UK Retailers Cyber Attack Saga; Is USA next for Scattered Spider?
Date: 15 May 2025

UK retailers are facing a wave of cyber crime. It started with Marks and Spencer on the Easter Weekend. Customers were left high and dry, unable to access their “Click and Collect” orders. Online payments became inaccessible and store shelves were emptying fast.
A few days later, Co-op reported that it had shut down some of its IT systems in light of a cyber incident. Interestingly, the hackers themselves wrote a long rant to the BBC about how Co-op’s decision to take computer services offline meant they never suffered a ransomware attack. “They yanked their own plug - tanking sales, burning logistics, and torching shareholder value,” the criminals apparently said to the BBC.
Co-op staff were able to avert the attack while it was in motion, which is perhaps why it appears to be recovering faster than Marks & Spencer, which is still reeling from the aftermath of the cyber attack. Co-op reported that payment systems are functioning, and stock availability, both in stores and online, is expected to improve in the next 3-4 days.
Similarly, there was an attempt on May 1 to attack Harrods. However, the retail giant too said its IT team managed to secure the network and the company only had to restrict internet access at its stores.
Separately, French fashion house Dior, a subsidiary of LVMH, disclosed on Wednesday, May 14, that a cyber attack resulted in the theft of customer data. The company stated that an "unauthorised third party accessed certain customer data," assuring that no financial information was compromised. The stolen data reportedly included clients' names, email addresses, postal addresses, and telephone numbers.
So Who’s Out to Get UK Retailers?
Allegedly, the same hacker group has claimed responsibility for the Marks and Spencer, Co-op and Harrods cyber attacks. Experts are suggesting that the hackers are linked to the Scattered Spider Collective and are using DragonForce ransomware to unleash mayhem in the United Kingdom’s retail space.
Scattered Spider (also known as Octo Tempest) reportedly focuses on one sector at a time and is expected to continue targeting retail for the near future. In 2023, the group made headlines when it attacked casino and hotel giants MGM and Caesars.
The cybercrime group Scattered Spider is thought to have members within "the Com," an informal online community known for cyberattacks and violent activities that have frequently garnered media attention.
The BBC reports that the hackers involved claimed affiliation with DragonForce. DragonForce is a cybercrime service that provides malicious software and a platform for others to conduct attacks and extortions.
The Impact of UK Retail Cyber Attacks
- Marks and Spencer has been forced to pause online orders. The retailer has lost 16% in share value since the attack, wiping £1.3bn off its market value. For an understanding of the full extent of the impact, download our Marks and Spencer Cyber Attack Timeline.
- Co-op proactively shut off its IT systems, mitigating much of the damage that could have ensued. However, this action disrupted the company's logistics and ordering systems, leading to widespread product shortages, particularly in remote areas like the Isle of Skye and the Western Isles. Deliveries were reported to be 20% below normal levels, and some stores experienced empty shelves, especially for fresh produce and essential items. Co-op said it was in the “recovery phase” and “working closely with our suppliers to restock our stores” after bringing its stock ordering system back online. Hackers have also, allegedly, shown proof of customer and employee data stolen from Co-op.
- Harrods has stated that there is no evidence of customer data compromise and has not requested any action from customers. The company's swift response has been commended by cybersecurity experts, highlighting the importance of proactive measures in mitigating potential threats.
What’s Next for the Global Retail Sector?
Google has warned the global business community that the hackers using DragonForce to target retailers in the UK are now shifting their focus to the USA. "The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to UNC3944, also known as Scattered Spider," John Hultquist, Chief Analyst at Google Threat Intelligence Group, told BleepingComputer.
"These actors are aggressive, creative, and particularly effective at circumventing mature security programs. They have had a lot of success with social engineering and leveraging third parties to gain entry to their targets," Hultquist said.
Following the major cyber attacks targeting UK retailers, the UK National Cyber Security Centre (NCSC) has issued cybersecurity guidance for UK organisations. The NCSC has also warned that these attacks should serve as a "wake-up call," emphasising that any organisation could be the next target.
Reiterating the significance of robust Cyber Incident Response practices, the NCSC’s National Resilience Director, Jonathon Ellison, and Chief Technology Officer, Ollie Whitehouse, wrote in their joint blog, “Preparation and resilience does not mean just having good defences to keep out attackers. No matter how good your defences are, sometimes the attacker will be successful. It also means detecting threat actors when they are using your employees’ legitimate access (or are on your network, or in your cloud services) whilst being able to contain attackers to prevent damage, and to respond and recover when an attack has got through your defences.”
The NCSC has highlighted the following recommendations to help all organisations better manage cyber incidents:
- Deploy multi-factor authentication (2-step verification) across all systems.
- Monitor for unauthorised account use, such as risky logins flagged by Microsoft Entra ID Protection.
- Regularly check if Domain, Enterprise, and Cloud Admin accounts have legitimate access.
- Review helpdesk password reset procedures, especially for privileged accounts.
- Ensure SOCs can detect logins from unusual sources like residential VPNs using source enrichment.
- Be ready to consume and act on threat intelligence quickly and effectively.
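Several of these recommendations (watching admin accounts, helpdesk password resets and source enrichment) can be combined into a single triage rule. The sketch below is an added example, not code from the NCSC or from this article's author; the account names, event fields, alert thresholds and the IP-to-category table are constructed assumptions that use documentation IP ranges.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed enrichment table; a real SOC would use an IP-intelligence feed.
ENRICHMENT = {
    "192.0.2.0/24": "corporate",
    "198.51.100.0/24": "residential_vpn",
    "203.0.113.0/24": "hosting",
}
PRIVILEGED = {"da-alice", "cloudadmin-bob"}  # hypothetical admin accounts
RESET_WINDOW = timedelta(hours=24)           # assumed review window

# Constructed events: (timestamp, type, account, source_ip, mfa_passed)
EVENTS = [
    ("2025-05-01T08:00:00", "signin", "da-alice", "192.0.2.10", True),
    ("2025-05-01T09:15:00", "helpdesk_reset", "cloudadmin-bob", None, None),
    ("2025-05-01T09:40:00", "signin", "cloudadmin-bob", "198.51.100.77", True),
    ("2025-05-01T10:05:00", "signin", "jsmith", "198.51.100.12", True),
    ("2025-05-01T11:00:00", "signin", "da-alice", "203.0.113.5", False),
]

def classify(ip):
    """Source enrichment: map an IP address to its network category."""
    addr = ipaddress.ip_address(ip)
    for cidr, label in ENRICHMENT.items():
        if addr in ipaddress.ip_network(cidr):
            return label
    return "unknown"

def triage(events):
    """Return (account, timestamp, reasons) for sign-ins that need review."""
    last_reset, alerts = {}, []
    for ts, kind, account, ip, mfa in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if kind == "helpdesk_reset":
            last_reset[account] = when  # remember the reset for later sign-ins
            continue
        source = classify(ip)
        reasons = []
        if source != "corporate":
            reasons.append(f"source={source}")
        if not mfa:
            reasons.append("no_mfa")
        if account in last_reset and when - last_reset[account] <= RESET_WINDOW:
            reasons.append("recent_helpdesk_reset")
        # Privileged accounts alert on any single signal; others need two.
        if len(reasons) >= (1 if account in PRIVILEGED else 2):
            alerts.append((account, ts, reasons))
    return alerts
```

Calling `triage(EVENTS)` on the sample data flags the admin sign-in that follows a helpdesk reset from a residential VPN range, and the admin sign-in without MFA from a hosting range, while the ordinary user on the same VPN range stays below the threshold.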
Final Word
This recent spate of cyber attacks on major UK retailers, along with the breach at France’s Dior, serves as a reminder that no organisation is immune to cyber threats. These events, coupled with the timely and robust guidance from the NCSC, clearly demonstrate that Cyber Incident Response is no longer a technical afterthought; it is a critical business priority.
The speed and efficiency with which Harrods responded to its cyber incident highlights the value of being well-prepared and rehearsed. At Cyber Management Alliance, we specialise in helping organisations achieve this very level of cyber resilience.
Through our NCSC Assured Cyber Incident Response Training, expert-led Cyber Tabletop Exercises, and strategic Cybersecurity Consultancy, we equip businesses like yours with the tools, knowledge and confidence to respond swiftly and effectively when it matters most. Don’t wait for a breach to expose your vulnerabilities—take control of your cyber defences today. Call us now!