
A Two Week Cyber Onslaught Shakes the Retail Sector

  • Writer: Karl DiMascio
  • May 15
  • 17 min read

Introduction

In the first weeks of May 2025, a series of sophisticated cyberattacks struck at the heart of the UK retail industry. High-street icon Marks & Spencer, supermarket giant Co-op, and luxury mainstay Harrods were all targeted in rapid succession. Websites crashed, customer data was exfiltrated, and operational systems were forced offline. Within days, it became clear that this wasn’t coincidence: it was a coordinated offensive.

This piece is both a fact-based examination of what occurred and a personal reflection on what it all means. Drawing from official statements, incident reports, government commentary, and industry intelligence, it aims to do more than just report the breaches. It attempts to make sense of them, and to explore why these events mark a pivotal turning point for the retail sector and its approach to cybersecurity.

Because this wasn’t just about three companies; it was about an entire sector being shown, in real time, just how vulnerable it truly is.

What we’re witnessing is not simply a string of attacks. It’s a strategic shift in cybercriminal focus, an erosion of assumed defences, and a growing sense that the digital battleground has expanded well beyond banks and critical infrastructure into mainstream consumer commerce.

As you'll read, the methods used were precise, the damage measurable, and the message unmistakable: Retail is now in the crosshairs.

A Two-Week Siege on Retail Giants

The turmoil began at Marks & Spencer (M&S), a household-name retailer with 1,400 stores worldwide. Over the Easter weekend in April, customers noticed something was wrong: online orders stalled, and even in-store services like contactless payments and Click & Collect started failing. By April 25, M&S was forced to pause all online orders entirely. What initially sounded like a technical outage soon emerged as a full-blown “cyber incident” that crippled the company’s digital operations for weeks. M&S’s 1,000+ brick-and-mortar shops remained open, but the inability to sell via its website was devastating: analysts estimated the profit hit at £30+ million, with losses mounting by ~£15 million per week as spring shoppers were unable to buy new-season clothes online. The company’s stock price plummeted 15% in the days following the attack.

As M&S scrambled to respond, another giant was hit. On April 22 (around the same time as the M&S breach), the Co-operative Group, commonly known as Co-op, a UK supermarket chain with over 3,700 stores, detected attempted intrusions in its network. Co-op promptly shut down parts of its IT systems as a defensive measure, causing some disruption to back-office and call centre services. Initially, Co-op downplayed the event, with a spokesperson describing it as “attempts to gain unauthorized access” that were proactively contained with only a “small impact” on operations. Stores, e-commerce, and even Co-op’s funeral home services continued to run normally at first. But within days, it became clear this was no minor hack: Co-op’s internal investigation revealed the attackers had breached the network and stolen data from one of its core systems.

Then, on May 1, Harrods, the world-famous luxury department store in London, confirmed it had also been “targeted in a cyberattack,” making it the third major UK retailer caught in the crossfire. In a statement, Harrods reported recent “attempts to gain unauthorised access” to its systems, which triggered the company to immediately restrict internet access across its facilities as a safeguard. Remarkably, Harrods managed to keep all of its physical stores (including the Knightsbridge flagship and airport locations) open for shoppers, and its website remained operational for customers.

The company assured patrons that there was no need to behave differently or change any credentials at that point. Still, the image of such a venerable retailer having to cordon off its IT networks signalled the depth of the threat. As one report noted, three of Britain’s most prominent retail chains suffered cyberattacks in the space of a week, a coordinated onslaught virtually unprecedented in the sector.

Ransomware, Data Theft & New Tactics on Display

Behind these incidents lies a disturbing common thread: ransomware coupled with aggressive data theft, enabled by highly deceptive social engineering tactics. It soon emerged that the M&S and Co-op breaches were perpetrated by the same loose collective of threat actors, employing techniques honed on previous high-profile victims. Investigators attributed the attacks to affiliates of the DragonForce ransomware operation, working in tandem with a notorious hacking crew dubbed “Scattered Spider” (also tracked as Octo Tempest by Microsoft).

At M&S, the hackers infiltrated the network and deployed ransomware that encrypted dozens of servers and virtual machines running the retailer’s online infrastructure. In fact, they hit M&S’s VMware ESXi servers, the kind of target that can bring an enterprise to its knees, scrambling critical systems and effectively blacking out the company’s online storefront. Simultaneously, the attackers exfiltrated sensitive customer data before locking the systems. M&S later confirmed that the breach, which began on April 22, allowed intruders to steal personal information belonging to customers. The “sophisticated nature” of the attack was repeatedly emphasized by the company.

Co-op experienced a similar multi-pronged assault. According to insiders, the breach at Co-op also began with social engineering: the attackers tricked their way into resetting a Co-op employee’s password, granting a foothold into the network. Once inside, they grabbed a copy of the Windows Active Directory database (NTDS.dit), which contains hashed passwords for the company’s user accounts. From there, they likely attempted to move laterally and deploy ransomware. Fortunately for Co-op, their IT team’s rapid defensive actions limited the damage; the hackers were prevented from encrypting systems and causing widespread disruption. However, the data theft had already occurred: Co-op eventually admitted that “hackers were able to access and extract data from one of our systems,” affecting a “significant number” of current and past members. In fact, the criminals claim to have stolen data on 20 million people who had signed up for Co-op’s membership rewards program. (For context, Co-op has about 6.2 million active members in the UK, so that figure likely includes historical records or multiple datasets.) The stolen information includes names and contact details; thankfully, no plaintext passwords or payment card numbers were exposed in Co-op’s case, according to the company.

The assault on Harrods, while apparently thwarted before data was known to be stolen, followed the same playbook. Harrods’ statement pointed to attempted intrusions that prompted an immediate lockdown of network access. Cybersecurity experts note that the decision to cut off internet access, effectively isolating Harrods’ systems, is a telltale sign of incident response to a ransomware threat. It suggests the attackers were detected in the act of trying to “infiltrate [the] network,” possibly triggering alarms that led Harrods to slam the digital doors shut. The quick reaction likely prevented the worst, but it underscores how ubiquitous and brazen these attacks have become.

So who exactly is behind this retail rampage? The crew in question, Scattered Spider/Octo Tempest, is a “fluid collective” of mostly young, English-speaking hackers known for creative social engineering and aggressive tactics. They specialize in impersonating IT staff: for instance, calling a company’s real IT helpdesk while posing as an employee in order to get that employee’s password reset. They’ve also been known to use SIM swapping and MFA fatigue (repeatedly bombing a target’s phone with login prompts) to defeat multi-factor authentication.
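As an added illustration (not code from the original post or from any of the retailers discussed), the following Python detector flags the MFA fatigue pattern described above, a burst of denied or timed-out push prompts followed by an approval, over constructed authentication log lines. The log format, field names, the ten-minute window and the four-prompt threshold are all assumptions for the example.

```python
"""Added example: detect an MFA "push fatigue" burst in authentication logs.

The log format below is constructed for this illustration (not real
telemetry from any of the retailers discussed): one event per line,
  <ISO-8601 UTC timestamp> <username> <event> <result>
where result is one of approved / denied / timeout.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: alice receives a burst of push prompts at 2 a.m.
# and finally approves one; bob shows ordinary, spread-out activity.
SAMPLE_LOG = """\
2025-01-15T02:14:05Z alice.smith MFA_PUSH denied
2025-01-15T02:14:31Z alice.smith MFA_PUSH denied
2025-01-15T02:15:02Z alice.smith MFA_PUSH timeout
2025-01-15T02:15:40Z alice.smith MFA_PUSH denied
2025-01-15T02:16:12Z alice.smith MFA_PUSH denied
2025-01-15T02:16:55Z alice.smith MFA_PUSH approved
2025-01-15T08:03:10Z bob.jones MFA_PUSH approved
2025-01-15T09:45:00Z bob.jones MFA_PUSH denied
2025-01-15T13:10:00Z bob.jones MFA_PUSH approved
"""


def parse_line(line):
    """Split one log line into (timestamp, user, event, result)."""
    ts, user, event, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result


def detect_mfa_fatigue(log_text, window_minutes=10, threshold=4):
    """Return one alert dict per burst of unapproved push prompts.

    A burst is `threshold` or more denied/timed-out prompts for the same
    user inside a sliding window of `window_minutes`. If the user then
    approves a prompt while the burst is still within the window, the alert
    is marked approved_after_burst=True: the signature of a successful
    fatigue attack and the case that warrants an immediate session revoke.
    """
    window = timedelta(minutes=window_minutes)
    pending = defaultdict(deque)  # user -> timestamps of unapproved prompts
    open_alerts = {}              # user -> alert for the burst in progress
    alerts = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result = parse_line(line)
        if event != "MFA_PUSH":
            continue

        dq = pending[user]
        # Expire prompts that have slid out of the window.
        while dq and ts - dq[0] > window:
            dq.popleft()
        if not dq:
            open_alerts.pop(user, None)  # the previous burst ended quietly

        if result in ("denied", "timeout"):
            dq.append(ts)
            if user in open_alerts:
                open_alerts[user]["unapproved_prompts"] = len(dq)
            elif len(dq) >= threshold:
                alert = {
                    "user": user,
                    "first_prompt": dq[0],
                    "unapproved_prompts": len(dq),
                    "approved_after_burst": False,
                }
                open_alerts[user] = alert
                alerts.append(alert)
        elif result == "approved":
            if user in open_alerts:
                open_alerts[user]["approved_after_burst"] = True
            # Any approval closes the current burst, alerted or not.
            dq.clear()
            open_alerts.pop(user, None)

    return alerts


if __name__ == "__main__":
    for a in detect_mfa_fatigue(SAMPLE_LOG):
        print(a)
```

On the constructed log this raises a single alert for alice.smith with five unapproved prompts and approved_after_burst set, while bob.jones's spread-out activity stays quiet.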

These methods were infamously used to breach casino giant MGM Resorts in 2023, among other victims, and now we see them repurposed against retail. Once inside a network, Scattered Spider actors act as ransomware affiliates for hire: they’ll steal data and deploy a ransomware payload (in this case, the DragonForce encryptor) on behalf of ransomware-as-a-service groups. The spoils are then shared: the affiliate hackers typically keep 70–80% of any ransom paid, with the remainder going to the ransomware operator. DragonForce itself is a relatively new RaaS outfit (it emerged in late 2023) but is “gearing up to be one of the more prominent” ransomware brands, recently advertising its services to other cybercriminals. In short, the attacks on M&S, Co-op and Harrods were not random or isolated; they were part of a coordinated extortion campaign, executed by a savvy adversary leveraging the latest tools of the cybercrime trade.

Voices from the Front Lines: Stakeholder Reactions

Facing this unprecedented threat, retail executives, cybersecurity experts, and government agencies have all spoken out, their statements offering a window into both the chaos of the moment and the lessons being learned.

Retail leadership moved quickly to address customers and shareholders. At M&S, CEO Stuart Machin took the unusual step of posting an open letter on the company’s official Facebook page to frankly acknowledge the breach. “As we continue to manage the current cyber incident, we have written to customers today to let them know that unfortunately, some personal customer information has been taken,” Machin wrote, confirming the data theft. He was careful to reassure the public: “Importantly, there is no evidence that the information has been shared and it does not include usable card or payment details, or account passwords, so there is no need for customers to take any action”. In other words, the attackers got away with contact information and some personal data, but not the crown jewels of payment info, a silver lining Machin was keen to highlight. Nevertheless, M&S did prompt all online account holders to reset their passwords at next login, as a precaution. The company also warned customers to be on the lookout for phishing attempts pretending to be M&S communications in the aftermath of the breach.

Co-op’s leadership initially maintained a calmer public stance, but had to backtrack as the severity became clear. In the first press statement, a Co-op spokesperson acknowledged “attempts to gain unauthorized access to some of our systems” and lauded the “proactive steps” taken to keep systems safe, implying the situation was contained. Internally, however, Co-op management was sounding alarms. An internal memo from Co-op’s Chief Digital and Information Officer, Rob Elsey (later obtained by journalists), told employees that VPN access had been disabled and urged extreme vigilance with company communications. “When running a Microsoft Teams call, please ensure all attendees are as expected and that users are on camera,” Elsey cautioned, warning staff not to post sensitive information in Teams chats. These instructions were a clear reaction to the attackers’ tactics; recall that the hackers had actually messaged Co-op executives via Microsoft Teams during their extortion attempts. By May 5, Co-op came clean publicly: ongoing forensics confirmed that member data had indeed been stolen. “The accessed data included information relating to a significant number of our current and past members,” the company admitted, specifying that names and contact details were taken (but, as with M&S, no passwords or card numbers). Co-op’s tone had shifted from reassurance to apology and transparency, as it began the laborious process of notifying millions of people that their info may have been compromised.

Harrods, for its part, communicated sparingly, likely hoping to project confidence that its incident was contained. In a statement shared with press, a Harrods representative confirmed only that “threat actors recently attempted to hack into their systems,” prompting immediate action to protect systems. “Our seasoned IT security team immediately took proactive steps to keep systems safe and as a result we have restricted internet access at our sites today,” the Harrods statement read. The luxury retailer emphasized that all stores remained open for business and customers could continue shopping online as normal. “We are not asking our customers to do anything differently at this point,” Harrods noted, attempting to reassure shoppers and preserve its reputation. Notably absent were any details on whether the hackers succeeded in breaching internal data or systems, a silence that suggests either Harrods truly foiled the attack in time, or is choosing to tightly control the messaging until investigations conclude.

On the government and law enforcement side, the response was swift and stern. The UK’s National Cyber Security Centre (NCSC), which is part of the GCHQ intelligence agency, took the unusual step of issuing a public advisory in the wake of these breaches. NCSC CEO Dr. Richard Horne addressed the situation directly: “The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers and the public,” Horne stated, adding that “These incidents should act as a wake-up call to all organisations.” He urged business leaders across industries to follow NCSC guidance to ensure they have strong measures in place to prevent such attacks and to be ready to respond and recover effectively. The NCSC confirmed it was actively working with the affected retailers to understand the attacks and help mitigate the damage.

Meanwhile, the UK’s National Crime Agency (NCA) and Metropolitan Police launched investigations into the breaches (the Met Police formally acknowledged it was looking into the M&S attack). The incidents even drew scrutiny from lawmakers: Parliament’s Business and Trade Committee sent letters to the CEOs of M&S and Co-op demanding to know whether they received adequate support from government agencies like NCSC and NCA during the crisis. This level of parliamentary interest signals that regulators are keenly observing how the retail sector handles cyber threats, and whether new policies might be needed to bolster defences.

Cybersecurity experts and industry analysts have also weighed in, often in stark terms. Google’s Threat Intelligence team went public with a warning that the same hackers hitting UK retailers were now turning their sights to the United States. “The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to [the group] Scattered Spider,” said John Hultquist, a prominent analyst at Google, on May 14. He noted that this threat actor has “a history of focusing their efforts on a single sector at a time, and we anticipate they will continue to target the [retail] sector in the near term. US retailers should take note.” In other words, the spree seen in Britain could be just the beginning of a broader crime wave against retailers worldwide. Other security researchers have underscored the sophistication and audacity of the group’s methods. “These actors are aggressive, creative, and particularly effective at circumventing mature security programs. They have had a lot of success with social engineering and leveraging third parties to gain entry to their targets,” Hultquist told BleepingComputer in an interview. The fact that young hackers, some reportedly as young as 16, could wreak such havoc on established companies has been a sobering thought for many observers. It’s also a reminder that cyber defence is as much about people as technology: highly trained social engineers can talk their way past millions of dollars of security tech if employees aren’t prepared to spot the con.

Disruption, Fallout, and the New Risks to Retail

Beyond the immediate firefighting and PR damage control, these breaches have concrete impacts on operations and underline new risks that retail businesses must now reckon with. One obvious consequence is operational disruption: modern retailers depend on IT systems for everything from online sales to in-store inventory and payment processing. When those systems go down, even partially, the effects are tangible on the shop floor. M&S’s ordeal is a prime example. With its online ordering system offline for three weeks, the company not only lost e-commerce revenue but also struggled with secondary effects: logistics and supply chain hiccups that left some physical stores with empty shelves. Shoppers at certain M&S food halls encountered signs reading “Please bear with us while we fix some technical issues affecting product availability.” Essentially, the ransomware attack forced M&S to take some internal systems offline (to contain the breach), which in turn disrupted how products were replenished in stores. Meal deal items and other perishables went out of stock in some locations because the normal ordering and stocking processes were paralyzed. Even M&S’s hiring processes took a hit; the company had to pull down all its job postings during the incident, since the career portal was impacted, posting a message: “Sorry you can’t search or apply for roles right now, we’re working hard to be back online as soon as possible.” These anecdotes illustrate that a cyberattack’s blast radius can extend far beyond IT into core business functions, grinding sales and operations to a halt in unexpected ways.

At Co-op, the disruption was less visibly severe (stores stayed open and stocked), but behind the scenes the company had to rebuild critical systems in the aftermath. Co-op embarked on a full rebuild of all its Windows domain controllers, essentially the nerve centre of its internal network, and enlisted Microsoft’s elite DART incident response team to help lock down its Azure cloud environment. The forensics and remediation effort also involved outside consultants (KPMG was brought in for additional support on AWS systems). These are costly, resource-intensive measures, undertaken while Co-op simultaneously had to handle customer communications and regulatory duties (like notifying the UK data protection authority and impacted individuals). In short, even though Co-op didn’t have to close stores or lose sales in the short run, the long-term cleanup and recovery will be an extensive (and expensive) project. It’s a reminder that cyber breaches incur heavy “hidden” costs (incident response, security audits, infrastructure overhauls, legal fees, and so on) that might not be immediately apparent to the public.

Another major fallout is the exposure of customer data and the attendant risk to consumer trust. Between M&S and Co-op alone, the personal details of millions of shoppers have potentially been compromised. M&S disclosed that a wide range of data was stolen: full names, email addresses, home addresses, phone numbers, dates of birth, and even customers’ past order histories were among the exposed information. (Payment card details were also taken in the M&S breach, but in a “masked” format that hides most of the digits, making them not directly usable.) Likewise, Co-op confirmed names and contact info of members were stolen. While it’s somewhat reassuring that no cleartext financial info or passwords leaked in these cases, the data that did get out is rich enough for criminals to exploit. Fraudsters could, for instance, launch highly convincing phishing campaigns targeting M&S or Co-op customers by referencing details from their order history or loyalty accounts. The companies have warned customers to be on guard for exactly this scenario.

The erosion of consumer trust is a serious concern: retail is a sector built on customer loyalty and brand reputation. If shoppers worry that buying from a certain store might lead to their personal data being posted on the dark web, they could easily take their business elsewhere. It’s a nightmare scenario for retail executives, one that adds pressure to not only resolve the current incident but to visibly strengthen security afterward. As one industry observer noted, these breaches might spur retailers to treat personal data with the same care as credit card data, which has long been protected by strict PCI standards, because the reputational stakes are now just as high.

The recent hacks have also highlighted potential regulatory gaps and oversight challenges. Historically, retailers have not been regulated as heavily on cybersecurity as, say, banks or healthcare organizations. That might be poised to change. In the UK, the flurry of attacks led to calls for greater government involvement, exemplified by Parliament summoning retail CEOs for explanations. It’s possible that regulators will look at whether retail should be considered part of a nation’s critical infrastructure (after all, food and clothing supply disruptions can have wide societal impact). If so, big retailers might be subjected to tighter security requirements or mandatory breach reporting rules beyond what general data protection law (GDPR) already covers. On the other hand, the situation also underlines the importance of public–private cooperation rather than just punishment. The NCSC’s role in actively assisting the retailers shows a collaborative approach: government agencies providing expertise and warnings (like the NCSC’s official guidance issued to all UK retailers in April as the attacks unfolded). In the United States, one could envision CISA (Cybersecurity and Infrastructure Security Agency) stepping up alerts to the retail sector, especially since threat intelligence suggests American retailers are now in the crosshairs. We may see initiatives like information-sharing networks tailored for retail cyber threats, or government-backed emergency response teams ready to help retailers under attack.

The Future of Cybersecurity in Retail: Adapt or Fall Behind

Taken together, these incidents paint a clear picture: retail is now firmly on the front lines of cybersecurity, and the status quo will not suffice. Several themes emerge that are likely to shape the future of cyber defence in the retail sector:

  • Rise of Sophisticated, Sector-Focused Attacks: The Spring 2025 attacks demonstrate an unnerving level of focus and sophistication. No longer are retailers only worried about opportunistic credit card skimmers or low-level hackers defacing websites. They are up against well-resourced ransomware crews who can coordinate simultaneous attacks and lie in wait for the perfect time to strike (like a holiday weekend). These adversaries use advanced techniques, from infiltrating virtualization infrastructure to deft social engineering, that can defeat even mature security programs. The fact that a loosely knit group of teenage hackers could penetrate Fortune-500-sized retailers is a wake-up call that technical prowess alone isn’t enough; security strategies must assume a clever human adversary will try to trick employees and abuse any system vulnerabilities.

Going forward, retailers will need to invest in intensive security awareness training, regular phishing simulations, and perhaps deploy more robust identity verification processes for IT support interactions (to counter the help-desk impersonation trick).

  • Supply Chain and Operational Resilience: We’ve seen how attacks can disrupt supply chains and store operations in a flash. This means retailers must double down on resilience planning. Business continuity and disaster recovery plans should account for scenarios like “What if our online ordering system is ransomed?” or “How do we keep stores stocked if our network goes down?” Some companies might start segmenting networks more strictly, so that a breach in the customer-facing website doesn’t cascade into warehouse or point-of-sale systems. Others might explore analogue fail-safes; for example, having a manual process to authorize payments or track inventory if computers fail. The key is ensuring that a single cyber incident can’t bring the entire retail operation to a standstill.

On the supply chain front, expect retailers to scrutinize their technology vendors and partners too. A vulnerability in a third-party provider (like a payment processor or a cloud service) could easily become the attackers’ entry point. Hence, third-party risk management will be a growing priority: conducting security audits of suppliers, requiring them to meet certain standards, and preparing contingencies if a critical vendor is hit.

  • Regulatory Pressure and Compliance: It’s likely that regulators won’t sit idle after these high-profile breaches. Retailers should anticipate more stringent compliance requirements around cybersecurity. This could take the form of updated data protection rules (ensuring that personal data like home addresses and order histories are encrypted or pseudonymized in databases) or even sector-specific regulations. For instance, authorities might classify large retailers as “essential services” under laws similar to the EU’s NIS (Network and Information Systems) Directive, which would mandate robust security controls and incident reporting. At the very least, enforcement of existing laws will be on the radar; the UK Information Commissioner’s Office (ICO) and other data protection regulators will be investigating these breaches, and heavy fines could follow if security negligence is found. This creates an incentive for retail boards to treat cybersecurity as a compliance issue at the highest level, not just an IT issue. We may see more retailers appointing dedicated Chief Information Security Officers (CISOs) and increasing their cybersecurity budgets as a proactive measure.

  • Public–Private Collaboration and Threat Intelligence Sharing: One hopeful theme in this saga is the degree of collaboration that emerged. The victimized retailers benefited from expert help: M&S and Co-op working with Microsoft’s incident response team and law enforcement, NCSC providing guidance, and even intelligence from private firms like Google alerting others of the threat. This model of sharing information quickly (such as indicators of compromise, or tactics of the attackers) can significantly blunt the impact of a campaign. For example, once it was known that the attackers were impersonating help desks, other companies could immediately warn their IT staff to be on high alert for unusual requests.

Future cybersecurity in retail will likely involve more participation in information-sharing groups (ISACs), closer ties between companies and national cyber agencies, and maybe collective defence initiatives. In an encouraging sign, some of the Scattered Spider hackers have been caught: a number of members associated with earlier attacks were arrested in the US, UK, and Spain. But as those arrests show, the perpetrators span multiple countries, so only a coordinated international law enforcement effort can truly disrupt these networks. Retailers, for their part, may push for more government help in combating cybercrime, be it stronger policing of underground forums or diplomatic pressure on countries that harbour ransomware gangs.

  • Cultural Shift: Security as Customer Protection: Finally, we may see a cultural shift in retail leadership toward viewing cybersecurity as integral to customer service. Protecting customers’ data is protecting customers, period. Just as retailers invest heavily in store security (CCTV cameras, alarms) to make shoppers feel safe, they will need to visibly invest in cyber safeguards to make online shoppers and loyalty program members feel safe. This could manifest in offering identity theft protection or credit monitoring to affected customers after a breach, or advertising the security measures they take (much like some e-commerce sites boast of encryption and fraud detection as a selling point). Over time, a strong security reputation could become a competitive advantage in retail, a differentiator that customers consciously consider when choosing where to shop.

Conclusion

The recent retail breaches are more than just a rash of bad news headlines; they represent a pivotal moment for the industry. If there is a silver lining, it’s that such crises often spur positive change. The attacks on M&S, Co-op, Harrods and others have exposed weaknesses but also taught invaluable lessons. They’ve shown that cyber threats can strike anywhere, from the supermarket to the luxury boutique, and that preparedness can make the difference between a contained incident and a corporate catastrophe. The future of cybersecurity in retail will be defined by those who heed these warnings.

Retailers must innovate not only in how they sell, but in how they secure. Those that proactively shore up their defences, train their people, and collaborate with the broader security community will be far better positioned in the turbulent times ahead. For those that don’t, these two weeks in 2025 may be remembered as just the opening salvo of an even more chaotic chapter.

The message from these events is clear: adapt, invest, and unite, or risk seeing your company’s name added to the growing list of breached and battered retailers.

Karl DiMascio

15th May, 2025
