UK Ransomware Disclosures, Methodology
This page documents how Firevault sources, verifies, and publishes the UK Ransomware Tracker. It exists so that journalists, academics, and reference editors can evaluate the dataset's reliability before citing it.
Inclusion criteria
An incident is added to the tracker when all three of the following are satisfied:
- The affected organisation has a UK presence (registered office, operating subsidiary, or critical UK service).
- The incident is confirmed by the affected organisation, the Information Commissioner's Office, or two independent UK press sources.
- The incident involves either ransomware-driven encryption or unauthorised exfiltration of personal or operational data.
Primary sources
Sources are checked in the following order of precedence. Where higher-precedence sources contradict lower ones, the higher source is used and the discrepancy is recorded in the description field.
- Information Commissioner's Office (ICO) breach register and decision notices.
- NCSC advisories and joint advisories with international partners.
- Direct disclosures by the affected organisation (regulatory filings, press releases, customer notifications).
- Verified UK press reporting from established outlets (BBC, Reuters, FT, The Register, Computer Weekly, ITV, Sky News).
- Threat-intelligence vendor reports where the underlying evidence is reproducible.
Verification
Each incident requires at least one source from categories 1-3 above, or two independent sources from category 4. Leak-site listings alone are not sufficient for inclusion; they are tracked internally pending corroboration. Records counts are reproduced as disclosed; where a range is published, the lower bound is used.
Update cadence
The dataset is reviewed continuously and re-published quarterly. Records are revised when new authoritative information becomes available; the updated_at field reflects the most recent material change.
Limitations
The tracker captures publicly disclosed incidents only. UK organisations are not required to publicly disclose every ransomware event; the true incidence is therefore higher than the tracker shows. The dataset should be read as a lower bound on UK ransomware activity and a representative sample of disclosed incidents, not as a complete census.
Corrections & contact
Corrections, additions, and methodology questions are welcome at research@fire-vault.com. Material corrections are logged with the date of revision.
Licence
The dataset is published under Creative Commons Attribution 4.0 International (CC BY 4.0). Reuse is permitted with attribution to Firevault UK Ransomware Tracker and a link to fire-vault.com/research/uk-ransomware-tracker.