62 Annual Report 2025
action against the Group in relation to the cyber‐attack. The company also reported the cyber‐ attack
to the FCA as well as the police and Welsh Government, for their information.
Technical experts in the fields of data and system recovery were quickly engaged to support us with
the reinstatement of our systems and processes whilst regularly keeping our Board, auditors and
colleagues updated on progress. By January 2024, we had reinstated the majority of our systems and
had taken the opportunity to ‘recover forward’ where possible. We received the advice and support
of solicitors with expertise in this area of law to ensure that we continued to meet our legal and
regulatory obligations.
We worked alongside our expert partners to confirm the precise combinations of data exfiltrated from
our systems in the attack to identify any combinations of data relating to an individual which could
present a high risk. Following that exercise and subject to the advice of our solicitors, in January 2025
the Group notified any individuals deemed to be at “high risk” in line with our obligations under the
UK GDPR. To date, the Group has not received any claim from any individual who was so notified.