Data centres under attack — what Iran’s strikes mean for UK businesses & how to respond

We explore the implications of the attacks for UK businesses and outline the practical measures that can help to mitigate similar disruption.
Author: Laura Keane

The disruption caused by recent data centre attacks in the Middle East has underscored just how critical cloud infrastructure has become to global commerce.
In March 2026, Iranian drone strikes on commercial data centres operated by US cloud providers — including key Amazon Web Services (AWS) facilities — in the UAE and Bahrain marked the first time that private-sector cloud infrastructure has been deliberately targeted in a live geopolitical conflict. The resulting service outages triggered disruption across payments, banking, enterprise systems and consumer-facing services, with knock‑on effects felt well beyond the Middle East.
Here, Laura Keane from our data protection team explores the implications for UK businesses and outlines the practical measures that can help to mitigate similar disruption.
Data centres now underpin almost every element of modern commerce: payments, logistics, HR systems, customer data storage, AI-enabled services and real-time analytics.
Iran’s attack caused structural damage and power failures at multiple AWS facilities, leaving dozens of cloud services unavailable and triggering widespread outages across banking systems, payment platforms, delivery services and ride‑hailing apps. Millions of people were temporarily unable to make digital payments, access wages or use everyday services such as mobile banking.
While many services were eventually restored through rapid migration to alternative regions, the incident exposed how failures in implementing robust business continuity measures can lead to significant economic loss.
UK businesses have seen repeatedly how cloud outages translate directly into lost revenue, supply chain breakdown and reputational harm.
In April 2025, the Co‑op reported losing approximately £206m in revenue following a cyber-attack on its IT systems. During the incident, stores across the UK temporarily lost the ability to process card payments, forcing many customers to abandon purchases, with staff later confirming that the disruption was nationwide.
More starkly, the cyber-attack suffered by Jaguar Land Rover in August 2025 caused widespread production shutdowns and is estimated to have cost the business around £50m per week during peak disruption, with broader impacts across its supply chain and the UK economy.
The National Cyber Security Centre (NCSC) has recently warned UK organisations of heightened indirect cyber risk linked to the Middle East conflict. While it has said that there’s no confirmed increase in direct Iranian cyber-attacks against UK targets, it has emphasised the risk of “collateral impacts”, particularly for organisations with operations, suppliers or infrastructure in the region. The NCSC’s assessment is deliberately measured, likely reflecting the UK’s limited direct involvement in the conflict.
By contrast, guidance issued by the US Cybersecurity and Infrastructure Security Agency (CISA) adopts a more cautious tone. In response, CISA has urged organisations to strengthen their IT systems, warning that a surge in cybersecurity attacks is likely during the conflict and could significantly disrupt many front-line services. It has also encouraged organisations to review and strengthen their disaster recovery and multi-region resilience strategies so that they’re better placed to withstand and recover from an attack. This firmer stance is unsurprising given the US’s greater exposure to the conflict and the number of US cloud providers operating and maintaining data centres in the region.
Taken together, these developments show that UK organisations can still face heightened indirect cyber risk, even if they’re not the primary target. For that reason, it’s sensible for UK organisations to take account of CISA’s more robust guidance.
For UK organisations — particularly those reliant on cloud services, payment platforms or international supply chains — the Iranian data centre attacks reinforce several priorities:
In an increasingly interconnected digital economy, having strong data protection governance and cyber resilience is now a commercial necessity as well as a regulatory obligation. For UK companies, the question is no longer whether such disruption is possible but whether they’re prepared for it.
Our specialist data protection team offers expert-led, practical training covering the Data Protection Act 2018, UK GDPR and the Data (Use and Access) Act 2025, with a strong focus on governance, accountability and real‑world risk.
This is complemented by our established cybersecurity expertise, enabling us to support you end‑to‑end, from prevention and preparedness to incident response and regulatory engagement.
If you need support with understanding your data protection obligations or require advice or guidance on anything discussed above, talk to us by giving us a call on 0333 004 4488, sending us an email at hello@brabners.com or completing our contact form.
