In recent months, the UK retail sector has been under siege by a surge in ransomware attacks, with high-profile companies such as Marks & Spencer (M&S), Co-op, and Harrods falling victim to these cybercriminals. These incidents have not only disrupted operations but also exposed significant vulnerabilities within the industry.
The Rising Tide of Ransomware Attacks
Between April and May 2025, several major UK retailers experienced significant cyberattacks, primarily attributed to the DragonForce and Scattered Spider ransomware groups. These incidents disrupted operations, compromised customer data, and highlighted vulnerabilities within the retail sector. (inreachgroup.co.uk)
In the first quarter of 2025, there was an 85% increase in ransomware attacks against UK retailers compared to the same period last year. This surge underscores the escalating threat landscape facing the retail industry. (bitdefender.com)
Explore the data solution with built-in protection against ransomware TrueNAS.
Case Studies: M&S, Co-op, and Harrods
Marks & Spencer (M&S):
On April 21, 2025, M&S customers began reporting issues with contactless payments and click-and-collect services. The company confirmed a cyber incident later that day, and by April 25, M&S suspended all online orders, halting a critical revenue stream that generates approximately £3.8 million daily. The attack, identified as a ransomware assault, encrypted key servers using the DragonForce ransomware tool, rendering systems inaccessible. The financial toll was severe: over £700 million was wiped off M&S’s market value, with shares dropping 6.5% in the week following the attack. (breached.company)
Co-op:
On May 2, 2025, Co-op disclosed a cyberattack that resulted in unauthorized access to personal data of current and former members, including names, contact details, and dates of birth. Financial data and passwords were not affected. The breach prompted the shutdown of certain IT systems to prevent further damage. (inreachgroup.co.uk)
Harrods:
On May 1, 2025, Harrods reported an attempted cyberattack, leading to restricted internet access at some sites as a precautionary measure. While no breach was confirmed, the incident raised concerns about potential vulnerabilities. (inreachgroup.co.uk)
The Attackers: Scattered Spider and DragonForce
The DragonForce ransomware group, believed to operate from Asia or Russia, has been identified as a significant threat actor behind these attacks. They employ sophisticated social engineering tactics to gain unauthorized access to systems, as seen in the M&S incident, where an attacker tricked a third party into resetting an M&S employee’s password, allowing unauthorized access. (techradar.com)
Similarly, Scattered Spider, a financially motivated group known for its social engineering capabilities, has been particularly active in the UK. (purecyber.com)
The Impact on the Retail Sector
These cyberattacks have had far-reaching consequences for the UK retail sector. The disruptions have led to stock shortages, operational halts, and a significant loss of consumer trust. For instance, M&S faced a £300 million loss in operating profit due to the April attack. (ft.com)
The Co-op experienced similar challenges, with the breach affecting back-office and call center operations, leading to a temporary shutdown of certain IT systems. (cyberproof.com)
Law Enforcement Response
In response to these incidents, UK police arrested four individuals under the age of 21 in connection with cyberattacks that targeted major retailers like M&S, Co-op, and Harrods. The National Crime Agency (NCA) led the investigation and has seized electronic devices for questioning by its National Cyber Crime Unit. (reuters.com)
Strengthening Cybersecurity Measures
The National Cyber Security Centre (NCSC) has issued guidance for companies to strengthen their cybersecurity defenses following these major retail cyberattacks. The guidance emphasizes the importance of robust cybersecurity measures to combat the growing threat of ransomware attacks. (bleepingcomputer.com)
Conclusion
The surge in ransomware attacks targeting UK retailers highlights the urgent need for enhanced cybersecurity measures within the industry. Retailers must prioritize the protection of customer data and operational systems to mitigate the risks associated with these evolving cyber threats.
References
Four under 21s arrested? Were they after the sweets or just practicing their coding skills on a grand scale? Perhaps retailers should offer cybersecurity apprenticeships instead of just stocking up on digital defenses?