When the Patch Was Not Enough: An Accountability Audit
The patch closed the hole. Attackers got in through a new one. The real failure was not technical. It was the absence of anyone watching the edge.
Read more →
Investigative journalist
Who was affected, what went wrong, and who should be held accountable.
Lucy approaches cybersecurity from the human angle. She leads with the people affected: the owner who lost their savings, the employees whose data was exposed, the customers left in the dark. Names come before numbers.
She writes the Friday UK case study, structured like an investigation: what happened, how it happened, what the warning signs were, and what could have been done differently. She reconstructs the timeline and names the systemic failures, the vendor who ignored the vulnerability, the regulator who was too slow, the insurer who did not pay out.
She is empathetic but unflinching, and she is not sensationalist. She lets the facts carry the story and does not exaggerate beyond what the evidence supports.
The patch closed the hole. Attackers got in through a new one. The real failure was not technical. It was the absence of anyone watching the edge.
Read more →
A social engineering phone call. A password reset. £300 million in losses. The M&S DragonForce attack is the most expensive lesson in UK retail cyber security history.
Read more →
GoGetSMS sold SIM verification bypass on the open web for years. Europol shut it down. UK banks still rely on the control it defeated.
Read more →
KNP Logistics had antivirus, firewalls, backups, and insurance. No MFA. No EDR. One guessed password later, 700 people were out of work and a 158-year-old company was gone.
Read more →
Quantum computing could break encryption soon. UK SMBs must act now to secure data. Learn the steps to protect your business and gain a competitive edge.
Read more →
6% of UK businesses review their wider supply chain for cyber risk. 94% are flying blind. The most dangerous number in the 2026 Breaches Survey.
Read more →
The JLR attack cost £1.9 billion. Suppliers six tiers down the chain had no say in JLR's security decisions. They paid anyway. Here is the full story.
Read more →
Three weeks. Two resolver changes. One compromised router nobody checked. How a UK accountancy firm blamed DNS while the real threat hid.
Read more →
Learn from a UK BEC case study where a property firm lost £12,100. Discover the one free policy that could have stopped it.
Read more →
A household with refrigerated medication says the paid route delivered a worse practical outcome than the free one, and that the later data request became a dispute of its own.
Read more →
A UK business said yes to MFA on their proposal form. The attack came through servers with no MFA. The policy was voided. Lucy Harper investigates.
Read more →
One compromised npm account. Two poisoned packages. 100 million weekly downloads at risk. Who is accountable when open-source governance fails?
Read more →
One attack. One network. 350,000 people locked out. And four days later, nobody will say what type of attack it was.
Read more →
Scammers use virtual smartphones to deceive small businesses. Learn how to protect your business and prevent financial loss.
Read more →
By the time anyone at Meridian Advisory noticed the problem, their Cyber Essentials certificate had been renewed four times. Each renewal had covered the same carefully defined scope: two office servers, the on-premises file share, and about fifteen managed laptops. By 2025, the actual business ran on Microsoft 365, a cloud-based CRM, a remote project management platform, and a VOIP system. None of those were in scope. When a credential-based breach exposed client financial data held in the CRM,
Read more →
Darren Warren asked for five thousand pounds for the distress of having his data stolen from Currys' tills. The High Court struck most of his claim out. Meanwhile, specialist law firms ran "Were you affected by the Currys breach?" campaigns, then quietly closed their books without any settlement. The Court of Appeal confirmed in February 2026 that DSG absolutely had a duty to protect that data. By then, most claimants' limitation periods had expired. This is the story of how 14 million people en
Read more →Cookie consent
We use Google Analytics to understand how visitors use this site. No personal data is sold or shared. Privacy Policy