Breach of the Month Club: March 2025 Edition
Welcome back to Breach of the Month Club — the only club where membership is involuntary, reputational damage is part of the welcome pack, and no one is shocked you're here.
March 2025 has been a buffet of breaches. High-profile names, lots of finger-pointing, and the usual chorus of "We're taking this very seriously." So grab a cuppa, and let’s see which organisations tripped over their own security policies this month.
💸 Lloyds Banking Group: Paper Trail of Pain
Let’s kick things off with a classic: human error. Lloyds Banking Group, one of the UK's largest financial institutions, managed to send confidential bank statements to the wrong customer via post. Not digital. Not encrypted. Just envelopes, stamps, and misdirected financial doom.
One of the statements included details of a client with over £5 million invested. The recipient of this confidential treasure trove did the right thing and reported it—though they weren’t exactly impressed by Lloyds' response. The bank offered £300 in compensation and issued the standard statement: "We've reviewed and updated our processes." Sure.
While mistakes happen, this wasn't just a rogue letter. This was a systemic issue in how statements were reviewed, signed off, and sent. For a bank with billions under management, it feels like a 101 fail. The Information Commissioner’s Office (ICO) was notified, and Lloyds has since promised a full procedural review.
Breach Type: Data Disclosure (Postal Error)
Takeaway: If your process relies on perfect human execution without checks, it’s not a secure process—it’s wishful thinking.
🚗 Jaguar Land Rover: The Wheels Came Off
Luxury car manufacturer Jaguar Land Rover hit the headlines after 350GB of internal data was allegedly stolen by the ransomware gang Hellfire. The group claimed they accessed the company’s systems via compromised JIRA credentials. Let that sink in: a billion-pound enterprise brought to its knees through a project management platform login.
According to reports, the gang infiltrated development, manufacturing, and supplier systems. The stolen data included engineering blueprints, supplier contracts, and sensitive internal communications. At the time of writing, Jaguar Land Rover has not confirmed the breach publicly, but internal communications suggest they’re scrambling behind the scenes.
Cyber security experts were quick to point out that compromised credentials are one of the most common initial access methods, and that MFA (multi-factor authentication) could have mitigated or stopped the intrusion entirely. The real question: why wasn’t it enforced in the first place?
Breach Type: Ransomware / Data Exfiltration
Takeaway: Your security posture is only as strong as your weakest login screen. And for a company building autonomous vehicles, that’s a spectacularly ironic failure.
🏛 Reform UK: GDPR? Never Heard of It
Nigel Farage’s Reform UK party found itself in legal hot water after failing to respond to over 50 Subject Access Requests (SARs) — a direct breach of GDPR. The Good Law Project, unsurprisingly unimpressed, has taken them to court.
The SARs came from individuals concerned about how their personal data was being used and stored by the party. Instead of responding within the 30-day legal requirement, Reform UK... did nothing. Radio silence. That might work for political messaging, but it doesn’t fly with the ICO.
This isn’t just a data protection issue. It’s a credibility issue. Political parties collect vast amounts of data, often from emotionally and ideologically charged interactions. Failing to meet basic legal obligations doesn't just risk fines — it damages public trust.
Breach Type: GDPR Non-Compliance (Failure to Respond to DSARs)
Takeaway: If you're asking the public to trust you with power, maybe start by responding to your email.
🌿 23andMe: Genetic Meltdown
It began with a breach in late 2023, but the fallout only crescendoed in March 2025. 23andMe confirmed that attackers had accessed nearly 7 million user profiles, targeting genetic data tied to Jewish and Chinese ancestries. And then the lawsuits began.
After agreeing to a $30 million settlement in the US, 23andMe filed for bankruptcy. CEO Anne Wojcicki resigned, and the company’s future hangs in limbo. The data included not just user profiles, but also familial connections and raw genetic data — arguably some of the most sensitive personal information imaginable.
The cause? Credential stuffing. Attackers used previously leaked passwords to log into 23andMe accounts. From there, they exploited the DNA Relatives feature to scrape millions of linked profiles.
Breach Type: Account Compromise / Targeted Data Harvesting
Takeaway: If your business model is based on collecting humanity's source code, maybe spend a bit more on securing user logins.
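Credential stuffing has a recognisable shape in your own authentication logs: one source hammering many different accounts with a low success rate, followed by a handful of successes. The following is an added example, not code from the original post or from 23andMe, that scores constructed log lines for that pattern and lists the accounts that were actually logged into from a flagged source, which is the list you would force-reset and put behind MFA. The four-field log layout, thresholds and sample addresses are assumptions made for the illustration.

```python
"""Detect credential-stuffing patterns in web-app authentication logs.

Added example (not from the original post). The log format below is an
assumption: ISO timestamp, source IP, username, outcome (OK or FAIL).
"""

from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log. 203.0.113.7 walks through eight different accounts
# with leaked passwords and gets into two of them; 198.51.100.4 is a real
# user who fat-fingers their own password twice; 192.0.2.9 logs in cleanly.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z 203.0.113.7 alice FAIL
2025-03-01T10:00:02Z 203.0.113.7 bob FAIL
2025-03-01T10:00:03Z 203.0.113.7 carol OK
2025-03-01T10:00:04Z 203.0.113.7 dave FAIL
2025-03-01T10:00:05Z 203.0.113.7 erin FAIL
2025-03-01T10:00:06Z 203.0.113.7 frank FAIL
2025-03-01T10:00:07Z 203.0.113.7 grace OK
2025-03-01T10:00:08Z 203.0.113.7 heidi FAIL
2025-03-01T10:00:09Z 203.0.113.7 alice FAIL
2025-03-01T10:00:10Z 203.0.113.7 bob FAIL
2025-03-01T10:01:00Z 198.51.100.4 alice FAIL
2025-03-01T10:01:05Z 198.51.100.4 alice FAIL
2025-03-01T10:01:12Z 198.51.100.4 alice OK
2025-03-01T10:02:00Z 192.0.2.9 bob OK
"""


@dataclass
class AuthEvent:
    ts: str
    src_ip: str
    user: str
    ok: bool


@dataclass
class Finding:
    src_ip: str
    attempts: int
    distinct_accounts: int
    successes: int
    # Accounts that were successfully entered from the flagged source:
    # these need session revocation, a password reset and MFA enforced.
    compromised_accounts: list = field(default_factory=list)


def parse_log(text):
    """Parse the assumed four-field format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, user, outcome = line.split()
        events.append(AuthEvent(ts, ip, user, outcome == "OK"))
    return events


def detect_stuffing(events, min_accounts=5, max_success_rate=0.3):
    """Flag each source IP that tried at least `min_accounts` distinct
    usernames with a success rate at or below `max_success_rate`.

    A single user retrying their own password never trips this, because
    the distinct-account count stays at one.
    """
    per_ip = defaultdict(list)
    for ev in events:
        per_ip[ev.src_ip].append(ev)

    findings = {}
    for ip, evs in per_ip.items():
        users = {ev.user for ev in evs}
        ok = [ev for ev in evs if ev.ok]
        rate = len(ok) / len(evs)
        if len(users) >= min_accounts and rate <= max_success_rate:
            findings[ip] = Finding(
                src_ip=ip,
                attempts=len(evs),
                distinct_accounts=len(users),
                successes=len(ok),
                compromised_accounts=sorted({ev.user for ev in ok}),
            )
    return findings


if __name__ == "__main__":
    for ip, f in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f.attempts} attempts across {f.distinct_accounts} "
              f"accounts, {f.successes} succeeded -> reset {f.compromised_accounts}")
```

The thresholds are deliberately coarse; in production you would window by time, key on more than the source address (user agent, ASN, TLS fingerprint), and feed flagged accounts into a step-up authentication flow rather than only a report.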
🏪 Morrisons: Supermarket Sweep (of Chaos)
UK supermarket giant Morrisons blamed poor sales growth on a cyberattack against one of its third-party tech providers, Blue Yonder. The attack disrupted inventory, demand forecasting, and stock level visibility. Which, for a supermarket, is like losing your sense of smell.
Although Morrisons itself wasn’t directly breached, the fallout was severe. Reports suggest the company is now accelerating job cuts and increasing cost-saving targets to counteract the impact.
The real lesson here is about supply chain risk. Morrisons had apparently not built enough redundancy into their forecasting or inventory tools. When Blue Yonder went down, they were left blind.
Breach Type: Third-Party Supply Chain Disruption
Takeaway: Just because the breach wasn't in your house doesn’t mean it won’t burn it down.
🗳️ ICRIR: Name Drop, Literally
The Independent Commission for Reconciliation and Information Recovery (ICRIR) had a red-faced moment after emailing a list of 25 individual names to the wrong person. The data was meant for internal use only. One click later, it was sitting in someone else's inbox.
To their credit, ICRIR owned the mistake quickly and informed the ICO. But for a body set up to handle highly sensitive information linked to historical conflict, even a small breach carries enormous weight.
It’s a timely reminder that even the most secure systems can’t compensate for everyday human errors, especially around email.
Breach Type: Accidental Disclosure (Misaddressed Email)
Takeaway: You can't reconcile with the past if you're still copy-pasting email addresses like it's 1999.
📊 Bonus Stat: Half of UK Firms Hit by Third-Party Breaches
According to a study by Imprivata and the Ponemon Institute, 51% of UK organisations suffered a breach or cyberattack via third-party network access in the last year. That’s higher than the global average, and most of it comes down to poor visibility and controls over vendor access.
Most businesses still operate on a trust model when dealing with suppliers: "Here's access to our systems, please don’t be evil." Turns out, hope isn’t a strategy.
Takeaway: If you’re not vetting, monitoring, and restricting third-party access, you’re gambling. And the house always wins.
Final Thoughts
The March 2025 edition of the Breach of the Month Club has made one thing very clear: size doesn't equal security. From finance to politics to the car industry, big names continue to get caught with their digital trousers down.
So, what can the rest of us learn?
Train your staff.
Patch your systems.
Vet your suppliers.
Don’t ignore the law.
And maybe, just maybe, stop assuming it won’t happen to you.
Because if these guys can’t get it right with all their resources, what’s your excuse?
Until next time, keep your data tight and your headlines out of this column.
Sources
Organisation | Source | Link
---|---|---
Lloyds Banking Group | Financial Times | ft.com
Lloyds Banking Group | CyberNews | cybernews.com
Lloyds Banking Group | PrivacyShot | privacyshot.com
Lloyds Banking Group | Lloyds Press Release | lloydsbankinggroup.com
Jaguar Land Rover | Computing UK | computing.co.uk
Jaguar Land Rover | SC Magazine UK | scmagazineuk.com
Jaguar Land Rover | TechRadar | techradar.com
Jaguar Land Rover | The Register | theregister.com
Reform UK | Computing UK | computing.co.uk
Reform UK | Lawyer Monthly | lawyer-monthly.com
Reform UK | Dorset Eye | dorseteye.com
Reform UK | SC Magazine UK | scmagazineuk.com
23andMe | The Sun | the-sun.com
23andMe | The Times | thetimes.co.uk
23andMe | NPR | npr.org
23andMe | TechCrunch | techcrunch.com