Top 25 Cybersecurity Breaches in the UK: What Went Wrong

A deep dive into the UK’s most significant cybersecurity breaches, examining how they happened, what went wrong, and the lessons organisations can learn. From household brands to public institutions, these incidents reveal the real cost of poor cyber resilience.

January 13, 2026
Shail Yadav
Marketing Executive

Introduction

Data breaches aren’t new; they’ve been happening year after year, affecting companies of all sizes, from small startups to household-name giants. Each breach is more than just a news headline; it’s a lesson in how vulnerabilities, human error, or cybercriminal tactics can expose sensitive information.  

By examining these incidents, we can identify patterns in how breaches occur, how companies respond under pressure, and the steps they take afterwards to strengthen their security. Some organisations recover quickly, learning and evolving, while others face lasting reputational damage. Looking back at these events not only highlights the scale of the threat but also offers valuable insights for businesses, consumers, and anyone concerned about digital safety.  

In this post, we’ve rounded up some of the most significant and talked-about data breaches in the UK, cases that shocked the public, changed the way companies handle data, and still serve as cautionary tales today.

1. Sony PlayStation Network UK Users (2011)
Sony PlayStation Network serves millions of gamers across the UK and is a core part of Sony’s global gaming ecosystem.
The breach took place in 2011 and affected users worldwide, including a significant number in the UK.
Hackers compromised user account data including names, email addresses, passwords, and payment card details, impacting around 70 million users globally and forcing the PlayStation Network offline for several days. The UK Information Commissioner’s Office later fined Sony £250,000 for failing to adequately protect customer data, citing negligent security practices that put users at risk of identity theft. Sony initially appealed the decision but later dropped the appeal, stating that continuing would risk exposing sensitive security information, while maintaining that it disagreed with the ruling.

2. JD Wetherspoon (2014)
JD Wetherspoon is one of the UK’s largest pub chains, operating hundreds of locations across the country.
The breach was discovered in June 2014 after unusual activity was identified on its payment systems.
Hackers installed malware on point-of-sale terminals in several pubs, allowing them to steal customer card details during transactions. JD Wetherspoon said fewer than 100 pubs were affected, but customers were warned to check their bank statements for suspicious activity. The company removed the malware, worked with banks and card providers, and stated that no customer addresses or PIN numbers were compromised.

3. Morrisons (2014)
Morrisons is one of the UK’s largest supermarket chains, employing tens of thousands of staff nationwide.
The incident occurred in 2014 and came to public attention soon after the data was published online.
A senior internal auditor deliberately leaked the payroll data of nearly 100,000 employees, including names, addresses, bank account details, and salary information. The data was uploaded to a public file-sharing website and sent to newspapers, in an attempt to damage the company. While Morrisons was ultimately found not to be directly liable for the employee’s actions, the case became a landmark example of the insider threat and highlighted the risks organisations face from privileged access misuse.

4. T-Mobile UK (2015)
T-Mobile UK was a major mobile network provider operating across the country and later became part of EE.
The breach occurred in 2015, but details emerged over time as investigations continued.
Hackers gained unauthorised access to a customer database, exposing personal information including names, addresses, dates of birth, and phone numbers. While financial details such as card numbers were not compromised, the breach highlighted weaknesses in customer data protection and contributed to regulatory scrutiny of telecom providers’ security practices in the UK.

5. TalkTalk (2015)
TalkTalk is a British telecoms provider offering broadband, phone, and TV services to millions of customers in the UK.
The breach occurred in October 2015 when attackers exploited SQL injection vulnerabilities in legacy webpages inherited from TalkTalk’s acquisition of another company. The vulnerability allowed unauthorised access to an underlying customer database containing names, addresses, dates of birth, phone numbers, email addresses, and financial information. In total, 156,959 customers had personal data accessed, and in 15,656 cases bank account details and sort codes were also exposed. The UK Information Commissioner’s Office found TalkTalk had failed to take basic security measures such as updating outdated software and monitoring for vulnerabilities, and it issued a record £400,000 fine for contravening the Data Protection Act. The company later settled the fine early at £320,000, and the incident prompted a parliamentary inquiry into telecom security practices.

6. Yahoo UK Users (2013 to 2014, disclosed 2016)
Yahoo was one of the world’s largest email and online service providers, with millions of users in the UK.
The breaches occurred between 2013 and 2014, but Yahoo only publicly disclosed them in December 2016.
Hackers accessed account information for over one billion users globally, including names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers. UK users were among those affected. The breach, one of the largest in history at the time, raised serious concerns about Yahoo’s security practices and prompted investigations by regulators and lawsuits from users whose personal information was compromised.

7. Tesco Bank (2016)
Tesco Bank is the financial services division of the UK supermarket chain Tesco, providing current accounts, savings, and cards to millions of customers.
The breach occurred in November 2016 when cybercriminals exploited weaknesses in the bank’s online systems. The attackers stole approximately £2.5 million from around 9,000 customer accounts, forcing Tesco Bank to temporarily suspend online payments while investigating the attack. The UK Financial Conduct Authority later fined Tesco Bank £16.4 million for failing to have adequate systems and controls in place to prevent the attack. The incident highlighted the importance of robust cybersecurity measures in financial institutions and the regulatory expectation that banks must proactively protect customer funds.

8. Uber UK (2016, disclosed 2017)
Uber is a global ride‑hailing platform widely used in the UK by both drivers and passengers.
The breach occurred in 2016 but was not publicly disclosed until November 2017.
Hackers accessed personal data including names, email addresses, and phone numbers of around 57 million users and drivers worldwide. The attackers gained entry by using login credentials stored on a private code repository on GitHub that Uber had failed to secure. Rather than report the incident to regulators at the time, Uber paid the hackers $100,000 to delete the stolen information and kept the breach secret for more than a year. When the breach was finally revealed, Uber faced regulatory investigations, legal action, and widespread criticism over both the security failure and the decision to conceal the breach from users and authorities.

9. Equifax (2017)
Equifax is a global credit reference agency that provides credit reports and financial data services to millions of people worldwide, including in the UK.
The breach occurred in 2017 when attackers exploited a known vulnerability in Equifax’s systems that had not been patched.
Personal data of tens of millions of consumers was exposed globally, including names, birth dates, addresses, and in some cases credit card details. In the UK, up to 15 million consumers’ records were affected. The incident led to regulatory scrutiny in multiple countries, fines, and legal action, highlighting the critical importance of timely software updates, strong security practices, and the risks of storing large volumes of sensitive consumer data.

10. WHSmith (2018)
WHSmith is a prominent UK retailer with stores on high streets, in airports, and at train stations.
The breach was identified in 2018 when malware was discovered on the retailer’s payment systems at multiple locations.
Customer payment card details were exposed, affecting transactions processed through the compromised systems. WHSmith worked with banks and payment providers to protect affected customers, while the incident raised wider concerns about point-of-sale security in retail and the importance of monitoring and updating payment infrastructure to prevent similar attacks.

11. Cathay Pacific UK Customers (2018)
Cathay Pacific is a major international airline with a significant UK customer base.
The breach was disclosed in October 2018 after unauthorised access to airline systems was detected.
Personal data of around 9.4 million passengers globally was compromised, including names, dates of birth, passport numbers, and contact information. UK customers were among those affected. Cathay Pacific stated that no financial information or travel history was believed to have been accessed, but the breach prompted criticism over the airline’s cybersecurity practices and raised concerns about how airlines handle sensitive passenger data.

12. British Airways (2018)
British Airways is one of the UK’s largest airlines, serving millions of passengers domestically and internationally.
In mid-2018 the airline suffered a sophisticated cyberattack on its online booking system.
Attackers injected malicious code into the British Airways website and mobile app, intercepting personal and payment card information of around 429,000 customers. The breach led to regulatory scrutiny under the EU General Data Protection Regulation (GDPR), resulting in a £20 million fine by the UK Information Commissioner’s Office and multiple class-action claims from affected customers. The incident highlighted the risks posed by online booking platforms and the growing importance of GDPR compliance for protecting consumer data.

13. Virgin Media (2020)
Virgin Media is a leading UK provider of broadband, TV, and telecommunications services, serving millions of customers.
The incident came to light in March 2020, although the misconfigured database had been publicly accessible for several months prior.
Personal information of around 900,000 customers, including names, phone numbers, and account details, was exposed online due to the database misconfiguration. Virgin Media promptly secured the database, notified affected customers, and worked with cybersecurity experts to prevent further exposure. The breach highlighted the importance of proper configuration and monitoring of online databases to protect sensitive customer information.

14. Interserve (2020)
Interserve was a major UK construction and outsourcing company providing services to both public and private sector clients.
The cyber incident occurred in May 2020 when a ransomware attack disrupted the company’s IT systems.
The attack exposed personal data of employees and contractors, including names, addresses, and employment details. The UK Information Commissioner’s Office later fined Interserve £4.4 million for failing to implement appropriate security measures to protect personal information, highlighting the risks posed by weak cybersecurity in organisations that manage sensitive data for clients and the wider public.

15. EasyJet (2020)
EasyJet is a major UK budget airline serving millions of passengers domestically and internationally.
In May 2020, the airline disclosed a cyber-attack that had occurred earlier in the year, affecting personal data of approximately nine million customers.
Attackers accessed names, email addresses, and travel details, and for over 2,200 customers, payment card information was also compromised. EasyJet described the incident as a “highly sophisticated” attack and reported it to the UK Information Commissioner’s Office. The breach prompted enhanced cybersecurity measures across the airline and customer notifications, and highlighted the importance of robust protection for passenger data in the aviation sector.

16. The Labour Party (2021)
The UK Labour Party is one of the country’s major political parties, responsible for managing sensitive member and supporter information.
The cyber incident was identified in October 2021 when a third-party supplier, Tangent, experienced a security breach that rendered a significant quantity of Labour Party data inaccessible.
Investigations showed that the data potentially affected included only the names of individuals who were members in 2014. The Labour Party immediately engaged cybersecurity experts and reported the incident to the National Crime Agency, the National Cyber Security Centre, and the Information Commissioner’s Office, which later closed its investigation. The party took steps to strengthen IT security and ensure that personal data is processed and retained safely, highlighting the risks political organisations face from third-party suppliers and the importance of robust data management practices.  

17. UK Electoral Commission (2021 to 2022, disclosed 2023)
The Electoral Commission is the independent body that oversees elections and regulates political finance in the UK.
The breach took place between August 2021 and October 2022, but it was only publicly disclosed in August 2023 after forensic investigations and system remediation.
Hostile actors accessed the Commission’s servers, including its email system and reference copies of electoral registers held for research and regulation. The registers contained the names and home addresses of everyone registered to vote in Great Britain between 2014 and 2022, plus those registered in Northern Ireland in 2018, as well as contact details and any personal data submitted via email or webforms. The UK Information Commissioner’s Office found that the Commission did not meet required data protection standards prior to the attack and issued a reprimand, though no fines were applied. The incident raised serious concerns about the security of voter data, the length of time the breach went undetected, and the risks posed to democratic institutions, prompting improvements in authentication, patching practices, and overall cyber resilience.

18. Capita (2023)
Capita is one of the UK’s largest outsourcing and business services providers, delivering IT, HR, pensions, and other systems for both public and private sector clients.
In early 2023 the company suffered a significant ransomware attack that affected multiple parts of its network and IT systems.
Hackers exfiltrated sensitive data relating to staff, clients, and pension scheme members across a range of services. The incident disrupted operations for several weeks, delaying processes for public bodies, employers, and pension administrators while Capita engaged specialist support to contain the attack, restore systems, and notify affected parties. Millions of individuals’ records were potentially involved and the company faced regulatory scrutiny, significant remediation costs, and efforts to strengthen cyber resilience across its estate. Capita published a detailed response outlining what happened, how it responded, and the measures it would take to improve security and reduce future risk.  

19. British Library (2023)
The British Library is the UK’s national library and one of the world’s largest research libraries, holding millions of books, manuscripts, and digital resources.
In October 2023 the library suffered a serious ransomware attack that disrupted its online catalogue, digital services, and internal systems for months.
The attackers encrypted key systems and exfiltrated about 600GB of data, including personal information from user and staff databases, which was later posted or offered for sale online. The group responsible, known as Rhysida, reportedly demanded a ransom which the library refused to pay. The breach forced the library to shut down affected systems, work with cybersecurity experts and national agencies to restore services, and use a significant portion of its financial reserves to recover from the attack. The UK Information Commissioner’s Office later issued a statement noting the lack of multi‑factor authentication on an administrator account contributed to the escalation of the incident but decided not to pursue further enforcement action given the library’s transparency and steps taken to improve security. The attack highlighted risks to cultural and research infrastructure and the importance of robust authentication and patching practices.

20. Zellis Payroll Services (2023)
Zellis is a UK‑based payroll and HR services provider that handles payroll processes for a wide range of large organisations.
In May 2023 a zero‑day vulnerability in the widely used MOVEit file transfer tool, which Zellis employed for data transfers, was exploited by cybercriminals, leading to a major supply‑chain breach.
The incident exposed personal data of employees from several major UK employers, including the BBC, British Airways, Boots, and others, with compromised information such as names, dates of birth, home addresses, and national insurance numbers. Some organisations also warned staff that bank account details may have been impacted. Zellis immediately disconnected the affected systems, engaged external incident response experts, and notified the Information Commissioner’s Office and the National Cyber Security Centre as part of the response. The breach highlighted the serious risks posed by vulnerabilities in third‑party software and the importance of patching and monitoring supply‑chain tools.

21. MoD Payroll Breach (2024)
The UK Ministry of Defence is responsible for the country’s defence systems and for managing payroll and personnel records for armed forces staff.
The breach was reported in early May 2024 after a third‑party payroll provider’s systems were compromised in what was widely described in cybersecurity reporting as a suspected state‑linked attack.
Personal data relating to military personnel, including names, service numbers, contact details and payroll information, was exposed, raising serious concerns about the security of sensitive defence personnel data. The incident prompted emergency reviews of third‑party risk, accelerated security upgrades across defence payroll systems, and reinforced warnings that even the most well‑resourced organisations face significant cyber threats. The MoD and its partners worked to contain the breach and strengthen authentication and monitoring to prevent similar attacks in future.

22. Jaguar Land Rover (2025)
Jaguar Land Rover is one of the UK’s biggest automotive manufacturers and exporters, producing luxury vehicles at factories in Solihull, Halewood, and Wolverhampton.
The cyberattack began on 31 August 2025 when attackers infiltrated the company’s IT systems, forcing an immediate shutdown of production across its UK plants and halting vehicle manufacturing for several weeks.
The disruption was so severe that JLR paused production until at least early October as it worked to investigate and restore systems, with staff sent home and supply chain partners facing cascading impacts. The incident did not appear to involve direct theft of customer payment data, but it caused widespread operational and economic damage, with experts estimating the total cost to the UK economy at around £1.9 billion and thousands of businesses in the supply chain affected. The attack became one of the most financially damaging cyber events in UK history, prompting government support measures including a £1.5 billion loan guarantee to stabilise JLR and its suppliers, and renewed focus on industrial cybersecurity and supply chain resilience.

23. Kido International (2025)
Kido International operates early-years nurseries across Greater London and internationally, caring for thousands of children and employing staff at multiple sites.
In September 2025 the company disclosed a ransomware attack on its UK operations after a group calling itself Radiant claimed it had accessed systems and stolen personal data relating to around 8,000 children and staff.
The exposed information included names, dates of birth, home addresses, contact details, and photographs of children, alongside data linked to parents, carers, and employees. Hackers posted samples of the data online and attempted extortion, prompting a Metropolitan Police investigation and the arrest of two teenagers. The ICO was notified, and the National Cyber Security Centre highlighted the heightened safeguarding risks posed by breaches involving children’s data.

24. Louis Vuitton UK Customer Data Breach (2025)
Louis Vuitton is a global luxury fashion brand with a strong UK customer base, part of the French luxury group LVMH.
In July 2025 the company confirmed that an unauthorised third party had accessed systems in its UK operations and stolen customers’ personal information after discovering the breach on 2 July 2025.
The compromised data included names, contact details, and purchase histories of affected customers, although the company said financial information such as payment card or bank details was not accessed. Louis Vuitton notified affected customers and relevant authorities, including the UK Information Commissioner’s Office, and urged vigilance against phishing and fraud attempts that could follow from the exposure of personal data. The incident was part of a wider series of breaches affecting several LVMH brands and underscored the growing cyber threat to luxury retailers and their customer databases.

25. Retail Cyberattack Wave including Harrods, Co-op, M&S (2025)
In 2025 UK authorities identified a coordinated spate of high‑profile cyberattacks targeting major retail organisations, highlighting rising threats to consumer brands and supply chains.
Retailers including Marks & Spencer, the Co‑op, and Harrods reported significant disruptions to their IT systems after attackers infiltrated networks and deployed ransomware or made unauthorised access attempts that affected customer services, stock systems, payment systems, and online ordering platforms. Marks & Spencer was forced to suspend online orders for nearly seven weeks with an estimated £300 million profit impact, while the Co‑op experienced payment and stock issues, and Harrods restricted internet access to protect its systems. Authorities including the UK National Crime Agency arrested four individuals aged between 17 and 20 on suspicion of offences under the Computer Misuse Act and organised cybercrime in connection with these incidents. Investigators have linked the attacks to sophisticated groups such as Scattered Spider, and the events have driven renewed focus on strengthening cyber resilience across the UK’s retail sector to protect customer data and maintain continuity of service.

Protect your organisation before you become the next headline

These breaches show a clear pattern: attackers exploit blind spots faster than many organisations can detect them. Whether it’s unpatched systems, third-party software, insider misuse, or exposed credentials, the result is the same: operational disruption, regulatory scrutiny, and lasting reputational damage. For UK organisations, the stakes are even higher under GDPR and growing public expectations around data protection.

CYJAX helps organisations move from reactive defence to proactive risk reduction by providing real-time visibility into criminal activity across the surface, deep, and dark web, enabling security, fraud, and risk teams to identify emerging threats, exposed assets, and attacker behaviour before damage occurs.

Don’t wait for a breach to find out what attackers already know about your organisation.
👉 Contact CYJAX to see how our threat intelligence can help you protect your people, data, and operations.
