UK-based retailers Marks & Spencer, Co-op, and Harrods have been targeted by cyber attackers in the last few weeks.
Whether the attacks have been mounted by the same group is difficult to say for sure: the victimized businesses are sharing little in the way of details and the professed attackers are likely to exaggerate the effect of the attacks and otherwise mislead everyone involved and everyone watching from the outside.
What do we know about the attacks?
It all started – publicly, at least – with a “cyber incident” at British multinational retailer Marks & Spencer.
The company confirmed on April 22, 2025, that a cyber attack forced them into defense mode. Since then, M&S has paused taking orders via its site, apps and over the phone, and its physical stores have suffered empty shelves and limited availability of certain items, likely due to the company temporarily turning off its stock ordering system and siloing off stores.
It still hasn’t been officially confirmed whether the attackers – suspected to be either members of the Scattered Spider hacking collective or using the same tactics for gaining initial access, then using the DragonForce encryptor – have made off with customer or company data.
Last week, Harrods Group, who operates the famous luxury London department store Harrods, said that they’ve been managing “an attempted cyber attack” and that they “took immediate steps to keep systems safe”. Unlike M&S, Harrods is keeping its online shop running.
Finally: Co-op, a British consumer co-operative that, among other things, runs a grocery retail business, confirmed last Wednesday that it had also been hit and that they’ve taken “proactive measures” to fend off the attackers.
But, according to the BBC, the attackers – ostensibly the same group that breached M&S and targeted Harrods – had infiltrated Co-op's IT networks and systems many days before the official confirmation, had stolen private information of millions of its members, customers, and employees, and had been threatening to release it if they were not paid.
More recently, the Co-op CEO, Shirine Khoury-Haq, confirmed that the attackers “were able to access a limited amount of member data, which included name, date of birth and contact details, but they have not been able to access any members’ financial information.”
“Passwords have not been compromised and we are not asking members to do anything differently,” she added.
The hacking group apparently used the same tactic to gain initial access: they social-engineered an employee, took over their account by having the password reset, used the account to access Co-op's network, then went after the Windows Active Directory database file, ntds.dit, which holds the (encrypted) credentials of employee accounts.
There has been no mention yet of ransomware having been deployed on Co-op systems.
Advice for defenders
The UK National Cyber Security Centre is working with the affected retailers “to understand the nature of the attacks and to minimise the harm done by them,” Jonathon Ellison, NCSC’s National Resilience Director, and Ollie Whitehouse, the Centre’s CTO, commented on Sunday.
“Whilst we have insights, we are not yet in a position to say if these attacks are linked, if this is a concerted campaign by a single actor or whether there is no link between them at all. We are working with the victims and law enforcement colleagues to ascertain that,” they said.
Cybersecurity researcher Kevin Beaumont, who used to work for Co-op back in the day and is still a member-customer, has criticized the company for downplaying the seriousness of the attack and for not informing affected staff and members-customers promptly or fully.
He also pointed out that the attackers may or may not be part of the English-speaking, loosely organized Scattered Spider collective, but that they are using the manoeuvres popularized by it: most prominently, they pose as company IT and helpdesk staff to trick actual employees into divulging account credentials, one-time password (OTP) or multi-factor authentication (MFA) codes, or they employ MFA bombing or SIM swapping to get access to employee accounts.
“Once they get access, they are living off the land — using Teams, Office search to find documentation, the works,” he noted.
“The key thing is: if your internal employees could go rogue and cause significant damage before detection, you have a serious problem if an external e-crime group ‘becomes’ an employee. So you need to stop them gaining access via Microsoft 365, VPNs and Virtual Desktop systems — and/or be able to detect accounts going rogue.”
He provided additional advice for defenders and instructed them to review CISA’s previous reports on Lapsus$ and Scattered Spider to learn how to fend off these types of attacks.
“The attacks on Marks and Spencer, Co-op and Harrods are linked,” he added. “DragonForce’s lovely PR team claim more are to come.”
As NCSC’s Ellison and Whitehouse pointed out, good defenses to keep out bad actors are a must, but they are not foolproof – organizations must also be able to detect threat actors when they are using employees’ legitimate access, are on the company network, and in the organization’s cloud services, and be prepared to contain the attackers and recover from the attack.
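The detection need described above (an account taken over via a helpdesk-style password reset, then used from an unfamiliar source and pointed at ntds.dit) can be expressed as a simple correlation rule. The following is an added example, not code from the article or from any of the affected retailers; the event records are constructed and simplified, keeping only the fields the rule needs from the standard Windows Security event IDs 4724 (password reset), 4624 (logon) and 4688 (process creation), and the baseline of "known" source IPs is likewise an assumption.

```python
"""Correlate a password reset with a logon from an unfamiliar source and a
follow-on process that references the AD database file ntds.dit.
Event records are constructed and simplified for the example."""
from datetime import datetime, timedelta

# Constructed sample events: a benign reset for "alice" and a suspicious chain for "bob".
SAMPLE_EVENTS = [
    {"ts": "2025-04-20T09:00:00", "id": 4724, "subject": "helpdesk1", "target": "alice"},
    {"ts": "2025-04-20T09:05:00", "id": 4624, "user": "alice", "ip": "10.1.2.3"},
    {"ts": "2025-04-21T14:00:00", "id": 4724, "subject": "helpdesk1", "target": "bob"},
    {"ts": "2025-04-21T14:07:00", "id": 4624, "user": "bob", "ip": "203.0.113.50"},
    {"ts": "2025-04-21T14:40:00", "id": 4688, "user": "bob",
     "cmd": "cmd.exe /c copy C:\\Windows\\NTDS\\ntds.dit D:\\staging\\"},
]

# Constructed baseline: source IPs each account is normally seen logging on from.
KNOWN_SOURCES = {"alice": {"10.1.2.3"}, "bob": {"10.1.2.4"}}


def _when(ev):
    return datetime.fromisoformat(ev["ts"])


def find_rogue_account_chains(events, known_sources, window_hours=24):
    """Return one finding per reset account that then logs on from a source
    outside its baseline; each finding also lists any ntds.dit-related
    process started by that account inside the window."""
    events = sorted(events, key=_when)
    findings = []
    for reset in (e for e in events if e["id"] == 4724):
        acct = reset["target"]
        deadline = _when(reset) + timedelta(hours=window_hours)
        later = [e for e in events
                 if e.get("user") == acct and _when(reset) < _when(e) <= deadline]
        new_sources = [e["ip"] for e in later
                       if e["id"] == 4624 and e["ip"] not in known_sources.get(acct, set())]
        if not new_sources:
            continue  # reset followed only by familiar activity: treat as benign
        ntds_activity = [e["cmd"] for e in later
                         if e["id"] == 4688 and "ntds" in e.get("cmd", "").lower()]
        findings.append({"account": acct, "reset_by": reset["subject"],
                         "new_sources": new_sources, "ntds_activity": ntds_activity})
    return findings


if __name__ == "__main__":
    for f in find_rogue_account_chains(SAMPLE_EVENTS, KNOWN_SOURCES):
        print(f)
```

In a real deployment the baseline would come from weeks of logon history and the events from a SIEM, but the shape of the rule is the same.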