M&S and Co-op cyberattacks: How can retailers protect themselves?
"The industry must urgently strengthen resilience and develop robust response mechanisms to prevent breaches."

Two of Britain's top retailers have been hit by cyberattacks over the past fortnight, prompting supply chain security fears and a warning that "any company can be a target."
On Wednesday, April 30, the Co-op announced that it had been forced to shut down call centre and back office operations. The chain is owned by its members and runs more than 2,300 food stores across Britain.
"We have recently experienced attempts to gain unauthorised access to some of our systems," a Co-op spokesperson said. "We have taken proactive steps to keep our systems safe."
Last week, Marks and Spencer suffered a more serious attack and is still recovering. At the time of writing, it is not taking home and clothing orders through its app and website, potentially costing it millions in sales and putting a major dent in its share price.
"Our experienced team - supported by leading cyber experts - is working extremely hard to restart online and app shopping," the chain said in a statement. "We are incredibly grateful to our customers, colleagues and partners for their understanding and support."
Supply chain SOS
Dr Harjinder Singh Lallie, Associate Professor at Warwick Manufacturing Group, The University of Warwick, said the attacks highlight the frightening fragility of the supply chains which prevent Britons from starving.
He warned: "The recent cyber attack on Marks & Spencer highlights the critical vulnerability of the UK’s food supply chain - an essential pillar of our national infrastructure. The food sector is under relentless cyber assault, and attacks like these can seriously disrupt access to basic necessities.
"The industry must urgently strengthen resilience, not just in preventing breaches, but also in developing robust response mechanisms. This includes real-time detection, rapid containment, and parallel operational systems to minimise disruption for customers. Cyber security must now be seen as central to national food security and public confidence.”
Panic on the high streets of Britain
The attacks show that large retailers face an acute risk of cyberattack due to the sheer size of their digital estates and the number of people they employ.
Adam Casey, Director of Cybersecurity & CISO at Qodea, told Machine: “Large retailers have intricate IT infrastructures with numerous interconnected systems, resulting in a high number of potential entry points for attackers. At the same time, cybercriminals are leveraging AI to craft convincing phishing emails, develop smarter malware, and automate their operations – making attacks faster, more targeted, and harder to detect.
"Shutting down affected systems is a standard and crucial step in managing a significant cyber incident. Isolating compromised systems limits the attacker's ability to move laterally within the network and infect other critical infrastructure. This move also helps to contain the damage, as shutting down systems can prevent further data encryption, exfiltration, or corruption. Drawing operations to a halt also allows cybersecurity experts to safely analyse the affected systems, identify the root cause, and implement necessary fixes without the risk of further interference.
"The best practice for mitigating cyberattacks like these involves putting robust security controls in place to prevent infiltration from the outset. That means having the right tools – like Endpoint Detection and Response (EDR) and SIEM platforms, ideally backed by User and Entity Behaviour Analytics (UEBA) to spot anything unusual early on. Regular and fast patching helps to close known vulnerabilities, while enforcing multi-factor authentication (MFA) for all cloud/critical systems and remote access adds an extra layer of security.
"Of course, prevention alone isn't enough – you also need a clear strategy for when the worst does happen. That means enhancing Business Continuity and Disaster Recovery (BC/DR) capabilities. Organisations must have robust, isolated, and regularly tested backup systems that can restore critical data quickly and safely. A well-rehearsed Incident Response Plan is also key, ensuring that technical teams, leadership, and communications staff know exactly how to respond in the first critical hours of a cyber event."
Crouching Scattered Spider, hidden Dragonforce
A hacking collective called Scattered Spider has been blamed for the attack, although this has not been confirmed by M&S.
BleepingComputer claimed the group, whose members include teenagers, breached the retailer as far back as February 2025. It reported that hackers accessed an NTDS.dit file - an Active Directory Services database file containing password hashes for the retailer's Windows accounts.
Cracking the hashes offline lets hackers access passwords, giving them the ability to penetrate defences and move laterally through the network.
BleepingComputer alleged Scattered Spider used the white-label DragonForce encryptor to lock down virtual machines on VMware ESXi hosts.
Dr. Darren Williams, CEO and Founder of BlackFog, said: "Although Marks & Spencer hasn’t yet commented on the nature of the attack, reports are linking the incident to the Scattered Spider group, a name that should raise concerns. Whilst they’ve been quiet for the last couple of years, this group has a track record of high-impact breaches, from major hits on Twilio and Okta in 2022, to MGM Resorts in 2023.
"Scattered Spider is also known for its highly effective social engineering tactics, often targeting employees to gain initial access to enterprise networks. They’ve previously used BlackCat’s ransomware and have been linked more recently to newer variants like RansomHub and Qilin, showing their ability to evolve their methods.
"If this group is behind the Marks and Spencer cyber attack, it’s a further warning that any company can be a target. The retailer has assured customers that personal data has not been compromised; however, the operational and financial consequences are significant.
"We might not be able to stop these groups from launching attacks but it’s vital to have measures in place, not only to stop criminals from gaining a foothold but also to stop data exfiltration, which in most cases is their ultimate goal."
Retailers at risk: Which company is next?
The question that's being asked in boardrooms around Britain today is clear: is our brand next?
Unfortunately, the answer is: possibly.
James Hadley, Founder and Chief Innovation Officer at Immersive, added: "Data breaches like the one M&S experienced are not unique. While M&S communicated the issue clearly and has likely invoked tried and tested incident response processes, attacks like these serve as important reminders that businesses' perception of their cyber resilience may not align with their actual capabilities.
"No matter how big or small, breaches have the potential to damage an organisation's bottom line, making frequent cyber drills essential to limiting their impact. As the threat landscape continues to evolve, offering realistic crisis simulations is necessary to instil confidence in business leaders and give them the proof they need to better understand their organisation's cyber capabilities and shortcomings.
"In a world where a data breach or disruption is seemingly inevitable and increasingly expensive, check-the-box awareness is no longer enough. Hands-on, measurable exercising programs for specific individuals, teams, and departments are essential in mitigating the impact of these events and ensuring businesses' most sensitive data remains secure."