Recent Breaches
Breaches
2026PowerSchool62.4M stolen62.4M records stolen2026DISA Global Solutions3.3M stolen3.3M records stolen2026Globe Life850K stolen850K records stolen2026HertzUndisclosed stolenUndisclosed records stolen2026NHS ScotlandUndisclosed stolenUndisclosed records stolen2025Marks & Spencer9.4M stolen9.4M records stolen2025PayPal35K stolen35K records stolen2025Co-operative GroupUndisclosed stolenUndisclosed records stolen2025Jaguar Land RoverUndisclosed stolenUndisclosed records stolen2024National Public Data2.9B stolen2.9B records stolen2026HertzUndisclosed stolenUndisclosed records stolen2026NHS ScotlandUndisclosed stolenUndisclosed records stolen2025Marks & Spencer9.4M stolen9.4M records stolen2025PayPal35K stolen35K records stolen2025Co-operative GroupUndisclosed stolenUndisclosed records stolen2025Jaguar Land RoverUndisclosed stolenUndisclosed records stolen2024National Public Data2.9B stolen2.9B records stolen2026PowerSchool62.4M stolen62.4M records stolen2026DISA Global Solutions3.3M stolen3.3M records stolen2026Globe Life850K stolen850K records stolen
View All →

UK Ransomware Disclosures, Methodology

This page documents how Firevault sources, verifies, and publishes the UK Ransomware Tracker. It exists so that journalists, academics, and reference editors can evaluate the dataset's reliability before citing it.

Inclusion criteria

An incident is added to the tracker when all three of the following are satisfied:

  • The affected organisation has a UK presence (registered office, operating subsidiary, or critical UK service).
  • The incident is confirmed by the affected organisation, the Information Commissioner's Office, or two independent UK press sources.
  • The incident involves either ransomware-driven encryption or unauthorised exfiltration of personal or operational data.

Primary sources

Sources are checked in the following order of precedence. Where higher-precedence sources contradict lower ones, the higher source is used and the discrepancy is recorded in the description field.

  1. Information Commissioner's Office (ICO) breach register and decision notices.
  2. NCSC advisories and joint advisories with international partners.
  3. Direct disclosures by the affected organisation (regulatory filings, press releases, customer notifications).
  4. Verified UK press reporting from established outlets (BBC, Reuters, FT, The Register, Computer Weekly, ITV, Sky News).
  5. Threat-intelligence vendor reports where the underlying evidence is reproducible.

Verification

Each incident requires at least one source from categories 1-3 above, or two independent sources from category 4. Leak-site listings alone are not sufficient for inclusion; they are tracked internally pending corroboration. Records counts are reproduced as disclosed; where a range is published, the lower bound is used.

Update cadence

The dataset is reviewed continuously and re-published quarterly. Records are revised when new authoritative information becomes available; the updated_at field reflects the most recent material change.

Limitations

The tracker captures publicly disclosed incidents only. UK organisations are not required to publicly disclose every ransomware event; the true incidence is therefore higher than the tracker shows. The dataset should be read as a lower bound on UK ransomware activity and a representative sample of disclosed incidents, not as a complete census.

Corrections & contact

Corrections, additions, and methodology questions are welcome at research@fire-vault.com. Material corrections are logged with the date of revision.

Licence

The dataset is published under Creative Commons Attribution 4.0 International (CC BY 4.0). Reuse is permitted with attribution to Firevault UK Ransomware Tracker and a link to fire-vault.com/research/uk-ransomware-tracker.