Cyber attack 2022

22nd April 2026

Cyber attacks are an increasingly common reality in today’s digital world, affecting organisations of all sizes across the private and public sectors, including businesses, governments and individuals. We strongly condemn the actions of criminals who seek to target organisations and individuals in this manner.

On 23rd December 2022, we were the victim of a sophisticated criminal cyber attack. As soon as our cyber security controls detected the incident, we took immediate action to protect our systems and our customers. This included shutting down our IT systems, notifying the relevant regulatory and law enforcement authorities, and engaging leading independent cyber security specialists to investigate and manage the incident.

Given the nature of the attack, it was not possible to determine with certainty whose data, or which specific data, may have been accessed. In those circumstances, our overriding priority was to protect and reassure our customers. On that basis, and out of an abundance of caution, we took the proactive and responsible step of contacting potentially affected customers directly. This was done to ensure transparency and provide early guidance on steps they could take to help prevent the misuse of their personal information. In addition, and as an extra precaution, we partnered with Experian to offer complimentary access to specialist tools, support and monitoring services, giving customers additional assistance and peace of mind.

On 12th April 2024, the ICO concluded their investigation into the attack and decided that no further action was required.

Group legal proceedings are now ongoing in both Scotland and England in relation to the incident. While we regret that this criminal attack occurred, our position is that we were not at fault and that we are not liable for the actions of those responsible. The mere fact that an organisation suffers a data breach does not, in itself, mean that it has failed to meet its obligations under the UK GDPR and the Data Protection Act 2018, nor does it mean that compensation is automatically payable to an individual. We therefore intend to defend these proceedings and fully demonstrate our position through the courts.

We remain firmly committed to maintaining and strengthening our cyber security framework in line with technological developments and evolving threats. Protecting our customers’ information continues to be a priority, and we will continue to invest in robust security measures and ongoing improvements.

We will continue to be transparent and upfront in addressing this matter and we’d like to thank our customers for their patience and understanding.

To help protect your own data, the following steps are considered to be best practice:

  • Never give out personal details over the phone unless you are sure who you are speaking to.
  • Use strong unique passwords. A strong password is long and random, and it is a good idea to use numbers, upper case letters, lower case letters and symbols. To help you remember the password, consider using three or more random unrelated words.
  • Check your bank statement regularly for any unusual payments that you do not recognise.
  • If you think you have been a victim of fraud you should:
    • (in Scotland) report it to Advice Direct Scotland on 0808 164 6000 or to Police Scotland on 101
    • (in the rest of the UK) report it to Action Fraud, the UK's national fraud and internet crime reporting centre, on 0300 123 2040.

Further helpful guidance is available at Cyber and Fraud Hub or The Cyber Helpline.