
Cyberattacks 2025: Millions of UK users exposed in year of hacks — here’s what it means for your data

If 2024 was the year when artificial intelligence dominated the headlines, then 2025 has been the year of the cyberattack. From luxury fashion houses to high-street retailers and car manufacturers, businesses across the UK and beyond have found themselves under siege from hackers.
The scale, frequency and audacity of these attacks raise urgent questions about how well user data is being protected – and what risks lie ahead for millions of consumers.
The biggest breaches of 2025
Perhaps the most high-profile attack came this summer when Jaguar Land Rover (JLR) was forced to halt global production after hackers crippled its IT systems. The incident left thousands of workers temporarily stood down, dealerships unable to service vehicles, and suppliers facing cash-flow crises. Investigations later confirmed that “some data” had been affected, with regulators notified. While JLR has yet to specify if customer records were included, the disruption underscored how dependent modern manufacturers are on interconnected digital infrastructure – and how vulnerable that leaves them.
In retail, Kering, the French parent company of Gucci, Balenciaga and Alexander McQueen, admitted in June that hackers had stolen personal data linked to as many as 7.4 million email addresses. Shiny Hunters, the cybercriminal group claiming responsibility, released a sample of records showing not just names and contact details but also the total amount customers had spent. Some victims were flagged as spending upwards of $80,000, raising fears that high-net-worth individuals could be targeted for further fraud or scams.
Luxury brands weren’t the only ones hit. Marks & Spencer, Harrods and the Co-op all confirmed incidents earlier this year, forcing online and in-store operations offline. Even when financial details weren’t compromised, personal identifiers such as email addresses, order histories and loyalty scheme records were exposed – highly valuable information for criminals running phishing campaigns.
And it wasn’t confined to retail. The financial services sector also reported breaches, with mid-sized lenders and fintech platforms warning customers about attempts to access online accounts. Each case might appear isolated, but taken together they point to an alarming trend: cyberattacks are now routine, not rare.
What hackers want – and why user data is so valuable
For most attackers, the motivation is financial. Groups like Shiny Hunters typically steal large datasets and then ransom them back to the company, demanding payment in cryptocurrency. If the ransom isn’t paid, the data may be sold on the dark web, where criminals trade in email addresses, phone numbers and behavioural data.
Even without bank details, this information is potent. With a customer’s contact details and knowledge of their shopping or spending habits, criminals can craft convincing phishing emails or texts. High-spending customers are particularly attractive targets, as the Kering case illustrated. A fraudster who knows you spent £10,000 in a single transaction has a better chance of tricking you with a fake refund email than one casting a generic net.
The other motivation is disruption. In the case of Jaguar Land Rover, the attack brought production lines to a standstill. For hackers, this can be a way of demonstrating power, inflicting reputational harm, or forcing a company into paying a ransom simply to get back online.
Why 2025 has been so bad
Several factors explain the surge in successful cyberattacks this year.
First, the volume of personal data being collected and stored has grown exponentially. Retailers, carmakers and banks all rely on vast CRM systems to understand customer behaviour, personalise offers and drive sales. That makes them rich hunting grounds.
Second, geopolitical tensions have created an environment where hostile state-linked actors are more active. UK cyber experts have repeatedly warned that international conflicts are spilling into cyberspace, with attacks on infrastructure and businesses used as tools of leverage.
Third, despite improvements in security, many organisations remain under-resourced or over-confident. Too often, investment goes into protecting the most obvious assets – like payment card numbers – while overlooking other valuable datasets such as loyalty programme histories or purchasing records. As cyber lawyers point out, under UK GDPR the principle of “data minimisation” requires firms to only store what they truly need. Too many continue to hoard data indefinitely, increasing the scale of potential breaches.
What it means for UK consumers
For individuals, the lesson of 2025 is sobering: assume your personal data has already been compromised at some point. With so many large-scale breaches, it is statistically likely that your email address, phone number or purchase history is in circulation.
That doesn’t mean panic is necessary, but it does mean vigilance is. Consumers should:
• Be sceptical of unexpected messages, especially those claiming to be from luxury brands, banks or retailers.
• Use strong, unique passwords across accounts, and enable two-factor authentication wherever possible.
• Monitor financial and loyalty accounts for unusual activity. Even if criminals don’t have your card number, they may attempt to exploit rewards programmes or request refunds.
• Act quickly if notified of a breach – change passwords, review recent transactions and follow any advice provided by the company.
Perhaps most importantly, don’t dismiss non-financial data as harmless. A breached email address linked to your shopping history can be weaponised in highly targeted scams.
The road ahead
Regulators are already circling. The Information Commissioner’s Office (ICO) has been notified of several incidents and will expect companies to demonstrate that they had appropriate security and response measures in place. Meanwhile, policymakers are considering whether tougher disclosure rules are needed to ensure the public understands the scale of attacks.
For businesses, the wake-up call is clear. Data is both an asset and a liability. Investing in cybersecurity, minimising unnecessary data storage and being transparent when breaches occur are not optional extras – they are essential for protecting reputation and customer trust.
As for consumers, the spate of attacks in 2025 is a reminder of the double-edged nature of our digital lives. Convenience and personalisation come at the cost of handing over more personal data than ever before. The challenge now is to ensure that the systems designed to protect that data can keep pace with those trying to steal it.
Because if 2025 has shown us anything, it’s that cybercriminals are no longer at the gates – they are already inside.
What to do if you think your data has been breached
Top five steps UK consumers can take if their data has been breached
1. Change your passwords immediately
Update any login credentials connected to the affected service. Use a strong, unique password and activate two-factor authentication if available.
2. Monitor your accounts
Keep a close eye on bank statements, online accounts, and loyalty schemes for any unusual activity. Criminals may target store credits, refunds, or loyalty points as much as cash.
3. Be alert to phishing attempts
Fraudsters often use stolen data to send convincing fake emails or texts. Don’t click on suspicious links or share more personal details without verifying the source.
4. Check if your email is on the dark web
Services like Have I Been Pwned allow you to check if your email address has been involved in previous breaches. This can help you understand your exposure.
5. Report and protect
If you believe your financial details are being misused, contact your bank immediately. Report suspected identity theft to Action Fraud, the UK’s national fraud reporting centre.
Remember: Even if only “non-financial” data such as your name, address or purchase history is compromised, it can still be exploited in scams. Treat every breach notification seriously.