Darren Warren asked for five thousand pounds for the distress of having his data stolen from Currys' tills. The High Court struck most of his claim out. Meanwhile, specialist law firms ran "Were you affected by the Currys breach?" campaigns, then quietly closed their books without any settlement. The Court of Appeal confirmed in February 2026 that DSG absolutely had a duty to protect that data. By then, most claimants' limitation periods had expired. This is the story of how 14 million people en
I spent time with Mauven this week working through the Unit 42 Global Incident Response Report 2026. Seven hundred and fifty incident response engagements. Fifty-plus countries. Real cases. The headline statistic, 89% of investigations involving identity as a material factor, is striking. But it's not the number that should concern you most. It's what that number tells us about where organisations are spending their security budgets versus where attackers are actually operating. They are not in
Malware sat on 5,390 Currys tills for nine months. Nobody noticed. That is not a sophisticated nation-state attack. That is a basic monitoring failure. The ICO called the missing controls "basic, commonplace security measures." In plain English: this was avoidable. If you run a small or medium-sized business and you process payment data, hold customer records, or manage staff information, this week's practical guide gives you four specific controls to implement. No expensive tooling. No consulta
The ICO's General Counsel called the Currys Court of Appeal ruling "a significant victory." And in strict legal terms, she is right. Lord Justice Warby's judgment closes a dangerous loophole and clarifies that personal data must be assessed from the controller's perspective. But while the lawyers celebrate, roughly 14 million people are sitting with expired limitation periods and no compensation route. The legal system confirmed DSG was in the wrong at the precise moment most victims could no lo
Last week, researchers proved something that should make every small business owner put down their coffee. Your Wi-Fi guest network, the one you set up so visitors don't touch your business systems, doesn't actually protect you. A new attack called AirSnitch lets anyone already on your network spy on every device connected to the same physical router, regardless of which network name they joined, regardless of whether you're running WPA2 or WPA3. Every single router tested failed. Here's what it
In September 2024, a UK tribunal concluded that 5.6 million stolen card records might not constitute personal data. The argument was structural, not frivolous. Hackers who cannot identify individuals from card numbers alone are not, the Upper Tribunal suggested, processing personal data. The Court of Appeal corrected that in February 2026. Lord Justice Warby's ruling establishes a clean and reusable test: you assess whether data is personal from the controller's perspective, not the attacker's.
Darren Warren asked for five thousand pounds in compensation for the distress of having his data stolen from Currys' tills. The High Court struck most of his claim out. Meanwhile, specialist law firms ran "Were you affected by the Currys breach?" campaigns, then quietly closed their books without any settlement. The Court of Appeal confirmed in February 2026 that DSG absolutely had a duty to protect that data. By then, most claimants' limitation periods had expired. This is a case study in how 1
In early 2026, the FBI served Microsoft with a search warrant. Microsoft handed over the BitLocker encryption keys for three laptops. No hack. No breach. No compromised passwords. Just a warrant, and Microsoft's compliance. Here is what nobody in UK small business is talking about: those same default settings that allowed this are almost certainly running on your devices right now. And the legal mechanism that made it possible, the US CLOUD Act, reaches across the Atlantic directly into your Mic
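The check a practitioner wants after reading that is simple: which key protectors does the drive actually carry, and can the recovery password that Windows escrowed be replaced so the escrowed copy no longer unlocks anything? The PowerShell below is an added example, not code from the article or from Microsoft. It assumes Windows 10/11 with the built-in BitLocker module, an elevated session, and an operating-system drive at C:; the printed-key step is illustrative and you should substitute whatever offline storage your own process uses.

```powershell
# Added example (not from the original article): audit and rotate the
# BitLocker recovery password on the OS drive so that any copy already
# escrowed to a Microsoft account, Entra ID or AD DS is stale.
# Assumes Windows 10/11, the built-in BitLocker module, elevation, drive C:.
#Requires -RunAsAdministrator

$mount  = 'C:'
$volume = Get-BitLockerVolume -MountPoint $mount

# 1. Inventory. The RecoveryPassword protector is the 48-digit key that
#    Windows uploads to the signed-in Microsoft account (consumer devices) or
#    to Entra ID / AD DS (managed devices) unless policy says otherwise.
$volume.KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId |
    Format-Table -AutoSize

# 2. Rotate. Remove every existing RecoveryPassword protector, then add a
#    fresh one. The TPM protector is untouched, so normal boot still works,
#    but whatever 48-digit key was escrowed before this point is now useless.
$old = $volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
foreach ($p in $old) {
    Remove-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $p.KeyProtectorId | Out-Null
}
$after = Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector

# 3. Record the new key somewhere you control. Deliberately do NOT call
#    BackupToAAD-BitLockerKeyProtector here; that would hand the fresh key
#    straight back to the tenant, which is the exposure the article describes.
$new = $after.KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
    Select-Object -Last 1
Write-Output "New recovery password for $mount (store offline, not in the cloud):"
Write-Output $new.RecoveryPassword
```

Rotation only helps if the new key stays out of the same place. On a device still signed in with a Microsoft account, or enrolled in Intune with a BitLocker escrow policy, Windows or the MDM may upload the replacement automatically, so after running this confirm what the account actually holds at https://account.microsoft.com/devices/recoverykey (or the device's page in the Entra/Intune portal) rather than assuming.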
France banned Zoom and Teams from government. Germany is migrating 30,000 workstations to open source and saving €15 million a year. The Dutch Parliament demanded exit strategies from US cloud. Switzerland declared US cloud unsuitable for government data. The UK has produced no sovereign cloud strategy, no government migration programme, no regulatory enforcement on CLOUD Act exposure, and no explicit guidance for commercial organisations. Noel Bradford, with 40-odd years of watching the UK IT e
An Amazon driver just delivered the most useful security lesson of 2026 and he charged absolutely nothing for it. While trying to drop off a parcel, he couldn't find a safe place, so he thought laterally, worked out the code to a locked shed, left the parcel inside, and then wrote a note explaining exactly how he got in. He documented the breach. He filed the report. He even ticked the compliance checkbox. Your IT company just got shown up by a bloke in a high-vis jacket. The question is: are yo
Switzerland's military commissioned a 20-page risk assessment of Palantir's software. The findings were blunt: data held by Palantir could be accessed by the American government, leaks could not be technically prevented, and the Army would become dependent on Palantir specialists. The recommendation was unambiguous: consider alternatives. Neutral Switzerland quietly walked away. The United Kingdom looked at the same company and gave them more than £900 million in contracts across the NHS, Minist
Every UK business using Microsoft 365, Google Workspace, or any US cloud service has an unassessed CLOUD Act exposure. This guide gives you a step-by-step process to map it: list your vendors, identify your crown jewels, check who controls the encryption keys, fold the findings into your DPIAs, and build a realistic exit plan. No consultancy fees, no jargon, no panic. One afternoon with your IT lead and a spreadsheet. By Friday you will know exactly where your business sits and what, if anything
You did not set out to build US-centric infrastructure. You just bought what was on page one of Google. Email, documents, calendars, chat, CRM, help desk, backups, monitoring: all US-owned, all subject to US law, all chosen on price and convenience without a single conversation about jurisdictional risk. Mauven MacLeod explains why your 30-person firm has made exactly the same strategic bet as the NHS and the Ministry of Defence, why "it is just stationery" stopped being true about five years ag
The US CLOUD Act gives American courts the power to compel any US technology company to hand over your data, regardless of whether it sits in a London data centre or a bunker in Wyoming. UK GDPR Article 48 says foreign court orders do not make that transfer lawful. No UK court has tested this conflict. No ICO enforcement action has targeted it. The NCSC does not mention it by name. Corrine Jefferson, our resident intelligence analyst, dissects the legal contradiction sitting quietly in the middl
Switzerland looked at Palantir and said no. The UK leaned in. That should worry you. Your business runs on the same US-owned platforms that governments argue about. Email, files, chat, identity, backups. The CLOUD Act means a provider can face legal demands for data, even when the servers sit outside the US. UK hosting does not always mean UK control. This teaser sets up the real question: if access rules changed tomorrow, could you prove who can touch your data, and how you would know? Could yo
That TP-Link router you bought because it was £40 cheaper than the alternatives? Two days ago, the state of Texas sued the manufacturer for allegedly handing the Chinese Communist Party access to Americans' devices. A US federal ban is on the table. Sixteen thousand routers worldwide have already been conscripted into a Chinese state-sponsored attack network. And the UK? Doing absolutely nothing. This isn't paranoia. This is documented, court-filed, backed-by-three-US-federal-departments reality
I used to work in US government intelligence. I now live in London. Those two facts make me uniquely uncomfortable about Palantir's expanding presence across the British state. In December 2024, Switzerland's military concluded that data held by Palantir could be accessed by the American government and that leaks "cannot be technically prevented." Their recommendation was unambiguous: find alternatives. The UK's response to the same evidence has been to award Palantir more than £900 million in c
Three hundred and ninety-three days. That's how long Chinese state hackers camped inside defence networks before anyone bloody noticed. Over a year. Reading emails. Mapping systems. Making themselves at home while everyone assumed the firewall was doing its job. Google just published the receipts, and the uncomfortable truth is this: manufacturing is the most targeted sector on ransomware leak sites. Not banks. Not hospitals. Factories. Your VPN appliance is the front door nobody's watching, and
I have watched this exact disaster unfold five times in 40 years. Personal computers in the eighties. BYOD in the 2010s. Cloud migrations that nobody secured. SaaS tools that HR adopted without telling IT. And now AI agents that can read your email, execute commands on your machine, and send data anywhere, installed by employees who thought they were being productive. OpenClaw is not the problem. OpenClaw is the symptom. The problem is that every time a shiny new technology appears, businesses a
The Data (Use and Access) Act just went live on 5 February, and if you're only hearing about it now, you're not alone. The commencement regulations were published two days before the provisions kicked in. That's the government's idea of adequate notice. Guest contributor Kathryn Renaud cuts through the panic with something actually useful: four repeatable workflows for DSARs, complaints, cookies, and automated decisions that any UK SMB can build this week with tools they already own. No expensiv