UK Cybersecurity Failures 2024: Cost and Impact of Breaches

Key Takeaways

• Transport for London was affected by a cyber security incident on Monday, Sept. 2.
• The attempted hack is the latest in a string of cybersecurity failures in the country.
• According to a government report, 21% of companies experience cybersecurity breaches around once a month.

Since the start of 2024, a string of cybersecurity failures has affected businesses and government departments in the UK, with organizations including the electoral commission and London’s transport agency among those affected. 

In the latest case, Transport for London (TfL) was hit by a “cyber security incident” on Monday, Sept. 2, as attackers attempted to gain unauthorized access to its systems.

Transport for London Hit by Cyber Attack

In a statement , the transport operator said: “At present, there is no evidence that any customer data has been compromised and there has been no impact on TfL services.”  Chief Technology Officer Shashi Verma added that the agency was working closely with the National Crime Agency and the National Cyber Security Centre to respond to the incident.

Complicating the matter, the London overground network experienced severe delays on Monday evening following a signal failure at Richmond. TfL did not immediately respond to CCN‘s request for comment.

London’s transport system has previously been attacked by hackers from several angles.

In 2020, TfL acknowledged that some customers’ online accounts were accessed maliciously. More recently, in 2023, the Russian ransomware group Cl0p compromised a database kept by one of TfL’s suppliers that contained information on 13,000 drivers.

In the 12 months to April, the UK government estimates that businesses in the country were subjected to 7.78 million cyber crimes, ranging from email phishing to massive data breaches, many of which could have been prevented by better cybersecurity.

With 21% of surveyed businesses reporting breaches around once a month, even the country’s democratic institutions are threatened by cybersecurity failures. 

Security Failures Behind Electoral Commission Hack 

After the UK’s intelligence agency GCHQ disclosed that the Electoral Commission had been targeted by Chinese hackers, the Information Commissioner’s Office found that it failed to implement “basic measure[s]” to protect voters’ personal data.

The report concludes that the Electoral Commission didn’t have an “appropriate patching regime” to protect against known Windows vulnerabilities, nor a dedicated password management policy for staff as required by law.

Cost of Cyber Incidents

Among the businesses impacted by cyber crimes in 2023/24, 3% had money stolen, while 2% paid out ransoms to hackers. However, some of the most expensive cybersecurity incidents aren’t theft or ransomware but data breaches.

According to IBM, in the 2023/24 financial year, each data breach cost UK businesses $4.53 million on average.

Biggest UK Data Breaches

*Costs estimated by CCN based on fines, compensation claims and public disclosures.

As well as major international data breaches involving companies like Dell, Facebook, eBay, and Equifax, British consumers have been affected by a series of more localized attacks in recent years.

Businesses compromised include airlines (British Airways, RyanAir), mobile carriers (3 Mobile, TalkTalk) and the hospitality firm JD Wetherspoon and Camelot Group, the operator of the UK’s national lottery. 

Consumers, the Real Victims

The immediate costs of cybersecurity failures to businesses only tell half the story. In many cases, the real victims are the individuals whose personal data is exposed.

As a result of the Electoral Commission breach, hackers gained access to the personal information of around 40 million people, including their names, home addresses, email addresses, and phone numbers.

For its part, the Commission has downplayed the impact of the cyber attack, arguing that much of the stolen data was already in the public domain. Nonetheless, given the sensitive nature of other records held by the organization, the security lapse remains alarming.

While victims of corporate data breaches can often participate in class action lawsuits against large companies, victims of public sector security failures have little recourse for compensation.