Cyber Hits UK Retail: M&S, Co-op & Harrods Targeted

Retailers must constantly monitor their cyber resilience due to the sector’s high risk of attack.

Companies in the industry are attractive targets for cybercriminals because they handle a vast amount of sensitive customer data. Breaches can result in fraud, identity theft and loss of trust. 

Retailers also rely on complex supply chains, in which one weak link can result in widespread disruption.

As the threat landscape becomes more sophisticated, organisations must focus on continuous monitoring to allow for rapid detection and response.

This cyber resilience is vital for business continuity and reputation protection.

Recently, leading retail organisations – M&S, Co-op and Harrods – have experienced damaging cyber incidents.

These attacks have resulted in a drop in company shares, lost revenue, empty shelves and damage to customer trust.

In light of this, the National Cyber Security Centre (NCSC) has released a statement highlighting its support for the retailers that have been affected by these incidents. 

Dr Richard Horne, NCSC CEO, explains: “The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers and the public.

“The NCSC continues to work closely with organisations that have reported incidents to us to fully understand the nature of these attacks and to provide expert advice to the wider sector based on the threat picture.

“These incidents should act as a wake-up call to all organisations. I urge leaders to follow the advice on the NCSC website to ensure they have appropriate measures in place to help prevent attacks and respond and recover effectively.”

Harrods’ cyber incident

On 1 May, Harrods reported it had experienced difficulties as a result of a cyber attack. 

After an attempt to access its systems, the luxury department store said it had "restricted internet access at our sites".

Harrods said customers were asked to "not do anything differently at this point". 

A statement from Harrods said: "We recently experienced attempts to gain unauthorised access to some of our systems.

"Our seasoned IT security team immediately took proactive steps to keep systems safe and as a result we have restricted internet access at our sites today.

"Currently all sites including our Knightsbridge store, H beauty stores and airport stores remain open to welcome customers. Customers can also continue to shop via harrods.com."

Matt Aldridge, Principal Solutions Consultant, OpenText Cybersecurity, comments: “This is the third attack on UK retailers in a single week, raising serious questions about the security posture of the retail industry.

"This should serve as a wake-up call for businesses regarding the importance of investing in robust cybersecurity measures to prevent these attacks from occurring in the future.

“Although Harrods took the right steps to manage the breach and protect customers’ data while minimising business disruption, it likely raised understandable concern among consumers.

“To mitigate future attacks, this incident is a reminder that retailers need to continuously evolve their security practices - implementing robust systems, processes, and staff training. 

“One layer of protection is not enough to sufficiently reduce an organisation's exposure to risk. It is crucial to build multiple layers of protection, detection, and response into infrastructure.”

After Harrods first reported its cyber incident, Toby Lewis, Global Head of Threat Analysis at Darktrace, commented: “Details of the cyber attack at Harrods are still low and we shouldn’t rule out that the three incidents impacting M&S, Co-operative and Harrods are coincidence. 

“However, with the information publicly available we can see two other likely scenarios: either a common supplier or technology used by all three retailers has been breached and used as an entry point to big name retailers; or the scale of the M&S incident has prompted security teams to relook at their logs and act on activity they wouldn’t have previously judged a risk. 

“It’s a lesson again in the growing difficulty large organisations have in securing against threats in their supply chain, particularly as those threats grow in volume and sophistication.”

M&S and the Co-op: what do we know so far?

M&S confirmed it was experiencing a ‘cyber incident’ on 22 April. 

On 23 April, it stated it was not “currently processing contactless payments, we have paused the collection of Click & Collect orders in stores, and there may be some delay to online order delivery times.”

M&S stopped orders on both its apps and websites on 25 April. 

Sources from BleepingComputer pointed to Scattered Spider as the responsible group behind M&S’s ongoing cyber incident. 

Since Easter weekend, many empty shelves have featured signs that say, “Please bear with us while we fix some technical issues affecting product availability."

In a LinkedIn post on 2 May, Stuart Machin, CEO of M&S, explained: “We are really sorry that we’ve not been able to offer you the service you expect from M&S over the last week.

“We are working day and night to manage the current cyber incident and get things back to normal for you as quickly as possible. 

“Thank you from me and everyone at M&S for all the support you have shown us. We do not take it for granted and we are incredibly grateful.”

According to analysts at Deutsche Bank, M&S’s cyber incident has cut approximately £30 million (US$40 million) from its profit. It predicted that the ongoing incident would cost M&S around £15 million (US$20 million) a week. This is because of the ripple effect that food causes.

Arda Büyükkaya, Senior Threat Intelligence Analyst at EclecticIQ, explained: “The ongoing fallout from the M&S cyberattack, with remote staff locked out of systems, customer services disrupted and a knock-on impact on its share price, is a stark reminder of how quickly a cyber incident can escalate into an operational and financial crisis.

“While the exact nature of the cyberattack still remains under investigation, such incidents in the retail sector are often linked to ransomware campaigns, DDoS attacks targeting customer-facing services, or compromises within the supply chain.

"Initial access is frequently achieved through targeted phishing campaigns aimed at employees, exploitation of vulnerabilities in unpatched public-facing applications, or the compromise of third-party vendor credentials.

“Retailers remain attractive targets because of the pressure to maintain continuity and the rich stores of sensitive data they hold. The M&S incident serves as a clear warning that cybersecurity resilience must now be treated as a core operational priority, not an IT problem.”

On 30 April, the Coop announced the cyber attack. This comes after the retailer first discovered the attempted hack the previous weekend.

Its staff who were working from home were unable to access parts of the Coop’s IT system.

According to ITV News, the Co-op’s Chief Digital and Information Officer, Rob Elsey, sent a letter to staff saying: “We’re currently dealing with an IT issue after our security controls and monitoring flagged third parties had made attempts to access our IT systems over the weekend."

He continued to state that staff must not post any sensitive information in Teams chats and must remain on camera during all calls. Staff must be aware of any suspicious emails or links and must not record or transcribe Microsoft Teams calls. 

In a statement on the Co-op’s website, Shirine Khoury-Haq, CEO of the Co-operative Group, stated: “As you may be aware we are currently experiencing significant disruption following a cyber-attack on our Co-op.

"As a Member-Owner of our Co-op we want to be open with you about where we find ourselves right now, so I am writing to you personally to give as clear a picture as I am currently able to provide.

“The criminals that are perpetrating these attacks are highly sophisticated and our colleagues are working tirelessly to do three things: (1) protect and defend our Co-op, (2) fully understand the extent of the impact caused by the attack and (3) provide much needed information to the authorities that may help them with their investigations.

“Actively managing the severity of the attack has meant shutting down some of our systems to protect the organisation.

"That said, our front-line colleagues are focused on minimising any disruption that might be experienced by our members and customers.”

The retailer continues to face challenges with card payments, empty shelves and technical difficulties.

Explore the latest edition of Cyber Magazine and be part of the conversation at our global conference series, Tech & AI LIVE and Cyber LIVE.

Discover all our upcoming events and secure your tickets today. 

Cyber Magazine is a BizClik brand