The past 12 months have seen a number of high-profile cyber incidents across the retail sector around the world, with billions lost. Retail Systems associate editor Rory Bathgate provides a retrospective look at some of these events and speaks to experts to see what lessons retailers have learned.
It’s been over a year since ransomware operators launched a series of highly damaging attacks against some of the UK’s largest retailers, and the sector is still on high alert against the very real threat of destructive cyber attacks.
Marks and Spencer, Jaguar Land Rover (JLR), Co-op, and Harrods were among the biggest victims from last year, each experiencing severe cyber attacks that greatly impacted their revenue and daily operations. Further afield, Japanese beermaker Asahi was hit by a major ransomware attack that almost led to a national shortage of beer.
But despite the high-profile nature of the incidents in the UK, the government’s Cyber Security Breaches Survey 2025/2026 found that organisations in the retail sector are less likely to experience breaches than businesses in general, with just 12 per cent having experienced cybercrime in the period the survey covered.
What’s clear, however, is that ransomware gangs haven’t tempered their ambitions in the twelve months since. When attacks do happen, they can be especially devastating for retailers, who may struggle to place orders, shift stock, or even complete actions as simple as operating their tills.
The lessons 2025 teaches us
One of the most notable examples of cyber attacks on retailers in recent memory can be found in the case of Marks and Spencer (M&S).
The UK retailer’s internal systems were first breached in February 2025, but it wasn’t until Easter weekend that hackers from the group Scattered Spider – also known as ShinyHunters – deployed DragonForce ransomware throughout the company’s virtual network.
M&S made the decision to shut down some of its core systems to contain the attack, greatly limiting its online and in-store operations. Self-checkouts, digital supply chain tools, and even the retailer’s online shop were impacted by the attack, effectively shutting down many of M&S’s vital operations.
Archie Norman, chairman of M&S, stood by the decision. In oral evidence on 8 July 2025, he told the UK Parliament Business and Trade Sub-Committee that other retailers took the same route: “I think you will find that Co-op did the same, and probably more radically than we did.
“Once you have closed them down, however, bringing them back up in a safe form is very difficult.”
Indeed, Rob Elsey, group chief digital & information officer at Co-op Group, said the retailer’s cybersecurity teams spotted malicious activity “within literally minutes”. Because its systems were segregated, this initial access did not spread throughout its corporate systems until days later.
Co-op’s defences flagged software within its network attempting to establish contact with a threat actor’s command and control (C2) infrastructure and blocked it. C2 servers are used by hackers to issue orders to malicious payloads and receive exfiltrated data, so blocking the connection was a key step in preventing a further escalation of the campaign.
This secondary attack had spread to several core systems – with the block in place, Elsey explained, Co-op had to rebuild approximately 40 pieces of key equipment to rid the company of the ransomware. During this time, it was forced to run some processes manually.
Dominic Kendal Ward, group secretary and general counsel at Co-op Group, explained that Co-op’s “key vulnerabilities are when we go back to those paper-based systems,” such as in its depots, adding that if its payment systems had been forced to go analogue then different approaches would have to have been found.
Whether or not to take down systems that are affected by a breach can be a difficult decision for retailers. On the one hand, doing so can contain the damage, particularly in cases where ransomware is actively spreading through systems and encrypting them beyond recovery.
On the other hand, the cost of shutting systems down can run even higher than that of the cyber attacks. A cybersecurity expert with experience in critical national infrastructure pointed Retail Systems to the example of the 2021 ransomware attack on Colonial Pipeline. Although the attack primarily targeted the company’s billing systems, they said, it made the decision to shut down its full pipeline operations, resulting in several million dollars of losses.
Nick Folland, general counsel at M&S, told the Committee: “In terms of lessons learned […] something that we would say to others is: make sure that you can run your business on pen and paper, because that is what you need to be able to do for a period of time while all of your systems are down – you having taken them down yourself for protection.”
Norman said that “anybody who has suffered an event like ours would be foolish not to say that there are a thousand things they would like to have done differently,” but pushed back on suggestions that M&S unwittingly left itself open to attack.
“We have 50,000 people working on our systems – colleagues in the stores; contractors working for us, some may be outsourced, some may be in India – so the attack surface is enormous and the attacker, potentially, has only to be lucky once, with one of those 50,000,” he said.
“The right thing to do if you are in our business is to assume that the perimeter is permeable.”
On the defender side, experts tell Retail Systems that retailers face an ever-complicating list of IT environments to monitor for potential attacks. Neil Gibb, chief executive of Blackbox Pentesters, says “the attack surface has grown massively, more cloud services, more exposed applications, more internet-facing infrastructure”.
To pay or not to pay?
Whenever a company is breached by ransomware, it has an immediate choice to make: should it pay to retrieve its data? Traditionally, ransomware strains simply encrypted all data on a corporate environment and left a note on infected computers with instructions on how to transfer money to the perpetrators.
But this approach was less effective against organisations with resilient backup strategies, who could simply restore data in the state it was prior to the infection.
In response to this, recent years have seen the so-called ‘double extortion’ method become popular among ransomware groups. In this approach, hackers try to incentivise victims to pay by also exfiltrating some of their data and threatening to leak it on the dark web if they don’t receive the ransom.
Ultimately, paying comes down to organisational policy and risk appetite.
Professor Anja Shortland is a Professor of Political Economy at King’s College London, a former consultant to the World Bank, and the author of the book We Know You Can Pay a Million: Inside the Dark Economy of Hacking and Ransomware. Throughout her career, her research has looked at the economics of how legal entities transact with criminal enterprises, including piracy, hostage negotiations, and ransomware.
She tells Retail Systems that when ransomware first became a notable threat, many ransomware gangs worked hard on establishing themselves as legitimate organisations including renting office space, hiring formal workforces, and even establishing HR departments. This “paradox” was essential, she explains, as it helped attackers to send the message that “we have a reputation, we value that reputation, and to some extent we will not go back on our word because we'd rather our customers paid without hesitation”.
In turn, she adds, victims and insurers were historically quite willing to pay for decryption keys “that save you weeks’ worth of rebuild time”. But in the years since the economics have shifted.
“So when the insurance industries created their protocols about how to resolve that kind of incident, the best advice that they could give their customers was to keep it really quiet, put a privacy lawyer in charge of anything, say nothing, don't report anything, pay as fast as possible, and then do all the things that you need to do from a regulator's point of view if you really must disclose that it happened in the first place,” she explains.
“That has changed. Insurance companies have reacted and say, ‘okay well as an industry, it's not good for us if this business model works really smoothly for the attackers’. So there is now more of [an attitude of] do we really need it? And what exactly is it that we're getting? Do they have data that we can't get from a backup anywhere in the organisation? Is there really nothing we can do? And then it's still up to the insured to make the decision.”
Last year’s attacks weren’t characterised by of the affected retailers publicly paying the ransom, but ransomware payments are an integral part of why attackers target large organisations in the first place.
Indeed Archie Norman, chairman of M&S, told the Committee that his firm decided early on that nobody would directly interact with Scattered Spider.
“We felt that the right thing was to leave this to the professionals who have experience in the matter,” he told the committee.
However, he did not answer a direct question on whether M&S paid a ransom. He instead described it as a “business decision,” with organisations weighing up what they are actually getting for a payment “once your systems are compromised and you are going to have to rebuild anyway”.
“Maybe they have exfiltrated data that you do not want them to publish, maybe there is something there, but in our case, the damage had substantially been done,” he added.
Of course even if victims choose to pay, it comes with no guarantee that systems will actually be restored.
Co-op’s Kendal Ward said that his organisation had not only declined to pay the ransom, but also never engaged in communications with the hackers.
“We did not pay a ransom, and nor did we contemplate or at any point discuss paying a ransom,” he told the Committee.
The same cannot be said for all retailers.
In June 2025, Sophos published its latest State of Ransomware report, which drew on responses from 3,400 IT and cybersecurity leaders. It found that 49 per cent of victims paid the ransom to get their data back. This was a drop from 2024, in which 56 per cent said they paid. At the same time, the median ransomware demand dropped by more than a third to $1.32 million.
But in its subsequent report, published in November 2025 and centred on the retail sector, Sophos found that 58 per cent of retailers hit by ransomware in 2025 chose to pay the ransom. Attackers were also found to be asking more of retailers specifically, with the median ransom demand levelled at them having risen to $2 million, double that of 2024.
The data appears to show ransomware gangs zeroing in on the retail sector as rich with potential targets, and raising their prices accordingly.
The official advice of the UK National Cyber Security Centre (NCSC) is for victim organisations to take their time on the decision and not feel pressured into making payments. The NCSC also notes that proper backups are an alternative route to restoring systems, that payments should be properly documented, and that making a payment does not fulfil regulatory obligations.
The UK government is also pushing ahead with plans to ban public sector organisations and operators of critical national infrastructure from paying ransomware operators for decryption keys. But as this will not apply to the private sector, businesses will still have the option to pay if that fits within their crisis plans. Without further transparency, this practice will continue. Facing more intense attacks, retailers will also experience mounting pressure to decide whether they will pay.
Modern attack methodology
If you keep ransomware out altogether, or recover from attacks on your own, you don’t have to pay attackers for a decryption key. But while retailers are improving their defences and resilience, including preparing comprehensive business continuity plans (BCPs) for when breaches are successful, they are up against a constantly changing threat landscape.
“Ransomware isn’t going away anytime soon, it’s still showing up in a huge proportion of breaches,” says Gibb. “What is changing is how attackers are getting paid. The increase in organisations refusing to pay (now 69 per cent [according to Verizon’s cross-sector Data Breach Investigations Report]) suggests businesses are getting better at recovery, stronger backups, improved response planning and more pressure from regulators and law enforcement not to engage.
“That said, attackers aren’t slowing down. If anything, they’re becoming more aggressive. We’re seeing faster execution once inside, plus more layered extortion tactics to try and force payment. So, it’s less about ransomware declining and more about it adapting in response to tougher victims.”
One of the recurring attack vectors in 2025 saw attackers gain access to critical systems via weaknesses in third-party supply organisations. Spencer Young, senior vice president international at Delinea, argues that the retail industry has responded “phenomenally well” to the attacks and that it’s led to a significant shift for internal cybersecurity practices.
“I think they've done that because they've realised that those attacks that took place last year all had a common denominator, being that no one broke in – they logged in and the access they obtained came from stolen and misused credentials,” he says.
Young’s argument is that social engineering, account takeover, and poor identity verification present the primary risk to retailers. It’s a view shared by Madelein van der Hout, senior industry analyst for cybersecurity and risk at Forrester, who says that retail staff are prime targets for such attack vectors.
She explains that unlike corporate staff, retail workforces are expansive and constantly changing, which makes it very hard for employers to ensure they are all up-to-date on cybersecurity training. They may also be required to use personal devices such as phones to access their corporate systems, she adds, which “increases the attack surface and forces policies to be more permissive than, for instance, in a corporate environment”.
Working for a retailer also comes with different expectations around external interactions, van der Hout says.
“Retail environments are built around fast service and they are built around saying yes,” she says. “And that is the opposite of how good decisions around security are made. Store staff, help desk, customer service agents, they're under quite some pressure to resolve those problems very quickly for customers and for colleagues and someone from the head office can then quite easily disrupt or bypass.”
Attackers lean heavily into creating this urgency – and it’s a tactic that works precisely because it exploits behaviour that would otherwise be a virtue, as Professor Shortland, explains
“The system itself will only be as secure as the kind lady on the switchboard who hands out passwords, because she's collegial and friendly and wants to help out,” she says. “I mean, you don't want to breed that out of people either. They're really preying on our best instincts.”
Indeed, while cutting edge attacks are a concern it is in the employee layer that many attacks start, either due to poor password management or the susceptibility of employees to social engineering.
In the case of Co-op, for example, hackers impersonated an employee and reset their password by answering security questions. From there, they were able to access internal IT systems.
It is exactly this kind of low-tech entry point – social engineering rather than sophisticated code – that Young says defined the attacks over the past 18 months.
He adds that third-party access via retail supply chains was a “common theme” throughout 2025 and that this is already well-understood. In response, he says, retailers have invested more heavily in supply chain observability and implemented two key principles: zero trust and least privilege.
Zero trust means continuously verifying every user within an environment, even those who appear legitimate. Least privilege goes a step further, ensuring that each user or system is granted only the minimum level of access needed to perform their role – limiting the damage any single compromised account can do. In Elsey’s evidence to the Committee, he stated that Co-op’s threat detection systems flagged anomalous activity from a compromised employee account, and this is what helped cybersecurity teams at the organisation to contain the breach.
The long tail of supply chain attacks
The knock-on impact of a ransomware attack on the retail supply chain can be severe, particularly if retailers are unable to fulfil orders with suppliers or are unable to properly store perishables during outages caused by a cyber attack.
JLR is a prime example, with the ultimate cost of last year’s cyber attack against the automobile manufacturer standing at £1.6 to £2.1 billion, according to October 2025 analysis by the not-for-profit Cyber Monitoring Centre. This makes it “the single most financially damaging cyber event ever to hit the UK,” researchers noted, adding that the cost includes the massive knock-on impacts to the more than 50,000 businesses affected across JLR’s supply chain.
Young says there’s “no question” that business continuity and the impact of cyber attacks on the supply chain have become more expensive and damaging than ransomware attacks themselves.
Van der Hout tells Retail Systems that this is backed up by data showing outages can cost many times as much as ransomware demands for large and small businesses alike.
“Downtime, especially in manufacturing, can be devastating, there are businesses that unfortunately go out of business because of it,” van der Hout explains.
In his evidence, Norman said that much of the disruption M&S experienced came from its decision to shut down its own systems to limit the fallout from the attack.
“So there was some impact, but we closed down the systems as part of the defence, which is the right thing to do,” he said.
In November 2025, the retailer revealed the cyber attack had cost it an estimated £136 million, with statutory profit before tax down 99 per cent for the first half of its 2026 fiscal year, and it experienced an overall dip of 28.8 per cent in statutory profit before tax before its full-year results.
Its third-party suppliers were also heavily impacted. Greencore, a firm which produces sandwiches and other meal deal foods for M&S, was forced to take orders on pen and paper during the height of the attack, with output ramped up by a fifth to ensure M&S didn’t go without.
"With the challenges of the system we don't have intricate forecasting that we would have previously had, so we're just making sure that they've got everything they need and some more," Greencore chief executive Dalton Philips told the BBC in May 2025.
Simulating attacks
For all the technical and economic aspects involved in defending against and responding to cyber attacks, threat campaigns of this kind also put immense pressure on legal and PR teams at targeted retailers. Experiencing some of this stress in a controlled environment can help prepare retailers for emergencies.
While conducting research for this article, Retail Systems had the opportunity to take part in a simulated ‘war room’ exercise, which split participants from throughout the retail and cybersecurity industries into ‘red’ and ‘blue’ teams to represent attackers and defenders.
The exercise also highlighted some of the key threats that retailers face in the cyber space, including social engineering, lateral movement, and supply chain attacks. It assigned ‘blue team’ defenders the role of cyber professionals at a national supermarket, engaged in the launch of a new AI supply chain tool and ‘red team’ attackers the role of a state-sponsored hacking group.
Attendees in senior cybersecurity roles stressed that attack patterns can vary widely depending on whether the attackers are looking to extract payment from the victims or simply to cause as much damage as possible. The latter category of attack tends to be associated with state-sponsored hacking groups.
Simulations help cyber teams and other stakeholders including C-suite executives to better understand avenues of attack and to form BCPs that will actually help their organisation to continue operating in the event of a cyber attack.
For example, in the simulation the blue team emphasised the importance of laying the groundwork with an external PR firm at the outset of any incident, as well as referring to existing BCPs to ensure reactive measures match pre-agreed measures.
Of course, simulating attacks is not the be-all and end-all of cyber preparation. Indeed, M&S itself had run cyber attack simulations just prior to the attack. But Norman told the Committee that this couldn’t provide the full psychological preparation: “The simulation and the red team attacks were as nothing compared with what happens and the intensity of it,” he said.
Co-op’s Elsey agreed that the reality of a cyber attack is far worse than simulations, but said his organisation’s preparation helped: “There are pressures in the moment on the individuals and teams involved. On the record, I want to say how appreciative I have been of my own teams and their ability to respond in what is an incredibly tough situation.
“These are husbands and wives and mums and dads, and they are required to put in an awful lot of time, and it is a very high-pressure environment because their decisions count in the moment. There are always learnings from a real experience versus those simulated ones, but the simulated ones are incredibly helpful.”
What the exercise made equally clear is that the threat landscape itself is shifting – and that future simulations may need to contend with attack vectors that didn't exist when last year's incidents began.
The future attack surface
It was no accident that the war-gaming exercise was focused on a retailer rolling out a new agentic AI tool. As AI becomes more widely adopted, it could produce as much risk as productivity unless it is properly governed, tracked, and contained.
If improperly deployed and configured, AI models could open retailers up to novel attack vectors such as prompt injection, in which malicious inputs to AI tools cause them to override built-in safeguards to produce harmful outputs. While this can be used for reputationally damaging incidents, for example if a customer assistance chatbot were to produce harmful content, it’s more concerning as a potential backdoor that can be exploited to weaken a victim’s defences from the inside.
AI agents multiply this problem several times over, ranging from semi-autonomous to fully autonomous tools designed to be deployed at scale.
Delinea’s Young says that in some businesses, human workers will soon be outnumbered by AI agents. He gives the example of a major UK retailer with whom Delinea works, which has estimated that it will soon have “45 to 50 agents to every one human,” each in need of its own governance controls and authentication.
Without comprehensive and auditable identity controls for each agent, they could introduce errors or be manipulated to propagate malicious code through enterprise systems, all without any oversight from cyber teams.
All of this is before you get to how humans can use AI for attacks.
Professor Shortland says that AI will play a significant role in the next evolution of ransomware, primarily in lowering the bar to entry for would-be hackers. But she points to the apprehension of two teens who in 2026 were convicted for hacks targeting Transport for London (TfL), as an example of the kind of attackers that will benefit the most from using AI to launch ransomware attacks.
This could have unexpected consequences for the industry as a whole, she says, undermining the ‘professional’ reputation that state-sponsored ransomware gangs have built over the past decade.
“In a slightly more fragmented landscape, you have kids who are just having a go with malware they might not really understand,” explains Professor Shortland. “So I think we're going to see quite a lot more things just going wrong at the encryption stage, just bricking up and you don't know who to contact, there isn’t the way of matching up a decryption key with a victim.
“That's a lot more problematic. Things will just inexplicably go wrong.”
At the same time, Professor Shortland says that more attacks in the vein of Scattered Spider – which is made up largely of teens and young adults based in the UK and US, including the aforementioned TfL hackers – would make life easier for the UK’s National Crime Agency as it could directly arrest the hackers involved.
It is evident that the ransomware landscape is becoming even more complex and as ransomware attacks decrease in volume, they are simply increasing in intensity and innovation. Ransomware groups have had a taste of the destruction they can cause, forcing national retailers to run on pen and paper and inflicting severe damages. Ransomware groups also know that attacks on retailers put immense pressure on their leadership and staff alike.
Van der Hout has no doubt that attacks on the retail sector will increase in scale and intensity in the coming years.
“The retail industry is like a high reward environment for attackers,” she says, adding that retailers hold a great deal of personal data in the form of payment information and customer loyalty data.
What is also clear is that training exercises and attack simulations are not enough to psychologically prepare staff for the reality of a ransomware attack. The chief takeaway from 2025 for retailers may simply be: ‘this is how bad things can get’.
In his evidence, Norman referenced a quote by Field Marshal Helmuth von Moltke the Elder that is often shorted to “no plan survives first contact with the enemy”. The full quote, though less punchy, says that though humans cannot see beyond the first battle, the "tactical result of an engagement forms the base for new strategic decisions”. Retailers that take last year’s attacks as a worst-case scenario from which to build their response strategies can do the best they can to avoid becoming historical examples themselves.








Recent Stories