Real-world cybersecurity horror stories and lessons learned

Posted: 29/10/2025


This Halloween we bring you stories not of witches nor of werewolves but of something far scarier: cybersecurity threats that lurk in the shadows of our servers.

Ghosts in the machines

Our Halloween horror anthology begins on the night of 31 August when JLR, the UK's biggest automotive employer, which manufactures the Jaguar and Land Rover brands, fell victim to a sinister cybersecurity incident. Experts have dubbed it Britain's costliest hack: for over a month, production lines shuddered to an eerie halt and retail outlets flickered into darkness.

While the government has since announced that it will underwrite a £1.5 billion loan to JLR and the company will resume manufacturing in the coming weeks, the damage has been done and, like all good horror stories, this one leaves behind a trail of unsettling truths:

  1. JLR was attacked on a Sunday evening and this strike at witching hour was no accident. It was a calculated ambush. The hackers knew the weekend would bring slower response times and fewer guards at the gate.

  2. Automotive companies like JLR are particularly vulnerable to attacks. Their vast interconnected and increasingly digitised infrastructure is a tempting target for cyber predators, as a single incident can wreak havoc across an entire network and supply chain.

    Unsurprisingly, the ripple effect of this incident has been felt severely by JLR's 2,200 suppliers, many of whom are based in the West Midlands and the Northwest, and have begun to lay off workers. Small car part makers have been particularly affected. Reportedly, left cash-strapped by the production halt, some individuals have been asked by banks to put up their homes as personal guarantees to obtain emergency loans.

  3. Government intervention will be a welcome relief for JLR's estimated 32,000 employees and the further 104,000 employees in its supply chain. However, critics question whether it sets a dangerous precedent for other large companies that may be vulnerable to future attacks. They also suggest that large businesses may become complacent and avoid purchasing cybersecurity insurance as a result.

The curse of the weak password

This summer, KNP, a 128-year-old Northamptonshire haulage firm that had weathered war, financial downturns and global pandemics, met its end, it is thought, when a cybercriminal gang guessed a single feeble password.

It was reported that in a chilling ransom note, the hackers wrote:

 "If you're reading this it means the internal infrastructure of your company is fully or partially dead…Let's keep all the tears and resentment to ourselves and try to build a constructive dialogue".

Despite having cybersecurity insurance in place, KNP could not afford the estimated £5 million ransom price to decrypt the stolen data and restore access to the company's system. Unable to operate, the company collapsed, resulting in the loss of 700 jobs.

This tale is a stark reminder of how easily cyber gangs can take advantage of simple security lapses such as a weak password. Operational resilience in the face of these threats relies on companies taking measures such as:

  1. enforcing strong password policies and regular updates
  2. implementing multi-factor authentication
  3. backing up data securely with proper encryption
  4. training staff to spot the signs of cyber sorcery

Attacks against big names like JLR, Harrods and M&S often attract media attention. However, this cautionary tale demonstrates the devastating impact that cybersecurity incidents can have on small and medium enterprises (SMEs), like KNP, which may lack the capital resources or defences to survive, are unlikely to receive government bailouts and, consequently, are more prone to collapse.

For example, data from Coalition Research suggests that 75% of the 133 UK companies publicly listed by ransomware groups in 2025 had fewer than 200 employees. The group most affected by cyber-attacks was those companies with 10 employees or fewer. This reinforces the importance of cybersecurity for SMEs who appear to be disproportionately impacted.

This is not just a hack…this is an M&S hack and tales of other retail cybersecurity incidents

Earlier this year, M&S was among three retailers, along with the Co-op and Harrods, that were victims of cyber incidents. The culprit behind this hack on M&S is thought to be a web of cybercriminals known as the Scattered Spider. The attack left shelves bare and resulted in the disruption of online orders and click-and-collect services for seven and 15 weeks respectively. Customer data was also stolen. The financial ramifications have been significant with the incident estimated to have cost the retail giant around £300 million in lost profits this year.

The Co-op fared no better. All 6.5 million members had their data stolen and the incident contributed to a pre-tax loss of £75m.

However, amongst these dark tales, there are commercial and legal lessons to be learned:

  1. Strong crisis communication: From a commercial perspective, timely and transparent communication with employees, customers and the media, among other stakeholders, is crucial to help the company take control of the narrative and protect its reputation. For example, M&S kept customers informed about the breach through statements from the CEO, which were effective at showing accountability from the top. The National Cyber Security Centre recommends preparing for a potential incident by developing pre-approved templates for communications with various stakeholders, as well as identifying an official company spokesperson who is trained on crisis communication and is aligned with the company's messaging.

    From a legal perspective, effective communication is also crucial for complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. While meeting legal obligations, organisations must not lose sight of the human impact of a crisis, which requires clear and compassionate messaging to help maintain trust and support those affected.

  2. Reporting obligations: In addition to complying with Article 34 of the GDPR, both M&S and the Co-op would have needed to notify the Information Commissioner's Office (ICO) without delay and no later than 72 hours after becoming aware of the breach under Article 33(1) of the GDPR. This was because there was a risk to the rights and freedoms of their customers. Both companies reported the incident to the National Cyber Security Centre (NCSC) and other companies should consider this where a significant cyber incident occurs.

  3. Crisis preparedness: It is also reported that M&S had an excellent cybersecurity response plan and had conducted a mock cyber-attack in the year before the incident. A robust incident response plan is your spellbook for containing an attack.

  4. Cybersecurity insurance: This is where the stories of M&S and Co-op diverge. It is believed that M&S will be able to recover at least part of its losses through cybersecurity insurance. Meanwhile, the Co-op did not have specific cybersecurity insurance and will bear the full financial impact of the attack.

    However, companies should be aware that having insurance is not a 'get out of jail free card' and should think carefully about the level of insurance coverage they require. As described above, KNP had insurance and was still forced to shut down.

Remedies and fancy (re)dress

If the worst happens and a cybersecurity breach occurs, what are your legal remedies?

For individuals 

For an individual whose data has been compromised, there may be several causes of action. For example, if the company holding the data did not take sufficient steps to secure it and/or did not have appropriate policies in place, claims for breach of contract, negligence or breach of statutory duty may be made out. The value of this kind of data breach compensation claim is often low, but claimants can join together to bring a group data breach claim. The likelihood of success of such claims has recently been increased by the Court of Appeal's ruling in Farley and Others v. Paymaster (1836) Limited (trading as Equiniti) [2025] EWCA Civ 1117, which held that there is no 'threshold of seriousness' which must be met. M&S is already facing a group claim over its data breach from at least one law firm, Thompsons Solicitors, whose website suggests that over 10,000 individuals have 'signed up' so far for the potential claim (which does not appear to have been issued yet).

For companies

For a company that has suffered a breach, there are several potential civil and criminal remedies that can be pursued. For example, injunctions can be sought - even against persons unknown - to prevent further dissemination or use of the data. In the recent case of HCRG Care -v- Person(s) Unknown [KB 2025-000736], the attackers, known only as 'Medusa', stole confidential data belonging to employees, clients and third parties of a prominent UK health care organisation.

Faced with extortion threats, HCRG successfully obtained an interim - and then final - injunction for breach of confidence to prevent further misuse or disclosure of the stolen information. Despite the inherent difficulties in serving injunctions on 'unknown persons', service was achieved via a web portal and ultimately by email. The case highlights the English court's flexible approach to bringing those responsible for ransomware attacks to justice.

Proprietary or freezing orders can be obtained to trace and recover any assets stolen as part of the hack and Norwich Pharmacal orders can offer a means of tracing and identifying wrongdoers by obtaining relevant disclosure from third parties as to the identity of the hackers.

Plainly, none of these spooky solutions are as effective as avoiding the breach in the first place. This year, as you celebrate Halloween, make sure you are not taken in by any of the 'tricks' listed above and instead, 'treat' yourself to some cybersecurity and up-to-date legal advice!

 

This article has been co-authored by Georgia Morris, a trainee solicitor in the commercial dispute resolution team.



Penningtons Manches Cooper LLP

Penningtons Manches Cooper LLP is a limited liability partnership registered in England and Wales with registered number OC311575 and is authorised and regulated by the Solicitors Regulation Authority under number 419867.
