In April 2025, Marks & Spencer (M&S), one of Britain’s most iconic high-street retailers, fell victim to a devastating cyberattack that disrupted its operations and compromised customer data. The incident, linked to the notorious hacking group Scattered Spider and the DragonForce ransomware, has not only cost M&S millions but also raised serious concerns about customer safety and the vulnerability of UK retailers to cybercrime. This attack is part of a broader wave of cyberattacks targeting major retailers like the Co-op and Harrods, signalling an alarming trend in the retail sector. This article explores the M&S hack, its risks to customers, and the implications of these ongoing cyber threats.
The M&S Cyberattack: What Happened?
The cyberattack on M&S began over the Easter weekend in April 2025, when customers reported issues with contactless payments and click-and-collect services. On April 25, M&S confirmed it was dealing with a “cyber incident” and suspended all online orders, a critical revenue stream accounting for roughly one-third of its clothing and home sales. The attack, believed to be a ransomware assault, encrypted M&S’s servers, halting online operations and disrupting in-store services. More than three weeks later, online ordering remains paused, and some in-store services, such as gift card acceptance, are still affected.
The hacking group Scattered Spider, also known as Octo Tempest, is suspected of orchestrating the attack using DragonForce ransomware. This group, comprising young, English-speaking hackers, employs sophisticated social engineering tactics, including phishing, SIM swapping, and impersonating IT help desk staff to gain access to systems. In the case of M&S, hackers reportedly tricked IT workers into resetting employee passwords, allowing them to breach the network. The attack has wiped over £700 million ($930 million) off M&S’s market value, with daily revenue losses estimated at £3.8 million ($5.05 million) due to the online shutdown.
On May 13, 2025, M&S confirmed that customer data, likely including names and addresses but not payment details or passwords, had been compromised. While the retailer stated there is no evidence the data has been shared, the breach poses significant risks to customers, as outlined below.
Risks to M&S Customers
The compromise of customer data, even without payment details, exposes M&S shoppers to several risks:
- Phishing and Social Engineering Attacks: Hackers with access to names and addresses can craft highly targeted phishing emails or text messages, posing as M&S or other trusted entities to trick customers into revealing sensitive information, such as login credentials or financial details. These attacks exploit trust in the brand and can lead to identity theft or financial fraud.
- Identity Theft: Personal information like names and addresses can be combined with other data available on the dark web to build comprehensive profiles for identity theft. Criminals may use this information to open fraudulent accounts, apply for credit, or commit other forms of fraud in victims’ names.
- Reputational Damage and Loss of Trust: The prolonged disruption and data breach risk eroding customer confidence in M&S. As consumer expert Kate Hardcastle noted, “In today’s hyper-connected world, silence can be unsettling, particularly when trust and transparency are the most valuable commodities a brand can offer.” Customers may hesitate to shop with M&S, fearing further breaches.
- Potential for Future Exploitation: Even if the stolen data hasn’t been shared yet, hackers may hold it for future ransom demands or sell it on the dark web. The DragonForce group has claimed to have stolen millions of customers’ data and is pressuring M&S to pay a ransom, potentially in the millions of pounds, to prevent its release.
M&S has advised customers to monitor their accounts and be vigilant for suspicious activity, but the lack of a clear timeline for full recovery and limited communication has fuelled concerns about transparency. The National Cyber Security Centre (NCSC) recommends that customers use strong, unique passwords across platforms and check for updates from M&S regarding the breach.
Other Ongoing Cyberattacks: Co-op and Harrods
The M&S attack is not an isolated incident but part of a broader wave of cyberattacks targeting UK retailers. In the same week, the Co-op and Harrods reported similar incidents, raising fears of a coordinated campaign or vulnerabilities in shared systems like SAP, widely used in the retail sector.
The Co-op Hack
The Co-op, a major UK supermarket chain, disclosed on April 30, 2025, that it had shut down parts of its IT systems to fend off an attempted hack. The attack, also linked to DragonForce, compromised a significant amount of customer and employee data, including names, contact details, and dates of birth. Unlike M&S, the Co-op’s stores and funeral homes continued trading as usual, but back-office and call centre services were disrupted. To prevent further breaches, Co-op staff were ordered to keep cameras on during remote meetings and verify all attendees, indicating concerns about hackers infiltrating virtual calls.
The Co-op hack highlights similar risks to customers, particularly phishing and identity theft, as the stolen data could be used to target members. The NCSC has urged firms to review IT help desk password reset processes, as hackers exploited this vulnerability by impersonating employees to gain access.
Harrods Cyberattack
On May 1, 2025, luxury department store Harrods confirmed it was targeted by a cyberattack, becoming the third major UK retailer hit within a week. The store restricted internet access across its sites, including its Knightsbridge flagship, as a precaution after detecting attempts to gain unauthorised access. Harrods’ IT security team acted swiftly, and the retailer reported no evidence of customer data being compromised. All stores and the Harrods website remained operational, but the incident underscores the growing threat to retailers handling vast amounts of customer data.
Harrods has not disclosed whether the attack was linked to DragonForce or Scattered Spider, but cybersecurity experts suggest the timing and nature of the attacks on M&S, Co-op, and Harrods may indicate a shared vulnerability, such as a compromised supplier or technology. Toby Lewis of Darktrace noted that the incidents could be coincidental, but a common entry point or heightened vigilance following the M&S attack may have prompted other retailers to detect breaches.
Broader Implications and Industry Response
The cyberattacks on M&S, Co-op, and Harrods expose systemic vulnerabilities in the retail sector, which processes over 48 billion payments annually and relies heavily on digital infrastructure. Cybersecurity experts warn that retailers are prime targets due to the volume of identity and payment data they hold and their expanding attack surfaces through e-commerce and mobile platforms. Xavier Sheikrojan of Signifyd emphasised, “Retailers are prime targets because of the volume of identity and payment data they hold,” while Anton Yunussov of Forvis Mazars called for cybersecurity to be treated as a “strategic business priority” rather than just an IT issue.
The UK government and NCSC have responded with urgency. Cabinet Office Minister Pat McFadden, speaking at the CyberUK conference, described the attacks as a “wake-up call” for companies to prioritise cybersecurity. The NCSC is working with affected retailers and has issued guidance on securing IT help desk processes and monitoring for “risky logins” to prevent social engineering attacks. The Metropolitan Police’s Cyber Crime Unit and the National Crime Agency are investigating the M&S attack, with six arrests of suspected Scattered Spider members in the UK and US over the past year.
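The help desk password reset abuse described above and the NCSC advice to monitor for risky logins can be turned into a simple correlation rule. The following is an added example, not code from M&S, the Co-op or the NCSC; the event format, the `verified_by` policy values and the sample events are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample identity-provider / help-desk events; not real retailer logs.
EVENTS = [
    {"ts": "2025-04-19T09:02:00", "type": "helpdesk_reset", "user": "j.doe",
     "ticket": "HD-0001", "verified_by": "caller_knowledge"},
    {"ts": "2025-04-19T09:05:00", "type": "login", "user": "j.doe",
     "ip": "203.0.113.7", "device": "unknown"},
    {"ts": "2025-04-19T09:06:00", "type": "mfa_enroll", "user": "j.doe", "method": "sms"},
    {"ts": "2025-04-19T11:00:00", "type": "helpdesk_reset", "user": "a.smith",
     "ticket": "HD-0002", "verified_by": "manager_callback"},
    {"ts": "2025-04-19T11:20:00", "type": "login", "user": "a.smith",
     "ip": "198.51.100.4", "device": "known"},
]

# Assumed policy: only these verification methods count as strong for a reset.
STRONG_VERIFICATION = {"manager_callback", "in_person"}


def find_risky_resets(events, window=timedelta(minutes=30)):
    """Return (user, ticket, reason) alerts for help-desk resets that were weakly
    verified, or that are followed within `window` by a login from an unknown
    device or a new MFA enrolment, the trail an impersonated reset tends to leave."""
    last_reset = {}   # user -> (reset time, ticket)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 sorts lexically
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]
        if ev["type"] == "helpdesk_reset":
            last_reset[user] = (ts, ev["ticket"])
            if ev.get("verified_by") not in STRONG_VERIFICATION:
                alerts.append((user, ev["ticket"],
                               "reset verified only by " + str(ev.get("verified_by"))))
            continue
        if user not in last_reset:
            continue
        reset_ts, ticket = last_reset[user]
        if ts - reset_ts > window:
            continue
        minutes = int((ts - reset_ts).total_seconds() // 60)
        if ev["type"] == "login" and ev.get("device") != "known":
            alerts.append((user, ticket,
                           f"login from unknown device {ev['ip']} {minutes} min after reset"))
        elif ev["type"] == "mfa_enroll":
            alerts.append((user, ticket,
                           f"new MFA method '{ev['method']}' enrolled {minutes} min after reset"))
    return alerts


if __name__ == "__main__":
    for user, ticket, reason in find_risky_resets(EVENTS):
        print(f"ALERT {ticket} {user}: {reason}")
```

In the sample data only `j.doe` is flagged: the reset was verified by caller knowledge alone and was followed within minutes by an unknown-device login and an SMS MFA enrolment, while `a.smith` had a callback-verified reset and a known-device login.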
Retailers are now on high alert, with many reviewing their cybersecurity defences. However, experts like Jordan Jewell of VTEX warn that “no company is immune” as complexity increases with more systems, vendors, and data. The food and beverage industry, in particular, has been criticised for weak defences, with an M&S employee telling Sky News that the retailer lacked a business continuity plan for such an attack.
What Can Customers Do?
Customers of M&S, Co-op, and Harrods can take proactive steps to protect themselves:
- Monitor Accounts: Regularly check bank statements and accounts for unauthorised activity.
- Use Strong Passwords: Create unique, complex passwords for each platform and avoid reusing them.
- Enable Two-Factor Authentication: Add an extra layer of security to online accounts.
- Be Wary of Phishing: Avoid clicking links or sharing personal information in unsolicited emails or texts claiming to be from these retailers.
- Stay Informed: Check for updates from M&S, Co-op, or Harrods regarding the breaches and follow NCSC advice.
Looking Ahead
The cyberattacks on M&S, Co-op, and Harrods underscore the growing sophistication and audacity of cybercriminals, with groups like Scattered Spider and DragonForce exploiting human and technical vulnerabilities. For M&S, the financial toll—estimated at £30 million in initial profit losses and £15 million weekly—pales in comparison to the potential long-term loss of customer trust. While analysts like Adam Cochrane of Deutsche Bank believe M&S will recover due to strong consumer loyalty, the retailer must act swiftly to restore services and rebuild confidence.
The broader retail sector faces a critical juncture. As Helen Dickinson of the British Retail Consortium noted, cyberattacks are becoming “increasingly sophisticated,” requiring retailers to invest heavily in defences. The government, NCSC, and industry must collaborate to strengthen cybersecurity, address skill shortages (only 4% of UK firms are fully prepared for complex threats, per Cisco), and treat digital infrastructure as critical. Until then, customers and retailers alike remain vulnerable to the next wave of attacks, which DragonForce has ominously warned is “just the start.”