Panic on the High Street: M&S, Harrods & Co-op cyberattacks

"The industry must urgently strengthen resilience and develop robust response mechanisms to prevent breaches."

Harrods, M&S (Marks and Spencer) and the Co-op suffered cyberattacks in the UK
(Images from the Co-op and Marks and Spencer. Harrods photo by Igor Wang on Unsplash)

Three of Britain's top retailers have been hit by cyberattacks over the past fortnight, prompting supply chain security fears and a warning that "any company can be a target."

The latest victim is Harrods, which announced it had "restricted internet access at our sites" following an attack of undisclosed severity.

There does not appear to be a link between the attacks at the time of writing, but I will update this piece with further news as it comes in, so stay tuned.

In a statement, Harrods said: "We recently experienced attempts to gain unauthorised access to some of our systems.

"Our seasoned IT security team immediately took proactive steps to keep systems safe and as a result we have restricted internet access at our sites today.

"Currently all sites including our Knightsbridge store, H beauty stores and airport stores remain open to welcome customers. Customers can also continue to shop via harrods.com."

On Wednesday, April 30, the Co-op announced that it had been forced to shut down call centre and back office operations. The chain is owned by its members and runs more than 2,300 food stores across Britain.

"We have recently experienced attempts to gain unauthorised access to some of our systems," a Co-op spokesperson said. "We have taken proactive steps to keep our systems safe."

When will the M&S website start working again?

The Marks and Spencer cyberattack brought down a big chunk of its e-commerce operations, and service as usual has not yet resumed (Photo by Samuel Regan-Asante on Unsplash)

Last week, Marks and Spencer suffered a more serious attack and is still recovering. At the time of writing, it has paused online orders. "Products remain available to browse online and stores are open," it told customers.

M&S customers usually spend £3.8m on home and clothing products daily via its website and app.

Although M&S stores seem to be in good working order, the BBC claimed there are "gaps on the food shelves" after the retailer took its systems offline as it tried to manage the attack. Loyalty scheme and gift card payments have also allegedly suffered disruption.

"Our experienced team - supported by leading cyber experts - is working extremely hard to restart online and app shopping," the chain said in a statement. "We are incredibly grateful to our customers, colleagues and partners for their understanding and support."

Dr Darren Williams, CEO and Founder of ransomware prevention and anti data exfiltration (ADX) specialists BlackFog, told Machine: "On the heels of the Marks & Spencer attack this week, the Harrods attack highlights the escalation of cyberattacks globally and the new arms race in the use of AI for targeting high-value targets. While there is no evidence that this is from the same group of attackers, it does align with the highly tuned targeting we have seen this year and the 45% increase in attacks through Q1 of 2025.

"The attempts to gain unauthorised access to Harrods' systems are just another example of how data exfiltration is used to target and ultimately extort victims. With bad actors continuing to remain latent for months – and sometimes years – before launching full-scale attacks, detecting these attacks is becoming crucial in the fight against ransomware."

Supply chain SOS

Dr Harjinder Singh Lallie, Associate Professor at Warwick Manufacturing Group, The University of Warwick, said the attacks highlight the frightening fragility of the supply chains which prevent Britons from starving.

He warned: "The recent cyber attack on Marks & Spencer highlights the critical vulnerability of the UK’s food supply chain - an essential pillar of our national infrastructure. The food sector is under relentless cyber assault, and attacks like these can seriously disrupt access to basic necessities.

"The industry must urgently strengthen resilience, not just in preventing breaches, but also in developing robust response mechanisms. This includes real-time detection, rapid containment, and parallel operational systems to minimise disruption for customers. Cyber security must now be seen as central to national food security and public confidence.”

The attacks show that large retailers face an acute risk of cyberattack due to the sheer size of their digital estates and the number of people they employ.

Adam Casey, Director of Cybersecurity & CISO at Qodea, told Machine: “Large retailers have intricate IT infrastructures with numerous interconnected systems, resulting in a high number of potential entry points for attackers. At the same time, cybercriminals are leveraging AI to craft convincing phishing emails, develop smarter malware, and automate their operations – making attacks faster, more targeted, and harder to detect.

"Shutting down affected systems is a standard and crucial step in managing a significant cyber incident. Isolating compromised systems limits the attacker's ability to move laterally within the network and infect other critical infrastructure. This move also helps to contain the damage, as shutting down systems can prevent further data encryption, exfiltration, or corruption. Drawing operations to a halt also allows cybersecurity experts to safely analyse the affected systems, identify the root cause, and implement necessary fixes without the risk of further interference. 

"The best practice for mitigating cyberattacks like these involves putting robust security controls in place to prevent infiltration from the outset. That means having the right tools – like Endpoint Detection and Response (EDR) and SIEM platforms, ideally backed by User and Entity Behaviour Analytics (UEBA) to spot anything unusual early on. Regular and fast patching helps to close known vulnerabilities, while enforcing multi-factor authentication (MFA) for all cloud/critical systems, and remote access adds an extra layer of security.

"Of course, prevention alone isn't enough – you also need a clear strategy for when the worst does happen. That means enhancing Business Continuity and Disaster Recovery (BC/DR) capabilities. Organisations must have robust, isolated, and regularly tested backup systems that can restore critical data quickly and safely. A well-rehearsed Incident Response Plan is also key, ensuring that technical teams, leadership, and communications staff know exactly how to respond in the first critical hours of a cyber event."

Scattered Spider and DragonForce vs. Marks and Spencer?

A hacking collective called Scattered Spider has been blamed for the attack - although this has not been confirmed by M&S.

BleepingComputer claimed the group, whose members include teenagers, breached the retailer as far back as February 2025. It reported that hackers accessed an NTDS.dit file - an Active Directory Services database file containing password hashes for the retailer's Windows accounts.

Cracking the hashes offline lets hackers access passwords, giving them the ability to penetrate defences and move laterally through the network.

BleepingComputer alleged Scattered Spider used the white-label DragonForce encryptor to lock down virtual machines on VMware ESXi hosts.

Dr Darren Williams of BlackFog also told us: "Although Marks & Spencer hasn’t yet commented on the nature of the attack, reports are linking the incident to the Scattered Spider group, a name that should raise concerns. Whilst they’ve been quiet for the last couple of years, this group has a track record of high-impact breaches, from major hits on Twilio and Okta in 2022, to MGM Resorts in 2023.

"Scattered Spider is also known for its highly effective social engineering tactics, often targeting employees to gain initial access to enterprise networks. They’ve previously used BlackCat’s ransomware and have been linked more recently to newer variants like RansomHub and Qilin, showing their ability to evolve their methods.

"If this group is behind the Marks and Spencer cyber attack, it’s a further warning that any company can be a target. The retailer has assured customers that personal data has not been compromised, however, the operational and financial consequences are significant.

"We might not be able to stop these groups from launching attacks but it’s vital to have measures in place, not only to stop criminals from gaining a foothold but also to stop data exfiltration, which in most cases is their ultimate goal."

Retailers at risk: Which company is next?

The question that's being asked in boardrooms around Britain today is clear: is our brand next?

Unfortunately, the answer is: possibly.

James Hadley, Founder and Chief Innovation Officer at Immersive, added: "Data breaches like the one M&S experienced are not unique. While M&S communicated the issue clearly and has likely invoked tried and tested incident response processes, attacks like these serve as important reminders that businesses' perception of their cyber resilience may not align with their actual capabilities.  

"No matter how big or small, breaches have the potential to damage an organisation's bottom line, making frequent cyber drills essential to limiting their impact. As the threat landscape continues to evolve, offering realistic crisis simulations is necessary to instil confidence in business leaders and give them the proof they need to better understand their organisation's cyber capabilities and shortcomings. 

"In a world where a data breach or disruption is seemingly inevitable and increasingly expensive, check-the-box awareness is no longer enough. Hands-on, measurable exercising programs for specific individuals, teams, and departments are essential in mitigating the impact of these events and ensuring businesses' most sensitive data remains secure."

How long could recovery take?

Jason Gerrard, Senior Director – Channel Systems Engineering EMEAI at cyber resilience company, Commvault, said: "The increase in IT outages and cyberattacks is becoming extremely hard to ignore and that’s exactly what threat actors are counting on. Targeting industry leaders and critical supply chains is a calculated strategy for notoriety and financial gain. Hackers know that compromising a single piece of software can open doors to hundreds of downstream organisations. They’re chasing money and publicity – so they aim for ‘big fish.’

“Regulations like the EU’s DORA rightly push for compliance but may also make these businesses more appealing targets. The higher the stakes, the greater the leverage for attackers. Faced with legal or reputational fallout, some organisations are more likely to pay ransoms – but payment doesn’t guarantee recovery. One major travel company paid $2.3 million in bitcoin, only for the decryption tools to fail, leading to its collapse.

“Recovery isn’t swift. On average, it takes 24 days – and some take over 200. Most companies don’t know their ‘Minimum Viable Company’ – the systems they must prioritise to recover. Often, this only gets considered during an attack – too late.

“This applies to individuals too. Consumers should use secure password managers, avoid password reuse, and steer clear of public Wi-Fi without a VPN. In an outage, cash is still king – as seen in Spain and Portugal. Could you pay a utility bill without internet? Buy food without a working terminal? Consumers and businesses alike must prepare – the next disruption may already be in motion.”
