The M&S, Co-op, and Harrods Cyber Attacks – Everything We Know So Far
14.05.25
“We’re putting UK Retailers on the blacklist”.
The recent wave of cyber-attacks on UK retailers is a needed wake-up call for all business owners that robust cyber security is a necessity, not an accessory.
From the Easter weekend until now, three UK retailers – Marks & Spencer, the Co-op, and Harrods – have been targeted by cyber-attacks. As the threat continues to escalate within a short window of time, this has left many news outlets nervously speculating, who’s next?
Here is everything you must know about the recent retail cyber-attacks, and how you can defend your organisation from being successfully targeted.
What has happened?
The first cyber-attack – enacted on the Easter weekend – targeted one of the UK’s leading retail stores, Marks & Spencer. Initially, there appeared to be a technical issue with click & collect services and contactless payments in stores nationwide, before the disruption was confirmed to be caused by a major cyber incident. Although the services had resumed by Friday 25th April, orders made online via their website or apps remain suspended two weeks after the incident. Although M&S have said that there is no evidence that useable cards, payment details, or passwords have been breached, all customers have been urged to reset their passwords. The damage from the attack has caused a loss of £650 million in value thus far, and online services may remain down for months [1].
Mere days after the attack, another retailer, the Co-op, was targeted. The cyber-attack has caused disruption to deliveries, reports of empty shelves, and “significant” amounts of customer data being stolen. The cyber criminals behind the operation (more on this later) claim to have the data of 20 million customers from the Co-op’s membership scheme [2]. According to the Co-op’s FAQ page, the breached personal data includes names, contact details and dates of birth – not bank details, transaction information, or passwords [3].
The latest attack, as of May 12th, 2025, targeted the luxury department store Harrods, which reported that it ‘recently experienced attempts to gain unauthorised access to some of [their] systems’, and that their ‘seasoned IT security team immediately took proactive steps to keep systems safe’. The extent to which the cyber criminals were able to infiltrate their systems and cause damage has not been disclosed [4].
Who is behind the attacks?
Anonymous individuals from the DragonForce cybercriminal syndicate have claimed responsibility for the attacks – reporting their involvement in the attacks to the BBC and Bloomberg with supporting evidence. Additionally, their encryptors have been used on M&S’s VMware ESXi hosts to encrypt virtual machines, further supporting their involvement. DragonForce allege that the data held by them is much greater than reported by the retailers, particularly The Co-op.
DragonForce is a ransomware group that surfaced in August 2023, originally purporting to be a hacktivist group before shifting to a profit-based operation [5]. DragonForce’s new Ransomware as a Service (RaaS) business model allows threat actors to orchestrate attacks using their malware in exchange for 20% of the ransom [6].
As such, it’s widely speculated that the organisation behind this attack is Scattered Spider – a decentralised network of cyber criminals – rather than DragonForce alone. This is due to DragonForce’s recent takeover of RansomHub, a ransomware-as-a-service (RaaS) syndicate whose tools Scattered Spider members have used in the past. The attacks are also consistent with Scattered Spider’s past targeting behaviour [7].
The National Cyber Security Centre (NCSC) has warned that criminals launching cyber-attacks at British retailers are impersonating IT help desks to break into organisations [8]. The attack on M&S allegedly occurred after attackers tricked IT help desk workers into granting access to company systems using social engineering techniques [9].
As a result, retailers are urged to stay on high alert, as the attackers, in communication with the BBC, were quoted as saying, ‘We’re putting UK retailers on the blacklist’ [10].
Why are the attacks happening?
Cyber-attacks are designed to inflict damage and enable extortion, fuelling a thriving underground economy driven by profitability. For instance, the hacking group Scattered Spider has successfully targeted retailers in the past – most notably Caesars Entertainment in Las Vegas, which reportedly paid a $15 million ransom [11].
Although paying a ransom is strongly disincentivised in the UK, attackers still target UK-based organisations by upping the pressure through threats of data leaks or deletion. If one organisation does not concede, then they may use stolen sensitive data to target other customers or supply chains. As long as cybercrime remains profitable and relatively low risk for the perpetrators, the attacks will continue to grow in scale and frequency.
Not only this, when attackers see their operations making headlines, it validates their impact. This notoriety becomes part of the motive – it boosts their credibility within the cybercriminal community, can act as a recruitment or funding tool, and as a platform for advancing wider political or ideological agendas.
With insufficient budgets allotted for cyber security, criminals are increasingly aware that organisations are becoming easier targets as their defences weaken. As an example of this, it has been alleged by an insider that M&S had no business continuity plans in place for a potential cyber-attack, potentially raising concerns about the security posture of other UK retailers.
How Do I Protect My Organisation from Cyber Attacks?
Protecting your organisation against modern cyber threats requires multi-layered solutions – the more robust defences you have in your arsenal, the better prepared you are to defend against adversaries.
Human error remains one of the most significant vulnerabilities in cyber security. That’s why educating your workforce and fostering a proactive cyber security culture is critical for maintaining business continuity.
We recommend our quick, interactive e-learning courses to help your team effectively recognise and respond to common threats. Courses include:
- Phishing & Social Engineering
- Ransomware & Malware
- Cyber Resilience Awareness
In addition, we strongly advise deploying AppGuard, a zero-trust security software designed to complement Microsoft Defender or other Endpoint Detection and Response systems (EDRs). While traditional antivirus and EDR solutions focus on detecting known threats, AppGuard proactively contains unknown (zero-day) malware by default-denying trust. Even if a phishing link is accidentally clicked, AppGuard prevents malware from escalating privileges or moving laterally within your network—effectively neutralising the threat.
Last of all, we recommend our Digital Risk Protection (DRP) service, which includes dark web monitoring and vulnerability scanning. Since retail organisations have increasingly appeared on tracked data-leak sites used by extortion actors, our DRP service allows us to alert you of emails, passwords, and other sensitive data from your organisation that have been leaked onto the dark web.
For more information or tailored guidance on securing your organisation, please contact us at enquiries@ccoe.org.uk.
Written by Kurtis Toy, CISSP, CEO of the Cyber Centre of Excellence, and CEO and Lead vCISO of Onca Technologies. Edited by Kyle M.