Cybercrime in the retail sector has dominated headlines in recent weeks. First M&S, then Co-op, and now Harrods. A pattern is emerging, and it’s putting every Cyber Security leader on edge.
We expect cyber threats. But when they hit the high street and the places we shop daily, they feel personal. These aren’t niche businesses, they’re some of the UK’s best-known brands. And the impact has been felt everywhere, from shop floors to boardrooms.
So, what’s happening? Who’s behind it? And more importantly — what can we learn?
Because while these attacks are making headlines, the underlying vulnerabilities could exist in any organisation. The lessons here go beyond retail.
In this blog, we’ll break down the latest cyber attack. We’ll look at what happened, who’s responsible, and what these attacks reveal about the evolving threat landscape and how you can use that insight to strengthen your Cyber Security strategy.
Timeline: Retail Cyber Attacks UK – How It Unfolded
The past few weeks have been a rollercoaster for the UK retail sector. Here’s a breakdown of how it all played out.
Inside the Marks & Spencer UK Cyber Attack
How the Recent Cyber Attack Worked
M&S has confirmed that ransomware was deployed to its VMware ESXi servers on 24 April, encrypting virtual machines and causing widespread disruption to operations. This points to a clear tactic used by the ransomware attack group DragonForce, who have since claimed responsibility.
- It’s believed that the attackers exploited known vulnerabilities or used compromised credentials to gain access.
- Once inside, they deployed lateral movement tools like Cobalt Strike, Advanced IP Scanner, and Mimikatz to escalate privileges and maintain persistence.
- They then targeted virtualised infrastructure to encrypt high-value systems at scale, a technique that allows maximum impact with minimum noise.
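The chain described above gives a SOC two concrete detection points to test: a credential-dumping tool opening LSASS on a Windows host, and a burst of VM power-off commands on an ESXi host, which typically precedes hypervisor-level encryption. The following is an added example, not code from the original post or from any of the retailers; the sample events are constructed and the LSASS allow-list is an assumed baseline to be tuned per estate.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs from any affected retailer): Sysmon
# process-access records and ESXi shell history in a simplified "ts|source|message" form.
SAMPLE_EVENTS = r"""
2025-04-24T01:02:10|sysmon|ProcessAccess SourceImage=C:\Windows\System32\svchost.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1000
2025-04-24T01:05:42|sysmon|ProcessAccess SourceImage=C:\Users\svc\AppData\Local\Temp\mk.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010
2025-04-24T02:10:00|esxi|shell: vim-cmd vmsvc/power.off 12
2025-04-24T02:10:03|esxi|shell: vim-cmd vmsvc/power.off 13
2025-04-24T02:10:05|esxi|shell: vim-cmd vmsvc/power.off 14
2025-04-24T02:10:08|esxi|shell: vim-cmd vmsvc/power.off 15
2025-04-24T09:00:00|esxi|shell: vim-cmd vmsvc/power.off 20
"""
# Processes expected to open LSASS on a typical Windows host (assumed baseline; tune per estate).
LSASS_ALLOWLIST = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\csrss.exe"}
LSASS_RE = re.compile(r"SourceImage=(\S+) TargetImage=\S*lsass\.exe", re.IGNORECASE)
POWEROFF_RE = re.compile(r"vim-cmd vmsvc/power\.off")

def parse_events(text):
    """Turn the pipe-separated sample into (timestamp, source, message) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, msg = line.split("|", 2)
        rows.append((datetime.fromisoformat(ts), src, msg))
    return rows

def lsass_access_alerts(rows):
    """Credential-dumping pattern: a process outside the baseline opening LSASS."""
    alerts = []
    for ts, src, msg in rows:
        m = LSASS_RE.search(msg) if src == "sysmon" else None
        if m and m.group(1).lower() not in LSASS_ALLOWLIST:
            alerts.append((ts, m.group(1)))
    return alerts

def vm_poweroff_bursts(rows, threshold=4, gap=timedelta(seconds=30)):
    """Mass VM shutdown: a run of power-off commands, each within `gap` of the previous.
    Ransomware on ESXi typically stops guests before encrypting their disk files."""
    times = sorted(ts for ts, src, msg in rows if src == "esxi" and POWEROFF_RE.search(msg))
    bursts, run = [], []
    for t in times:
        if run and t - run[-1] > gap:          # gap too large: close the current run
            if len(run) >= threshold:
                bursts.append((run[0], run[-1], len(run)))
            run = []
        run.append(t)
    if len(run) >= threshold:
        bursts.append((run[0], run[-1], len(run)))
    return bursts
```

Running `lsass_access_alerts(parse_events(SAMPLE_EVENTS))` flags only the process under the user's Temp folder, and `vm_poweroff_bursts` reports the four power-offs within nine seconds while ignoring the isolated one hours later.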
Although early reports speculated that the attack may have been linked to Scattered Spider, a group known for social engineering and credential harvesting, this connection remains unconfirmed.
What Was Stolen?
It was initially unclear whether any data had been taken — but that’s now changed.
On 13 May, M&S confirmed that customer data was exfiltrated during the attack. This includes:
- Names
- Contact details
- Order Histories
- Possibly other identifying information
There’s no evidence at this stage that passwords or payment information were compromised. However, the company still issued widespread password resets as a precaution, underscoring the severity of the breach.
Business Disruption: More Than Just IT Issues
This attack didn’t just impact internal systems — it hit core customer-facing services.
- Online orders, Click & Collect, and contactless payments were suspended.
- Distribution centres were affected, creating knock-on delays in product availability across UK stores.
- Internally, chaos unfolded. Some IT staff were reportedly sleeping in offices due to extended shifts and lack of clear protocols for managing the crisis.
- There was criticism around the lack of an established incident response plan, which left teams scrambling to adapt in real time.
The financial toll? M&S reportedly lost over £500 million in market value in the days following the public disclosure.
The Co-op Cyberattack
Co-op’s breach revealed just how deep the ripple effects of a cyberattack can go, especially in a sector as time-sensitive and logistics-heavy as retail.
Unlike some attacks that stay behind the scenes, the impact on Co-op was immediately visible in stores. From broken contactless payment systems to gaps on supermarket shelves, the disruption quickly reached customers on the ground.
What We Know About the Cyber Attack
- The incident was first identified on 30 April 2025, though it’s likely attackers had been active within the network for some time before that.
- In response, Co-op took multiple IT systems offline, a sign of a containment strategy meant to prevent further spread or data loss.
- On 1 May, staff were advised to stop using VPNs and to be wary of internal communications being monitored, suggesting the attackers had compromised parts of the internal environment.
- By early May, the ransomware group DragonForce had claimed responsibility for the attack, linking it to a broader campaign also targeting M&S and Harrods.
Technical details are still being confirmed, but based on DragonForce’s known tactics, it’s likely the attackers:
- Used stolen credentials or exploited known vulnerabilities to gain access.
- Moved laterally using tools like PingCastle and Mimikatz to establish persistence and harvest data.
- Deployed ransomware selectively to maximise pressure without immediately locking down the entire organisation.
What Data Was Compromised?
This wasn’t just about systems being encrypted: personal data was stolen.
According to Co-op and multiple press reports:
- Data from up to 20 million Co-op members was extracted.
- Stolen information includes names, email addresses, dates of birth, and contact details.
- No payment details or passwords were reported stolen, but the scale of the breach was still significant enough to trigger widespread concern.
DragonForce reportedly shared a sample of the stolen data, around 10,000 records, with the BBC to prove their involvement and demonstrate their access. This adds credibility to their claim and highlights the extortion pressure tactics used in these attacks.
Impact on Business Operations
- Contactless payment systems were disrupted across many Co-op locations.
- Stock shortages occurred due to delays and system outages affecting the supply chain.
- Internal systems were limited, slowing down day-to-day processes across the business.
- In-store teams were under pressure, with minimal access to usual support systems or digital tools.
Harrods Cyber Attack: What We Know
Incident Overview
On 1 May 2025, Harrods, one of the UK’s most iconic retailers, confirmed it had been targeted by a cyberattack. The company reported attempts to gain unauthorised access to its internal systems.
As a precaution, Harrods’ IT security team took immediate action by restricting internet access across multiple business sites to prevent any further risk. This was done swiftly to minimise the impact while investigations began.
Despite the attempted breach, all Harrods stores remained open. Their online store, harrods.com, also stayed fully operational, which helped to reassure customers and maintain business continuity.
Impact Assessment
- Operations: The main disruption involved Harrods restricting internet access internally. This action was taken as a containment measure. There were no confirmed service outages for customers either in-store or online.
Response and Investigation
Harrods acted quickly and is now working closely with Cyber Security experts to investigate the incident and bolster defences. The National Cyber Security Centre (NCSC) has also stepped in, supporting Harrods along with the other affected retailers to understand the nature of the attacks and reduce any further harm.
Lessons We Can Take From These Three Retail Cyber Attacks
Social Engineering In Cyber Security Remains A Go-To Entry Point — And It's Evolving Fast
We don’t yet know exactly how the attackers got in. But based on past campaigns by similar groups, social engineering is likely part of the story.
Threat actors don’t always need zero-days. A convincing phone call, a spoofed email, or a prompt that looks legit can be enough to gain access. Especially when employees aren’t expecting it — or are under pressure to act quickly.
What to reinforce:
- Run regular targeted phishing simulations that go beyond generic templates — include consent prompts, MFA fatigue attacks, and fake IT service messages.
- Train employees to slow down and question urgency, especially when dealing with access requests or unusual login attempts.
- Review your helpdesk and onboarding processes. Can someone socially engineer a password reset? If so, that’s a gap.
- Make reporting easy — a suspicious email should be one click away, not buried in a policy.
Social engineering is often the first step in a much bigger attack. Stopping it early can prevent everything that follows.
What to improve:
- Don’t rely on annual training. Use real-time prompts, role-specific refreshers, and embedded nudges in daily workflows.
- Rehearse ransomware-specific scenarios. Include legal, PR, and senior leadership.
- Run tabletop exercises that focus on cross-functional response, not just containment.
Knowing what to do isn’t the same as being ready to do it.
Retail Is Now A Prime Target And The Pressure Is Public
Retailers hold customer data. They rely on real-time operations. And downtime means lost revenue and reputation. That makes them high-pressure, high-reward targets for attackers.
What to reinforce:
- Do you have a business-wide cyber resilience plan, not just an IT one?
- Have you mapped your crown jewels — the systems attackers are most likely to encrypt or exfiltrate?
- Is your ransomware playbook up to date — including crisis comms and regulatory reporting?
Test Like It’s Real: The Value of Threat-Led Simulations
Reactive security isn’t enough. M&S, Co-op, and Harrods were hit because attackers understood the environments they were targeting. The question is — do you?
That’s where attack simulations and threat-led penetration testing come in. They go beyond traditional assessments by mimicking the tactics, techniques, and procedures (TTPs) of real-world threat actors — tailored to your environment and risk profile.
Why it matters:
- Understand threats in context — Not just “can someone get in?” but how they’d do it, and what they could reach if they did.
- Validate incident response in practice — Tabletop exercises are useful, but threat-led simulations show whether your detection and response processes actually work under pressure.
- Pair targeted social engineering with technical intrusion — Can your high-risk users spot a cleverly crafted phishing email, a fake MFA prompt, or a spoofed IT call? If not, that’s your entry point.
- Test lateral movement and ‘defence in depth’ — If an attacker gets in, how far could they go? Could they reach domain controllers, exfiltrate sensitive data, or deploy ransomware across core infrastructure?
These are not hypothetical questions. They’re the exact paths ransomware groups like DragonForce take — and they often go undetected until it’s too late.
Turn insight into tailored action:
The outputs of these exercises can directly inform:
- Improved detection logic — If your SOC didn’t catch the simulated attack, neither will it catch the real one.
- Refined playbooks — From containment to comms, this is your chance to fix gaps before you need them.
- Targeted training for high-risk groups — Simulations help you identify which teams or users need more tailored, ongoing security awareness — beyond generic phishing emails.
If M&S had had visibility through this kind of testing, they might have spotted weaknesses before attackers did. That’s the difference between being ready — and being reactive.
Ransomware Groups Now Operate Like SaaS Businesses
DragonForce isn’t a one-off actor. They’re part of a ransomware-as-a-service ecosystem. They offer custom payloads, leak sites, and built-in negotiation tools. And their affiliates can launch fast, low-noise campaigns that bypass basic defences.
What to build into your strategy:
- Keep a live threat profile for ransomware actors in your sector.
- Map their TTPs to your defences using MITRE ATT&CK or similar frameworks.
- Simulate these tactics in-house. Think purple teaming, not just pen testing.
These groups evolve fast. You should too.
Turning Insight into Action: Recent Ransomware Attack In The UK
The recent attacks on M&S, Co-op, and Harrods are a stark reminder that even the biggest brands aren’t immune. But they also serve as a powerful opportunity — to learn, adapt, and strengthen our defences.
At Equilibrium Security, we help businesses build Cyber Security strategies that cover every angle. From securing core infrastructure to preparing for ransomware, we work with you to reduce risk and respond with confidence.
Need help reviewing your current approach? We’re here to talk.
📞 Call us on 0121 663 0055
📧 Or email us at enquiries@equilibrium-security.co.uk
Let’s make sure you’re ready for whatever’s next.