Cyber_Bytes - Issue 81
Welcome to Issue 81 of Cyber_Bytes, our regular round-up of key developments in cyber, tech and evolving risks.
High Court extends injunction following ransomware data leak in ZAB v Persons Unknown
The High Court has continued an injunction against persons unknown following a ransomware incident involving the theft and publication of confidential information.
In ZAB v Persons Unknown, the Court considered a ransomware incident in which confidential information (including personal data) was exfiltrated and later published online.
The Court extended restrictions preventing the attackers (and others with notice of the order) from using, disclosing or publishing the stolen information, and maintained anonymity protections for the claimant.
There can be significant practical limitations in relation to an order of this type against persons unknown. This reflects, not least, the very limited prospects that such an order could ever be enforced against the ransomware perpetrators and/or secure removal of material published on a dark web leak site. However, in some situations an injunction of this type can have some potential utility.
The decision is a useful reminder that the courts are, in principle, prepared to grant targeted injunctive relief in response to ransomware-related publication of stolen data, and of the legal process involved in obtaining this type of injunction.
The judgment in ZAB v Persons Unknown is available here:
UK Government launches Cyber Resilience Pledge
The UK Government has launched a new Cyber Resilience Pledge aimed at encouraging organisations to strengthen their approach to cyber governance and resilience. Announced at CYBERUK, the initiative is directed primarily at medium and large organisations and sets out a series of commitments intended to raise baseline cyber security across the economy.
The pledge emphasises board-level accountability for cyber risk, close engagement with NCSC guidance, and improved oversight of supply chain resilience. Although voluntary, the initiative reflects a continued focus in UK Government messaging: cyber security is increasingly framed as a core organisational risk rather than a standalone technical function.
The focus on supply chains is particularly notable given the continued number of incidents linked to third-party providers and outsourced services. Many organisations already have controls in place, but levels of assurance, testing and accountability vary significantly.
The broader message is that cyber resilience should be part of day‑to‑day governance, influencing procurement decisions, supplier oversight and operational planning. The pledge offers an opportunity for organisations to assess whether their existing structures genuinely support consistent, accountable and well‑tested resilience practices.
Further detail on the Cyber Resilience Pledge is available here.
ICO fines South Staffordshire Water following cyber incident
The ICO has fined South Staffordshire Plc and South Staffordshire Water Plc £963,900 following a cyber-attack that resulted in the personal data of more than 630,000 individuals being accessed and subsequently published online.
According to the ICO, the perpetrator behind the attack maintained access to systems for an extended period, with shortcomings identified in monitoring, patch management and access controls. The decision reinforces a familiar theme: regulatory scrutiny increasingly focuses not only on whether security measures existed, but whether they were effective in practice.
Although the incident affected an organisation operating critical infrastructure, the broader lessons apply across sectors. Visibility over systems, timely remediation of vulnerabilities and effective access governance remain persistent areas of regulatory attention.
The decision highlights a growing regulatory expectation that organisations should be capable of detecting and containing threats before they escalate. It is a reminder to revisit monitoring, access governance and vulnerability management to ensure that controls operate effectively in practice.
The ICO’s announcement is available here.
UK Cyber Security Breaches Survey 2026 highlights resilience gap
The UK Government's Department of Science and Technology has published its Cyber Security Breaches Survey 2026, which presents a mixed picture of organisational resilience. Awareness of cyber risk remains relatively high, but the implementation of practical resilience measures continues to vary significantly across organisations.
Phishing remains the most reported attack type, reflecting the continued effectiveness of familiar tactics. Larger organisations generally report more mature governance structures and control environments, whilst smaller businesses continue to face challenges in areas such as incident response planning, cyber exercises and supply chain assurance.
A notable theme is the persistent gap between awareness and preparedness. Recognising cyber risk as an important issue does not necessarily translate into tested escalation processes, clear decision-making structures or effective response capability when incidents occur.
The survey serves as a prompt to validate assumptions, strengthen response capability and ensure that routine threats can be contained before they develop into operational disruptions.
The full Cyber Security Breaches Survey 2026 is available here.
ICO signals more practical approach ahead of UK data law reforms
The ICO has issued updated guidance ahead of the upcoming changes to the UK’s data protection framework.
The ICO’s messaging reflects a movement away from highly prescriptive compliance requirements and towards a more flexible, risk-based approach to accountability. While the underlying data protection principles remain largely unchanged, the reforms are intended to give organisations greater discretion over how compliance is managed and evidenced.
The reforms affect several operational areas, including subject access requests, complaints handling and international data transfers. Organisations may need to revisit whether existing processes are scalable and well documented, and whether internal roles and escalation routes are clear.
The ICO has stressed that the changes should not be interpreted as lowering data protection standards. In practice, organisations will still need to demonstrate effective oversight of personal data risks and the controls in place.
For many businesses, the practical impact is unlikely to require wholesale redesign of compliance frameworks. Instead, the focus will be on ensuring existing governance, documentation and decision-making processes remain fit for purpose under the updated regime.
The ICO’s guidance on preparing for the reforms is available here.