Welcome to the latest edition of our quarterly Fraud and Cyber Newsletter.
As cyber threats grow in scale, complexity and impact, businesses are facing mounting pressure to strengthen their digital resilience, governance frameworks and legal preparedness. This edition brings together expert analysis on recent incidents, legal developments and strategic lessons to help businesses navigate the evolving risk landscape.
In our first article, we look at the M&S cyber attack, linked to the notorious Scattered Spider group, which underscores the systemic risks posed by third-party contractors and the growing sophistication of social engineering tactics. Such an attack, and others like it, brings an urgent call to action for businesses to reassess vendor access, staff training, insurance coverage and incident response planning.
In Farley v Paymaster, the Court of Appeal has clarified key principles around compensation for data misuse, reinforcing the importance of robust data management and setting a precedent for future group actions. Meanwhile, the Jaguar Land Rover cyber attack reveals the devastating operational and economic consequences of cyber incidents, particularly across complex supply chains, with lessons for risk mapping and resilience planning.
We also explore the first successful recovery under an Unexplained Wealth Order with the sale of Hope Springs House, a landmark moment for the Serious Fraud Office and a signal that proceeds of crime, however well hidden, can be reclaimed.
In the regulatory space, the ICO’s £2.31 million fine against 23andMe highlights the critical importance of layered security controls for sensitive personal data, while our analysis of the Cyber Security and Resilience Bill and ransomware consultation reveals how the UK is responding to the growing threat landscape with stronger legislative tools and reporting requirements.
Finally, we revisit insights from our July Tech newsletter, examining the evolution of ransomware and the strategic steps organisations must take to bridge the gap between technology, people and policy.
If you have any suggestions or requests for future editions of the Trowers Fraud and Cyber Insight, please get in touch with one of the team.
Click the links below to view our latest insights:
M&S Cyber attack - a cautionary tale
The M&S cyber attack linked to the notorious Scattered Spider group led to the rare arrest of four suspects in the UK and provides crucial lessons for businesses. The attackers exploited a third-party contractor using social engineering to gain access and deploy ransomware, rather than attacking M&S directly, highlighting the systemic risk companies face even with strong internal defences. The article sets out strategic lessons learned across key themes including third-party risk management, social engineering threats, cyber insurance limits, transparency in communications, and regulatory momentum, emphasising that businesses must review vendor access, implement ongoing staff training, reassess insurance coverage, and maintain regularly tested incident response plans.
Farley v Paymaster EWCA Civ 1117
The Court of Appeal's significant ruling on compensation claims relating to the misuse of personal data in Farley v Paymaster establishes important principles for UK data protection law. In August 2019, Equiniti incorrectly posted over 750 highly sensitive pension statements containing personal information of Sussex Police officers to outdated addresses, prompting 474 officers to bring a group action. The Court of Appeal overturned the High Court's decision to strike out the majority of the claims, clarifying that evidence of disclosure to a third party is not required for a viable data protection claim and that there is no threshold of seriousness that claims must meet, though fears must be objectively well-founded rather than purely hypothetical. The decision puts claimants on a surer footing and will have implications for how group actions are brought and managed in the future, whilst underscoring the importance of robust data management systems for organisations.
Cyber Attacks: more than just data
The catastrophic operational impact of cyber attacks extends far beyond personal data breaches, as demonstrated by the Jaguar Land Rover (JLR) cyber attack at the end of August 2025. JLR took the decision to shut down many of its IT operational systems whilst the attack was in progress to contain potential damage, resulting in production being halted in its main UK plants with daily production of around 1,000 vehicles grinding to a halt, translating into losses estimated at around £50 million per week. The ripple effect throughout JLR's significant network of suppliers, many of which are small to medium sized businesses supporting 104,000 jobs through the UK supply chain, has been devastating, with workers asked to apply for universal credit and increasing calls for government support as many face potential insolvency. Key takeaways for businesses include mapping supply chain risks, considering cyber risk profiles, implementing robust cybersecurity measures, and regularly stress testing incident response plans.
The Sale of Hope Springs House: A Turning Point for Unexplained Wealth Orders?
A significant milestone has been reached with the sale of Hope Springs House, marking the first successful Unexplained Wealth Order (UWO) recovery by the Serious Fraud Office, with over £1.1 million recovered for the public purse. The order was made against Claire Schools, ex-wife of Timothy Schools, a former solicitor convicted in 2022 for orchestrating a £146 million fraud, who was unable to provide a legitimate explanation for the source of funds used to purchase and renovate the property. Whilst the recovery is a positive outcome, the symbolic importance is clear: it shows that associates and family members of fraudsters are not beyond reach and that UWOs, introduced under the Criminal Finances Act 2017, are being used to recover proceeds of crime that might otherwise remain hidden, serving as another useful tool and hopefully a deterrent.
DNA testing firm, 23andMe, fined £2.31m by the ICO for data breach
DNA testing firm 23andMe has been hit with a £2.31 million fine by the Information Commissioner's Office following a 2023 data breach that compromised sensitive data of thousands of individuals. The company was targeted by a credential stuffing attack where hackers accessed 14,000 accounts and downloaded information relating to around 6.9 million people, including particularly sensitive data such as race, ethnicity, health reports, family trees and raw genetic data. The ICO found serious security failings including the lack of multi-factor authentication, no requirement for sophisticated usernames and passwords, no additional verification when downloading genetic data, and an inadequate response that saw the company dismiss initial warning signs as a hoax before fully investigating six months after the initial attack. The decision highlights key takeaways for organisations handling sensitive personal data, including the importance of password complexity, mandatory multi-factor authentication, layering security requirements based on data sensitivity, and preparing for and responding quickly to attacks.
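The two failings the ICO singled out, no detection of a credential stuffing pattern and no extra verification before downloading genetic data, can both be expressed as small defensive checks. The following is an added illustration, not code from 23andMe or the ICO decision; the log format, sensitivity tiers, thresholds and session fields are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login events (assumed format, not real logs):
# (timestamp, source_ip, username, login_succeeded)
SAMPLE_EVENTS = [
    (datetime(2023, 10, 1, 9, 0, 0), "203.0.113.7", "alice", False),
    (datetime(2023, 10, 1, 9, 0, 2), "203.0.113.7", "bob", False),
    (datetime(2023, 10, 1, 9, 0, 4), "203.0.113.7", "carol", True),
    (datetime(2023, 10, 1, 9, 0, 6), "203.0.113.7", "dave", False),
    (datetime(2023, 10, 1, 9, 0, 8), "203.0.113.7", "erin", False),
    (datetime(2023, 10, 1, 9, 1, 0), "198.51.100.3", "alice", False),
    (datetime(2023, 10, 1, 9, 1, 9), "198.51.100.3", "alice", True),
]
NOW = datetime(2023, 10, 1, 9, 30, 0)  # reference time for the policy checks

def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_attempts=5, min_distinct_users=4):
    """Return source IPs whose attempts within `window` spread across many
    accounts: a forgotten password hits one account, replayed breach
    credentials hit many, with the occasional success mixed in."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ok in sorted(events):
        by_ip[ip].append((ts, user))
    flagged = set()
    for ip, attempts in by_ip.items():
        for i, (start, _) in enumerate(attempts):
            users = [u for ts, u in attempts[i:] if ts - start <= window]
            if len(users) >= min_attempts and len(set(users)) >= min_distinct_users:
                flagged.add(ip)
                break
    return flagged

# Assumed sensitivity tiers: higher tiers require more layered controls.
SENSITIVITY = {"account_settings": 1, "ancestry_summary": 2,
               "health_report": 3, "raw_genetic_data": 4}

def authorize_download(resource, session, now=NOW):
    """Every download needs an authenticated session; tier 3+ needs MFA on the
    session; tier 4 also needs a re-verification within the last 10 minutes."""
    tier = SENSITIVITY.get(resource)
    if tier is None or not session.get("authenticated"):
        return False
    if tier >= 3 and not session.get("mfa_verified"):
        return False
    if tier >= 4:
        last = session.get("last_reverified")
        if last is None or now - last > timedelta(minutes=10):
            return False
    return True
```

The detector counts successful logins too, because a stuffing run that lands some valid credentials is exactly the case worth alerting on.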
The cyber risk outlook (and what to do about it)
As part of our July edition of our monthly Tech newsletter, we explored how ransomware has emerged as the "biggest development in cybercrime" in the last decade according to the NCSC, with attacks increasing in both frequency and sophistication through the exploitation of technical and organisational vulnerabilities, and with Generative AI and social engineering used to make phishing communications more convincing. The evolution of ransomware "as a service" has lowered barriers to entry, and attackers are increasingly targeting organisations' key risk areas: logistics and manufacturing face systems being taken offline, whilst healthcare and professional services see more data exfiltration, with triple extortion now becoming commonplace. Organisations should take a closer look at how internal risk is managed, ensure staff are well-trained in identifying and reporting suspicions, and conduct regular Incident Response Plan testing to bridge the gap between technology, people, policies and procedures.
Modernising cybersecurity law - The UK's response to evolving digital threats
Also as part of the July edition of our monthly Tech newsletter, we looked at how recent high-profile attacks have prompted swift government action, with the Cyber Security and Resilience Bill laid out on 1 April 2025 to put the UK on a closer footing with the EU's NIS2. The Bill is expected to expand regulatory remit to protect more digital services and supply chains, put regulators on a strong footing with necessary resources and powers, and mandate increased incident reporting including ransomware demands. In January 2025, the Home Office also opened a public consultation on a proposed framework for responding to ransomware attacks, including a targeted ban on ransomware payments by public sector bodies and Critical National Infrastructure operators, and mandatory incident reporting for all suspected ransomware attacks.