DSH Press release

Press release date: 05/12/2025

Many UK organisations take pride in great service and strong operations. Yet recent data breaches show that the biggest weakness is often not technology. It is the moment a member of staff is fooled by a fake email or a convincing phone call. These incidents were not caused by complex system failures. They were the result of human error, and they were entirely avoidable.

A British construction group was fined £4.4 million by the Information Commissioner’s Office (ICO) after a phishing email led to a major cyber attack that exposed the data of more than 100,000 employees. The warning signs were not acted on, attackers moved through the company’s systems and sensitive information was stolen.

A law firm in Merseyside was fined £60,000 after criminals accessed systems through an old administrator account that did not have multi-factor authentication. The attackers were able to extract 32 GB of highly sensitive client data, which later appeared on the dark web. The ICO required enabling MFA, removing or securing legacy accounts, better monitoring and penetration testing.

A small law firm in London suffered a ransomware attack in which almost 1,000,000 files were encrypted and thousands of court bundles were stolen. The ICO fined them £98,000 as well as enforcing improved encryption for backups, better patch management and stronger incident response.

In a high-profile case in 2025, hackers stole and began to release sensitive information about children from the Kido nursery chain. The hackers stole data after breaching software called Famly used by the chain. The case is still being reviewed by the ICO.

Data protection training is a legal requirement for every UK organisation. When staff or partners are not trained, the risk quickly passes back to the business. Industry analysis shows that up to 88 percent of data breaches can be prevented through staff education, yet many organisations still underestimate its impact. If the companies affected by these incidents had invested in regular training, one hour of focused learning might have prevented long-term reputational harm.

Cyber security tools remain vital, but technology cannot replace a well-trained team. Staff make countless decisions each day that can either protect or expose the business. Organisations that prioritise awareness and responsibility build stronger, safer workplaces.

As UK organisations reflect on the lessons from these breaches, a clear message emerges. Strengthen your systems and improve your policies, but begin with your people. A well-trained workforce, supported by an equally well-trained supply chain, is one of the strongest forms of protection any organisation can have.
