Cyber attacks ‘tipping point’ warning issued after Harrods and M&S targeted

Cyber attacks came to the fore in 2025, inflicting significant financial damage on major British businesses and exposing widespread weaknesses across the economy.
High-profile targets include automotive giant Jaguar Land Rover, retail pioneer Marks & Spencer and luxury department store Harrods, underlining how susceptible firms of all sizes are to sophisticated digital threats.
Bank of England Governor Andrew Bailey has said he believes cyber attacks represent one of the most significant threats to the UK’s financial stability, stressing the “critically important” need for collaborative defense.
Mike Maddison, CEO of cybersecurity firm NCC Group, called 2025 a “turning point.”
“Cyber attacks are far from new, but 2025 has shown how deeply intertwined cyber risk is with economic stability and business continuity,” he said.
NCC Group’s data has revealed a record rise in global ransomware attacks, with 590 cases recorded in January and 886 in February.
Ransomware is a type of malicious software that allows cybercriminals to encrypt computer systems or steal data and hold it hostage until payment is made.
A survey by insurer Hiscox earlier this year showed that 59 percent of small and medium-sized businesses had experienced a cyber attack in the previous 12 months, and 27 percent had faced a ransomware demand.
According to the survey of 5,750 respondents worldwide, 60 percent of those who paid recovered some or all of their data, but 31 percent reported that attackers demanded further payment.
The UK’s National Cyber Security Centre (NCSC) reported 204 “nationally significant” cyber attacks by September, a sharp increase from 89 the previous year.
“Compared with previous years, these attacks have been more widespread and costly, reaffirming that cybersecurity is no longer just an IT issue,” Mr Maddison said.
He added: “CEOs and government leaders must now be acutely aware that cyber resilience is fundamental to the UK’s long-term growth and resilience.”
The most significant and costly cyber attack in the UK this year was undoubtedly against Jaguar Land Rover.
The carmaker halted production at its UK factories for five weeks from September 1 following an attack the previous day.
This disruption led to a loss of over £1bn in revenue in the quarter to September and a significant loss for the company.
More importantly, the shutdown was also cited as a major factor in the contraction of the UK economy in September and October as car production slowed.
Experts from the not-for-profit Cyber Monitoring Centre described the incident as “the most financially damaging cyber incident to hit the UK”, estimating that it cost the country around £1.9 billion.
Food, fashion and homewares retailer Marks & Spencer also suffered a major attack with serious consequences, highlighting the risk of customer data being stolen from leading household brands.
The retailer was forced to suspend all online orders for around six weeks and faced empty shelves due to disruptions to its logistics systems after it was targeted around the Easter weekend.
M&S reported lost sales of £324 million but managed to recover £100 million through an insurance payout.
Customer personal data was also compromised, potentially including names, email addresses, postal addresses and dates of birth.
M&S wasn’t alone; luxury department store Harrods and supermarket group Co-op were among other retailers to suffer damaging cyber attacks in 2025.
The president of the Co-op confirmed that the data of all 6.5 million members was stolen.
Mr Maddison warned that 2025 “should be seen as a clear warning, not a one-off peak”, predicting that cybercriminals will increasingly use artificial intelligence to detect phishing attempts and system vulnerabilities.
He predicted: “Supply chains will remain key targets as their complexity means disruptions can spread quickly across sectors and intensify pressure to pay ransom.”
But he also observed: “At the same time, cyber maturity is evolving,” and “Boards are increasingly realizing that true cyber resilience goes beyond prevention and detection.”
In response, the government is developing a Cyber Security and Resilience Bill that aims to give regulators the power to impose fines on companies that fail to comply with cybersecurity regulations.
New proposals from the Home Office would oblige businesses to notify the government if they plan to pay ransoms to cybercriminals, while also banning public sector bodies and operators of critical national infrastructure from making such payments.




