Cyber_Bytes - Issue 76
Welcome to Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.
RPC Cyber app: Breach counsel at your fingertips
As cyber-attacks and follow-on litigation continue to be a board-level issue for organisations worldwide, the RPCCyber_ App provides a one-stop-shop resource for cyber breach assistance and pre-breach preparedness. As well as information about RPC's cyber-related expertise, the app also contains guidance on prevention against common incidents and access to our ongoing cyber market insights.
RPCCyber_ can be downloaded for free from the Apple Store or Google Play Store.
Judgment Alert: Farley & Ors v Paymaster (1836) Ltd (t/a Equiniti) [2025] EWCA Civ 1117 (22 August 2025)
On 22 August 2025, the Court of Appeal handed down judgment in the case of Michael Farley v Paymaster (1836) Limited trading as Equiniti [2025] EWCA Civ 1117.
This is a potentially significant case for data subject litigation claims. It challenges existing case law regarding the need for claimants to demonstrate that a minimum threshold of seriousness has been met to claim compensation for breaches of the UK GDPR, and provides guidance on what constitutes “non-material damage” under Art 82, UK GDPR.
The administrator of the Sussex Police pension scheme sent annual benefit statements containing personal data to over 750 out-of-date residential addresses. As a result, claimants reported experiencing "anxiety, alarm, distress, and embarrassment", fearing their personal information may have been accessed by unknown third parties. The affected individuals sought compensation.
The Court of Appeal concluded that there is no minimum threshold of seriousness for a successful data subject claim under the UK GDPR. Allegations of “were not essential for such claims either. Loss recoverable in data subject claims “includes” but is not limited to distress and a successful claim can be made in respect of “annoyance or irritation caused by fear of third-party misuse”.
The Court of Appeal did clarify that losses based on distress or irritation would need to be “well-founded” and based on more than a “purely hypothetical risk”. However, overall, the judgment is beneficial for data subject claimants and provides some potential ammunition for claimants in data subject litigation.
Jaguar Land Rover's cyber-attack: Automotive supply chain to a halt
As widely reported, Jaguar Land Rover (JLR), one of the UK’s largest automotive manufacturers, has recently been affected by a significant cyber incident. This has forced the company to suspend operations across multiple British factories for nearly three weeks. The incident, first discovered on 1 September, prompted JLR to deliberately shut down its IT systems to contain the breach.
The prolonged incident has caused severe economic repercussions across the supply chain. JLR is reportedly losing up to £50 million per week due to suspended production. Hundreds of suppliers, many operating under “just-in-time” manufacturing principles, have faced immediate disruption. Some companies have reconfigured production with reports of reduced or zero pay for workers while others have begun redundancies. The interconnected nature of the automotive sector means that a severe incident can destabilise the entire supply network, with smaller businesses and their workforces facing immediate threats. The scale of disruption has prompted calls for the UK Government's intervention, including furlough support for affected workers.
This incident has highlighted the financial toll of a cyber-attack on the targeted business and its partners. The fragility and vulnerability of automotive supply chains shown during this incident will inevitably be the subject of further consideration as the fallout continues. In addition, experts warn that such attacks could become more frequent and severe, especially amid global tensions. Government and industry collaboration is therefore important to tackle escalating threats of cyber-attacks.
You can read more here from Wired.
Innovation at speed: Are businesses still addressing Cyber Risks?
According to Unisys' report published last month, organisations are accelerating their adoption of Cloud-based and AI tools, with 78% planning to increase AI investment in the coming years. However, the report found that business leaders did not appear to be investing in cyber security measures at the same rate.
Despite the surge in new technologies, 85% of organisations admit their cyber strategies are “too reactive”, leaving them exposed to well-known threats. Many organisations are prioritising investment in new technologies such as AI over strengthening defences against established cyber threats, as well as emerging risks.
Unisys reports a disconnect in the assessment of risks and investment priorities within companies. 63% of the executives who responded to the study believe security protocols hinder data analysis, compared to 35% of IT leaders. Similar conclusions were drawn in respect of Cloud services as 68% of business executives see cloud security as an impediment to innovation versus 37% of IT leaders.
This divergence has a potential impact on the adoption of security measures. For example, Unisys observed identity-based attacks being a major concern for IT professionals. However, fewer than half of organisations had prioritised identity-verification technologies as a security mechanism.
You can read more about Unisys' report here and here.
ICO launches consultation on UK GDPR recognised legitimate interest guidance
On 21 August 2025, the Information Commissioner's Office (ICO) launched a consultation on its draft guidance regarding "recognised legitimate interests" as a new lawful basis for processing personal data under The Data (Use and Access) Act 2025 (DUA).
A "recognised legitimate interest" is a specified purpose for handling personal data that is in the public interest, separate from the existing "legitimate interests" lawful basis set out in the UK GDPR. Under this new lawful basis, the processing must meet one of five pre-approved purposes that are in the public interest:
- Disclosure to a controller that requires the personal data to carry out a public interest task or to exercise its official authority where the controller has requested that data
- Safeguarding national security, protecting public security and defence purposes
- Responding to an emergency defined in the Civil Contingencies Act 2004
- Detecting, investigating or preventing crime, or apprehending or prosecuting offenders
- Safeguarding vulnerable individuals
The ICO's guidance on "recognised legitimate interest" aims to inform and support large organisations and data protection officers in the application of amendments made by DUA by providing details on this new legal basis for processing, including the benefits of using it and how it differs from the existing "legitimate interests" lawful basis. Its introduction will require organisations to review and update their data governance frameworks to the extent that they intend to rely on the new basis.
The ICO invites feedback to help finalise guidance and address queries through the consultation open until 30 October 2025.
You can access the survey here and the draft guidance here.
Cyber insurance tipped as commercial brokers’ biggest opportunity
Cyber insurance has emerged as the commercial insurance product with the greatest growth potential, according to a recent UK broker survey, securing 53.6% of the votes. Market reports indicate that cyber insurance premiums rose by approximately 68% in 2023, reflecting increased demand and evolving risks.
The frequency and severity of cyber incidents are driving demand, with the UK Government’s Cyber Security Breaches Survey 2023 reporting that 32% of businesses experienced a cyber breach or attack in the past year, with average costs exceeding £15,000 for medium and large firms. Brokers are expanding their cyber insurance offerings, and 75% identified cyber insurance as their biggest portfolio growth opportunity in 2024.
These trends highlight the importance of proactive cyber risk management and specialist insurance advice. As the market matures, brokers are increasingly called upon to interpret complex policy wordings and exclusions. Meanwhile legal advisers play a crucial role in supporting regulatory compliance and incident response. Collaboration between brokers, insurers, and legal professionals will be essential to ensure clients are equipped to manage cyber risks and benefit from comprehensive insurance protection.
Ransomware Group Exploits Hybrid Cloud Gaps, Gains Full Azure Control in Enterprise Attacks
Recent reporting by SecurityWeek details how sophisticated ransomware groups are targeting hybrid cloud environments, exploiting gaps between on-premises infrastructure and cloud platforms, such as Microsoft Azure. Attackers are leveraging compromised credentials, misconfigured identity management systems, and insufficient network segmentation to escalate privileges and gain full administrative control over Azure tenants. Once inside, threat actors can deploy ransomware, exfiltrate sensitive data, and disrupt critical business operations across both cloud and on-premises resources.
The risks associated with these attacks are significant for organisations relying on hybrid cloud models. Beyond immediate operational disruption and financial loss, compromised Azure environments can expose confidential client information, intellectual property, and regulated data to unauthorised access. The complexity of hybrid architectures can make it challenging to detect lateral movement and respond swiftly, increasing the likelihood of prolonged exposure and greater impact.
From a legal and regulatory perspective, such incidents may trigger mandatory breach notification requirements under the UK GDPR and other data protection regimes if personal data is affected. Organisations must also consider contractual obligations to clients and third parties.