Major UK retailers Marks & Spencer, Co-op and Harrods have all been targeted by hackers in the last two weeks. While there has not been confirmation that the attacks were all linked, the National Cyber Security Council (NCSC) has acknowledged that all of the attacks followed tactics most commonly associated with the collective nicknamed Scattered Spider.
Press speculation has centred around the theory that all three incidents could have been social engineering attacks, perpetrated by Scattered Spider. In this context, social engineering refers to attackers using psychological techniques to get employees of a company to trust them, tricking them into giving passwords and security codes. This could involve imitating a company’s help desk, or pretending to be an employee locked out of their account.
Hackers claiming responsibility for the Co-op attack spoke to the BBC on the 2nd May, confirming that they had compromised the retail group and stolen customer employee data. However, they denied any responsibility for the Marks & Spencer and Harrods attacks, and denied that they were Scattered Spider hackers, instead calling themselves DragonForce – the name of a cyber crime service used by attackers.
The incidents are still under investigation, with further details on the attackers and the impact of the hacks expected to be released.
Marks & Spencer attack
Marks & Spencer was the first retailer to be hit by an attack, with issues initially being noticed on Monday 21st April. The company apologised to customers after numerous services were disrupted online and in-store.
The retailer has since been able to restore some systems, including those responsible for contactless payments, refunds and returns, however, their online ordering system and automated stock systems remain offline. According to the Guardian, industry insiders have suggested it could take weeks for online orders to be resumed, and even months for all systems to be fully operational. It does not currently appear that any Marks & Spencer customer data has been accessed.
The attack has highlighted the level of disruption a cyber attack can cause for a business on this scale, with Marks & Spencer losing millions of pounds a day, and employees working around the clock trying to restore systems. An inside source spoke to Sky News, stating “We didn’t have any business continuity plan [for this], we didn’t have a cyber attack plan.”
Harrods attack
Luxury department store Harrods released a statement on the 1st May stating “We recently experienced attempts to gain unauthorised access to some of our systems. Our seasoned IT security team immediately took proactive steps to keep systems safe and as a result we have restricted internet access at our sites today.”
While Harrods has not detailed the scale of the attack, the retailer has confirmed that customers do not currently need to do anything differently, and there does not appear to have been an impact on online or in-store operations.
Co-op attack
The Co-op group reported a similar attack on the 2nd May, stating it was “continuing to experience sustained malicious attempts”. They advised that hackers had accessed the data of a significant number or past and current members, including names and contact details, but not passwords or bank and card details.
Similarly to Marks & Spencer, the attack has caused disruptions across a wide range of operations, including contactless payments, delivery, and stock systems. The Chief Executive of the Co-op, Shirine Khoury-Haq, advised that “Our frontline colleagues are focused on minimising any disruption that might be experienced by our members and customers.”
How can businesses protect themselves?
Cabinet Office minister Pat McFadden has spoken at the CyberUK conference, and told UK businesses that these attacks should be a wake-up call: “In a world where the cybercriminals targeting us are relentless in their pursuit of profit – with attempts being made every hour of every day – companies must treat cybersecurity as an absolute priority. We’ve watched in real time the disruption these attacks have caused, including to working families going about their everyday lives. It serves as a powerful reminder that just as you would never leave your car or your house unlocked on your way to work, we have to treat our digital shop fronts the same way.”
The NCSC, which is also working directly with the affected organisations, has issued a series of recommendations for the retail sector. Their recommendations include following general NCSC guidance on mitigating malware and ransomware attacks, ensuring you are using multi-factor authentication, enhancing monitoring, reviewing password reset processes, ensuring you can identify atypical logins, and paying specific attention to Domain Admin, Enterprise Admin and Cloud Admin accounts.
A full-stack security suite can protect your organisation against attacks, threats and vulnerabilities, and maintain the confidentiality, integrity and availability of your data.
However, while these security measures can protect your infrastructure, ultimately, your employees are often your weakest link against social engineering attacks. You can have the strongest possible defences, but if an employee with legitimate access is tricked into giving away details, an attacker can access your systems. Therefore, employee training should be your first line of defence.
In the unfortunate circumstance that a hacker does infect your system with ransomware, backups allow you to restore your data with minimal data loss. On and off-site backups can be configured with customisable backup intervals depending on the importance of the data, and your tolerance to data loss, from a recommended minimum of daily backups, up to real-time replication.
For further details on cloud security information and protection measures, you can read our dedicated Cloud Security Guide.

