How can my business survive a cyberattack?
Cyberattacks on UK businesses are becoming increasingly relentless, with over 40% of UK businesses reporting cybersecurity breaches in 2024. Most incidents don’t make the news, but when a serious attack lands, the financial, legal and reputational damage is severe. This is true whether you’re a global retailer or a small supplier in the chain.
In this article, we break down four real-world cyberattacks on UK businesses. We delve into what went wrong, their response, and what lessons can be drawn from their experience.
💡 Key takeaways:
- M&S and supermarket supply chain attacks of 2025: Relying on third parties without rigorous security due diligence can expose the entire business. Vet your suppliers as critically as your systems.
- Royal Mail (2023): Even large organisations can fall victim to basic phishing. However, strong recovery planning and refusing to pay ransom can prevent long-term damage.
- UK Electoral Commission (2023): Weak security posture and inattention to known vulnerabilities make any organisation a target. No one is too small or obscure to be attacked.
- Tesco Bank (2016): Meeting compliance standards isn’t enough. Legacy systems and outdated fraud controls can still result in significant financial and reputational losses.
Cyberattack survival case studies
These four real-world examples show how cyberattacks unfold, how organisations respond under pressure, and what the rest of us can learn.
M&S and supermarket supply chain attacks of 2025
In 2025, a wave of ransomware attacks exposed serious vulnerabilities in the UK retail supply chain. The incidents revealed how even household names can be disrupted by weaknesses in their smaller partners.
Timeline
Here is a timeline of what happened:
| Date | Event | Impact |
|---|---|---|
| Mid-April 2025 | M&S Supplier breach detected | Ransomware disables online ordering; digital systems taken offline. |
| Late April 2025 | Public disclosure | M&S confirms breach; cites disruption to fulfilment and data integrity. |
| Mid-May 2025 | Peter Green Chilled attacked | Tesco, Aldi & Sainsbury’s deliveries delayed; order system compromised. |
| Late April to early May 2025 | Co-op and Harrods incidents | Both retailers confirm intrusions; related supply chain firms report similar cyber disruptions. |
| July 10, 2025 | Arrests made | Four UK-based suspects (ages 17–20) arrested; linked to hacking group "Scattered Spider". |
| Ongoing | Recovery & review | Affected firms working with NCSC and private cyber firms to secure systems. |
What happened
Beginning in spring 2025, attackers launched coordinated ransomware campaigns targeting major retailers and key suppliers to supermarkets. The attacks have been linked to Scattered Spider, a loosely organised group that includes English-speaking teenagers, whose initial access relies on social engineering rather than technical exploits: helpdesk impersonation to get passwords reset and SIM swapping to intercept one-time codes sent by SMS.
Once inside, they deployed ransomware that crippled operations at firms like Peter Green Chilled (a supplier to Tesco, Sainsbury’s, and Aldi) and caused widespread disruption at high-profile retailers including M&S and Harrods.
These were not isolated attacks: the attackers followed a deliberate strategy of breaching smaller, less-protected vendors to reach larger targets.
Response
Retailers and suppliers acted swiftly by isolating affected systems, reverting to offline backups, and alerting law enforcement. The National Crime Agency (NCA) coordinated with international partners and arrested four suspects (ages 17–20) on July 10, 2025. The individuals were linked to the ransomware groups behind the attacks.
Suppliers like Peter Green Chilled kept critical logistics moving but had to pause digital ordering. M&S faced weeks of online service outages.
Financial impact
- M&S losses are expected to exceed £300 million, primarily from downtime and reputational damage.
- The retail sector more broadly suffered delivery delays, supply disruptions, and lost consumer confidence.
- Several firms have since invested in boosting cybersecurity training, better defences, and supplier audits.
Key lessons
There are four key lessons from the supply chain hacks of 2025:
- Supply chains are a prime target: small partners can be exploited to reach big brands.
- Social engineering bypasses traditional defences: staff training, and helpdesk procedures that verify a caller’s identity before resetting credentials or re-enrolling MFA, are now critical for all businesses.
- Preparedness reduces damage: backups, incident response playbooks, and containment strategies are essential.
- Cybersecurity is everyone’s responsibility: your weakest partner can become your biggest risk.
The Royal Mail ransomware attack of 2023
In early 2023, Royal Mail fell victim to a ransomware attack that disrupted international shipping for several weeks, highlighting the growing threat to national infrastructure.
As a designated Critical National Infrastructure (CNI) operator, Royal Mail was under strict regulatory obligations, but even those weren’t enough to prevent the breach.
Timeline
Here is a timeline of what happened:
| Date | Event | Impact |
|---|---|---|
| Nov 2022 | Emotet Detected | Malware found on servers; risk of further attack. |
| Early Jan 2023 | Ransomware Attack Starts | LockBit ransomware (offered as RaaS) disrupts the Belfast distribution centre. |
| Mid-Jan 2023 | Public Acknowledgment | Disruption to international services announced. |
| Feb 2023 | Ransom Ultimatum | $80M demand reported; Royal Mail opts not to pay. |
| Late Feb 2023 | Service Restoration Begins | £10M spent on cybersecurity; services resuming. |
| Ongoing | Security Enhancements | Upgrades to malware defenses, staff training. |
What happened
The incident began in November 2022, when malware was detected on the systems of Royal Mail’s Heathrow Worldwide Distribution Centre. Despite the early detection, the attackers were able to escalate privileges, perform internal reconnaissance, and move laterally across systems.
Over the following weeks, they deployed LockBit 3.0 ransomware to critical systems handling international shipments.
On January 10, 2023, Royal Mail confirmed the attack publicly after suspending international parcel services. By that point, the damage was severe, with printers at a Belfast distribution centre spewing out thousands of ransom notes, a hallmark scare tactic of LockBit affiliates. The ransom demand reportedly reached $80 million.

Royal Mail refused to pay the ransom, opting instead for internal recovery and long-term remediation. Disruption to international services is reported to have lasted more than a month.
Royal Mail’s response
Despite early struggles to contain the threat, Royal Mail acted in line with its regulatory duties:
- Notified the National Cyber Security Centre (NCSC) and law enforcement.
- Publicly disclosed the attack once operations were affected.
- Refused to pay the $80 million ransom demand from LockBit.
- Launched an emergency £10 million investment to improve cyber resilience.
Royal Mail worked with internal teams and cybersecurity consultants to rebuild and recover operations. They had to wipe and rebuild infected systems from known-clean backups, isolate compromised network segments to prevent further spread and deploy new threat detection and monitoring technologies.
Financial impact
The ransomware incident significantly worsened Royal Mail’s already difficult financial position:
- A loss of at least £12 million was reported
- Direct incident response and security investments totalled approximately £10 million
- Indirect losses (disruption, refunds, reputational harm) are unquantified but likely substantial
Key lessons
The attack yields four key takeaways:
- Compliance isn’t a shield: Regulatory frameworks improve readiness but can’t prevent persistent cybersecurity threats.
- Early detection must be followed by rapid containment: The dwell time from November to January enabled a deeper compromise and broader impact.
- Non-payment is viable, but difficult: Royal Mail’s decision to reject the $80m ransom avoided funding criminals but came at a high operational cost.
- Incident response planning is critical: Well-rehearsed playbooks, internal escalation protocols, and communication strategies must be ready before crisis strikes.
The UK Electoral Commission 2023 data breach
Recognised as one of the most significant UK public-sector cyber incidents, the Electoral Commission’s systems were compromised for 14 months before detection.
The breach exposed personally identifiable information (PII) for nearly every registered voter and sparked serious concern over electoral security.
Timeline
Here is a timeline of what happened:
| Date | Event | Impact |
|---|---|---|
| Aug 2021 | Undetected Breach | Unauthorized access to the Commission’s servers; breach begins but goes undetected. |
| Oct 2022 | Suspicious Activity Detected | Commission alerted by suspicious login patterns; breach confirmed. |
| Aug 2023 | Public Notification | Electoral Commission publicly acknowledges the breach nearly a year after detection. |
| Ongoing | Security Enhancements | Strengthening of network login requirements, improvement of threat monitoring, and firewall policy updates. |
Background
Before the breach, the Electoral Commission had failed to achieve Cyber Essentials certification because of basic failings, including unpatched Windows on staff laptops and out-of-date software on organisation mobile phones.
While those particular weaknesses were not the entry point (the attack went through its email servers), they pointed to lax practice across the estate, exactly the signal an attacker doing reconnaissance looks for.
What happened
The data breach was detected in October 2022, following the observation of suspicious login activity on the Electoral Commission’s email systems. Forensic analysis later revealed that attackers had first gained access in August 2021, remaining undetected for over a year.
The attack focused on email infrastructure and internal controls. Notably, threat actors accessed copies of the full electoral register, which contains the names and addresses of nearly all registered voters in Great Britain from 2014 to 2022, including those overseas.
The exposed data is enough on its own to support targeted phishing, disinformation campaigns, and social engineering that trades on voters’ trust in official bodies.
Attackers also accessed internal emails, web form submissions, and possibly personal correspondence. No stolen data has surfaced publicly or on dark web marketplaces, but the risk of misuse remains active and long-term.
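The breach was caught only when someone noticed unusual login patterns, 14 months in. The Python below is an added example (not the Electoral Commission’s code, and not based on any published detail of its systems) of two checks a mail-server or identity-provider log pipeline can run continuously instead of waiting for a human to spot something: a successful login from a country an account has never used before, and a success that follows a burst of failures from the same source address. The log format, account names, addresses, country codes (ZZ is a placeholder), and thresholds are all constructed assumptions.

```python
"""Flag suspicious mailbox logins against a per-account baseline.

Added example, not the Electoral Commission's code. The log format, user names,
addresses, country codes and thresholds are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed line format: ISO timestamp, account, source address, source country, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"country=(?P<cc>[A-Z]{2}) result=(?P<result>SUCCESS|FAILURE)$"
)


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    user: str
    src: str
    cc: str
    result: str


def parse_line(line: str) -> LoginEvent:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable login line: {line!r}")
    return LoginEvent(datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["cc"], m["result"])


def build_baseline(events, until: datetime):
    """Countries each account successfully logged in from before `until`."""
    seen = defaultdict(set)
    for ev in events:
        if ev.ts < until and ev.result == "SUCCESS":
            seen[ev.user].add(ev.cc)
    return seen


def detect_login_anomalies(events, baseline, start: datetime,
                           fail_threshold=5, fail_window=timedelta(minutes=10)):
    """Two signals over events at or after `start`: a success from a country the account
    has never used, and a success from a source that just failed repeatedly."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.ts < start:
            continue
        q = failures[ev.src]
        while q and ev.ts - q[0] > fail_window:
            q.popleft()
        if ev.result == "FAILURE":
            q.append(ev.ts)
            continue
        if len(q) >= fail_threshold:
            alerts.append({"kind": "success_after_failures", "user": ev.user, "src": ev.src,
                           "failures": len(q), "at": ev.ts.isoformat()})
        if ev.cc not in baseline.get(ev.user, set()):
            alerts.append({"kind": "new_country", "user": ev.user, "src": ev.src,
                           "country": ev.cc, "at": ev.ts.isoformat()})
    return alerts


def make_sample_log():
    """Constructed sample: three weeks of routine GB logins, then two suspicious events."""
    lines = []
    day0 = datetime(2022, 9, 5, 9, 0)
    for d in range(15):                      # baseline: routine daily logins from GB
        ts = day0 + timedelta(days=d)
        lines.append(f"{ts.isoformat()} user=alice src=192.0.2.10 country=GB result=SUCCESS")
        lines.append(f"{(ts + timedelta(minutes=7)).isoformat()} user=bob "
                     f"src=192.0.2.11 country=GB result=SUCCESS")
    t = datetime(2022, 10, 3, 2, 14)          # 02:14 success for alice from an unseen country
    lines.append(f"{t.isoformat()} user=alice src=203.0.113.7 country=ZZ result=SUCCESS")
    t = datetime(2022, 10, 3, 3, 0)           # six failures then a success against bob
    for i in range(6):
        lines.append(f"{(t + timedelta(seconds=20 * i)).isoformat()} user=bob "
                     f"src=198.51.100.9 country=GB result=FAILURE")
    lines.append(f"{(t + timedelta(minutes=3)).isoformat()} user=bob "
                 f"src=198.51.100.9 country=GB result=SUCCESS")
    return lines


def run_detector(lines, baseline_until=datetime(2022, 10, 1)):
    events = [parse_line(l) for l in lines]
    return detect_login_anomalies(events, build_baseline(events, baseline_until), baseline_until)


if __name__ == "__main__":
    for alert in run_detector(make_sample_log()):
        print(alert)
```

Neither check is exotic; the point is that both fire within seconds of the event rather than after a year of dwell time. In practice the baseline is rebuilt on a rolling window, the country comes from a GeoIP lookup on the source address, and an alert feeds a ticket or an automatic session revocation rather than a print statement.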
The Electoral Commission’s response
Upon detection, the Electoral Commission engaged with the National Cyber Security Centre (NCSC) and external cybersecurity partners. The immediate actions included:
- Identifying and isolating compromised systems.
- Revoking unauthorised access credentials.
- Conducting a forensic review of affected infrastructure.
- Reporting the breach to the Information Commissioner’s Office (ICO) within 72 hours.
Despite fulfilling their legal obligations, the Electoral Commission made the controversial decision not to notify affected individuals, stating that the exposed data did not meet the threshold for “high risk” under UK GDPR, a point widely criticised by cybersecurity professionals.
As noted above, the Commission had failed Cyber Essentials certification before the breach over issues such as outdated versions of Windows on its laptops and phones.
Those specific weaknesses were not the ones exploited, but they reflect a poor overall security posture and are the kind of low-hanging fruit threat actors look for during early reconnaissance.
Financial impacts
The Electoral Commission has not disclosed specific financial figures related to the incident. However, based on the scale and regulatory scrutiny involved, the likely financial impacts include:
- Incident response and forensic investigation costs.
- Cybersecurity remediation and infrastructure upgrades.
- Legal and compliance-related expenses.
- Long-term investment in technology modernisation.
In July 2024, the Information Commissioner’s Office (ICO) issued a formal reprimand for systemic failures, including poor patching and weak password practices. No financial penalty was imposed.
Key lessons
These are the four key takeaways from this attack:
- Patch delays are a critical vulnerability: Unpatched Exchange servers were the root cause, highlighting the need for continuous, enforced updates.
- Extended dwell time equals extended damage: 14 months of undetected access gave attackers ample opportunity to move laterally and exfiltrate sensitive data.
- Security posture reflects culture: The Commission’s prior failure to meet Cyber Essentials standards signalled wider systemic issues.
- Transparency builds trust: While not legally required, notifying affected individuals may have helped restore public confidence.
Tesco Bank: The 2016 funds theft
In one of the UK’s earliest high-profile cyber fraud cases, over 8,000 Tesco Bank customers had money stolen from their accounts over a single weekend.
Timeline
| Date | Event | Event Description |
|---|---|---|
| Pre-2016 | Insufficient cybersecurity | Tesco Bank conducted routine security assessments but did not fully address vulnerabilities in their systems. |
| November 5-6, 2016 | Cyberattack | The cyber attack began, targeting the bank’s debit card and transaction processing systems. |
| November 5-6, 2016 | Emergency Response | Tesco Bank detected unusual transactions and halted online banking and contactless payments to prevent further losses. |
| Late 2016 to 2017 | Post-Attack Remediation | Tesco Bank undertook significant security overhauls and implemented changes to enhance cybersecurity measures. |
| October 2018 | Fine Imposed | The FCA fined Tesco Bank £16.4 million for failing to prevent the foreseeable attack. |
What happened
In November 2016, attackers exploited flaws in Tesco Bank’s debit card authorisation protocols to steal funds from 8,261 customer accounts over a 48-hour period.
Using automated scripts, the attackers generated card details and pushed through a rapid series of unauthorised transactions: a coordinated, highly automated attack rather than a bespoke intrusion.
Weaknesses around transaction authorisation and fraud detection enabled the theft. Reports indicated Tesco’s cards were vulnerable to a “guessing attack”: the bank had issued card numbers sequentially, so an attacker who knew one valid number could derive neighbouring ones and generate card data that passed authorisation checks undetected.
No personal data was stolen, but the breach showed that data theft isn’t necessary for major financial harm.
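The “guessing attack” in the reports leaves a recognisable pattern in authorisation logs: one merchant submitting many Luhn-valid card numbers in quick succession, a large share declined, and the account numbers running consecutively. The Python below is an added example (not Tesco Bank’s code; the log format, merchant IDs, card numbers and thresholds are constructed assumptions) of a sliding-window velocity check that would flag such a burst within seconds. It also shows why “valid card data” can be generated at all: the Luhn check digit is computable, so a guessable account-number sequence yields card numbers that pass the format check.

```python
"""Detect a card-number "guessing attack" in a stream of authorisation requests.

Added example, not Tesco Bank's code. The log format, merchant IDs, card
numbers and thresholds below are all constructed assumptions.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed line format: ISO timestamp, merchant, 16-digit PAN, amount in pence, outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) merchant=(?P<merchant>\S+) pan=(?P<pan>\d{16}) "
    r"amount=(?P<amount>\d+) result=(?P<result>APPROVED|DECLINED)$"
)


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    merchant: str
    pan: str
    amount: int
    result: str


def parse_line(line: str) -> AuthEvent:
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable auth line: {line!r}")
    return AuthEvent(datetime.fromisoformat(m["ts"]), m["merchant"], m["pan"],
                     int(m["amount"]), m["result"])


def luhn_check_digit(body: str) -> str:
    """Check digit an issuer appends to a 15-digit account body (Luhn, ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return luhn_check_digit(pan[:-1]) == pan[-1]


def sequential_pairs(pans) -> int:
    """Count account bodies (PAN minus check digit) that follow each other by exactly one."""
    bodies = sorted(int(p[:-1]) for p in pans)
    return sum(1 for a, b in zip(bodies, bodies[1:]) if b - a == 1)


def detect_guessing_attack(events, window=timedelta(seconds=60), min_attempts=20,
                           min_distinct_pans=15, min_sequential=10, max_approval_rate=0.5):
    """Per-merchant sliding window: alert once when a burst of attempts spans many
    distinct cards and either the numbers run consecutively or most attempts decline."""
    recent = defaultdict(deque)
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.merchant]
        q.append(ev)
        while ev.ts - q[0].ts > window:
            q.popleft()
        if ev.merchant in alerts or len(q) < min_attempts:
            continue
        pans = {e.pan for e in q}
        approval_rate = sum(e.result == "APPROVED" for e in q) / len(q)
        seq = sequential_pairs(pans)
        if len(pans) >= min_distinct_pans and (seq >= min_sequential
                                               or approval_rate <= max_approval_rate):
            alerts[ev.merchant] = {
                "merchant": ev.merchant, "at": ev.ts.isoformat(), "attempts": len(q),
                "distinct_pans": len(pans), "sequential_pairs": seq,
                "approval_rate": round(approval_rate, 2),
                "action": "block further authorisations from this merchant pending review",
            }
    return list(alerts.values())


def make_sample_log():
    """Constructed sample: a normal merchant, then one running a sequential-PAN guessing burst."""
    base = datetime(2016, 11, 5, 2, 0, 0)
    lines = []
    for i, body in enumerate(["453201112223334", "453201998877665", "453201555666777"]):
        ts = base + timedelta(minutes=3 * i)
        lines.append(f"{ts.isoformat()} merchant=M-GROCER pan={body + luhn_check_digit(body)} "
                     f"amount=1299 result=APPROVED")
    start_body = 453201000010000   # 15-digit body; consecutive values mimic sequential issuance
    for i in range(25):
        body = str(start_body + i)
        ts = base + timedelta(seconds=i)
        result = "APPROVED" if i % 5 == 0 else "DECLINED"
        lines.append(f"{ts.isoformat()} merchant=M-SHELL pan={body + luhn_check_digit(body)} "
                     f"amount=9000 result={result}")
    return lines


def run_detector(lines):
    return detect_guessing_attack(parse_line(l) for l in lines)


if __name__ == "__main__":
    for alert in run_detector(make_sample_log()):
        print(alert)
```

The combination of signals is what matters: raw volume alone would also flag a busy legitimate merchant, whereas a high distinct-card count together with consecutive account numbers or a low approval rate is characteristic of enumeration. Firing once per merchant and acting on it immediately is the kind of machine-speed response that a static daily threshold cannot provide.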
Tesco Bank’s response
Tesco Bank stopped the attack by suspending all online debit card transactions for several days, with most customer accounts being restored by midweek, and full online debit card functionality resumed shortly thereafter. Also:
- Affected customers were fully reimbursed within days.
- The bank issued public communications via press releases, emails, and its website, acknowledging the incident transparently.
Tesco Bank also provided ongoing updates to customers throughout the investigation and encouraged account monitoring, password changes, and vigilance against follow-up scams.
Behind the scenes, Tesco worked with regulators and forensic investigators to identify the root causes and secure its systems against future attacks.
Financial impacts
The Tesco Bank cyber incident had a substantial financial toll, both in direct losses and long-term regulatory and reputational consequences:
- Tesco Bank fully reimbursed all affected customers, matching the £2.5 million loss.
- In 2018, the FCA issued a £16.4 million fine, citing failures to prevent a foreseeable and avoidable cyberattack.
- Operational and remediation costs (including cybersecurity upgrades, system redesign, and consultancy) were not officially disclosed but are estimated to run into the millions.
The incident caused significant reputational damage, impacting customer confidence and potentially influencing long-term retention and acquisition, though this is not directly quantifiable.
This event remains one of the most expensive cybersecurity failures in UK retail banking history.
Key takeaways
There are five key takeaways from this cyberattack:
- Not all cyberattacks are about data theft: This case shows that exploiting flaws in financial transaction logic can be just as devastating.
- Fraud detection systems must evolve continuously: Tesco’s systems failed to react to a rapid, automated fraud pattern, proving that static thresholds and legacy fraud rules are insufficient.
- Compliance doesn’t equal resilience: Although Tesco Bank was regulated under FCA guidelines, it failed to apply effective controls in practice, particularly in areas such as transaction authorisation and real-time monitoring.
- Customer communication matters: Tesco Bank’s transparency in acknowledging the issue, offering rapid reimbursements, and keeping customers informed helped prevent deeper reputational fallout.
- Automation amplifies impact: Attackers used bots to scale their theft, underscoring the critical importance of having systems capable of detecting and halting anomalies at machine speed.
Key takeaways on cyberattack survival
Cybersecurity isn’t just about firewalls or insurance; it’s about business continuity. Through the stories of Tesco Bank, Royal Mail, the Electoral Commission, and major supermarket suppliers, one truth stands out:
Every business is vulnerable, but not every business is prepared.
These were large organisations with national reach, but their attackers didn’t always go through the front door. Some went through the small suppliers that supported them, meaning SMEs are becoming the entry point for these hacks.
Regardless of industry, all businesses are exposed, from local farms to logistics providers, online retailers, software vendors, and consultancies.
So how do you survive a cyberattack? Below are the key takeaways.
What is the first thing to do after a cyberattack?
From the case studies we’ve looked at, this is what you should do:
Start by disconnecting compromised systems immediately as per your incident response plan (IRP):
- The Electoral Commission isolated its systems and reported the attack to the ICO.
- Tesco Bank froze transactions.
- Royal Mail isolated critical systems.
- M&S’s supplier, Peter Green Chilled, paused digital systems to contain the threat.
Then, call your cybersecurity support. If you use a managed IT service, alert them. If not, engage a certified cybersecurity firm urgently.
Then, report it. Some reporting is a legal duty, some is strongly advised:
- To the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of a personal data breach that is likely to pose a risk to individuals (a legal requirement under UK GDPR).
- To your sector regulator if you are a regulated operator (for example under the NIS regulations or FCA rules), which set their own incident reporting deadlines.
- To Action Fraud, and to the National Cyber Security Centre (NCSC) for significant incidents; not a legal duty for most businesses, but it gets you support and contributes to the national picture.
Finally, you need to consider communication:
- Tesco’s quick, transparent communication helped reduce reputational damage.
- The Electoral Commission’s silence for 10 months had the opposite effect.
How long does it take to recover?
It depends on your preparedness:
- Tesco Bank refunded customers and resumed services in days.
- Royal Mail took weeks to restore international shipping.
- The Electoral Commission spent two years cleaning up.
- M&S’s supplier saw weeks of order system downtime, disrupting multiple major retailers.
If your backups are ready, systems are segmented, and you know who to call, you recover faster. If not, downtime stretches, and so do the costs.
Should you pay a ransom in a ransomware attack?
None of the organisations we covered that faced a ransom demand paid it, even under immense pressure:
- Royal Mail refused LockBit’s reported $80m demand.
- M&S’s suppliers restored operations manually.
- Law enforcement ultimately arrested four suspects linked to Scattered Spider, the loosely organised UK–US group behind the 2025 attacks.
Paying may seem faster, but it doesn’t guarantee working decryption or deletion of stolen data, may be illegal where the group is subject to sanctions, and marks you as a target for repeat attacks.
Is Cyber Essentials enough to protect my business?
Cyber Essentials certification, and compliance in general, is a strong start but not a complete defence.
- The Electoral Commission, which had previously failed Cyber Essentials, lacked basic patching and device security.
- Tesco Bank, regulated by the FCA, still suffered a large-scale theft due to outdated fraud detection systems.
- Supermarket suppliers, often smaller businesses, lacked the advanced controls that would’ve blocked ransomware deployment or lateral movement.
How can my business improve its cybersecurity?
Based on the real-world attacks we’ve explored, here’s what every UK business should prioritise:
Start with cybersecurity basics
- Apply security updates promptly: The Electoral Commission breach started with unpatched systems
- Use multi-factor authentication (MFA): especially on email and admin accounts
- Keep offline or offsite backups and test restoring from them: Royal Mail recovered without paying a ransom because it could rebuild from known-clean copies
- Train staff to spot phishing: Attackers often get in through human error
- Limit admin access: The fewer people with critical access, the better
Advice for SMEs:
- Get Cyber Essentials certification to defend against common attacks
- Review your role in your clients’ supply chains. Peter Green Chilled was a supplier, but the breach hit Tesco, Aldi, and Sainsbury’s
- Ensure your systems can detect and respond to suspicious activity quickly
Advice for handling sensitive data or financial transactions
- Upgrade to Cyber Essentials Plus
- Build and test an incident response plan
- If you’re in a regulated sector (like Tesco Bank or Royal Mail), ensure you meet FCA or NIS requirements