
The UK’s biggest cyber-attacks and data breaches

27/04/2017

Everyone loves a good list. So here’s one that focuses on headline-grabbing cyber-attack examples and hacks suffered by British organisations.

According to government figures, around 46% of businesses have now suffered a digital attack. So, with 5.5 million companies in the UK, that suggests around 2.5 million may have been hit. It’s a huge issue and one that’s increasingly difficult to tackle – as these businesses found out to their cost.

Cyber-attack examples: read 'em and weep (for your data)

Debenhams: May 2017

A malware attack in early May 2017 exposed 26,000 Debenhams Flowers' customers' data. The breach was through an e-commerce site, Ecomnova, which just goes to show the potential vulnerabilities of working with third parties. Trust no one, basically.

Wonga: April 2017

Cybercriminals seized 250,000 customer records including – as Wonga is a payday loans company – bank account details, sort codes, addresses, phone numbers, email addresses and more. The company said cyber-attacks are 'on the rise' and... 'unfortunately becoming increasingly sophisticated'. You don’t say.

Three: March 2017

Mobile phone company Three suffered a major breach when an employee’s password was stolen and 200,000 customers’ data was compromised. The company believes the individuals involved were, in fact, after new handsets rather than anything more insidious. This followed a similar breach in 2015.

Following the, ahem, rule of three, the company suffered another setback whereby customers could see another customer’s account details, call history and data usage. Not a cybercrime as such, but certainly not compliant with current data protection legislation.

Abta: February 2017


Around 43,000 people were affected by a cyber-attack on Abta’s website. The breach was thought to include personal identity information of individuals complaining about Abta-registered travel agents.

Strange data to hack perhaps, but it led to Abta offering a free-of-charge identity theft protection service to those affected – a potentially very costly exercise.

Barts Health Trust: January 2017

Attacking an NHS trust seems rather nonsensical from a cybercriminal’s point of view – they’re not exactly flush with cash. Nevertheless, Barts Health Trust experienced an attack earlier this year that seriously interfered with the smooth running of the five hospitals it manages. The hack was initially thought to be a ransomware attack but was, in fact, a Trojan and caused major disruption.

A third of NHS trusts have reportedly been infected by ransomware, with one – the Imperial College Healthcare in London – suffering 19 attacks in just 12 months. Northern Lincolnshire and Goole NHS Foundation Trust said a ransomware variant was to blame for cancelling nearly 3,000 appointments. The Trust didn’t pay the ransom but hackers have obviously cottoned on to the fact that patient data held by Trusts could be lucrative.

Lloyds Banking Group: January 2017

Britain’s largest mortgage lender isn’t immune to cyber-attacks as was proven back in January. A denial of service hack, over a period of several days, tried to block access to 20 million accounts. It could be argued that Lloyds’ security system did its job, as a cat-and-mouse chase ensued across the web, with the bank trying to stay one step ahead of hackers.

HSBC, Halifax and Bank of Scotland have all experienced similar cyber-attacks.

And going a little further back...

Tesco Bank: November 2016

Having to reimburse a staggering £2.5m to over 9,000 customers must have left Tesco execs smarting. In a fairly typical attack, hackers found a weakness in the mobile banking app that gave them access to the rest of Tesco’s financial services entity. The retailer was forced to suspend online and contactless transactions, affecting almost all its customers.

Sports Direct: September 2016

In a less well-handled security breach, retailer Sports Direct was attacked by cybercriminals who stole personal data from over 30,000 members of staff – possibly including national insurance information. However, the company didn’t report the breach to affected employees until three months after it happened because apparently there was 'no evidence that the data had been copied'. Not great.

Yahoo: July/December 2016

This one’s a biggie and worth including. Hapless Yahoo! has experienced a number of data breaches over the years and often takes a while to report them. The one from July 2016 was exposed in December when a broker was found to be selling the account names and passwords for around 200 million Yahoo! users. This follows two other major data breaches in 2014 and 2013.

While the end game for many cybercriminals is money (either from a ransom payment or the sale of data), sometimes it seems they attack simply because they can.

According to research from the National Cyber Crime Unit, many cybercriminals are very young (averaging 17 years old, but some are as young as 12) and simply enjoy the challenge of overcoming programming problems. Earning peer respect is a big draw, too.

That makes it worth remembering that while some cyber-attacks are extremely well executed and hugely sophisticated, many are simply the work of opportunists seeking short-term gains wherever and whenever they can.

Warning bells

At the end of the day, while cyber-attack examples like these can make for entertaining reading, it's clear that there's a serious issue at stake.

And while none of the organisations here got away scot-free, particularly in terms of reputation, it could have been a whole lot worse for them. The new, stricter GDPR regulations weren't up and running at the time; had they been, it could have meant hefty fines and an investigation by the Information Commissioner's Office.

Since May 2018, GDPR has been in full force. If you run a business yourself, take that as a word of warning.
