Over the past 12 months, an unprecedented wave of cyber-attacks targeted high-profile companies in a single industry, retail. Three of the most severely impacted victims were UK-based: Marks & Spencer (M&S), the Co-op and Harrods.
The incidents were linked to the Scattered Spider hacking group using DragonForce ransomware infrastructure. In July, UK law enforcement arrested four individuals, three of whom were teenagers, on suspicion of offenses relating to the three attacks.
M&S estimated the cyber-attack to have cost it £300m ($400m), while the Co-op assessed revenue losses following its cyber incident to amount to £206m ($277m).
During oral evidence before a UK Parliament Committee hearing in July, M&S chairman Archie Norman confirmed the involvement of the Scattered Spider collective and the use of DragonForce ransomware in the cyber-attack. However, he declined to confirm whether a payment was made to the threat actors.
Norman explained that the attack occurred through a “sophisticated” social engineering attack, involving a third party. This ties into reports that Scattered Spider leveraged compromised credentials from Tata Consultancy Services (TCS), a major IT outsourcing firm, to infiltrate M&S.
He also said that a decision was made by M&S to not directly communicate with the attackers, instead relying on professional intermediaries to do so. Norman also noted that a lot of the attacker demands came through media channels, mostly the BBC.

Co-op Cloud Migration Helped Minimize the Cyber-Attack’s Impact
Both M&S and the Co-op experienced operational disruptions, but the former had to halt online orders for several months, while the latter managed to get its stock back to normal levels as early as the end of May, with most shops returning to usual trading in June.
Speaking at the Financial Times’ Cyber Resilience Summit: Europe in December, Alison Griffiths, Conservative MP and Vice Chair of the Business and Trade Select Committee, said it is “really important to draw a distinction between M&S and the Co-op” because it can partly explain why the former was more heavily impacted than the latter.
“M&S, by their own admission, were quite slow to prioritize migration from legacy infrastructure into a cloud environment, which ensures some level of secure by design architecture. This means that they had to rebuild their systems over four months and, meanwhile, the door was wide open for the attackers to go in. Co-op was much further down the track of transforming its legacy infrastructure – and was significantly less impacted,” said Griffiths.
This, she said, should convince the boards of other organizations, especially in the retail sector, to accept the cost of digital transformation.

A Wake-Up Call For the Retail Sector
These cyber-attacks on UK retail companies were described by Sunil Patel, Information Security Officer at British fashion brand River Island, as a “wake-up call” for the retail sector and beyond.
Speaking at Infosecurity Europe 2025 in June, Patel said the techniques used by the threat group linked to the hacks, Scattered Spider, were “elegant and subtle, but not as complicated as we imagine.”
“A combination of social engineering – potential manipulation of tech staff into giving access – and powerful off-the-shelf ransomware-as-a-service (RaaS) makes it easier to cripple businesses,” he explained.
“Once they gained access, they watched and scoured for weeks, maybe months before acting.”
Patel emphasized how targeted the attacks were: “These weren’t opportunistic attacks, they likely conducted a long reconnaissance work beforehand.”
“And let’s be honest, the UK high street is on its knees at the moment,” Patel added.
Threat actors likely targeted such retail firms knowing that the economic difficulties many in the sector face in 2025 make them attractive prey, as the current business focus is on returning to profitability.
During the July Parliamentary hearing, M&S’s Norman said the cyber-attack was like nothing he had ever experienced in his years working in business and retail.
He explained why he believed several retail companies were targeted: “We have a very wide attack surface – we have 50,000 people, colleagues in the stores, contractors working for us, some outsourced in India, who are working on our systems.”
This was corroborated by Brent R. Tomlinson, president of risk advisory at Kroll. Speaking at the FT’s Cyber Resilience Summit: Europe, Tomlinson said: “Retail is a target-rich environment with stagnating IT and security budgets. Retail companies manage payment data, consumer behavior data, IP and much more.”

Unreported Cyber-Attacks Likely Hit UK Retail in 2025
There were indicators that the wave of cyber-attacks targeting the retail sector in the spring of 2025 went far beyond the disclosed incidents.
During the Parliamentary hearing, Norman said he has “reasons to believe” that at least two major cyber-attacks on two large British companies in the last four months have gone unreported.
At the FT’s Summit, Carlos Rombaldo, CISO of UK health food chain Holland & Barrett, said that his company experienced an unprecedented rise in the volume, sophistication and level of targeting of cyber intrusion attempts from April 2025.
“Before that period, we had maybe 10 to 20 phishing campaigns every month, now we’re in the order of 300 a month,” he added.
“Additionally, just in the past months, we experienced over 300,000 attempts of reusing credentials compromised during other cyber-attacks to gain access to our systems.”
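The credential-reuse attempts Rombaldo describes are credential stuffing: a breached username/password list replayed against a retailer’s login endpoint. The telltale pattern in authentication logs is a single source spraying many distinct accounts with a high failure ratio, and any success from such a source means that account is using a password already leaked elsewhere. The detector below is an added example written for this article, not Holland & Barrett’s tooling; it assumes a hypothetical one-line-per-attempt log format and runs over constructed sample lines.

```python
"""Credential-stuffing detector over authentication log lines.

Added example, not Holland & Barrett's code. The log format is an
assumption: "<timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>".
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL)$"
)

# Constructed sample log. 203.0.113.7 walks through ten different accounts
# and fails on nine of them (a breached list being replayed); its one success
# against bob@ is the account that needs a forced reset. 198.51.100.3 is a
# single user mistyping their password, which must not be flagged.
SAMPLE_LOG = """\
2025-05-01T10:00:01Z 203.0.113.7 alice@example.com LOGIN_FAIL
2025-05-01T10:00:02Z 203.0.113.7 bob@example.com LOGIN_OK
2025-05-01T10:00:03Z 203.0.113.7 carol@example.com LOGIN_FAIL
2025-05-01T10:00:04Z 203.0.113.7 dave@example.com LOGIN_FAIL
2025-05-01T10:00:05Z 203.0.113.7 erin@example.com LOGIN_FAIL
2025-05-01T10:00:06Z 203.0.113.7 frank@example.com LOGIN_FAIL
2025-05-01T10:00:07Z 203.0.113.7 grace@example.com LOGIN_FAIL
2025-05-01T10:00:08Z 203.0.113.7 heidi@example.com LOGIN_FAIL
2025-05-01T10:00:09Z 203.0.113.7 ivan@example.com LOGIN_FAIL
2025-05-01T10:00:10Z 203.0.113.7 judy@example.com LOGIN_FAIL
2025-05-01T10:01:00Z 198.51.100.3 carol@example.com LOGIN_FAIL
2025-05-01T10:01:05Z 198.51.100.3 carol@example.com LOGIN_FAIL
2025-05-01T10:01:09Z 198.51.100.3 carol@example.com LOGIN_FAIL
2025-05-01T10:01:20Z 198.51.100.3 carol@example.com LOGIN_OK
2025-05-01T10:02:00Z 192.0.2.10 dave@example.com LOGIN_OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)        # distinct accounts tried
    successes_for: set = field(default_factory=set)  # accounts that let it in


def parse(lines):
    """Yield parsed events; lines that do not match the format are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def aggregate(events):
    """Roll events up per source IP."""
    stats = defaultdict(SourceStats)
    for e in events:
        s = stats[e["ip"]]
        s.attempts += 1
        s.users.add(e["user"])
        if e["result"] == "LOGIN_FAIL":
            s.failures += 1
        else:
            s.successes_for.add(e["user"])
    return stats


def detect_stuffing(stats, min_users=5, min_fail_ratio=0.8):
    """Flag sources that try many distinct accounts and mostly fail.

    Thresholds are assumptions to tune per site. A flagged source with any
    success lists the affected accounts so they can be reset first.
    """
    findings = {}
    for ip, s in stats.items():
        ratio = s.failures / s.attempts
        if len(s.users) >= min_users and ratio >= min_fail_ratio:
            findings[ip] = {
                "distinct_users": len(s.users),
                "fail_ratio": round(ratio, 2),
                "compromised_accounts": sorted(s.successes_for),
            }
    return findings


def run(log_text):
    """Convenience entry point: raw log text in, findings dict out."""
    return detect_stuffing(aggregate(parse(log_text.splitlines())))


if __name__ == "__main__":
    for ip, f in run(SAMPLE_LOG).items():
        print(ip, f)
```

Keying on source IP is the simplest cut; stuffing crews rotate through residential proxies precisely to stay under per-IP thresholds, so in production the same aggregation is usually repeated per ASN, per user-agent or per device fingerprint, and the list of accounts that succeeded is what drives the forced password reset.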

AllSaints’ head of information security, Spencer Scott, said during the FT event he was lucky to learn about the M&S cyber-attack early on, in part thanks to a Telegram group with several CISOs and the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC).
Nevertheless, Scott also mentioned facing heightened cyber threats at that period, with attackers trying to gain access to his company’s stores by impersonating IT staff – a tactic commonly used by Scattered Spider hackers.
“We had to quickly educate our store managers, our district managers and our service desk staff that there was going to be more traffic coming via phone calls, texts or even physical conversations,” he added.
AllSaints and Holland & Barrett’s Post-Spring 2025 Security Measures
During the FT event, Rombaldo and Scott both shared that they felt lucky to have started some digital transformation and cyber resilience hardening processes long before the spring 2025 wave of cyber-attacks.
Despite this claimed preparedness, both cybersecurity professionals shared some of the key measures their groups took following the cyber-attacks affecting M&S and Co-op. These include:
- AllSaints and John Varvatos increased their planned and unplanned crisis communication exercises, adding quarterly and unscheduled calls with the leadership team to test the company’s incident response drills
- Scott recently joined the FAIR Institute, which promotes the Factor Analysis of Information Risk (FAIR) risk quantification framework, in order to model how a cyber-attack could affect an organization’s finances
- Holland & Barrett strengthened its support for third parties
- Holland & Barrett created a new team focused on ‘people’s security’ – internally called the “People behavior team” – and directed a third of the overall security resources towards this team. “This new team’s mission is to foster and drive security awareness and education,” said Rombaldo
