The recent wave of cyber attacks targeting the UK retail sector serves as a stark reminder that even the most established brands are vulnerable to sophisticated threat actors. With Marks & Spencer, Co-op, and Harrods all experiencing significant security incidents within a short timeframe, the pattern suggests a coordinated campaign that demanded immediate attention from security leaders across all retail operations.
The retail battleground
What we’ve witnessed isn’t random. DragonForce-associated operators claimed responsibility for the attacks, and the reported tactics were consistent with Scattered Spider. These individual events demonstrated the devastating potential of a sophisticated cyber attack:
- Marks & Spencer suffered extended disruption to online orders and stock systems, with initial access reportedly gained through social engineering of IT staff.
- Co-op confirmed an attack more extensive than first reported, with DragonForce operators claiming exfiltration of substantial member PII data.
- Harrods narrowly escaped major impact by taking swift proactive measures, including temporary internet restrictions at their locations.
The UK’s National Cyber Security Centre and National Crime Agency are actively investigating, but the damage is already done for some victims.
The security gap reality
What these incidents reveal is something we’ve observed repeatedly: there exists a critical disparity between perceived and actual security postures. When attackers constantly evolve their tactics, yesterday’s defenses quickly become obsolete.
Sporadic testing for limited periods simply cannot close this cyber risk gap. These recent retail breaches demonstrate that a constant threat demands constant, targeted attack as a countermeasure.
Beyond reactive security
Organizations need to continue the fundamental shift in their security approach from periodic assessments to continuous adversarial pressure. Rather than waiting for the next attack, they should adopt continuous offensive security testing that:
- Simulates the specific TTPs (tactics, techniques, and procedures) employed by threat actors like Scattered Spider.
- Pressure tests external attack surfaces with IAB (Initial Access Broker) methodologies that discovered the vulnerabilities exploited in these recent breaches.
- Conducts targeted social engineering campaigns that reveal the human vulnerabilities demonstrated in the M&S case.
- Performs assumed breach scenarios to understand the potential impact of malicious insider threats.
Moving from compliance to confidence
The retail sector faces unique challenges: high-value customer data, complex supply chains and expanding digital footprints. When these organizations shift from checkbox security to constant adversarial testing, they gain far more than compliance: they develop genuine resilience against determined attackers.
By applying constant pressure to every part of your business, at every depth, your organization builds security through and through. The outcome isn’t just better technical defense but smarter staff, better tooling, and the confidence of knowing your security posture reflects reality, not just perception.
When faced with sophisticated threat actors targeting your sector, the question becomes simple: would you rather discover your vulnerabilities through a devastating breach or through controlled, expert, constant offensive security that helps you close gaps before real attackers find them?