In recent weeks, UK retailers Marks & Spencer, Co-op, and Harrods have faced significant cyber attacks, raising concerns about the vulnerability of major businesses to sophisticated hacking tactics.
While it remains unclear whether the same group is behind these incidents, the attacks share similarities, including social engineering to gain initial access and exploitation of employee accounts. The UK National Cyber Security Centre (NCSC) is collaborating with the affected companies to investigate, but details remain sparse as retailers limit disclosures and attackers may exaggerate their impact.
The attacks began with Marks & Spencer, which confirmed a “cyber incident” on April 22, 2025, disrupting its online and phone orders and causing stock shortages in physical stores due to a disabled ordering system. Suspected tactics mirror those of the Scattered Spider collective, potentially using the DragonForce encryptor, though no data theft has been confirmed. Harrods reported an attempted attack but maintained its online operations, taking swift action to secure systems. Co-op, however, suffered a more severe breach, with attackers infiltrating its IT networks days before its public acknowledgment. The hackers, who accessed limited member data including names and contact details, are threatening to leak it unless paid, though no financial information or passwords were compromised, according to CEO Shirine Khoury-Haq.
Cybersecurity researcher Kevin Beaumont, a former Co-op employee, criticized the retailer for downplaying the breach and delaying communication with affected members. He noted the attackers’ use of Scattered Spider tactics, such as posing as IT staff to trick employees into revealing credentials or MFA codes, then accessing critical systems like the Active Directory ntds.dit file. Beaumont and the NCSC emphasize the need for robust defenses, including employee training to resist social engineering, enhanced detection of rogue account activity, and rapid containment strategies. With the attackers, reportedly linked to DragonForce, claiming more targets, UK businesses are urged to review past CISA reports on similar groups and strengthen their cybersecurity to mitigate these evolving threats.
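As an added illustration of the "enhanced detection of rogue account activity" the article calls for (example code, not from the article, Beaumont, or the NCSC), the following Python flags two signals of the ntds.dit extraction step over a handful of constructed Windows Security events; field names follow Event IDs 4688 (process creation) and 4663 (object access), and the tool patterns and the expected-process list are assumptions based on common detection practice, not something the article specifies.

```python
# Added detection example, not from the article. Flags (a) command lines that
# stage an offline copy of the AD database and (b) direct reads of ntds.dit
# by processes other than the one expected to hold it on a domain controller.
import re
from typing import Optional

# Assumed signatures: ntdsutil "ifm" dumps, VSS shadow creation, or any
# explicit ntds.dit reference in a command line.
NTDS_TOOL_PATTERNS = [
    re.compile(r"ntdsutil(\.exe)?\b.*\bifm\b", re.I),
    re.compile(r"vssadmin(\.exe)?\b.*\bcreate\s+shadow", re.I),
    re.compile(r"\bntds\.dit\b", re.I),
]
# Assumed allow-list: lsass.exe legitimately holds ntds.dit open on a DC.
EXPECTED_NTDS_PROCESSES = {r"c:\windows\system32\lsass.exe"}


def suspicious(event: dict) -> Optional[str]:
    """Return a reason string if the event looks like NTDS extraction, else None."""
    eid = event.get("EventID")
    if eid == 4688:  # process creation; CommandLine requires audit policy to log it
        cmd = event.get("CommandLine", "")
        for pat in NTDS_TOOL_PATTERNS:
            if pat.search(cmd):
                return f"4688 {event.get('SubjectUserName')} ran: {cmd}"
    elif eid == 4663:  # object access on the database file itself
        obj = event.get("ObjectName", "").lower()
        proc = event.get("ProcessName", "").lower()
        if obj.endswith("\\ntds.dit") and proc not in EXPECTED_NTDS_PROCESSES:
            return f"4663 {proc} accessed {obj} as {event.get('SubjectUserName')}"
    return None


def scan(events) -> list:
    """Run every event through suspicious() and keep only the hits."""
    return [r for r in (suspicious(e) for e in events) if r]


# Constructed sample events (not real log data): one benign 4688, two staging
# commands by a user account, lsass touching the file (benign), cmd.exe touching it.
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "svc_backup", "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"EventID": 4688, "SubjectUserName": "j.smith", "CommandLine": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\temp\x" q q'},
    {"EventID": 4688, "SubjectUserName": "j.smith", "CommandLine": "vssadmin create shadow /for=C:"},
    {"EventID": 4663, "SubjectUserName": "SYSTEM", "ProcessName": r"C:\Windows\System32\lsass.exe", "ObjectName": r"C:\Windows\NTDS\ntds.dit"},
    {"EventID": 4663, "SubjectUserName": "j.smith", "ProcessName": r"C:\Windows\System32\cmd.exe", "ObjectName": r"C:\Windows\NTDS\ntds.dit"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

On a real estate the same logic would be fed from the SIEM's parsed events rather than inline dicts, and the allow-list tuned to the DC build in use.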