Cyberattacks wreak havoc on major UK retailers: is your cyber security at risk?

The recent cyberattacks on major UK retailers including Marks & Spencer (M&S) and Co-op have caused at least £30 million in losses, disrupted business, and exposed critical vulnerabilities in the retail sector’s cybersecurity infrastructure. 

 

George Glass, a cyber threat expert at Kroll, said the three incidents could be the work of Scattered Spider, a hacking group allegedly linked to the DragonForce ransomware cartel, which has conducted similar actions in the past and has been linked to the M&S attack.

 

The attacks were orchestrated using advanced social engineering techniques. By impersonating employees and exploiting IT helpdesk protocols, the attackers tricked staff into resetting passwords, which granted them unauthorised access to internal systems.

At Co-op, hackers accessed personal data of a significant number of customers and past members, including names, contact details, and dates of birth. Similarly, M&S faced severe operational disruptions, with online orders halted and in-store systems compromised, leading to substantial financial losses estimated at £15 million per week.

 

The fallout from the attacks

The attacks caused extensive damage and had profound effects on both the affected companies and their customers. 

 

Operational disruption

At M&S, the attack led to significant operational challenges. Online orders and click-and-collect services were suspended, and contactless payments were disabled. Customers reported empty shelves, particularly in fresh produce sections, and popular items like meal deals were unavailable due to stock shortages. The disruption extended to supply chain and inventory systems, forcing staff to revert to manual processes.


Co-op faced similar issues, with up to 200 of its 2,300 stores experiencing problems with contactless payment systems. The company had to shut down parts of its IT infrastructure, impacting product deliveries and store inventories, resulting in empty shelves.

 

Financial losses

The financial repercussions have been severe. M&S experienced a £700 million drop in market value, with analysts estimating losses of up to £40 million per week due to halted online sales and in-store disruptions.


Co-op’s stock plummeted by 30% following the breach, and the company faced a £20 million fine from the UK’s Information Commissioner’s Office for failing to implement adequate data protection measures. Additionally, Co-op pledged $50 million to upgrade its cybersecurity infrastructure.

 

Customer data compromise

While M&S has not confirmed any customer data breaches, Co-op admitted that hackers accessed personal data, including names and contact details, of a significant number of its 6.2 million current and former members. Although financial information was reportedly not compromised, the breach has raised concerns about data security and customer trust.

 

What are the implications for the retail sector?

These breaches highlight the retail industry’s susceptibility to cyber threats, particularly through human-centric attack vectors. The reliance on digital systems for operations, coupled with insufficient cybersecurity training, creates an environment ripe for exploitation. 

 

It’s also a wake-up call for organisations across all sectors to assess their own vulnerabilities, as no industry is immune to the growing sophistication of cyberattacks targeting people as the weakest link.


In response to the attacks, the National Cyber Security Centre (NCSC) issued a stark warning to all organisations, emphasising the need to bolster their defences, particularly by reviewing helpdesk authentication processes and enhancing employee awareness to detect and prevent such attacks.

 

“These incidents should act as a wake-up call to all organisations,” stated NCSC CEO Richard Horne. He urged business leaders to prioritise cybersecurity and implement robust measures to prevent attacks and ensure effective response and recovery.

The NCSC also gave specific guidance to the retail sector, emphasising the need for proactive measures to strengthen cyber defences.

 

Is your cybersecurity training up to the task?

 

The recent attacks on M&S and Co-op weren’t caused by software flaws, but rather by people being tricked. That means your best defence isn’t just stronger tech; it’s smarter staff.

 

To avoid becoming the next victim of an attack, retail firms, and indeed all organisations, must step up their cybersecurity awareness training. Educating employees to recognise phishing attempts, spot social engineering tactics, and follow secure protocols has never been more critical.

 

Train smarter with VinciWorks

 

These incidents underscore the urgent need for enhanced cybersecurity awareness and training across the industry.


Regular training, simulated attack scenarios, and clear escalation procedures can turn your workforce into a resilient human firewall.

Our cyber security courses prepare your team for all cyber risks with training and micro-learning modules on a range of topics from social media to IT security. These can easily be configured into a multi-year training plan, ensuring long-term protection.