A growing number of UK organizations report backup system attacks as the root cause of major data breaches.
According to Cybernews, new data shows that 18% of UK organizations affected by data breaches say the primary cause was an attack on their backup systems. These findings suggest a shift in cybercriminal tactics, away from active infrastructure and toward the last line of defense: company backups.
This comes as the broader cybersecurity picture remains bleak. According to the Business Digital Index, 63% of companies worldwide earned a D or worse for cybersecurity readiness, with 40% outright failing.
Backups are intended to be a safety net during a breach or system failure, but they are increasingly being exploited as a vulnerability. While companies continue investing in perimeter defenses and endpoint protection, their backup infrastructure is often less protected, inconsistently tested, or poorly segmented.
Thirteen percent of companies surveyed acknowledged that their backup systems were not strong enough to enable rapid recovery. Meanwhile, nearly a third of organizations that relied on backups during an incident couldn’t fully restore their data, citing “inadequate processes” as the reason.
A well-known example is CloudNordic, a Danish cloud provider hit in 2023. Hackers managed to encrypt all company disks, including multiple layers of backups, by exploiting dormant vulnerabilities in previously infected servers. The attack rendered most customer data irretrievable and brought operations to a standstill, despite the company having firewalls, antivirus software, and backup layers in place.
Jon Fielding, Managing Director for Apricorn EMEA, stressed the need to treat recovery capabilities with the same urgency as prevention strategies: “We all know that breaches are almost inevitable, so being able to recover from a breach should be as high on the boardroom agenda as being able to prepare for one.”
While the risks are rising, the survey also found some encouraging trends:
Backups are increasingly valuable because they enable recovery after an attack. By compromising them, attackers can maximize disruption and increase their ransom leverage.
Primary backups are typically stored on-site or on connected systems, while secondary backups are off-site or in a separate environment, often used as a fallback if primary systems are compromised.
Organizations should implement backup isolation (air-gapping), use encryption, conduct regular restoration tests, and limit access through role-based controls.
Automation helps reduce human error and improve consistency, but it must be paired with security measures like access controls, segmentation, and monitoring.
Indicators include infrequent testing, unclear recovery plans, overreliance on a single backup layer, and failure to simulate breach scenarios during audits.