Anatomy of a Breach

Anatomy of a Breach: Manchester United — A Premier League Club Hit by Ransomware During the Season

> series: anatomy_of_a_breach —— part: 143 —— target: manchester_united_fc —— attack: ransomware —— ransom_paid: none —— matchday: unaffected<span class="cursor-blink">_</span>_

Hedgehog Security 30 November 2020 12 min read
ransomware manchester-united uk-breach football premier-league sports series
Breach #143

One of the world's most famous football clubs. Hit by ransomware. During the season.

On 20 November 2020, Manchester United Football Club confirmed it had been the target of a sophisticated cyber attack. The club's internal systems — including email, scouting databases, and operational platforms — were disrupted. The attack was widely reported as ransomware, though the club did not publicly confirm the specific malware involved. Manchester United engaged the NCSC, the ICO, and external cybersecurity firms to manage the incident.

Crucially, matchday operations at Old Trafford were not significantly disrupted — the club's critical operational systems ran on isolated networks that the ransomware did not reach. This network segmentation — separating matchday infrastructure from corporate IT — was a defensive success that prevented the attack from affecting the most visible and safety-critical aspect of the club's operations. Manchester United refused to pay any ransom and recovered its systems from backups over the following weeks.

Sports as a Target
Recommended

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call

Brand value, media exposure, commercial pressure — the perfect extortion target.

High-Profile Targets
Manchester United — one of the world's most valuable and recognisable sports brands — demonstrated that sports organisations' brand value and media exposure make them attractive ransomware targets. The pressure to restore systems quickly (during an active Premier League season) creates urgency that attackers exploit. Our <a href="/penetration-testing">penetration testing</a> is available to sports organisations and high-profile brands.
Segmentation Saved Matchday
The fact that matchday operations were unaffected demonstrated the value of network segmentation — isolating critical operational systems from corporate IT. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> validates segmentation, ensuring that a compromise of one network zone cannot propagate to safety-critical or operationally-critical systems.
Refused to Pay
Manchester United's refusal to pay the ransom — recovering from backups instead — was the recommended approach and followed the example set by <a href="/blog/anatomy-of-a-breach-norsk-hydro">Norsk Hydro</a> (2019). <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides the incident response and recovery support that makes refusing to pay a viable option.
NCSC Engagement
Manchester United engaged the NCSC — the UK's national cybersecurity authority — in its incident response. For any UK organisation experiencing a significant cyber attack, the NCSC provides support and guidance. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> works alongside the NCSC and ICO during major incidents.
Lessons

Segmentation works. Backups work. Refusing to pay works.

Manchester United's handling of the attack demonstrated three defensive successes: network segmentation protected matchday operations, backups enabled recovery without paying, and engagement with the NCSC and ICO demonstrated responsible incident management. For UK organisations, the Manchester United case provides a model for what successful ransomware defence looks like — not preventing the initial compromise (which is increasingly difficult), but limiting the blast radius and recovering without capitulating.

Infrastructure testing validates segmentation and backup integrity. Cyber Essentials establishes baseline controls. SOC in a Box detects ransomware deployment before encryption completes. And UK Cyber Defence provides the incident response and crisis management that enables organisations to recover with integrity — like Manchester United did.

Ransomware Resilience

Manchester United's segmentation saved matchday. Would your critical operations survive ransomware?

<a href="/penetration-testing/infrastructure">Infrastructure testing</a> validates segmentation. <a href="/cyber-essentials">Cyber Essentials</a> establishes the baseline. <a href="https://www.socinabox.co.uk">SOC in a Box</a> detects ransomware. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> manages recovery.

Commission a Resilience Assessment Next: 2020 Year in Review
Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call
Keep Reading

Related Articles

Anatomy of a Breach 30 September 2025

Anatomy of a Breach: Jaguar Land Rover — Manufacturing Halted, Staff Sent Home, and Revenue Hit by Ransomware

Breach #201. In September 2025, UK car manufacturer Jaguar Land Rover (JLR) was hit by a cyber attack that severely disrupted production at its Halewood plant in Merseyside, forcing staff to stay home while the company responded. The incident, reportedly claimed by a group calling itself Scattered Lapsus$ Hunters, prevented car dealers from registering new JLR vehicles — during one of the busiest periods for new car registrations in the UK. JLR subsequently revealed that the attack had a significant financial impact on its revenue. The M&S and JLR attacks together constituted the most damaging year for UK corporate cybersecurity on record.

jaguar-land-rover jlr
13 min read
Anatomy of a Breach 30 April 2025

Anatomy of a Breach: Marks & Spencer — DragonForce Ransomware Costs £1.9 Billion and Hits UK GDP

Breach #196. In April 2025, Marks & Spencer — one of the UK's most iconic retailers with over 33,000 employees and an estimated 200,000 in its supply chain — was hit by a ransomware attack attributed to DragonForce, leveraging social engineering techniques associated with the Scattered Spider collective. The attack disrupted online sales, in-store contactless payments, click-and-collect services, and supply chain operations for weeks. The Bank of England confirmed the attack had impacted UK GDP growth. The estimated cost exceeded £1.9 billion ($2.5 billion), making it the most expensive cybersecurity breach in British history. The attack was linked to outsourced IT services, underscoring the supply chain dependency that has defined every major UK retail breach.

marks-spencer dragonforce
16 min read
Anatomy of a Breach 30 November 2024

Anatomy of a Breach: Blue Yonder — Supply Chain Ransomware Hits UK Supermarkets and Global Retailers

Breach #191. In November 2024, Blue Yonder — a major supply chain management software provider owned by Panasonic — was hit by ransomware that disrupted services for its global customer base. The attack affected warehouse management and logistics systems used by major retailers including Morrisons and Sainsbury's in the UK, and Starbucks in the US. Morrisons reported disruption to its warehouse management systems affecting the flow of goods to stores. The breach was the latest in a pattern of supply chain vendor attacks affecting UK retailers — from Blackbaud (2020) through Kaseya (2021) to MOVEit/Zellis (2023).

ransomware blue-yonder
13 min read
All Posts Get in Touch