scrutiny. The recovery required extensive forensic analysis and system restoration.
Threat actors infiltrated their servers to exfiltrate sensitive data before deploying ransomware. The compromised data included fund details, portfolio company information, banking and tax records, and personal data of employees and limited partners.
Despite rapid containment, the cybercriminals had been dwelling for months until they chose the right time to attack. The reality is the point of detection is often not the point of compromise – the likelihood is the attacker has already been there for a while before they were identified.
History often repeats itself, which is why the ‘lessons learnt’ aspect of incident response is so important when considering cyber resilience. Understanding what happened, how it happened, and the key takeaways is essential for managing risk in the future.
For more information on how to safeguard your organisation from cyber risk, contact our team or your usual contact.