This is not just any cyber attack…

There have been several high-profile supermarket cyber attacks causing major disruption to the UK retail sector. M&S, Co-op, Harrods and Peter Green Chilled (a logistics supplier to major UK supermarkets) have been the ones hitting the headlines, with the M&S attack reportedly costing the retailer £300m, around a third of its expected profits, and disruption continuing for months (BBC News, M&S cyber-attack disruption to last until July, 21 May 2025).

The impact of cyber attacks on businesses

Why are cyber attacks on businesses so disruptive and what can you do to protect your business?

Personal data protection

Just one consequence of such an attack is a potential personal data breach. Under the UK GDPR and the Data Protection Act 2018, businesses that process personal data are required to adopt ‘appropriate technical and organisational measures’ to ensure protection of that data.

Although the legislation provides instructions for what type of data security is required, cyber security is not the end of the story. There are still plenty of instances of more ‘physical’ causes: theft or loss of equipment, misplacement of hard-copy data and so on. Employee training and awareness are vital in tackling data security, as human error continues to be a large factor in security breaches.

Preparing for cyber attacks

Similarly, preparedness for a cyber security incident is key. Reports suggest that the impact of the attack on Co-op was significantly reduced because it was identified in the early stages and the plug was pulled immediately (Cyber Daily, Ransomware denied: Co-op’s quick action leads to a quick recovery, 19 May 2025). Even so, Co-op admitted that personal data had been affected (Co-op, Cyber Incident Update, 2 May 2025).

Physical security is still important and might include assessing locks on doors or storage, alarms and CCTV, access to premises and supervision of visitors, and confidential waste disposal. Technical measures might include system security, security of data held within those systems, security of websites and emails, and device security.

Data security has to be considered as part of an overall risk management plan.

A data protection audit will identify the personal data processed by your business and how that data is managed, enabling the business to adopt appropriate policies and procedures to enhance security. Understanding what data you process, which systems access it, and where it is stored and recorded will help you, in the event of a security breach, to establish whether information has been accessed and, if so, what.

Data Protection Impact Assessment

When adopting new systems or processes, you may be required to carry out a Data Protection Impact Assessment to ensure that you have considered the impact on personal data. If you are designing new systems or processes these should be designed with data protection in mind (data protection by design).

Ensure that you have a data breach management plan in place, with specific staff roles accountable for implementing the plan.

The law also requires you to have a process for regularly testing, assessing and evaluating the effectiveness of your security.

Train your staff to implement the plan. Test the plan and your systems. If you do experience an incident, reflect on it afterwards and implement ‘lessons learned’.

Producing policies and procedures for data security, such as an Information Security Policy, Privacy Policy, Data Retention Policy, Bring Your Own Device Policy, Data Breach Reporting Policy and Data Breach Management Plan, all demonstrates that you are taking data security seriously, but these policies and procedures need to be effectively implemented and staff need to be trained properly.

Data breach action plan

In the event of a data breach, you must be able to identify quickly whether a breach needs to be reported to the ICO and/or the data subjects. Prompt action can protect your business, not only against the reach of a cyber attack but also against increased fines imposed by the ICO or other regulators.

Data breach cases

Undoubtedly cyber attacks are becoming more frequent and often more sophisticated. But the ICO made it clear as far back as 2020, in the case of a large data breach at British Airways (BA), that although BA had been the victim of a malicious attack, the fact that it had no intent itself was irrelevant: BA had not done enough to maintain its systems, resulting in significant vulnerabilities. BA, you may recall, was fined £20m.

Marriott International Inc was similarly fined £18.4m in 2020, with the ICO finding that there was insufficient monitoring of its systems and accounts. The responsible malware had in fact been installed four years earlier in the systems of a company purchased by Marriott, which shows how vital appropriate IT due diligence is when investigating targets for purchase, and that this scrutiny must continue after the acquisition.

Whilst the fines imposed on Marriott and BA were huge, and related to the size and impact of the breach, data security is a priority for all businesses. The projected impact on M&S’s profits and reputation shows that fines are by no means the only financial woes attached to security breaches.

The Co-op demonstrated that fast action can mitigate damage; in the BA and Marriott cases, acting quickly to mitigate the effects of the breach also significantly reduced the fines imposed by the ICO. Your ability to act quickly is vastly improved if your business is well prepared and knows what to do.

Third party data breach

Reports suggest that hackers’ access to M&S systems was via a third party working with the store. As part of your risk analysis these contact points with third parties have to be viewed as a potential vulnerability and need to be managed through a combination of contractual safeguards, together with practical security monitoring and testing.

Whether or not third parties access your personal data directly, they can still provide a gateway into your systems, either technically or through ‘social engineering’, where information gathered initially is used to convincingly persuade individuals to provide access to critical systems. This reinforces the importance of employee training, and of regularly testing the process to ensure the training is effective.

Document a data breach

The legislation requires that you keep records of everything from your processes and your tests and their results to each suspected or potential security breach.

There is never any guarantee that cyber attacks will not succeed, but all businesses will need to demonstrate that they have done everything they can to protect themselves.

How can we help?

If you need legal advice on data protection matters, whether it is guidance on the records you keep, producing appropriate policies and procedures, or carrying out a data protection audit, contact Keith Kennedy on 0161 785 3500 or email enquiries@pearsonlegal.co.uk to speak to our in-house team of data protection experts.

Please note that the information and opinions contained in this article are not intended to be comprehensive, nor to provide legal advice. No responsibility for its accuracy or correctness is assumed by Pearson Solicitors and Financial Advisers Ltd or any of its members or employees. Professional legal advice should be obtained before taking, or refraining from taking, any action as a result of this article.

Written by Keith Kennedy
