The UK Treasury Committee has warned that cyberattacks and power outages are pushing consumers and businesses back to cash, highlighting systemic vulnerabilities in digital payment infrastructure. A recent report suggests businesses may soon be legally required to accept cash, reversing a decade-long trend toward cashless transactions1. This shift underscores growing concerns about the resilience of electronic payment systems during crises.
TL;DR: Key Takeaways for Security Professionals
- 50% of UK businesses faced cash refusal in 2024 (LINK ATM data)2
- Post Office reported 300% spikes in cash withdrawals during payment outages
- Black Basta ransomware affiliates now exploit Microsoft Teams for initial access3
- Spain imposed €3,000 withdrawal limits after grid failures disabled digital payments
Infrastructure Vulnerabilities Exposed
The 2025 Spanish blackout demonstrated how power failures cascade into payment system collapses. ATMs and card terminals became unusable for 72 hours, forcing 78% of transactions back to cash4. Similar incidents occurred during the Free Telecom cyberattack in France, where a Cisco ASA firewall zero-day disrupted services for millions5.
Payment processors face three critical failure points: 1) Single points of failure in authorization networks, 2) Lack of offline transaction capabilities, and 3) Dependence on third-party APIs with inconsistent SLA enforcement. The M&S ransomware attack revealed how point-of-sale systems remain vulnerable to encryption locking6.
Cyber Threat Landscape Intensifies
Recent campaigns show threat actors specifically targeting financial infrastructure:
| Incident | TTPs | Impact |
|---|---|---|
| Italian State Database Breach | RomCom APT (Russia-linked) selling 2M citizen records | Identity fraud surge |
| Black Basta Ransomware | Teams phishing → Cobalt Strike → $5M demands | 48-hour payment processing outages |
These incidents validate concerns raised by Dame Meg Hillier of the UK Treasury Committee: “We must avoid sleepwalking into a cashless society”1.
Security Recommendations
For organizations maintaining payment systems:
- Implement offline transaction caching with cryptographic receipt signing
- Segment payment authorization networks from general corporate infrastructure
- Conduct tabletop exercises simulating 72-hour payment outages
The UK’s planned 350 banking hubs by 2030 may help, but technical controls remain essential7. As Spain’s experience shows, regulatory limits on cash withdrawals can backfire during crises.
Conclusion
The cash resurgence highlights fundamental security tradeoffs between convenience and resilience. While digital payments dominate daily transactions, recent events prove physical currency remains a critical fallback during infrastructure failures. Security teams should audit payment system dependencies and advocate for hybrid transaction models that preserve optionality.
References
- “Public told to hoard cash over cyberattacks and blackouts by MPs and government,” Daily Mail, 2025.
- “Treasury warned as cyber attacks and blackouts pushing people back to cash,” Express.co.uk, 2025.
- CISA Alert AA25-125A: Black Basta Ransomware, 2025.
- “Spain’s cash surge during blackout,” El Confidencial, 2025.
- “Free Telecom cyberattack analysis,” Security Affairs, 2025.
- “M&S cyberattack fallout,” Express, 2025.
- “Shops forced to accept cash again,” Birmingham Mail, 2025.
