
Technology & Digital round-up: November 2025

“Welcome to the November 2025 edition of our Technology & Digital round-up. This month we’re focusing on cyber-attacks, AI sandbox developments, and landmark fines for data breaches.”

– Sally Mewies, Partner and Head of Technology & Digital

If you’d like to receive the Technology & Digital round-up and other similar updates direct to your inbox, please click here.

Get in touch with Sally Mewies, Andrew Northage, Nick Stubbs, Paul Armstrong, Luke Jackson or any member of our Technology & Digital team if you have any queries or need advice or assistance.

Ready to protect your business against cyber-attacks? Click here to access our cybersecurity and data protection tool.

Here are your top stories for November.

#1: £100M cyberattack on JLR: UK’s costliest breach hits Tata Group

The cyber-attack on Jaguar Land Rover (JLR) has been identified by analysts as the most expensive in UK history, with estimated costs exceeding £100 million. The breach, which targeted JLR’s parent company Tata Group, disrupted operations and exposed sensitive data, including internal documents and employee information, prompting a major investigation and response effort.

Experts believe the attack was carried out by the ALPHV/BlackCat ransomware group, known for targeting large corporations. The scale and impact of the breach have raised serious concerns about cybersecurity resilience in the UK’s automotive and manufacturing sectors, with calls for stronger protections and more robust incident response strategies.

“It’s no longer sufficient to treat cyber threats as isolated IT issues; they are strategic risks that can cripple operations, compromise sensitive data, and erode public trust. If your business needs to defend itself against the threat of a cyber-attack, you can get a head-start by accessing our cybersecurity and data protection tool.”


– Luke Jackson, Director, Commercial

#2: Capita fined £14M over data breach affecting 6.6 million people

Capita has been fined £14 million by the Information Commissioner’s Office (ICO) for a major data breach in March 2023 that exposed the personal information of 6.6 million people. The breach occurred after a malicious file was downloaded onto an employee’s device, which Capita failed to quarantine for 58 hours despite an immediate security alert.

This allowed hackers to infiltrate the network, gain administrator access, and exfiltrate nearly one terabyte of data, including sensitive information such as criminal records and financial data. The ICO found that Capita lacked adequate cybersecurity measures, including failure to prevent privilege escalation, poor response to alerts, and insufficient penetration testing.

The ICO initially proposed a £45 million fine but reduced it after Capita submitted mitigating factors, including post-attack improvements and support for affected individuals. Capita accepted liability and agreed to the final penalty without appeal. The investigation revealed systemic failures in Capita’s cybersecurity practices, such as understaffed security operations and siloed risk assessments.

The ICO emphasized that robust cybersecurity is essential for public trust and economic resilience, urging all organisations to proactively safeguard personal data and follow best practices outlined by the National Cyber Security Centre.

“Capita’s £14 million fine highlights the legal risks of inadequate cybersecurity, reinforcing the duty of care organisations owe to protect personal data. Commercially, it serves as a stark warning that poor cyber hygiene can lead to reputational damage, regulatory penalties, and long-term financial consequences.”

– Paul Armstrong, Director, Commercial

#3: Government unveils AI sandbox plan to drive innovation and public trust

The UK government has unveiled a new blueprint for AI regulation aimed at accelerating innovation and boosting public trust. Announced by the Technology Secretary at the Times Tech Summit, the plan introduces “AI sandboxes”—controlled environments where regulations can be temporarily relaxed to test AI technologies safely in sectors like healthcare, transport, and professional services.

This initiative, part of the broader “Plan for Change,” seeks to streamline planning approvals, reduce NHS waiting times, and cut bureaucracy, potentially saving businesses nearly £6 billion annually by 2029. The AI Growth Lab will pilot responsible AI applications, helping unlock real-world benefits while maintaining safety and oversight.

“The UK’s AI sandbox initiative presents a progressive legal framework that balances innovation with oversight, allowing for flexible testing while maintaining accountability. It signals a major opportunity for businesses to accelerate AI deployment, reduce regulatory friction, and unlock billions in economic value—provided ethical and safety standards are upheld.”


– Nick Stubbs, Partner, Commercial

More recent updates…

  • The UK government’s AI tool, Consult, rapidly analysed over 50,000 public responses to a water sector review in just two hours—matching human accuracy and potentially saving 75,000 days of manual work annually—demonstrating how AI can significantly improve government efficiency and reduce taxpayer costs.
  • The UK Upper Tribunal has ruled that Clearview AI Inc.’s scraping and processing of UK residents’ images for facial recognition services falls within the scope of UK data protection law, even though the company is based in the US and serves foreign law enforcement agencies.
  • Ofcom has announced the final results of its spectrum auction for the 700 MHz and 3.6–3.8 GHz bands, awarding licences to EE, Hutchison 3G UK, Telefónica UK, and Vodafone following a multi-stage process that raised a total of £1.38 billion for HM Treasury. The auction enables these mobile operators to enhance mobile services and expand 5G coverage across the UK, with flexibility to trade spectrum holdings to optimise network performance.

 

…and in other news

  • We originally reported on the new Online Safety Act in our September 2025 Technology & Digital Round-up. Since then, Ofcom has issued an update on its enforcement of the Online Safety Act, revealing it has launched five programmes and 21 investigations into 69 sites and apps, including action against platforms like 4chan and file-sharing services for failing to tackle child sexual abuse material (CSAM) and respond to legally binding information requests.
  • The NCSC have published an article emphasizing that improving national cyber resilience requires organizations to enhance both observability—having full visibility across networks, systems, and services—and threat hunting—the proactive search for signs of cyber threats beyond automated detection. Without comprehensive observability, critical areas of digital infrastructure remain hidden, making it difficult to detect and investigate malicious activity, and limiting the effectiveness of threat hunting efforts.
  • The Competition and Markets Authority (CMA) is consulting on proposed updates to its merger remedies guidance to improve transparency, efficiency, and predictability in the UK’s merger control regime. The changes aim to provide greater flexibility in accepting behavioural remedies, support pro-competitive efficiencies and customer benefits, and enhance engagement with businesses, all while maintaining the ability to reject ineffective remedies that could harm competition.
  • The NCSC has introduced a new standard for post-quantum cryptography (PQC), outlining a phased roadmap to help UK organisations transition to quantum-resistant encryption by 2035, in response to the growing threat posed by future quantum computers that could break current cryptographic methods.
  • The UK government has confirmed that digital ID checks under its new employment verification system will not be mandatory until individuals change jobs, aiming to reduce disruption and give people time to adapt to the new process.
  • The UK’s Competition and Markets Authority (CMA) has officially designated Apple and Google as having strategic market status (SMS) in their respective mobile platforms—covering operating systems, app distribution, and browsers—due to their entrenched market power and critical role in the UK’s digital economy, enabling the CMA to consider targeted interventions to promote fair competition and innovation.

How we can support you

If you have queries about any of the points covered in this edition of the Technology & Digital round-up, or need further advice or assistance, please get in touch with Sally, Andrew, Nick, Paul, Luke or one of our Technology & Digital experts.

Want to watch a previous webinar? Visit our digital academy, home to a library of digital content including webinars, our bite-sized video nuggets and podcasts, including our 60 second videos on what is an NFT and what is a blockchain.

Want to learn more from our Technology & Digital experts and be the first to receive important updates, developments and events from the team? Then visit our #WMTechTalk page or sign up for our newsletter, the Technology & Digital round-up here.

Our people

  • Sally Mewies, Partner, Head of Technology & Digital
  • Andrew Northage, Partner, Regulatory & Compliance
  • Nick Stubbs, Partner
  • Paul Armstrong, Director, Commercial
  • Luke Jackson, Director, Commercial