More than 42 million people in UK have had their financial data hacked

International law firm RPC says the huge spike in data breaches, up from 2.2 million in 2019/20, is partly due to a greater number of ransomware attacks.

These can potentially involve significant quantities of data being copied at the same time as encrypting the target’s data.

Having taken financial and other information from the target’s system, the criminal gang will threaten to sell this data, or leak it on the dark web, should the target refuse to pay the ransom, says RPC.

Richard Breavington, partner at RPC, which published the analysis, said these attacks have become “very lucrative for cybercriminals”.

Criminal gangs have found that blackmail threats over encryption alone are becoming less effective as businesses get better at backing up their systems, he explained, but hackers have honed their tactics and added this additional form of blackmail.

The figure of 42.2 million may include people that had their financial data compromised more than once in completely different and unrelated data breaches, RPC said.

“The surprisingly high number of people whose financial data was impacted in the last year shows how cyber attacks have become endemic,” said Mr Breavington.

“Hackers are continually refining their methods, employing ever more complex techniques to extort money in whatever way they can. Some businesses, fearing the potential reputational costs, not to mention other consequences, decide that they will take the last ditch approach of paying the ransom demands.

“As a result, these attacks have become very lucrative for cybercriminals.”

RPC says the financial cost to businesses posed by ransomware attacks can be dramatic. This includes not just the cost of the interruption to the business, but the various legal and regulatory ramifications of large amounts of personal data being taken.

Several large data breaches occurred in the past year, including one involving an airline, which saw nine million customers impacted. In the attack, believed to be one of the largest in the UK, hackers stole data including names, email addresses, travel details and credit card details.

RPC says the figures show how important it is for businesses to take precautions when processing and storing personal data relating to customers and employees. In addition to investing in robust IT security software, businesses should be careful as to where they hold sensitive data and how these files and folders are organised.

Mr Breavington said: “Before carrying out an attack, hackers are increasingly carrying out reconnaissance to scope out protections that are in place, as well as data held by the company. Businesses should not be making their jobs easier by signposting this information.”

The National Cyber Security Centre (NCSC) has previously warned that ransomware has now become the “most significant cyber threat facing the UK”.

“Over the past few years, we’ve seen ransomware evolve from a tactic used by splinter groups and individuals to the sophisticated, coordinated and highly profitable global operation it is today,” it says.