Between April and May 2025 the UK retail sector experienced a notable escalation in cyber-attacks that hit several major brands. Retail is particularly exposed to ransomware because of its dependence on customer data and on interconnected supply-chain and payment systems. The incidents appear to be a coordinated series of intrusions that caused significant operational disruption, data breaches, and financial losses for the targeted organizations.
Timeline of Disruptions
Marks & Spencer (M&S) began experiencing disruptions to contactless payments and to its Click & Collect service (ordering online and picking up in a physical store) around April 21, 2025. The situation escalated and M&S suspended all online orders on April 25, 2025 as the incident continued. The retailer later confirmed that the attackers gained access to customer data during the April intrusion, including contact details, dates of birth, and online order histories. M&S has publicly stated that “usable payment or card details” and account passwords were not affected.
Around the same time, Co-op Group detected unauthorized access attempts on April 26, 2025 and shut down parts of its IT network to fend off the attack. The attackers nevertheless infiltrated the organization’s IT environment and exfiltrated customer and employee data, including employee usernames and passwords and customer membership details. Co-op has acknowledged that the attackers accessed data on a “significant number” of its customers, including names and contact details.
Harrods confirmed a cyberattack on April 29, 2025 and restricted internet access across its stores. The retailer said it was the target of an attempted intrusion, just days after the data theft at Co-op Group and the separate attack that disrupted operations at M&S, but reported that the attempt was thwarted.
Two further incidents have not been explicitly tied to the same campaign. An undisclosed health and beauty retailer reportedly saw a surge of some 2,000 (reportedly legitimate) password reset requests on May 1, 2025. Separately, a vulnerability in Linux-based servers hosting a webshell at an independent consumer co-operative was reportedly exploited on April 28, 2025 as part of this activity.
These operations stand out not only for the caliber of victims but also for a strategic shift toward sector-specific targeting—specifically retail. The timing, coordination, and tooling suggest deliberate planning intended to maximize operational disruption and pressure victims into payment. The attackers likely chose this sector due to several factors, including the high volume of sensitive customer data, reliance on interconnected systems, and the potential for significant financial disruption.
The Direct Impact to Retailers
The cyberattacks had significant consequences for the targeted retailers, including:
- Significant IT disruption, including paused online sales, with one retailer reporting issues for over two weeks
- Disruptions to in-store operations, with some retailers restricting in-store internet access following the attacks
- Store shortages due to supply chain disruptions
- Reputational damage and financial losses estimated in the hundreds of millions, including more than £700 million ($930m) wiped from market value
- Data loss affecting at least 20 million consumers
The impact of these attacks extends beyond immediate financial losses. The disruption to online sales and in-store operations can lead to long-term damage to customer trust and loyalty. Customers may switch to competitors if they are unable to make purchases or experience delays in receiving their orders. The reputational damage can also make it more difficult for retailers to attract new customers and retain existing ones.
Government and CTI Response
Governments worldwide have issued warnings in the wake of these attacks. The UK government specifically urges organizations to review IT help desk processes, particularly password reset procedures, in order to defend against impersonation of employees to the help desk, a tactic reportedly used in these attacks. Other governments are alerting retail organizations to the increased targeting and advising enhanced vigilance, recognizing that similar attacks may follow in other regions.
The UK’s National Cyber Security Centre (NCSC) is actively assisting the affected retailers to fully understand the nature of the attacks and to provide expert advice to the wider sector based on the threat picture. The NCSC has described the incidents as a “wake-up call” to all organizations, emphasizing the need for heightened cybersecurity preparedness across the retail sector.
The UK government’s response also involves collaboration with the affected companies to investigate how the breaches occurred and to assess whether there is a broader threat to the retail sector. This collaborative approach aims to enhance information sharing and coordination among government agencies, law enforcement, and private sector entities to mitigate the impact of the attacks and prevent future incidents.
The role of CTI teams is becoming increasingly critical in the face of sophisticated cyberattacks. By gathering and analyzing information about threat actors, their motivations, and their methods, CTI teams can provide valuable intelligence to help organizations anticipate and defend against attacks. This intelligence can be used to improve security controls, detect malicious activity, and respond effectively to incidents.
Context within the Broader Threat Landscape
These retail attacks have been attributed to Scattered Spider working with the DragonForce ransomware operation, and they carry implications for the broader ransomware landscape, including an expected rise in activity tied to DragonForce’s move to operate as a “cartel” in the coming months. Scattered Spider was also named as the group behind the 2023 attacks on MGM Resorts in Las Vegas; given its well-documented social engineering capabilities, it is expected to cause significant disruption well beyond retail.
Recommendations for Retailers
Security Hygiene
Cyber Threat Intelligence teams should monitor these campaigns using OSINT and dark web sources, including threat actor chatter on underground forums. Organizations should look for trusted research that shares Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs), which cybersecurity providers often publish after extensive threat hunting and analysis. Sharing threat intelligence with industry partners and government agencies is also crucial for strengthening collective defense and staying ahead of evolving threats.
To defend against such sophisticated threats, organizations are urged to implement several security measures:
- Enforce Multi-Factor Authentication (MFA) on all accounts and applications, including remote-access services such as VPNs.
- Perform regular audits of asset inventory and of authentication and help-desk logs.
- Implement regularly scheduled backups and tested recovery processes.
- Maintain regular patch management and review its coverage.
- Leverage cyber threat intelligence to stay ahead of threat actors targeting the organization directly or through business partners.
- Run regular scans with up-to-date EDR solutions.
- Limit the exposure of services by disabling unused ports and protocols.
- Segment networks to restrict lateral movement from initially compromised devices to the rest of the organization.
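The help-desk password reset guidance above, and the recommendation to audit logs, are easier to act on with a concrete check. The following script is an added example, not code from the original post or from any of the affected retailers: it parses a constructed password-reset log and raises two findings, a burst of resets inside a short window (the kind of spike described earlier) and a single help-desk agent resetting several privileged accounts within an hour. The log format, account names, window sizes and thresholds are all assumptions for illustration.

```python
"""Flag bursts of password resets and help-desk resets of privileged accounts.

Added example. The log lines, the privileged-account list and the thresholds
below are constructed for illustration and are not taken from the incidents.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log: "<timestamp> <channel> <actor> <target account>".
# channel is "self-service" or "helpdesk"; actor is the help-desk agent id or
# "self" for self-service resets. Not real data.
SAMPLE_LOG = """\
2025-05-01T08:00:12Z self-service self alice
2025-05-01T08:03:40Z self-service self bob
2025-05-01T08:15:09Z helpdesk agent7 carol
2025-05-01T09:01:30Z helpdesk agent7 da-admin
2025-05-01T09:02:11Z helpdesk agent7 backup-svc
2025-05-01T09:02:58Z helpdesk agent7 vpn-admin
2025-05-01T09:03:20Z self-service self dave
2025-05-01T09:04:05Z self-service self erin
2025-05-01T09:05:44Z self-service self frank
2025-05-01T09:06:10Z self-service self grace
2025-05-01T10:30:00Z helpdesk agent2 heidi
"""

# Assumed list of accounts whose reset should never be routine for the help desk.
PRIVILEGED = {"da-admin", "vpn-admin", "backup-svc"}


@dataclass
class ResetEvent:
    ts: datetime
    channel: str
    actor: str
    target: str


def parse_log(text):
    """Parse the constructed log format into time-ordered ResetEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, channel, actor, target = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ResetEvent(when, channel, actor, target))
    events.sort(key=lambda e: e.ts)
    return events


def find_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Edge-triggered sliding-window count: emit one (start, end, count) alert
    each time the number of resets inside `window` rises to `threshold`, then
    re-arm once the count drops below it."""
    alerts, left, armed = [], 0, True
    for i, ev in enumerate(events):
        while events[left].ts < ev.ts - window:
            left += 1
        count = i - left + 1
        if count >= threshold and armed:
            alerts.append((events[left].ts, ev.ts, count))
            armed = False
        elif count < threshold:
            armed = True
    return alerts


def helpdesk_privileged_resets(events, privileged, window=timedelta(hours=1), threshold=2):
    """Map help-desk agent -> sorted privileged accounts they reset, for any
    agent who reset at least `threshold` privileged accounts within `window`."""
    by_agent = defaultdict(list)
    for ev in events:
        if ev.channel == "helpdesk" and ev.target in privileged:
            by_agent[ev.actor].append(ev)
    findings = {}
    for agent, evs in by_agent.items():
        flagged, left = set(), 0
        for i, ev in enumerate(evs):
            while evs[left].ts < ev.ts - window:
                left += 1
            if i - left + 1 >= threshold:
                flagged.update(e.target for e in evs[left:i + 1])
        if flagged:
            findings[agent] = sorted(flagged)
    return findings


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for start, end, n in find_bursts(evs):
        print(f"burst: {n} resets between {start:%H:%M:%S} and {end:%H:%M:%S}")
    for agent, targets in helpdesk_privileged_resets(evs, PRIVILEGED).items():
        print(f"review: {agent} reset privileged accounts {targets}")
```

The burst detector is edge-triggered so a sustained spike produces one alert rather than one per event; the privileged-reset check is the log-side complement to the procedural advice, since a help desk that is being impersonated will show up as an agent resetting accounts it normally never touches. In production both thresholds should come from a baseline of the organization's own reset volume rather than the fixed values used here.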
Implementing a Threat-led Strategy
Not all threats are relevant to a retail organization, and planning and managing defenses against every known threat is impractical and overwhelming. A threat-led strategy focuses the organization on defending against the threats that matter most. It consists of a four-step process:
- Estate (Asset) Management: Tagging, classifying, identifying owners, and prioritizing the riskiest of assets within your retail organization.
- Exposure Management: Defining a threat profile for your estate of assets that focuses on relevant, exploitable exposures within the retail sector.
- Defense Management: Using your threat exposure profile to tune your security controls and tools (e.g. MDR/EDR, VM, UCM) to better defend against targeted retail attacks.
- Continuous Operation: Running the three steps above as an ongoing, automated process rather than a one-off exercise.
CyberProof’s Threat-Led Defense Platform (powered by Interpres) empowers retail organizations to implement these steps ensuring organizations focus on the threats that matter most.
This seemingly coordinated campaign against UK retailers underscores the evolving threat landscape and the importance of robust cybersecurity defenses in the retail sector. Retailers must adopt a proactive threat-led approach to cybersecurity, incorporating advanced technologies, threat intelligence, and best practices to protect their systems, data, and customers.