Why do hackers hack?

Experts say there’s a new attack every 39 seconds. But what motivates hackers and how can businesses make sure they’re not next?

By Emma Sheppard


January 2023

A new year and hacking is already dominating the headlines. Royal Mail confirmed a cyberattack on 10 January, which left it unable to dispatch items abroad; highly confidential documents from 14 schools were leaked online; the owner of KFC and Pizza Hut was forced to close 300 UK stores after a ransomware attack; and T-Mobile in the US admitted a hacker accessed the personal data of 37 million customers. It’s the eighth time the company has been hacked in the past six years.

Uncovering the bad actors behind such nefarious events is often hard to do. In the Royal Mail’s case, a member of the LockBit hacking group came forward to accept the credit. It’s fast becoming one of the most prolific ransomware gangs in the world. Experts say their “Ransomware as a Service” model hit more than 850 victims in 2022, mainly in the US, UK and Europe.  

As the use of technology has grown in recent years, so too has the number of individuals looking to exploit its weaknesses (and those of the people that rely on it). Every 39 seconds there’s a new attack somewhere on the web, with 300,000 new pieces of malware created every day. But who are the shadowy figures behind the keyboards? How do they find weaknesses to exploit? And why do they hack at all? 

Mostly for the money

While some hackers do it for fame, because they’re disgruntled ex-employees or because they view hacking as sport, the majority of cyber criminals do it for the money. Verizon’s 2022 Data Breach Investigations Report found that 86% of the data breaches they analysed were financially motivated. That may mean holding systems or files hostage until a ransom is paid (known as ransomware), stealing personal customer data to carry out identity theft directly, or selling information on the dark web for others to use. Ransomware attacks increased by nearly 500% between 2020 and 2021, with the average ransom payment climbing to more than US$200,000. Cybersecurity Ventures believes the estimated cost of cybercrime will grow by 15% year on year to reach $10.5 trillion by 2025. That would make it the third largest economy in the world, after the US and China. 

Small businesses are on the target list

It’s often the big businesses that make the headlines but attacks on UK SMEs are on the rise. Research in 2022 found half of small and medium sized businesses have suffered a cyber attack, and 54% of those have suffered a financial loss. Most of these incidents were ransomware and phishing, both of which tend to target employees. Manipulating employees to divulge sensitive information is the easiest method of gaining access to a computer system, and the rise in remote working during the pandemic gave criminals new vulnerabilities to exploit. Yet despite the threat that SMEs face and the cost of a breach, which can stretch into thousands of pounds, only a quarter of SME leaders see cybersecurity as a top priority.  

If you want more practical content like this article, please click below to sign up for our monthly newsletter.

Sign up here

Once you’ve been hacked, you’re likely to be hacked again

As was the case with T-Mobile, once an organisation has experienced a cyber attack, the chances of it being targeted again are high. In many cases, the details will appear on the dark web for others to take advantage of. Almost two thirds (63%) of organisational internal data breaches are a result of compromised usernames and predictable passwords, such as ‘12345’ or ‘QWERTY’. Microsoft found that 73% of people online use duplicate passwords across various platforms, leaving themselves exposed to a possible data breach. Companies should educate their employees about good security practices such as how to identify phishing emails, using two-factor authentication, and requiring the use of a VPN and password manager.

Answer our GDPR compliance checklist questions and we will email you an objective, personalised audit report within minutes, completely free of charge.

Get your audit

The biggest risk is complacency

Ultimately, prevention is always better than cure. When the Information Commissioner’s Office fined Interserve £4.4m last year (the fourth biggest fine in its history), for example, it warned that complacency within a company was an even bigger risk to businesses than hackers from outside the organisation. Interserve’s system had failed to stop a phishing email that an employee downloaded, while a subsequent anti-virus alert was not properly investigated. That enabled hackers to steal the personal and financial information of up to 113,000 employees. The good news is, privacy and security go hand in hand. If your employees understand the importance of privacy, they’ll act to protect the data within your organisation. By building a culture of continuous privacy compliance, your staff will go from being your greatest security risk to your greatest asset.

More to watch and read