Darren Warren asked for five thousand pounds for the distress of having his data stolen from Currys' tills. The High Court struck most of his claim out.

Meanwhile, specialist law firms ran "Were you affected by the Currys breach?" campaigns, then quietly closed their books without any settlement.

The Court of Appeal confirmed in February 2026 that DSG absolutely had a duty to protect that data. By then, most claimants' limitation periods had expired.

This is the story of how 14 million people ended up with nothing, and the practical lesson every small business owner needs to take from it.

A 30-person marketing agency in Manchester did everything right. £15,000 invested in proper security: new firewalls, enterprise endpoint protection, hardware authentication keys for every staff member, and even an external security audit that came back clean.

They were feeling quite good about themselves. Two months later?

Someone had been accessing their client files for weeks through their HP printer that still used admin/admin as credentials.

Total costs: £43,400 direct expenses, three lost clients, five renegotiated contracts, and ongoing competitive damage.

This is the complete story of how a £300 printer defeated a £15,000 security investment.

Real timeline. Real costs. Real lessons you need before this happens to you.

On 3 June 2024, the Qilin ransomware gang compromised Synnovis, a pathology provider serving NHS hospitals across southeast London. Blood testing collapsed. Over 10,000 appointments were cancelled. More than 1,700 operations were postponed. A patient died waiting for test results that never arrived. The attack succeeded because multi-factor authentication was not enabled. Here is the complete timeline of how a preventable security failure cascaded into catastrophic harm, the technical details of the attack vector, the devastating human and financial cost, and what every UK business must learn from this disaster. This is what happens when free security controls are ignored.

Manchester marketing agency, 28 staff, £2.4M revenue. CFO proposed cutting security training: "£12,000 annually for slides nobody watches." Board agreed. Six months later, junior account manager clicked phishing link in fake client brief. No training meant she didn't recognise warning signs. Credentials stolen, ransomware deployed, three weeks offline. Recovery costs: £190,000. ICO investigation: inadequate training documented.

They saved £12,000 and spent £190,000 learning what training actually prevented. This is a real case, anonymized details, taught me never to treat training as optional expense. Names changed. Mistakes real. Costs actual.