UK’s essential services under constant cyberattacks as bosses fear for public data
Britain’s critical infrastructure is getting hacked at an alarming scale, and the people running it are increasingly unsure they can protect the public’s data.
Most organizations underpinning Britain’s essential services – including hospitals, transport networks, banks, energy providers, and water utilities – were hit by a cyberattack last year.
Of 600 critical national infrastructure (CNI) leaders surveyed for a report published by security firm Bridewell, 93% said they had dealt with a cyber incident in the past year.
These organizations hold vast troves of sensitive data – from medical records to financial details and travel histories – yet nearly 40% said they were not confident in their ability to protect it, including understanding what they hold and how it is secured.
The gaps are basic. More than 30% lack confidence in third-party due diligence, and 28% are unsure about record-keeping. Both are critical to safeguarding personal data.
New laws, including the Cyber Security and Resilience Bill introduced in 2025, will require organizations to report cyberattacks. But adoption of existing standards remains uneven.
Only around half said they follow national cyber frameworks such as Cyber Essentials, while just a third have adopted the EU’s NIS2 directive.
Real-world disruption
The impact is already visible. The report found that 50% of organizations suffered IT outages, while 34% experienced operational disruption, indicating that cyberattacks are not only frequent but also capable of affecting essential services.
Recent incidents underline the risk. A cyberattack on Transport for London exposed Oyster and contactless data affecting around 10 million people, while disrupting internal systems.
In healthcare, a ransomware attack on an NHS supplier led to hundreds of cancelled operations and appointments in a week, including cancer treatments and transplants. The situation forced hospitals back to manual systems, prompting warnings that “death by cyberattack” is no longer hypothetical.
There are signs of a response, however. Around 36% of CNI security bosses said incidents had led to increased cybersecurity budgets.
Cloudy with a chance of attack
Cloud infrastructure is expanding the threat. Cloud systems account for around 25% of attacks, the most exposed environment, followed by software at 18%.
“It’s not how they’re getting in, but once they get in, they are looking at how they make the most meaningful impact,” noted Bridewell CTO Martin Riley at a briefing event following the release of the report.
Strong password generator
“Many organizations are scattered across Microsoft, AWS, Google… and the challenge is how do I understand how I need to be able to protect that scaling attack surface that exists?”
As systems become more connected, attack vectors are growing. Even so, the report indicates the biggest weakness is still human.
Phishing and business email compromise dominate, with organizations facing an average of 11 phishing attacks per year, compared with eight malware incidents and seven denial-of-service incidents.
A quarter of attacks stem from “insider risk.” But rather than industrial or geopolitical espionage, they're often simple mistakes, such as exposing systems or sending sensitive data to the wrong person.
AI “accelerating the data problem”
According to the report, Artificial intelligence is compounding the challenge, with 40% of CNI leaders now seeing AI as a key security risk.
Bridewell describes AI as “accelerating the data problem,” making sensitive information easier to access and expose while opening new attack paths.
“If an attacker gets into an organization and gets access to those AI systems, they can use that very quickly to gain sensitive information… it can speed up what can be found and what can be done from that attacker’s perspective,” said Bridewell CEO Anthony Young.
“We’re starting to see more data passed into shadow AI than we ever have… and being able to grapple with that from a compliance perspective is really difficult,” added the security firm’s COO, Sam Thornton.
Yet, while CNI organizations hold vast amounts of sensitive data, experts stop short of saying that the public is inherently more at risk, pointing to the Scattered Spider attacks on retailers last year and the Vegas casino breaches as examples of commercial sector companies that had been hit by the same threat actors.
“I don’t… think it’s fair to say you’re more at risk with a CNI organization than a private organization… but private organizations are probably a little bit quicker to market to either take on new technology or improve cyber maturity,” Thornton added.
Unlock more exclusive Cybernews content on YouTube.
