Cyber Incident Victim: Safestyle UK
Date: Jan 2022
Location: United Kingdom
Summary
Safestyle UK, a major double glazing company, experienced a ransomware attack suspected to involve Russian-linked actors, resulting in the theft of approximately 400,000 customer records including names, email addresses, and phone numbers. Attackers demanded £4 million in Bitcoin under threat of selling the data on the dark web, prompting the firm to take portions of its website and IT systems offline, which disrupted operations and led to customer complaints about unresolved delivery issues and communication failures. While financial data reportedly remained uncompromised, the breach exposed the company to potential regulatory fines, though authorities indicated leniency if criminal involvement was confirmed. The incident coincided with broader warnings from UK cybersecurity agencies about spillover risks from malicious cyber activity targeting Ukraine.
Description
Safestyle UK, the United Kingdom's largest double glazing installation company, experienced a significant cyber incident around January 1, 2022, identified as a ransomware attack. Threat actors infiltrated the company's systems, exfiltrating sensitive customer data including names, email addresses, and phone numbers for approximately 400,000 individuals. The attackers demanded a £4 million ransom payment in Bitcoin, threatening to sell the stolen data on the dark web if their demands were not met. While financial information remained uncompromised, the breach prompted Safestyle UK to take immediate containment measures by partially shutting down its website and IT infrastructure. This operational disruption prevented customers from contacting the company through normal channels, leading to public complaints across social media platforms about unanswered calls and emails over multiple days. The Bradford-based firm initiated an investigation in collaboration with law enforcement agencies and regulatory bodies, publicly confirming it was addressing a "cyber-incident" without initially disclosing full details of the ransomware demand or data scope.

The incident occurred amid heightened cybersecurity warnings from the UK's National Cyber Security Centre (NCSC) regarding potential spillover effects from malicious cyber activity targeting Ukraine. Security experts suggested possible Russian connections to the attack group, though no definitive attribution was publicly confirmed. Operational impacts extended beyond customer communication breakdowns, with internal systems including email and telephony remaining non-functional for three to four days according to company sources. Safestyle UK faced potential regulatory penalties of up to £17.5 million from the Information Commissioner's Office for the data breach, though industry analysts indicated the regulator might show leniency given the criminal nature of the attack. Cybersecurity professionals highlighted the attack's alignment with pandemic-era trends of increased ransomware operations targeting retailers holding sensitive customer data, noting the particular challenges in tracing cryptocurrency ransom payments. The company's public response emphasized containment efforts and cooperation with authorities while maintaining that operations continued despite system limitations.
