
It’s a sad story if ever you’ve heard one. At the end of a hard day at a new job, our protagonist – let’s call him Jeff – seeks solace in a Friday night meal deal from that known purveyor of reliable discounted dinners, Marks & Spencer (other outlets are available). Jeff, his shoulders hunched and his fingers aching from repetitive strain injury, has high hopes for his evening, only to discover – alas! The gleaming white shelves, bulging the previous week with innumerable ping curries, lie empty. Jeff, his brow furrowed, turns tail and flees into the night, his spirit exhausted and his dinner plans shattered.
Though sadly fictional, a similar fate did befall thousands of M&S customers across the UK in late April. Thanks to the nefarious actions of the cybercriminal consortium Scattered Spider in mid-April – the group, believed to be manned by Anglo-American teens, hacked a third party in the retailer’s supply chain and used that foothold to reach M&S’s own systems and seed ransomware – the firm’s internal ordering and payment systems quickly seized up. M&S stores reported stock shortages, which soon turned into empty shelves and tangible losses for the UK High Street giant. By August, the brand announced that it expected the cyberattack to reduce its profits for this year by £300m.
Only days later, as stories emerged of a lack of any tangible business continuity plan for cyberattacks at M&S, Co-op became the next big brand to fall victim to Scattered Spider. The chain initially played down the impact of the breach, but later revealed that hackers accessed data on all 6.5m of its members and many of its employees. No doubt seeing the devastating effect on M&S, it decided to pull the plug on its own systems before more sensitive data could be stolen or ransomware installed.
“Co-op took a bold move, and it paid off,” says Jen Ellis, co-chair of the Ransomware Task Force at the Institute for Security and Technology (IST). “Taking everything offline is drastic.”
But the attack on Britain’s big-name retailers was not over yet. At the start of May, Harrods revealed it had been targeted and required external cybersecurity specialists to protect its systems. Taking a leaf out of Co-op’s book, it shut down parts of its IT network to prevent any major data breach. This meant its doors stayed open, its inventory remained full, and its online services continued running.
Unsurprisingly, a wave of panic rippled through the retail sector, as huge brands started to wonder – what do cybercriminals know that we don’t?
In the firing line
The UK government’s Cyber Security Breaches Survey 2025 suggests retailers are not alone in suffering cyberattacks, with more than 40% of all businesses, both large and small, reporting some kind of incident in the past year.
Even so, the retail sector doesn’t seem to be doing itself any favours in this respect. The same survey showed that 44% of respondents from the industry classed cybersecurity as a low priority, compared to a cross-sector average of 27%. Only 22% of retailers or wholesalers, meanwhile, are likely to have a board member with explicit responsibility to manage cyber-defence strategy, again lagging way behind other sectors. And as if it were not enough to have too little internal resource, the industry is also among the least likely to seek external advice on cybersecurity: only 27% compared to 42% for businesses overall.
Could this be why hackers are looking at the sector and making a tidy profit? The same survey suggests that the industry has, until now, been relatively untouched: only 11% of retail and wholesale businesses experienced a cybercrime in 2025, down from 18% the previous year.
Even when the sector was not so clearly in the firing line, the cost was high. A study by global financial technology platform Adyen found that in 2023 alone, UK retailers lost more than £11bn to cybercrime. With the sights of hackers now firmly trained on retailers, that figure could skyrocket.
“All companies can be targets, but any organisation with a lot of consumer data should consider itself at higher risk,” says Andrew Northage, regulatory and compliance partner at UK law firm Walker Morris. “Stolen customer data is valuable to fraudsters. So, retail is particularly vulnerable because retailers store large quantities of consumer data.”
With so much to lose, retailers should be taking more care to protect themselves, but that is no easy feat. The scale of their operations means their businesses have many moving parts. Their supply chains are long and complex, involving an intricate and ever-changing network of suppliers.
Every link in the chain is a potential door into the network. The mix of stores, distribution centres, online services, partner relationships, and supply chain infrastructure gives hackers many places to hide within this complexity and interdependence. That is why not only big retailers like Co-op and M&S, but even smaller players, would find it hard to secure their perimeters even if cybersecurity were high on their to-do list.
“Big retail organisations operate complex digital ecosystems and hold large volumes of personal and financial data, not to mention behavioural insights gathered through loyalty programmes, all of which can fetch high prices on underground markets,” adds Northage. “Moreover, many still rely on legacy IT infrastructures that weren’t designed for modern cyber-defence.”

Enhancing retail cybersecurity
One thing that remains true, sadly, is that people are the weakest link in the cybersecurity chain. That was certainly the case with the M&S hack, in which Scattered Spider managed to break into the retailer’s network by convincingly impersonating an employee at a third-party supplier. The group – also known as Star Fraud, Muddled Libra, or the catchy UNC3944 – has proven expert at these tactics, tricking hapless members of staff at vulnerable companies into revealing login details and bypassing multifactor authentication. Such bypasses do not break MFA itself: a one-time code read out to a fake help desk or typed into a lookalike login page can be used by the attacker within its short validity window, which is why phishing-resistant methods such as FIDO2 security keys are the usual recommendation against this group. Back in 2023, it used stolen login credentials and one-time passwords to access the networks of casinos run by Caesars and MGM.
For now, however, Scattered Spider’s chelicerae seem destined to take chunks out of big retailers (and the odd car company). Where, then, should the likes of M&S, Harrods and Co-op be shoring up their cybersecurity defences? There’s no one answer, explains Northage; rather, retailers should be prepared for a long, defensive campaign against such groups, one that calls for sustained investment in tools, processes and people. “Invest in dedicated tools, processes and expert talent rather than treating it as a one-off project,” he says. “Criminals constantly evolve their methods. Cyber protection should be viewed as an endless cycle of improvement.”
Retailers should start with the basics. In this, much of the advice for supermarkets and wholesalers aligns with the standard dictums of the industry: staff must be trained to escalate cybersecurity concerns immediately; speed of awareness is, after all, critical in preventing a breach from getting any worse. As a vulnerability can arise in the form of any employee with network access, this means comprehensive training at all levels, from the boardroom to the shop floor. Basic cybersecurity hygiene means keeping passwords and one-time codes private, and treating any unsolicited request for them, even one that appears to come from a colleague, supplier or IT support, as suspect until verified through a known channel.
While external cybersecurity advisors are often called in after a breach has occurred, it is also wise to have them on board as a pre-emptive measure, as Kirsten Whitfield, co-head of law firm Fieldfisher’s cyber breach team in London, explains: “Get a forensics provider on board to help close down an incident, and engage them in advance, as they could stress test the systems against common attack vectors from their knowledge of hacking groups,” she says. “Even engage a professional ransomware negotiator who can profile attackers.”
On the technical front, the biggest challenge is to keep pace with the growth in AI. Hackers are using it, so retailers need to invest in defensive AI to fight fire with fire. “Investing as regulators expect you to will not necessarily mean you are iron clad,” says Whitfield. “Hackers are increasingly sophisticated and use tools like AI, so it is a good idea to invest in it, too, though you don’t want to rush into buying AI that you think will protect you but has not been fully understood.”
Remember, too, that cybersecurity does not end at the edge of your organisation. It extends into your network of partners and suppliers, which, in the case of retailers, is vast. All of those interdependent organisations should be required to meet defined cybersecurity criteria as a condition of the trading relationship, and the access each is granted to the retailer’s systems should be limited to what that relationship actually needs, so that a compromised supplier cannot become a door into everything else.
Sadly, such measures might come too late to save UK retailers’ reputations for data security and transparency among their customers, but does that matter? Probably not, argues Ellis. “In principle, trust is important,” she says, “but the data does not support that a loss of business follows a data breach.”
Ellis cites the example of US retailer Target back in 2013, when hackers stole credit and debit card numbers of 40m customers, and the personally identifiable information of 70m. More than one in three US citizens were affected, but within a few weeks, Target was running successful promotions, getting more people than ever through the door, and seeing its share price rise.
“Trust in a brand is not based on trust in data,” says Ellis. “It is based on whether M&S, for example, has the knickers they like. People put trust in organisations intentionally around what they are buying, and unintentionally around the data they hand over.”
That may sound like retailers can be complacent and simply assume that business will recover, but if they make a habit of leaving the door open to rogue teenagers with laptops, the cost will soon add up. Even big retailers with deep pockets will find that ignoring cybersecurity becomes far too expensive.