Tesco hacked

This topic has been archived, and won't accept reply postings.
 Moacs 24 Oct 2021

https://www.bbc.co.uk/news/business-59027423

It's been 36 hours. I wonder how much of their network is now locked under encryption.

Travelex were down for weeks when the same thing happened.

Are companies complacent or is it really hard to prevent?

 Tyler 24 Oct 2021
In reply to Moacs:

> Are companies complacent or is it really hard to prevent?

Bit of both. Whilst it might be hard to prevent it is less difficult to create roll back or recreate options but it is expensive and time consuming. It might take a significant period of time to assess the extent of the disruption before you invoke whatever DR plan you might have (it’s a lot more tricky than if your data centre has disappeared, for instance).
The above is assuming this is more than just “An attempt was made to interfere with our systems which has caused problems with the search function on the site”

Post edited at 20:54
In reply to Tyler:

> Bit of both. Whilst it might be hard to prevent it is less difficult to create roll back or recreate options but it is expensive and time consuming.

Every little helps.

Andy Gamisou 25 Oct 2021
In reply to Moacs:

> It's been 36 hours. I wonder how much of their network is now locked under encryption.

Not sure what you mean here. I'd have thought all their network traffic was encrypted as a matter of course - most websites are routinely after Google decided to flag anything not behind https in terms that look scary (thanks Google, another £100 a year out my pocket for no good reason), and Tesco's would have been anyway.

Or do you mean they were subject to a ransom attack?

> Are companies complacent or is it really hard to prevent?

If it was a DDoS (and most are) then a concerted attack is quite hard to prevent. Mind you, setting up a good one is equally tricky - you need to surreptitiously infiltrate a lot of unsuspecting carriers to do the attack on your behalf. Just doing it from a small bunch of servers is easy for routers/firewalls to detect and block. Not that I've ever been inclined to try such a thing - although I did work with an Austrian guy who did do this sort of thing as a hobby. Went by the handle "Alf". Probably dead now. Funny story involving him, the company he worked for, the NYT and Microsoft. Probably for another time - I fear I'm starting to ramble...

 snoop6060 25 Oct 2021
In reply to Moacs:

I work partly in cyber security. A system that processes card payments has to comply with PCI-DSS which is pretty stringent. But the weakest link is the people who are supposed to be designing, building, supporting and securing these systems. They are paid well but hardly at the level that attracts the absolute best and most talented. So when you're up against the very best, which is what some of these groups are (only some, the vast majority just exploit absolute stupidity with commonly available tools) then you're gonna lose at some point.

