Retail Cyberattacks: M&S, Co-op, and Harrods Expose Rising Threats in the UK

In April and May 2025, the UK retail sector faced a series of significant cyberattacks, with major retailers Marks & Spencer (M&S), the Co-operative Group (Co-op), and Harrods among the affected. These incidents disrupted operations, compromised customer data, and highlighted vulnerabilities in cybersecurity measures.

Timeline of Events

April 21, 2025: M&S customers began reporting issues with contactless payments and click-and-collect services.

April 25, 2025: M&S suspended all online orders and removed over 200 job listings from its website.

April 30, 2025: Co-op disclosed a cyberattack that affected its back-office and call center operations.

May 1, 2025: Harrods confirmed it had been targeted by a cyberattack, prompting the retailer to restrict internet access at its sites.

Impact on Retailers

Marks & Spencer (M&S)

M&S, the UK's largest clothing retailer, experienced a substantial cyberattack that disrupted its IT systems over the Easter weekend. The breach, attributed to the ransomware group Scattered Spider, led to the shutdown of major digital services and caused widespread in-store disruptions, including contactless payment failures and click-and-collect issues.

The attackers reportedly stole the Windows domain's NTDS.dit file, which contains password hashes for Windows accounts. Using these credentials, they deployed the DragonForce ransomware to encrypt the company's servers.

The attack has caused estimated weekly losses of £40 million—£25 million from online clothing sales and £15 million due to food supply chain disruptions.

The breach came at a critical time, as M&S was experiencing a financial recovery, with recent profits up 17%. M&S executives, led by CEO Stuart Machin, responded with round-the-clock crisis meetings and brought in cybersecurity firms like Microsoft and CrowdStrike. Despite these efforts, the company remains unable to process online orders, and internal systems like stock forecasting and staff VPN access remain impaired. The attack has highlighted enduring weaknesses in M&S’s IT infrastructure, prompting calls for a long-overdue tech overhaul.

Co-operative Group (Co-op)

Co-op confirmed that hackers accessed and extracted data from one of its systems, affecting a significant number of current and past members. The compromised data included personal information such as names and contact details but did not include passwords, bank or credit card details, or transaction histories.

The attack involved tactics associated with Scattered Spider: the hackers conducted a social engineering attack that allowed them to reset an employee's password, which gave them unauthorized access and led to data theft. The attackers reportedly stole the NTDS.dit file and deployed DragonForce ransomware to encrypt the company's servers.

The company stated that all its stores, online operations, and funeral homes were trading as usual and it was working to reduce disruption.

Harrods

Harrods, the iconic luxury department store, confirmed it was targeted in a cyberattack, becoming the third major UK retailer to report a cyberattack in a week. In response, Harrods restricted internet access at its sites as a precautionary measure.

The company stated that all its stores, including the Knightsbridge flagship, H beauty stores, and airport locations, remained open, and customers could continue to shop via harrods.com.

Suspected Threat Actors: Scattered Spider

The cyberattacks on M&S and Co-op have been linked to the hacking group Scattered Spider, also known as Octo Tempest. This group is composed primarily of teenagers and young adults from the UK and US. They are known for using sophisticated social engineering tactics, such as phishing and impersonation, to gain unauthorized access to systems.

In both the M&S and Co-op incidents, attackers stole the NTDS.dit file and used the credentials to deploy DragonForce ransomware.

Responses from Companies and Authorities

  • M&S has enlisted Microsoft and CrowdStrike to investigate and respond to the attack, notified the UK's National Cyber Security Centre (NCSC), and is working with law enforcement.

  • Co-op is collaborating with the National Crime Agency and the NCSC, implementing additional security measures.

  • Harrods has limited internet access at its locations and continues to monitor the situation.

The UK government has urged all businesses to prioritize cybersecurity. Cabinet Office Minister Pat McFadden described the attacks as a "wake-up call" and called for cybersecurity to be treated as an "absolute priority."

Financial and Operational Consequences

Marks & Spencer

  • Estimated weekly losses of £40 million

  • £700 million wiped off the company's stock market value

Co-op

  • Financial impact not publicly quantified

  • Increased concerns over customer trust and regulatory scrutiny

Harrods

  • Full extent of financial damage unknown

  • Attack highlights vulnerabilities even among elite retailers

Conclusion

The recent cyberattacks on M&S, Co-op, and Harrods underscore the escalating threat of cybercrime in the retail sector. These incidents disrupted operations, compromised customer data, and caused major financial and reputational damage.

The involvement of groups like Scattered Spider, known for advanced social engineering, and the use of DragonForce ransomware highlight the urgent need for robust cybersecurity measures. As the UK government and businesses respond, it is increasingly clear that cybersecurity must be a top priority in today’s digital economy.

Additionally, the ransomware-as-a-service model used in these attacks demonstrates how even less-skilled actors can launch devastating cyber campaigns with powerful tools now readily available on the dark web.


Timeline of Events (Continued)

May 2, 2025
The UK's National Cyber Security Centre (NCSC) confirms it is providing assistance to M&S, Co-op, and Harrods in response to the cyberattacks.

May 3, 2025
Harrods confirms that the cyberattack was contained early, with no customer data accessed. Operations across all stores and online platforms remain uninterrupted.

May 5, 2025
Reports emerge that hackers linked to the Scattered Spider network infiltrated the IT systems of Co-op and M&S by deceiving help desk workers into resetting passwords, a tactic involving impersonation and SIM swapping.

May 6, 2025
The NCSC releases updated guidance for businesses on defending against social engineering attacks, emphasizing stronger verification protocols for helpdesks and phishing-resistant multi-factor authentication (MFA).

May 7, 2025
M&S formally discloses that customer data—including names, email addresses, birthdates, and previous order history—was accessed during the breach. Passwords and card details were not compromised.

May 10, 2025
The NCSC and the National Crime Agency (NCA) publicly identify Scattered Spider as the primary suspect in the retail cyberattacks.

May 12, 2025
Co-op announces recovery is progressing, with delivery operations returning to near-normal levels after initial supply disruptions.

May 14, 2025
Google warns that the same group behind the UK retail attacks is now targeting U.S. retailers using similar social engineering tactics.

May 18, 2025
Victoria’s Secret experiences a cyberattack believed to be linked to Scattered Spider. The incident disrupts U.S. website operations and delays online order fulfillment and customer support services. Internal systems, including employee access and email, are also affected.

May 20, 2025
Reports surface that multiple U.S. retail companies, including supermarket brands operated by Ahold Delhaize USA (such as Stop & Shop, Food Lion, Giant Food, Hannaford), have been targeted by Scattered Spider. The FBI begins issuing cyber intelligence briefings to major retailers.

May 21, 2025
The UK Parliament’s Joint Committee on National Security Strategy warns that cyberattacks on major retailers are now threatening national supply chains, calling for critical infrastructure-level cybersecurity standards for large retail operators.

May 27, 2025
Cybersecurity researchers report that DragonForce ransomware was used in a new campaign against a managed service provider (MSP), distributing it to multiple downstream client systems—confirming DragonForce’s expansion beyond the retail sector.

May 30, 2025
Industry groups confirm that British retailers are conducting internal reviews of vendor access, IT helpdesk policies, and insurance coverage, with some moving toward adopting ISO 27001 and Cyber Essentials Plus certifications to strengthen resilience.

June 5, 2025
United Natural Foods Inc. (UNFI), a major U.S. food distributor, is hit by ransomware, disrupting logistics and causing delivery issues at retailers like Whole Foods.

June 13, 2025
Victoria’s Secret confirms the cyberattack caused approximately $20 million in Q2 financial impact. The company extends return periods and customer support timelines as part of its recovery plan.

June 18, 2025
U.S. federal agencies issue a warning regarding ongoing exploitation of vulnerabilities in SimpleHelp remote access software by ransomware groups including DragonForce.

June 19, 2025
Threat intelligence reports reveal that Scattered Spider has begun targeting the insurance sector. Companies including Aflac, Erie Indemnity, and Philadelphia Insurance are hit within days of each other.

June 24, 2025
It is confirmed that personal data—including social security numbers and health information—was accessed in the insurance sector breaches. These attacks were conducted without ransomware deployment, suggesting a shift in tactics toward data theft and extortion.


Last updated: June 27, 2025