A recent spate of retail cyber attacks has highlighted growing vulnerabilities in the UK sector, with high street names including M&S, the Co-op and Harrods all affected within weeks of each other.

As its customers shopped for last-minute chocolate treats and legs of lamb, M&S first began reporting issues over the Easter weekend, with shoppers experiencing problems using contactless payments and other services.

It was the retail giant’s CEO, Stuart Machin, who revealed the company was managing “a cyber incident”. The attack and its consequences have lasted far longer than anticipated, however, leading to stock shortages and issues with IT systems.

Within days, it was reported that fellow UK retailer the Co-op had also suffered a cyber incident, with hackers breaching some of its backend systems and call centre operations.

On 4 May, it emerged that a significant amount of Co-op customer data had been compromised, and the fallout is still affecting many of its stores. Walking into a Co-op just yesterday, this reporter found empty shelves due to restocking issues linked to the hack.

Luxury retailer Harrods was the third British brand to fall victim to a cyber attack in as many weeks. However, the London-based store brought in specialists and reported that it had successfully repelled the intrusion.

These attacks prompted the Chair of the Business and Trade Select Committee to write to the CEOs of M&S and the Co-op, seeking reassurance that the incidents are being managed effectively.

The events mark the latest in a growing wave of cybersecurity breaches across the UK retail sector in recent years.

Retailers including JD Sports, Boots, and WHSmith have all been targeted in recent years. Insurance firm QBE also found that the number of “disruptive and destructive global cyber-attacks” occurring annually more than doubled between 2020 and 2024.

With a host of attacks plaguing the industry, what could these cyber-attacks mean for UK retailers, and what is the industry’s best recourse to defend itself?

Why retail, why now?

UK retailers processed over 48 billion payments in 2023 — a significant increase on the previous year, as cash continued to give way to cards. Nearly 90% of these payments were made by consumers.

Despite this, only 5% of luxury brand websites and 10% of commerce websites are fully protected against malicious bots, according to research from cyberfraud expert DataDome. The firm’s 2024 Global Bot Security Report found that the e-commerce and luxury sectors are at the highest risk of online fraud.

The report also found that 63.2% of retail sites lacked any bot protection, making the industry the second worst protected overall.

Dr Darren Williams, CEO and founder of BlackFog, says there has been a significant rise in attacks during the first quarter of the year, with retail increasingly targeted.

“On the heels of the Marks & Spencer attack this week, the Harrods incident highlights the escalation of cyber attacks globally and the new arms race in the use of AI to target high-value entities,” he explains.

“While there is no evidence this attack was carried out by the same group, it does align with the highly tuned targeting we’ve seen this year and a 45% increase in attacks in Q1 2025.

“The attempt to gain unauthorised access to Harrods’ systems is another example of how data exfiltration is used to target and ultimately extort victims. With bad actors often remaining dormant for months — sometimes years — before launching full-scale attacks, early detection is crucial in the fight against ransomware.”

Retail is a prime target for attacks such as data mining and ransomware due to the volume of customer data processed and the high cost of operational downtime, explains Cody Barrow, former NSA cyber chief and current CEO of EclecticIQ.

He says the recent breaches should serve as “a wake-up call” for the sector and warns that retailers “must assume they are targets.”

“The cyberattack on Harrods is the latest in a growing wave of incidents exposing the retail sector’s mounting vulnerability to cyber threats,” says Barrow.

“Following recent breaches at Co-op and M&S, it underscores an alarming trend: attackers are becoming increasingly opportunistic, exploiting weaknesses across complex, interconnected supply chains.

“These attacks don’t just disrupt IT systems — they paralyse point-of-sale operations, cripple logistics, stall online platforms, and damage customer trust. The consequences are immediate: revenue losses, operational chaos, and lasting reputational damage.”

Industry reaction

The recent spate of UK retail attacks has been claimed by representatives of the DragonForce ransomware-as-a-service (RaaS) operation.

According to a blog by SentinelOne senior threat researcher Jim Walter, the attacks were initially linked to Scattered Spider and The Com — two hacking collectives acting as DragonForce affiliates.

DragonForce, a white-label RaaS group, spoke to the BBC, claimed responsibility for the hacks, and shared sample data on around 10,000 Co-op members.

Walter explains that the group started as a hacktivist collective in Malaysia but has since pivoted to a hybrid model involving ransomware-based extortion.

“Although DragonForce’s large-scale cartel model is not the first of its kind, its recent successes — and the demise of rival operations — suggest it will become increasingly attractive both to orphaned ransomware actors and more resourced groups looking to thrive in a competitive space,” he wrote.

The latest statement from M&S, issued on 25 April, warned that the company would pause online orders — with some website functions still unavailable at the time of writing.

“Our experienced team — supported by leading cyber experts — is working extremely hard to restart online and app shopping,” the statement read.

“We are incredibly grateful to our customers, colleagues and partners for their understanding and support.”

At the Co-op, as well as some stores facing empty shelves due to disrupted deliveries of fresh stock, some outlets also experienced issues accepting contactless and chip-and-pin payments, temporarily reverting to cash-only transactions.

However, the larger concern is the potential breach of customer data. The Co-op told the BBC it had taken “proactive measures” to fend off the attacks but later confirmed that hackers “accessed data relating to a significant number of our current and past members.”

The cyber criminals claim to possess private data for 20 million people signed up to Co-op’s membership scheme, though the company has not confirmed that figure.

Co-op operates more than 2,500 supermarkets, along with 800 funeral homes and an insurance business.

In a letter to customers, Co-op Group CEO Shirine Khoury-Haq said the firm was focused on “minimising disruption”. Khoury-Haq acknowledged that cyber criminals had accessed “a limited amount of member data,” calling the incident “extremely distressing” and apologising to those affected.

She emphasised the Co-op’s commitment to data protection as “a member-owned organisation”, but noted that it was “limited in the detail” it could currently share, thanking members for their patience.

Government reaction

The recent spate of retail cyber attacks has also prompted responses from the UK government and the National Cyber Security Centre (NCSC), which is part of GCHQ.

The NCSC confirmed it is working with the affected retailers to resolve issues and warned that the breach of three major retailers should serve as a “wake-up call” for businesses worldwide.

In a statement, NCSC CEO Dr Richard Horne said the incidents were “a serious concern” and urged organisations to consult NCSC guidance to ensure they are prepared to defend, respond to, and recover from attacks.

He added that the NCSC is actively supporting the organisations involved and sharing insights with the wider sector.

The government also unveiled a £16 million cyber defence package earlier this week at CyberUK in Manchester, announced by Chancellor of the Duchy of Lancaster Pat McFadden.

The funding includes measures to reinforce systems against attack, including investment in CHERI (Capability Hardware Enhanced RISC Instructions).

According to a government paper published yesterday, CHERI is a UK-backed semiconductor technology designed to improve cyber security by preventing memory safety bugs — a key cause of software vulnerabilities and a major attack vector.

By embedding security directly into hardware, CHERI aims to enhance system resilience and protect against cyber threats.

So far, the government has invested £80 million into CHERI via its Digital Security by Design (DSbD) programme, whose stakeholders also include UK chip designer ARM.

At CyberUK, it was announced that a further £4.5 million will be used to support implementation of the technology, which the Cabinet Office claims can help block up to 70% of cyber attacks.

At the same conference, the UK government introduced further measures to improve safety of software and AI development.

It released a new Software Security Code of Practice to guide organisations in securing software products. Additionally, the AI Security Code of Practice, previously issued by the UK, will now be adopted as a global standard by the European Telecommunications Standards Institute, establishing baseline security measures for AI systems worldwide.

In a speech underscoring the government’s more serious tone on cyber security, McFadden said:

“Cyber attacks are not a game. Not a clever exercise. They are serious organised crime. The purpose is to damage and extort.

“The digital version of an old-fashioned shakedown — either straight theft or a protection racket where your business will be safe if you pay the gangsters.

“What we have seen over the past couple of weeks should serve as a wake-up call for businesses and organisations across the UK — if we needed one — that cyber security is not a luxury but an absolute necessity.”
