Portsmouth Business Shares First-Hand Account of Cyber Attack: A Wake-Up Call for SMEs

A Portsmouth-based business has shared its experience of falling victim to a cyber attack, hoping to raise awareness among other small and medium-sized enterprises (SMEs) and charities. While high-profile cyber attacks on large corporations often dominate headlines, the voices of smaller organisations, who may be equally or even more vulnerable, are rarely heard. A loss of millions of pounds makes headline news, but a loss of thousands of pounds doesn’t. Yet even a loss of a few thousand pounds can have a devastating impact on an SME.

“Business owners need to realise: this will happen to them at some point,” the company’s director told us.

The business reached out to the Digital Resilience Programme at Shaping Portsmouth to tell their story. We are keeping both the company and the director anonymous in this article. Although they acted appropriately throughout, we understand there is still stigma and misunderstanding surrounding cyber attacks, and we want to avoid unfairly impacting their reputation.

The story was shared in detail with Lisa Gibbs, who leads the Digital Resilience programme.

The Attack

On a Saturday evening in May 2024, a cyber criminal attempted to call the mobile phone of the director and sent him messages via WhatsApp. The messages said the company data had been stolen and would be published online unless the director sent him money.

“It was shocking. He never even asked for a specific amount. He just wanted me to call and negotiate,” the director recalled. The attacker’s messages were vague but threatening, filled with scare tactics intended to pressure the director into responding.

Swift Response

Instead of engaging with the attacker, the director immediately contacted their retained IT support and the insurance company for their cyber insurance policy. The insurance company assigned specialist forensic IT personnel to work with the company’s team.

The forensic experts swiftly secured the network, removed the intruder, and identified that four computers had been accessed. Data related to around 80 current and former employees had been stolen. While the exact entry point wasn’t determined, a phishing email is believed to be the likely cause.

Involving Authorities

The company promptly reported the breach to the police and the Information Commissioner’s Office (ICO) within the required 72-hour window. Unfortunately, the attacker couldn’t be traced. The phone numbers used were spoofed, manipulated to appear as though the calls and messages were coming from the director’s own colleagues.

Minimising the Damage

Despite the company’s efforts, the stolen data was published on a dark web website. The forensic team worked to get the site taken down, a process that took time.

The director personally met with affected employees, informing them of the breach and offering identity monitoring services. “Telling the team their personal information had been stolen was incredibly difficult,” he said. “But I think they appreciated how we handled it. Some of them took up the monitoring service.”

The Financial and Emotional Toll

While no money was directly stolen and no identity theft has been reported so far, the attack brought significant financial and emotional costs. IT support, legal advice, and the identity monitoring services amounted to nearly £200,000. The costs were fortunately covered by the cyber insurance policy. However, the business expects their future premium to rise as a result of the claim. The director told us, “Thankfully, we had cyber insurance. Without it, this incident would have caused a significant financial loss and disruption to the business.”

Time was also a major cost. The director and his team devoted weeks of effort to managing the incident, from initial response through to final sign-off from the ICO, which only came through in May 2025.

Lessons Learned

With the incident now behind them, the business has carried out a cyber security review and continues to assess potential improvements. The director remains realistic, if not pessimistic, about the future:

“I don’t think we were targeted. I think it was just one of thousands of phishing emails sent out. He probably has multiple victims at any one time. It could have been worse. If he’d encrypted our data and demanded a ransom, the whole incident would have been much more serious. Honestly, I think this will happen again. Cyber attacks seem to be happening much more frequently and the security measures available seem to struggle to keep up with the new attack methods being used.”

A Call to Action

This story is a sobering reminder that cyber attacks are not a matter of if, but when. SMEs and charities must take the threat seriously, ensure they have appropriate security and insurance in place, and prepare their teams for how to respond.

As Lisa Gibbs from the Digital Resilience programme put it: “Cyber resilience isn’t just about prevention, it’s about readiness, responding and recovering. We’re grateful to this business for bravely sharing their experience, which will undoubtedly help others be better prepared.”

Shaping Portsmouth