Cyber Criminals and Groceries?
By Nahla Davies
Wed | May 28, 2025 | 6:37 AM PDT

In early May 2025, two of the United Kingdom's best-known grocers, Marks & Spencer (M&S) and the Co-op, as well as luxury retailer Harrods, were struck by sophisticated social-engineering attacks that tricked IT teams into resetting critical passwords and deploying ransomware across their networks. Online systems were shut down in response, payments couldn't be accepted, and shelves were left empty as the supply chain broke down.

We can't treat these incidents as specific to the U.K. retail industry. Groceries might not seem like the most obvious target for cybercriminals, but this should be a broader wake-up call that any industry's digital infrastructure can be a high-value target. Plus, threat intelligence from Google indicates that the very tactics used against U.K. grocers are now being deployed against American retailers, so let's dive into what's happening and what we can learn.

Why retail and groceries are prime targets

Retailers process billions of customer transactions each year, making them treasure troves of personal and payment data. In the M&S breach, attackers managed to access customer contact information, dates of birth, and online order histories, although they didn't obtain usable payment card details or passwords. Similarly, Co-op confirmed that hackers stole both employee credentials and membership data, including usernames, passwords, and personal contact details.

Modern grocery operations also rely on deeply interconnected digital ecosystems—from e-commerce platforms and payment gateways to automated stock management and perishable-goods logistics. Each link in this chain expands the attack surface for malicious actors. When a key system goes offline, inventory management grinds to a halt, deliveries are delayed, and shelves, especially those holding refrigerated or fresh-produce items, can go bare in a matter of hours, directly impacting their customers’ access to food.


The financial fallout from retail cyber incidents can be severe. Industry analysts estimate that the average cost of a data breach in the retail sector has climbed well into the tens of millions of dollars, factoring in ransom payments, lost sales, remediation efforts, and regulatory fines. M&S alone is believed to have suffered losses in excess of £1.1 billion ($1.5 billion U.S.) in market value and millions in daily lost e-commerce revenue during its downtime.

Beyond hard dollars, these breaches inflict psychological fallout, eroding consumer trust and deterring online purchases long after systems are restored.

Breaking down the major breaches in British retail 

Marks & Spencer (M&S)

There are reports that the M&S attack could have begun as early as February 2025, but it came to the fore during the Easter weekend of April 2025 (April 18th to 21st, a national holiday in the U.K.), when customers experienced failures in contactless payments and Click & Collect services. By April 25th, the retailer had suspended all online clothing and home goods orders and later extended the pause to its food-ordering site.

Critical systems remained offline for weeks, causing stock depletion in some stores and forcing suppliers into manual, paper-based order processing. M&S confirmed that while personal customer data was stolen, payment card details and account passwords were not compromised. 
The attack was quickly identified as ransomware, with security experts linking the intrusion to the DragonForce group and its affiliates, who deployed encryptors against M&S's VMware ESXi infrastructure. Despite apologies to customers, M&S's infrequent updates on service restoration have fueled concerns over lasting reputational damage.

The Co-op Group

Co-op's IT leadership actually managed to anticipate a major breach and proactively shut down their key systems when they detected anomalous activity, including unauthorized access attempts and exfiltration of member data. While hackers boasted to the BBC that they had spent significant time in Co-op's network and had planned to deploy ransomware, the retailer's swift isolation maneuvers prevented full encryption of its systems.

Delivery schedules and in-store stock levels still suffered disruptions, as operations teams implemented contingency plans to route supplies via alternative channels. Co-op later confirmed that no financial details or passwords were exposed, though membership data and employee credentials were taken.

Harrods

Following the M&S and Co-op incidents, Harrods reported attempts to gain unauthorized access to its internal platforms. The luxury retailer immediately restricted internet connectivity across its locations as a precaution, but maintained full operational capabilities in its Knightsbridge flagship, H Beauty stores, and online channels. 
While Harrods has yet to confirm any data compromise and no widespread disruptions were reported, the incident nonetheless underscores the aggressiveness of attackers targeting high-value retail brands.

The emerging tactics and suspected actors behind cyberattacks

The attacks against U.K. retailers follow a recognizable pattern that allows us to analyze the tactics and strategies of these cybercriminals.

Security authorities and incident reports widely associate these U.K. retail breaches with Scattered Spider, a loose collective of young, English-speaking hackers operating across the U.K. and U.S., known for its adept social-engineering prowess. Scattered Spider's playbook routinely includes impersonating employees during help-desk calls to reset passwords or bypass multi-factor authentication (MFA), so-called "MFA bombing" to overwhelm users with verification prompts, and SIM-swap attacks to intercept one-time codes.

Once inside, the attackers look to steal Windows NTDS.dit files and repositories of Active Directory account password hashes, to facilitate lateral movement within the network and persistence. After gaining footholds, affiliates of DragonForce, a ransomware-as-a-service cartel, were able to deploy encryptors to lock up critical servers in exchange for ransom payments.

DragonForce's affiliate model enables multiple threat actors to leverage its ransomware tools in exchange for a share of extortion proceeds, blurring the lines between initial access operations and final payload deployment. Attackers additionally exploit vulnerabilities in legacy devices, third-party vendor systems, and supply-chain software, focusing on the weakest link to breach otherwise hardened networks.

Implications for other industries and the path forward

These recent cyber assaults on British retailers should be a stark reminder that any sector reliant on digital infrastructure faces similar perils. Google's Threat Intelligence Group has explicitly warned that the same actors are now targeting U.S. retail companies, using similar social-engineering techniques and password-reset scams.

As industries accelerate their digital transformations, their attack surfaces will only expand, making cyber resilience an absolute business imperative.
To stay ahead of these threats, companies must treat cybersecurity as an ongoing business function rather than a one-off IT project. This means strengthening identity and access management through mandatory MFA, zero-trust networking, and rigorous verification protocols at help desks. 

It also requires continuous monitoring and rapid detection capabilities to spot suspicious behavior before it escalates. Equally vital is regular employee training on social-engineering tactics and conducting simulated phishing and breach exercises to validate incident response plans.
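One concrete form of the "rapid detection" called for above is a rule that spots the MFA bombing described earlier: a burst of push prompts to one user inside a short window, and especially an approval that arrives mid-burst. The following is an added example, not code from the article or from any of the retailers named; the log format, field names and sample lines are constructed for illustration.

```python
# Added example (not from the article): flag MFA "bombing" bursts in
# constructed push-notification log lines. Assumed log format:
#   <epoch_seconds> <user> <event> <source_ip>
# where event is PUSH_SENT, PUSH_DENIED or PUSH_APPROVED.
from collections import defaultdict, deque

# Constructed sample log: alice receives a burst of prompts, denies several,
# then approves one (the fatigue pattern); bob is a normal single login.
SAMPLE_LOG = """\
1000 alice PUSH_SENT 203.0.113.7
1005 alice PUSH_DENIED 203.0.113.7
1010 alice PUSH_SENT 203.0.113.7
1015 alice PUSH_DENIED 203.0.113.7
1020 alice PUSH_SENT 203.0.113.7
1030 alice PUSH_SENT 203.0.113.7
1040 alice PUSH_SENT 203.0.113.7
1045 alice PUSH_APPROVED 203.0.113.7
2000 bob PUSH_SENT 198.51.100.4
2004 bob PUSH_APPROVED 198.51.100.4
"""

def parse(lines):
    """Yield (timestamp, user, event, source_ip) tuples, skipping blank lines."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, user, event, src = line.split()
        yield int(ts), user, event, src

def detect_mfa_fatigue(log_text, window=120, threshold=4):
    """Return alerts for users who received >= threshold pushes within
    `window` seconds; an approval inside such a burst is a separate,
    higher-severity alert because it likely means the user gave in."""
    sent = defaultdict(deque)   # user -> PUSH_SENT timestamps still in window
    alerts = []
    for ts, user, event, src in parse(log_text):
        q = sent[user]
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if event == "PUSH_SENT":
            q.append(ts)
            if len(q) == threshold:       # fire once, when the burst begins
                alerts.append((user, "mfa_burst", ts, src))
        elif event == "PUSH_APPROVED" and len(q) >= threshold:
            alerts.append((user, "approved_after_burst", ts, src))
    return alerts
```

The "approved_after_burst" alert is the one to route for immediate session revocation and a help-desk callback to the user on a known-good number, since the approval itself looks legitimate to the identity provider.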
Organizations should develop robust continuity and recovery strategies, including off-network backups, clear communication protocols, and pre-negotiated incident response plans to bring in expert assistance automatically.

Collaborative intelligence sharing within and across sectors can help identify emerging attack patterns and collective defenses. Finally, investment in advanced technologies, such as AI-driven threat detection and automation, can enable faster, more accurate responses to intrusions.
Consumers also need continued vigilance. Companies should encourage them to frequently update personal passwords, monitor financial statements for anomalies, and listen out for official notifications. This helps reduce the impact of post-breach scams and black-market data misuse.

Conclusion

The spate of sophisticated, socially engineered ransomware attacks against M&S, Co-op, and Harrods underscores that no organization, regardless of reputation or size, is beyond reach. As threat actors refine their tactics using AI-powered reconnaissance, MFA fatigue, and targeted supply-chain exploits, security teams must match their agility with proactive defense and continuous vigilance, and build a culture that elevates cybersecurity to the level of core business strategy.

Only by embracing this mindset can companies protect their operations, safeguard sensitive data, and preserve the consumer trust that sustains the very shelves we rely on for our daily groceries.
