Britain’s retail cyber crisis: A wake-up call for the industry?

After Marks & Spencer, The Co-op, and Harrods were recently hit by major cyber hacks in succession, some experts are describing the incidents as a likely coordinated attack on the UK retail sector. Retail Systems news editor Alexandra Leonards takes a deep dive into what happened, exploring where the companies could have done better and why the industry must shift its approach to cyber resilience.

A recent cyber crisis impacting the systems of three of Britain’s most celebrated retail names all started with a highly sophisticated ransomware attack on Marks & Spencer (M&S) at the end of April. The breach, thought to have been carried out by teen hacking gang Scattered Spider, has since led to weeks of chaos at the department store chain. The company experienced major disruption to its Click & Collect service and contactless payments, which led the retailer to completely pause e-commerce orders, block remote workers from accessing internal systems, and instruct hundreds of distribution centre agency staff to stay at home.

Days later, Co-op was also hit by a cyber incident, with the company pre-emptively withdrawing access to some of its systems. While initially it seemed that the impact of the incident was minimal due to the company’s precautionary actions, it later found that the hackers were able to access and extract customer data from one of its systems. Earlier this week, it was also reported that Co-op had to circumvent food and drink shortages in remote communities by diverting supplies to stores in more isolated places after reports that some locations on the Scottish islands had empty shelves as a result of the hack.

Harrods becoming the third victim last week has forced the industry to pay attention. Criminals are demonstrating that they are beyond fluke attacks; instead, they are using increasingly sophisticated methods that can breach the networks of even the most well-known and respected brands in the sector.

On Tuesday, BleepingComputer reported that the hackers were able to infiltrate the systems at M&S and Co-op by impersonating employees and targeting their IT help desks. According to the publication, they convinced staff to reset the passwords of the impersonated staff to gain access.

Groups like Scattered Spider are well known for being particularly aggressive in their approach, Toby Lewis, head of threat analysis at global cybersecurity firm Darktrace, tells Retail Systems.

“It’s a spread-out group which makes it very difficult to track, and as native English speakers, the group is known for using powerful social engineering tactics to infiltrate organisations, exploiting human trust, and manipulating individuals, especially IT desks, through phishing attacks,” he says.

The kind of forceful and sophisticated approach used by groups like Scattered Spider is compounded by a widening attack surface, which is driven by an expanding retail digital footprint, spanning everything from growing online offerings and remote working to third-party services and AI-powered systems.

Hackers exploit this heightened system complexity, using a range of tactics, including social engineering; exploiting vulnerabilities in devices and corporate infrastructure; and brute-force attacks.

A co-ordinated attack?

Dr Aditya Sood, vice president of security and AI strategy at Unified Secure Access Service Edge (SASE) as a Service provider Aryaka, tells Retail Systems that the near-simultaneous incidents at M&S, Co-op, and Harrods “strongly suggest” a co-ordinated campaign targeting the UK retail sector.

“While attribution is not confirmed, the timing and scale, ranging from service disruptions to customer data breaches, point to organised threat actors exploiting systemic vulnerabilities,” he explains.

Cody Barrow, former US National Security Agency cyber chief and current chief executive of threat intelligence platform EclecticIQ, agrees that the timing and targeting of three major UK retailers within just two weeks is a strong indicator of a coordinated cyber campaign rather than a series of unrelated incidents.

“Evidence points to the involvement of the Scattered Spider hacking collective, which is believed to be using DragonForce ransomware, exploiting a common vulnerability in the retail supply chain,” continues Barrow. “This pattern represents a significant evolution in cybercriminal behaviour, from opportunistic one-off attacks to more strategic targeting of entire industry sectors.”

Dr Jason Nurse, reader in cybersecurity at the University of Kent, says that it is unclear at this stage whether the attack was coordinated.

“One possibility may be that these three organisations use similar systems and therefore the threat actor has sought to utilise the same attack on all three organisations,” he tells Retail Systems. “By targeting them simultaneously, this would enable the attack in such a way that they may not be able to learn from the experience of the other businesses.”

Darktrace’s Toby Lewis says that regardless of whether these attacks were connected or incidental, it reinforces that all organisations, no matter their size, should take precautionary measures and carefully examine their own supply chains for any potential entry points.

Galeal Zino, chief executive of zero-trust software provider NetFoundry, says that while it may never be known whether the three attacks are “collaboration or coincidence”, there is a more useful lesson to be learned from this spate of incidents.

“Attackers have always shared information and tools,” adds Zino. “The latest attacks should serve as motivation for defenders to collaborate in the same manner – or else they will continue to be at a disadvantage.”

Why is it taking so long for M&S to recover?

M&S, the first and arguably worst impacted of the three retailers, is continuing to grapple with the effect of the cyber breach weeks after it first had issues. This has resulted in the company pausing online orders for the past two weeks.

“It can take a long time to be sure that the threat actors are expelled from the network and understand how they gained access in the first place,” says Patrick Burgess, cyber expert at BCS, The Chartered Institute for IT. “Until this is completed, rebuilding cannot start, which can take considerable time in itself.”

Ultimately, if the issue isn’t dealt with correctly, and without the root cause identified, there’s nothing stopping the attackers carrying out the same or similar breach after the company recovers.

“This is the reason it can take so long to recover,” explains Burgess. “Cyber experts will be working at the moment to understand what happened and ensure the threat actors are expelled from the network.”

Only once this is complete and additional safeguards are in place can rebuilding start.

“Backups and contingency plans will have been in place but these can only come into effect once it is fully understood what has happened,” he continues. “Threat actors aim to do the most damage and will have tried to target these contingencies as well to make it harder to recover.”

Their aim is to leave companies with no option other than to pay the ransomware fee, meaning that extended recovery periods are more and more typical for sophisticated attacks in the increasingly complex retail environment.

When asked whether this length of time is to be expected of an organisation such as M&S, Dr Aditya Sood says: “Not inevitable, but understandable. For a retailer with deep digital dependencies and complex supply chains, full-service restoration can take days.”

He says that a multi-day disruption is sadly realistic if critical systems, such as payment platforms, inventory management, and remote work infrastructure, are highly interdependent.

“A total shutdown often occurs to isolate the spread of infection and preserve forensic evidence,” explains Dr Sood.

If the attack compromises authentication, payment, or inventory systems at the core, isolation becomes critical to contain risk.

Moreover, modern ransomware specifically targets backup infrastructure, which can often render contingency systems ineffective. A complete shutdown allows for the organisation to launch a proper investigation and controlled restoration without risk of reinfection.

While a lengthy recovery period is common, Dr Sood explains that the prolonged downtime at M&S could suggest “potential weaknesses” in incident response readiness and system recovery orchestration.

Dr Jason Nurse says that the harms experienced depend on the type of organisation, the extent to which they have been breached, the support they have, and how prepared they are.

“In this case, the initial compromise reportedly occurred months before the ransomware was deployed, allowing attackers to deeply entrench themselves within the system,” explains Cody Barrow. “This type of stealthy infiltration means that the recovery process must be thorough and deliberate to ensure full remediation and prevent reinfection.”

Paying the ransom

Official guidance and best practice are strongly against the payment of ransoms; however, it isn’t unheard of.

“Payments fund cybercriminals, allowing them to profit, and even to expand their operations; there is no guarantee that data will be decrypted, and it arguably exposes the organisation to further attacks,” warns Dr Nurse. “Research has shown that less and less organisations are paying ransom demands and this is definitely a good thing.”

According to data published by blockchain analysis company Chainalysis, there was a 35 per cent year-over-year decrease in ransomware payments in 2024.

“At this point it is unknown if they have paid the ransomware fee, this does happen, but it would always be the absolute last option,” says Patrick Burgess, explaining that this is not a quick fix for attacks, instead saying that rebuilding from backups is always preferable.

How could they have approached the attacks better?

Improved network segmentation, immutable backups, offline failover systems, and crisis communication playbooks could have reduced downtime and public disruption for the three retailers, claims Dr Aditya Sood.

“Regular ransomware simulation drills would also speed up coordinated recovery,” he continues.

The reputational impact of the cyber-attacks is already clear, with data from media analysis company CARMA demonstrating that in the first few days of the M&S incident, 84.6 per cent of news carried a negative sentiment. This, the company says, was driven by concerns about disruption, security, and leadership visibility.

Michael Simpson, senior business development manager for retail at the business, says that while the retailer acted swiftly by involving law enforcement, the data shows that the brand came across as more “reactive than proactive” in its communications in the aftermath of the attack.

“The absence of a visible spokesperson and direct customer-facing leadership in media coverage may have amplified concerns about preparedness and impacted trust,” he explains, adding that clear, authoritative messaging is key when core services like Click & Collect are affected.

Similarly, news output covering the incident at Harrods was 80.1 per cent negative.

“Harrods has acted quickly to contain the threat and publicly reassure customers; a crucial first step in any crisis response,” says Simpson. “But what we’re seeing in our data here is just how fast these incidents scale reputationally, especially for globally recognised and luxury brands such as Harrods.

“In today’s fast-paced, digital environment, where sentiment spreads much faster than facts, it’s vital that communications strategies are as resilient as their security systems.”

According to further data from CARMA, Co-op seemed to fare better in its approach, with 69.3 per cent of news carrying negative sentiment a few days after the incident was first publicised.

News outlets such as the BBC noted that Co-op has taken proactive steps to protect data and strengthen its defences, a theme that Simpson says helped to temper negative sentiment and may explain the muted backlash in comparison to other affected retailers.

“The Co-op appears to have taken a proactive public stance in response to the attack, by acknowledging the issue early on and communicating that protective steps to protect the data were underway,” explains Simpson. “This kind of transparency is essential in building and maintaining trust.”

Aryaka’s Dr Sood says that fundamental strategies that may have been missing include adopting segmented architectures, which make it easier to contain threats; maintaining offline business continuity systems; and conducting regular incident response drills.

“Enhanced supplier vetting, real-time monitoring, and AI-driven threat detection could have also enabled faster containment, reducing the scope and duration of the disruption,” he continues.

EclecticIQ’s Cody Barrow agrees that there are measures that could have helped reduce the impact, or possibly even prevented these breaches.

“Stronger protection of Active Directory and consistent use of multi-factor authentication would have made it significantly harder for the attackers to steal credentials and gain access,” he says. “Additionally, enhanced supply chain security assessments and improved defences against social engineering tactics – commonly used by groups like Scattered Spider – could have closed some of the vulnerabilities that were exploited.”

Implementing network segmentation and air-gapped backup systems would have also limited the lateral spread of the ransomware and potentially allowed for faster, more secure recovery, he explains.

“There’s always room to improve, and hindsight will help all three organisations understand what more could have been done,” says Toby Lewis. “But from what we know so far, this appears to be a case of well-organised adversaries exploiting sophisticated access routes.”

He continues: “What’s most important now is the industry learning the right lessons: better visibility over supply chains, regular threat hunting beyond just known signatures, and resilience planning that assumes attackers will get in. The organisations affected aren’t necessarily at fault, but the way we collectively evolve from this will define how well we handle the next incident.”

NetFoundry’s Galeal Zino says that he is seeing retailers taking steps to move towards secure-by-design architectures.

“Speed will be important,” he explains. “For example, AI accelerates attacks, whereas it will take longer for retailers to use AI for defence.

“Current AI is probabilistic, not deterministic - and it is easier to use probabilistic tools for attack than defence.”

A wake-up call for retail

Dr Sood says that these cyber-attacks should be a “significant wake-up call” for the broader retail industry, prompting a necessary shift in perspective.

“Retailers recognise cybersecurity as a core business risk, not just an IT issue, but they need to balance the need to invest in better security with numerous other cost pressures,” he tells Retail Systems. “Mid-sized and smaller retailers in particular may struggle to allocate resources.”

This will trigger more demand for scalable, managed security services and shared threat intelligence platforms, he suggests.

He adds that looking ahead, the retailers should invest in real-time threat monitoring, resilient offline backups, and automated rapid incident response.

“Regular red-teaming, third-party risk assessments, and chief executive-led cyber resilience drills will also be essential to harden their defences and minimise future disruptions,” continues Dr Sood. “While impactful cyberattacks may never be entirely preventable in a hyperconnected world, the retail industry can significantly reduce risk and operational impact.”

Regular tabletop exercises, incident response planning and supply chain risk assessments should also become the norm, he continues.

Dr Nurse says that while cyber-attacks are, unfortunately, inevitable, the success of such attacks is dependent on the cybersecurity of the organisation, its resilience, preparedness, and response strategies.

“A strong strategy can reduce the likelihood of attacks and the impacts if they occur,” he explains.

Zino says that security investments can be challenging but secure-by-design approaches, similar to DevOps and shift left, can lower the overall costs and help compensate for the shortages in cybersecurity staffing, which have “historically undermined efforts to strengthen security.”

Barrow explains that the key industry shift must be away from a prevention-only mindset and towards one that accepts breaches are inevitable and prioritises containment, recovery, and continuity planning. He says that ultimately these high-profile incidents mark a turning point for the retail industry, forcing organisations to re-evaluate the balance between cost-saving and operational resilience.

“The sector faces a clear choice: either significantly enhance its cybersecurity capabilities or accept the risk of routine and potentially devastating business disruptions,” continues the cyber expert.

Of course, the business case for investment has become clearer as M&S reportedly faces millions of pounds in daily losses and market value reduction.

Barrow says that while cost pressures such as higher National Insurance contributions may pose challenges, forward-looking retailers are likely to explore collaborative defences and shared security services to help distribute the financial burden while enhancing overall protection.

“These incidents will likely be encouraging organisations of all sizes to review their own systems and response plans,” says Toby Lewis. “Security can no longer be seen as a cost centre or an IT issue – it’s a core part of operational resilience.”

As well as implementing robust technical defences, it’s essential that security teams understand how today’s attackers are exploiting trust between employers and employees, and the systems or relationships they rely on.

“This human element makes incident management particularly challenging – it’s no longer just a technical issue, but one rooted in human interaction,” continues Lewis. “What matters now is not just prevention, but speed and resilience; the ability to detect, respond to, and recover from attacks quickly and confidently.”

The recent attacks should serve as a stark reminder for retailers across the sector that they are a key target for hackers due to the large volume of data they hold and the high cost of operational downtime incidents like these trigger. While it may not be them this time, cyber-attacks are inevitable, which means that sooner or later they will be next.

As M&S, Co-op, and Harrods begin to recover and rebuild customer trust over the coming days and weeks, they and their industry counterparts must invest heavily in their cyber capabilities, particularly in areas such as supply chain oversight, endpoint detection, business continuity planning, and staff training.

While this may be a challenge for retailers as they face rising operational costs, the wider costs of inaction – both financial and reputational – are much higher. Criminals show no signs of slowing in their ambition to infiltrate the IT systems of the country’s household names, so retailers must ensure they are able to meet them with the right force to protect their assets and customer data in an increasingly complex threat landscape.


