Retail Cyberattacks: M&S, Co-op, and Harrods Expose Rising Threats in the UK

In April and May 2025, the UK retail sector faced a series of significant cyberattacks, with major retailers Marks & Spencer (M&S), the Co-operative Group (Co-op), and Harrods among the affected. These incidents disrupted operations, compromised customer data, and highlighted vulnerabilities in cybersecurity measures.

Timeline of Events

April 21, 2025: M&S customers began reporting issues with contactless payments and click-and-collect services.

April 25, 2025: M&S suspended all online orders and removed over 200 job listings from its website.

April 30, 2025: Co-op disclosed a cyberattack that affected its back-office and call center operations.

May 1, 2025: Harrods confirmed it had been targeted by a cyberattack, prompting the retailer to restrict internet access at its sites.

Impact on Retailers

Marks & Spencer (M&S)

M&S, the UK's largest clothing retailer, experienced a substantial cyberattack that disrupted its IT systems over the Easter weekend. The breach, attributed to the ransomware group Scattered Spider, led to the shutdown of major digital services and caused widespread in-store disruptions, including contactless payment failures and click-and-collect issues.

The attackers reportedly stole the Windows domain's NTDS.dit file, which contains password hashes for Windows accounts. Using these credentials, they deployed the DragonForce ransomware to encrypt the company's servers.

The attack has caused estimated weekly losses of £40 million—£25 million from online clothing sales and £15 million due to food supply chain disruptions.

The breach comes at a critical time as M&S was experiencing a financial recovery, with recent profits up 17%. M&S executives, led by CEO Stuart Machin, responded with round-the-clock crisis meetings and brought in cybersecurity firms like Microsoft and CrowdStrike. Despite efforts, the company remains unable to process online orders, and internal systems like stock forecasting and staff VPN access remain impaired. The attack has highlighted enduring weaknesses in M&S’s IT infrastructure, prompting calls for a long-overdue tech overhaul.

Co-operative Group (Co-op)

Co-op confirmed that hackers accessed and extracted data from one of its systems, affecting a significant number of current and past members. The compromised data included personal information such as names and contact details but did not include passwords, bank or credit card details, or transaction histories.

The attack involved tactics associated with Scattered Spider, where hackers conducted a social engineering attack that allowed them to reset an employee's password, leading to unauthorized access and data theft. The attackers reportedly stole the NTDS.dit file and deployed DragonForce ransomware to encrypt the company's servers.

The company stated that all its stores, online operations, and funeral homes were trading as usual and it was working to reduce disruption.

Harrods

Harrods, the iconic luxury department store, confirmed it was targeted in a cyberattack, becoming the third major UK retailer to report cyberattacks in a week. In response, Harrods restricted internet access at its sites as a precautionary measure.

The company stated that all its stores, including the Knightsbridge flagship, H beauty stores, and airport locations, remained open, and customers could continue to shop via harrods.com.

Suspected Threat Actors: Scattered Spider

The cyberattacks on M&S and Co-op have been linked to the hacking group Scattered Spider, also known as Octo Tempest. This group is composed primarily of teenagers and young adults from the UK and US. They are known for using sophisticated social engineering tactics, such as phishing and impersonation, to gain unauthorized access to systems.

In both the M&S and Co-op incidents, attackers stole the NTDS.dit file and used the credentials to deploy DragonForce ransomware.

Responses from Companies and Authorities

• M&S has enlisted Microsoft and CrowdStrike to investigate and respond to the attack, notified the UK's National Cyber Security Centre (NCSC), and is working with law enforcement.

• Co-op is collaborating with the National Crime Agency and the NCSC, implementing additional security measures.

• Harrods has limited internet access at its locations and continues to monitor the situation.

The UK government has urged all businesses to prioritize cybersecurity. Cabinet Office Minister Pat McFadden described the attacks as a "wake-up call" and called for cybersecurity to be treated as an "absolute priority."

Financial and Operational Consequences

Marks & Spencer

• Estimated weekly losses of £40 million

• £700 million wiped off the company's stock market value

Co-op

• Financial impact not publicly quantified

• Increased concerns over customer trust and regulatory scrutiny

Harrods

• Full extent of financial damage unknown

• Attack highlights vulnerabilities even among elite retailers

Conclusion

The recent cyberattacks on M&S, Co-op, and Harrods underscore the escalating threat of cybercrime in the retail sector. These incidents disrupted operations, compromised customer data, and caused major financial and reputational damage.

The involvement of groups like Scattered Spider, known for advanced social engineering, and the use of DragonForce ransomware highlight the urgent need for robust cybersecurity measures. As the UK government and businesses respond, it is increasingly clear that cybersecurity must be a top priority in today’s digital economy.

Additionally, the ransomware-as-a-service model used in these attacks demonstrates how even less-skilled actors can launch devastating cyber campaigns with powerful tools now readily available on the dark web.