Retailers under attack: why hackers hit household names

M&S, the Co-op and Harrods have all been targeted by cybercriminals in recent days, and experts warn that cybersecurity apathy can be extremely damaging

Marks & Spencer is struggling to fully restore online operations after a cyber attack just before Easter that has knocked €705 million off its market value. Photograph: Andy Rain/EPA
The boss of Marks & Spencer told shoppers last Friday that the retailer was working “day and night” to fully restore its operations and “get things back to normal as quickly as possible” following a cyber attack that started a fortnight ago and has wiped more than £600 million (€705 million) off its value.

This is the second time in a matter of days that chief executive Stuart Machin has attempted to reassure customers. M&S first disclosed on April 22nd that its systems had been compromised and that it had been unable to accept online orders since the previous Friday. A police investigation has been launched.

The retailer was the first household name to be targeted by cyber criminals, just days before the Co-op and luxury department store Harrods were also forced to shut down some IT systems and restrict internet access to fend off similar attacks.

The incidents have highlighted the vulnerability of the retail sector to digital threats and have prompted concerns that retailers could be the target of a co-ordinated attack.

Toby Lewis, head of threat analysis at Darktrace, says “we shouldn’t rule out that the three incidents are coincidence”. A supplier or technology that all three chains had in common might also have been breached, he said.

Richard Horne, chief executive of the National Cyber Security Centre, warns that “the disruption caused by the recent incidents ... are naturally a cause for concern” and “should act as a wake-up call to all organisations”.

Co-op says it is “continuing to experience malicious attempts by hackers to access our systems”. Despite its preventive efforts, hackers were able to access and extract names and contact details for a significant number of shoppers.

The company says the hackers did not have customers’ “passwords, bank or credit card details, transactions or information relating to products or services”.

Harrods says all of its stores are open as normal and shoppers can continue to buy goods online.

Some cybersecurity experts believe that large retailers represent an attractive target for hackers, more so than other sectors.

“Cyber criminals are generally opportunistic,” says Rafe Pilling, threat intelligence director at Secureworks. “They pursue targets that they can gain easier access to. Retailers generally don’t prioritise cybersecurity in the same way the regulated industries do, and there are more opportunities to target companies in retail and hospitality, manufacturing and healthcare.”

Research by law firm Irwin Mitchell in 2024 revealed that UK retailers were showing signs of cybersecurity apathy, with FTSE 100 retailers referencing “cybersecurity” less frequently in their annual reports compared with other sectors, despite growing risks.

According to the UK’s Information Commissioner’s Office, the sectors reporting the highest number of cybersecurity breaches in 2023 were finance, with 22 per cent of reported incidents; retail, at 18 per cent; and education, with 11 per cent.

Helen Dickinson, chief executive of the British Retail Consortium, which represents the sector, says, “Cyber attacks are a real risk for all businesses and are becoming increasingly sophisticated. Retailers spend hundreds of millions every year to mitigate these risks and ensure they can continue to serve customers.”

Retailers also have large customer databases rich with payment information, says Jamie Smith, global managing director of cyber security at S-RM, a consultancy that offers digital forensic services.

He adds: “The real-time nature of retail operations means that any disruption can be catastrophic, and also very visible,” creating “greater leverage for an attacker wanting to extort them”.

Michael Yates, partner and head of cyber security at law firm Harbottle & Lewis, says hacking “a well-known retail brand generates leverage ... because the victim will want to avoid brand and reputational damage at all costs to stop eroding customer trust”. He adds, “M&S is one of the most trusted brands in the country.”

Even if retailers do not pay ransoms, he says, their mountain of data means hackers can still profit from selling it on.

While M&S, the Co-op and Harrods are the latest retailers to suffer IT disruption, Christmas sales at supermarket chain Wm Morrisons were badly hurt by a cyber attack on technology provider Blue Yonder last year. Currys and JD Sports have also suffered attacks that breached customer data.

M&S warned in its most recent annual report that the shift to hybrid working since the Covid-19 pandemic had made it more susceptible to cyber attacks, as well as the greater use of digital technology and cloud systems.

Retailers’ operations are also fragmented, spanning stores and online and mobile networks. They also work with numerous suppliers, which all increase the risk of an attack, says S-RM’s Smith. Many retailers still rely on legacy systems, he adds, which cannot be taken offline without disrupting tills.

The all-encompassing nature of technology in businesses means that “through a ransom attack, everything can very simply grind to a halt”, says Darktrace’s Lewis.

George Glass, a cyber threat expert at Kroll, says the three incidents could be the work of Scattered Spider, a hacking group that has conducted similar actions in the past, and has been linked to M&S.

Scattered Spider typically works with ransomware groups such as DragonForce or RansomHub, which can help orchestrate the data leaks if ransom negotiations prove fruitless for cyber criminals.

Scattered Spider’s profile is somewhat unusual, says Secureworks’s Pilling. The group is amorphous, with known members tending to be male, and as young as 14 or 15. But crucially they are also English-speaking and tend to be based in the West, he adds.

“That’s an unusual thing for cybercrime groups – many of them are outside of western jurisdictions, and that’s how they get away with things long term.”

While the group’s motivations are ultimately to make money from a hack, “there’s just a big kudos within the [hacking] community element, so they do it for bragging rights almost”, says Pilling.

Unlike groups that rely on sophisticated techniques, Scattered Spider is “very good at getting on the phone to people, talking them into revealing credentials or resetting password. They understand business processes well and so they’re very good at manipulating people”, he adds.

Darktrace’s Lewis believes it will take M&S “months” to fully recover from the impact of the attack, as it has to strike a balance between swiftly turning the systems back on to serve customers, and risking moving too quickly if the malware is still present in its systems. He adds that when there has been an attack, “you often only see the symptoms”.

Copyright The Financial Times Limited 2025