The Backup Is the Target: How Hackers Are Sabotaging Your Last Line of Defense
Hackers are increasingly setting their sights on backups — not on systems or servers, but specifically on the very data companies safeguard “for a rainy day” to restore operations after an attack. A new study by Apricorn reveals alarming figures: one in five data breaches in the United Kingdom is directly linked to the compromise of backups. This signals that intruders have learned to penetrate deeper and with greater precision — targeting the very foundation on which businesses rely for recovery in the wake of cyberattacks.
Traditionally, backups were seen as a form of insurance — a secure, reliable copy of critical data that could be restored after any catastrophe. But the landscape has shifted. Whereas companies once focused their defenses on active IT infrastructure — workstations, clouds, routers — attackers are now striking at passive repositories. In some cases, backups themselves have become the primary target, deliberately sabotaged to cripple recovery altogether.
According to Apricorn, 18% of companies identified backup breaches as the chief cause of their incidents. This represents not only direct losses but also a strategic disruption of business continuity: the inability to resume operations without complete reinstallation or negotiations with extortionists. Particularly concerning is that 13% of respondents admitted their recovery infrastructure was too fragile to restore data quickly. Nearly one-third of organizations that attempted recovery from backups failed to fully restore their data: some information was lost, or the process collapsed due to poorly designed procedures.
The case of Danish cloud provider CloudNordic, attacked in 2023, is illustrative. Hackers not only disabled the main servers but also encrypted every backup. The result: the entire customer database was irretrievably lost, and the company’s operations ground to a halt. Although the company had antivirus tools, firewalls, and a multi-tiered backup strategy, previously compromised servers became the attackers’ entry point. This underscores a crucial truth: backups are effective only when they are not merely present but regularly tested, physically isolated, and architected to remain “invisible” to the primary network.
Yet Apricorn’s report also highlights encouraging trends. The proportion of companies that successfully restored their infrastructure from backups rose to 58%, compared with 50% a year earlier. An increasing number of organizations are adopting automated backup mechanisms: 44% now store data both in central repositories and in personal storage, up from 30% last year. Overall, 85% of companies have implemented at least one element of automation.
According to John Fielding, Apricorn’s Managing Director for EMEA, incident management must encompass not only preparation for attacks but readiness for full recovery. In his view, only regularly tested, fully scaled, and rigorously protected backups can serve as a true safeguard — rather than a mere illusion of security.
Against the backdrop of increasingly sophisticated attacks, one truth is clear: it is not enough simply to have a backup. It must be beyond the attacker’s control, duplicated, hardened, and swiftly deployable in isolation. Otherwise, companies risk not only losing their data — but losing forever the chance to reclaim it.