This article was co-authored by Trainee Solicitors Shreya Bhalla and Simran Bhandel.
Recent high-profile attacks on major retailers have underscored the growing cyber risks facing the sector, as threat actors exploit both technical vulnerabilities and complex supply chains to cause maximum disruption.
In recent weeks, three major retailers have confirmed that they have either suffered a cyber incident or identified sophisticated attempts to compromise their systems:
- On 21 April 2025, Marks & Spencer reported that they were suffering from a cyber incident, causing them to halt clothing and home orders through their website and app.
- On 30 April 2025, Co-op reported that it had taken down parts of its IT systems in order to fend off a cyber-attack. In a major twist, the hacker themselves reported to the BBC (with proof) that they had infiltrated Co-op’s IT networks and exfiltrated customer and employee data. It was reported that extortion messages were sent to the head of cyber security at Co-op via a Microsoft Teams chat. The cyber group are believed to have usernames and passwords of all employees, and also membership details of Co-op’s customers.
- On 1 May 2025, Harrods was the latest retailer to confirm it had been hit by cyber issues. However, at this stage, they report that attempts to infiltrate their systems have been unsuccessful, and there has been no confirmation of any operational issues or data impact.
There is speculation that the incidents may be linked to the hacking group Scattered Spider, which previously targeted MGM Resorts.
Scattered Spider
Scattered Spider is a cybercriminal group believed to consist primarily of young individuals based in the United Kingdom and United States. Active since 2022, the group has been linked to over 100 cyberattacks against major corporations across a broad range of sectors, including finance, retail and gaming. Their hallmark lies in how they gain initial access, using sophisticated social engineering tactics which can be difficult to guard against. Scattered Spider has built a reputation around its ability to manipulate individuals rather than just IT systems. The group’s tactics rely on social engineering, including:
How can organisations avoid falling victim?
The recent spate of attacks has thrown the importance of cyber preparedness back into the spotlight. There has been much commentary on how proactive measures may have influenced the trajectory for each of the key victims. In particular, there is much to compare and contrast between the significant disruption suffered by M&S versus the “near miss” experienced by Harrods.
This difference in outcome firmly highlights the importance of ensuring that there is robust preparation for this type of incident. That spans from technical measures intended to prevent an attack or provide early warnings, through to a robust game-plan should the worst happen, which should be regularly stress tested.
There are a few key takeaways from our experience of recent events, which should be at the top of every organisation’s priority list:
1. Deployment of identity and access policies
If they don’t already, organisations should consider the adoption of multi-factor authentication as a mandatory part of their access policies throughout the business, as well as a thorough review of password policies.
Given the sophisticated social engineering tactics in use, IT helpdesks in particular should consider implementing additional measures, including ID verification – e.g. having staff make video calls with a valid form of ID. They should also be alert to anything out of the ordinary, like requests made outside of usual business hours.
2. Robust detection and response strategies
Organisations should ensure they have robust monitoring and detection strategies in place to both identify potential suspicious activity and react to it. Where there are any third-party providers or MSPs in the supply chain, organisations should be absolutely sure where responsibility lies for reacting to alerts to ensure that containment steps can be actioned promptly. A lack of clarity on this can result in a situation where an alert is received but nobody acts on it, allowing the attack to progress.
3. Regular training
People are always the weakest link in cyber security and that is what Scattered Spider, and other threat actors, rely on. It takes a momentary lapse in judgment to fall victim to social engineering techniques, which are becoming increasingly difficult to spot. As a result, it is critical to continuously refresh people’s knowledge on what to look out for and how to react.
Additional training should be considered for those who would be involved in the incident response process should an incident occur. Businesses should regularly revisit their incident response plans and stress test them with cyber simulation exercises. This provides a valuable opportunity to identify gaps in planning or potential stumbling blocks that would arise in a real-life incident. For example, in a recent simulation exercise, a client realised that they were unable to access critical IT hardware if their electronic access software was unavailable!
4. Proactive Preparation
Businesses often underestimate how much preparation can be done to make the process of responding to an incident more streamlined. This includes proactive analysis of key contractual triggers, data mapping and audit and preparation of suites of template communications. All of these measures make the incident response process quicker and more efficient, ultimately helping to protect reputation.
Cyber insurance can also play an important part, as it will typically provide streamlined access to a panel of expert vendors within minutes of an incident being reported.
Key takeaways
The recent attacks in the retail sector should be seen as a timely reminder of the importance of prioritising cyber security. The cyber threat landscape is constantly evolving and the tactics that have been employed in the recent attacks are just the latest development, so it is imperative for organisations to stay one step ahead.
The fact that these attacks have impacted such large, established retailers like M&S shows that no organisation is immune. However, a proactive approach to cyber security gives organisations the best chance of preventing or mitigating their risk.