You’re on the United Kingdom website. Choose your country or region to see location-specific content
UK
US
Contact
Hicomply
Resources
Staying Compliant
March 27, 2026

Who Bounced Back from the UK's Season of Cyber Chaos?

A year on from the 2025 UK cyber attacks, we examine what separated fast recovery from prolonged disruption — and how your business can prepare.

By
Lucy Murphy
Lucy Murphy
Lucy Murphy
5 min read
March 27, 2026
A cybersecurity analyst monitors multiple screens displaying code and global threat data in a darkened operations centre
Ask AI to summarize Who Bounced Back from the UK's Season of Cyber Chaos?

We are just shy of one year on from the start of what became an uncomfortable few months for UK businesses. The series of high-profile cyber incidents that hit from the end of March 2025 felt relentless at the time, arriving one after another through spring and into summer. Starting with Marks & Spencer, Co-op and Harrods followed in quick succession. Later, Jaguar Land Rover brought disruption into manufacturing.

The disruption was unusually visible. As systems went offline, online orders halted, shelves ran low and customers were suddenly aware of how dependent everyday services are on complex digital infrastructure. Nearly a year on, the more interesting question is not who was breached. It is who managed to recover, and what made the difference which other organisations can learn from.

Marks & Spencer: Weeks of disruption and a 99% profit drop

Marks & Spencer was first to feel the impact. The retailer confirmed a cyberattack over the Easter weekend in March 2025 after detecting unusual activity across its systems. Online ordering was paused while the business worked to contain the incident. For several weeks, disruption rippled through digital operations and the supply chain.

Its household-name status brought with it heavy press coverage and significant financial scrutiny. Statutory profit before tax fell 99%, from £391.9m to £3.4m for the first half of the year. Services have since been restored, but the financial impact of those weeks was hard to ignore.

Co-op: 6.5 million members’ data exposed and £206m in lost revenue

The Co-op Group disclosed its own incident shortly after, when attackers gained access to core systems in late April. Ordering and logistics were disrupted, some stores reverted to manual processes and cash-only operations, and the personal data of around 6.5 million members was exposed.

The financial toll was significant. The attack contributed to an £80 million hit to operating profit and around £206 million in lost revenue in the first half of 2025. Despite that, the business did manage to restore systems and stabilise operations over the following months.

Harrods: Fast containment meant stores stayed open

Harrods confirmed it had restricted access to parts of its systems after detecting an attempted intrusion in early May. The business moved quickly to shut down sections of its IT infrastructure while investigations were carried out. Unlike the incidents before it, the disruption was largely contained before it could significantly affect operations. Both physical stores and online services continued to trade.

That swift containment is likely why the incident avoided the same level of operational and financial fallout. Decisive action in the early stages paid off. Following two high-profile incidents before it, heightened vigilance may also have played a part in the business's readiness.

Jaguar Land Rover: Production halted, £2 billion hit to the UK economy

Later in the year, attention shifted from retail to manufacturing. Jaguar Land Rover suffered a cyberattack that forced the company to halt production across several UK plants, including Solihull and Halewood. Manufacturing lines were brought to a standstill while systems were taken offline and investigations began, with production disruption lasting weeks.

Because modern car manufacturing relies on interconnected digital systems and just-in-time supply chains, the impact spread quickly beyond JLR itself. Suppliers paused deliveries, dealerships faced delays, and analysts later suggested the disruption cost the UK economy close to £2 billion. Into 2026, JLR continued to report losses directly tied to the incident.

So how did some businesses recover quicker than others?

The tricky reality of cyber incidents is that it is rarely a question of if, it is a question of when. What matters far more is how organisations respond once systems are compromised and if they are ready for it.

Businesses that already have structured security frameworks in place are often better prepared because they have documented processes for incident response, risk management and reporting. Frameworks like ISO 27001 force organisations to think about governance, accountability and response planning before a crisis arrives. Without that structure, organisations often find themselves trying to build those processes in the middle of an incident, which extends disruption and increases regulatory exposure.

The Harrods response illustrates this well. Containment was fast, stores stayed open, and the financial loss was minimal compared to the incidents that preceded it. Preparation like this is what separates the businesses who recover fast and those who suffer from attacks like these.

This risk for organisations going forward…

As cyber incidents become more common, there is a real danger that organisations start to accept them as the cost of doing business, which is a massive mistake to make when there are easy ways to prepare.

Cyber warfare is a constant threat, and digital infrastructure has become a target in global conflicts. Large multinationals may have the resources to absorb the shock of a major incident, while many other organisations do not have that option. Cash-strapped public services, local authorities and the small and medium-sized businesses that make up the backbone of the UK economy could struggle to survive a serious attack. For organisations that serve communities directly, whether that is hospitals, councils or essential local services, prolonged disruption carries a human cost that goes well beyond the only financial risks.

How can organisations avoid this risk?

A year on from the cyber chaos of 2025, here is what businesses should take away from these incidents:

The organisations that bounced back fastest were not necessarily those that avoided disruption altogether. They were the ones with the governance, visibility and preparation in place to respond quickly and restore operations with confidence.

Compliance achieved at a point in time does not translate into operational resilience. Regulators and partners are increasingly asking not just whether controls exist, but whether they are operating consistently and whether evidence can be produced when needed.

If we want to protect the organisations that underpin our communities and economy, we need to move beyond accepting disruption as the new normal and start treating preparation and resilience as something that must be built before the incident, rather than reaction.

How can we help?

Hicomply helps organisations embed compliance into day-to-day operations, so evidence is ready when regulators, boards or partners ask for it. To see how continuous compliance works in practice, book a demo at www.hicomply.com/get-a-demo

Article by Lucy Murphy
Customer Success Manager

Lucy works closely with customers to help them get the most out of the Hicomply platform, from onboarding to audit success. She brings a user-focused mindset to everything she does, making her well-placed to write about day-to-day challenges, shortcuts, and success strategies. Her content is grounded in what real InfoSec and compliance teams need to know — and how to get there faster.

Expect helpful walkthroughs, product tips, and practical insights.

Read more about Lucy Murphy

Get Started With

Everything you need to know before you pursue ISO 27001 compliance.

View All
A compliance professional reviewing a SOC 2 report on a tablet during a vendor security assessment.
Blog
March 13, 2026

How to Verify SOC 2 Certification — What to Request and What to Look For

Two professionals reviewing SOC 2 audit data on a monitor during an auditor selection meeting
Blog
March 13, 2026

How to Choose a SOC 2 Auditor — Criteria, Red Flags & Selection Checklist

Blog
March 11, 2026

Long Road Back from Breach: Why Recovery is only the Beginning

Take Your Learning Further

Discover research, playbooks, checklists, and other resources on

compliance.

Explore
Hub
Decorative
Staying Compliant
No items found.
No items found.