UK Retail Cyber Security Crisis 2025: Inside the Attacks, the Impacts & How Attitudes Are Changing

A Year of Reckoning for UK Retail

2025 has become a defining period for the UK retail sector, revealing the true scale and sophistication of modern cyber threats.

In the span of just a few months, some of the country’s most iconic retail brands, Marks & Spencer, Co-op, and Harrods, fell victim to a wave of highly targeted cyber attacks that disrupted operations, leaked sensitive customer data, and caused hundreds of millions of pounds in financial losses.

What makes this situation alarming is that these attacks were not opportunistic smash-and-grab incidents. They were carefully orchestrated campaigns, exploiting both technological vulnerabilities and human factors such as trust and urgency. The aftermath has sent shockwaves through the industry and beyond, making it clear that cyber security is no longer an isolated IT concern that can be ignored or pushed to the bottom of an organisation’s to-do list.

The Threat Landscape: Why Retailers Became Prime Targets

Retailers have become highly attractive to cyber criminals for several reasons. First, the sheer volume of transactions and the sensitive nature of the data they handle, from customer information to payment details and loyalty programmes, make them rich targets for attack. Second, retailers rely on complex digital ecosystems that integrate numerous third-party suppliers and service providers, each introducing new vulnerabilities into the chain. Finally, the retail business model often prioritises uptime and customer convenience above all else. This urgency to remain operational leaves organisations more likely to pay ransom demands quickly to restore services, making them ideal prey for ransomware groups.

A Wave of Devastating Attacks

Marks & Spencer: A Case Study in Operational Chaos

In mid-April 2025, Marks & Spencer faced what can only be described as a catastrophic cyber event. The attack crippled the retailer’s ability to fulfil online orders, disabled Click & Collect services, and even affected contactless payments across its stores. For weeks, customers faced long queues, supply chain delays, and major service disruptions. The financial consequences were staggering: the company reported an estimated £300 million in lost profits and a dramatic erosion of market value, which fell by nearly £700 million in the aftermath.

Investigations later revealed that the attackers infiltrated the system using advanced social engineering techniques and SIM-swap fraud to bypass multi-factor authentication measures. Once inside, they deployed DragonForce ransomware, locking critical systems and demanding a ransom.

Marks & Spencer was forced to engage not just UK authorities such as the National Crime Agency (NCA) and the National Cyber Security Centre (NCSC), but also the FBI, underscoring the global dimensions of this cyber attack.


Co-op: A Lesson in Rapid Response

Co-op experienced a breach during the same campaign, but its story played out differently. Attackers gained unauthorised access to a database containing details of 6.5 million members, including names, email addresses, and contact details.

Fortunately, financial and transactional data remained secure.

What sets Co-op apart from M&S is how swiftly it acted. The company detected suspicious activity early, isolated compromised systems, and shut down critical network segments before ransomware could be deployed. While there were temporary disruptions, including some stores reverting to manual operations, the overall impact was minimised because of a robust incident response plan. Co-op’s ability to contain the damage highlights the importance of preparedness and rapid action in mitigating cyber risk.


Harrods: Silent but Significant

Harrods, another high-profile retailer, also found itself caught in the crosshairs of this cyber crime wave. While the luxury department store has disclosed few details, it confirmed that certain IT systems were taken offline to contain the attack. Investigators believe the Harrods breach is linked to the same network of attackers, emphasising the coordinated nature of these assaults across the sector.

The Culprits: Who Is Behind the Attacks?

Investigations have attributed these attacks to a cyber crime collective known as Scattered Spider, also tracked as UNC3944. Unlike many international ransomware groups, Scattered Spider primarily consists of English-speaking actors, often young and highly skilled in social engineering tactics. Their methods combine technological exploits with psychological manipulation: they impersonate help desk staff, trick employees into granting access, and use SIM-swapping to hijack phone numbers, bypassing traditional authentication measures.

Once inside the network, the group leverages DragonForce ransomware, a ransomware-as-a-service (RaaS) platform, to encrypt systems and demand payments. This combination of credential theft, privilege escalation, and ransomware deployment has proven devastating for even the most well-defended retailers.

The scale of these attacks prompted one of the UK’s largest cyber crime investigations to date. In July 2025, the NCA announced the arrest of four individuals aged 17 to 20 across multiple locations in London, Staffordshire, and the West Midlands. The suspects face charges including computer misuse, blackmail, and money laundering. While these arrests mark a breakthrough, authorities emphasise that the investigation remains active, with international collaboration from agencies like the FBI.

How the Attacks Happened: Common Vectors

A detailed analysis of these incidents shows several recurring tactics and weaknesses exploited by attackers:

  • SIM-Swap Fraud: By hijacking a victim’s phone number, attackers intercept SMS-based one-time passwords.

  • Help Desk Impersonation: Posing as legitimate staff to manipulate IT support into resetting passwords or granting access.

  • Remote Access Exploitation: Abuse of tools like AnyDesk and TeamViewer for persistent, stealthy access.

  • Phishing and Credential Theft: Targeting employees and suppliers to compromise VPN credentials.

  • Supply Chain Weakness: Leveraging vulnerabilities in third-party systems to infiltrate core networks.

Lessons from the Crisis

The contrasting outcomes for Marks & Spencer and Co-op highlight the decisive role of response readiness. The ability to detect, isolate, and neutralise threats quickly can mean the difference between minor disruption and catastrophic financial and reputational damage.

Building Cyber Resilience: What Retailers Must Do

The events of 2025 have made it clear that retailers must overhaul their approach to cyber security. Below are the key strategies every retailer should adopt:

1. Strengthen Identity and Authentication:

Move away from SMS-based multi-factor authentication, which is vulnerable to SIM-swap attacks. Instead, implement app-based authenticators or physical security keys. Combine this with stringent identity verification protocols for internal help desk operations and vendor access.

2. Embrace Zero-Trust Architecture:

Adopt a “never trust, always verify” philosophy for every access request. This includes strict segmentation of networks so that critical systems remain isolated even if one segment is compromised. Remote access should be limited to an explicit allow-list of managed devices, with continuous session monitoring.

3. Prepare and Rehearse Incident Response:

Every retailer needs a detailed incident response plan that includes playbooks for different attack scenarios. Regular simulations and red-team exercises ensure staff can act swiftly and decisively during a real breach.

4. Secure Data and Backups:

Implement immutable and offline backups to protect against ransomware. Sensitive data should always be encrypted, both in transit and at rest. Regularly audit vendor systems to minimise supply chain risks.

5. Stay Regulatory-Ready:

With increasing obligations for breach reporting and ransomware disclosure, organisations must stay ahead of compliance requirements and maintain transparent communication protocols with customers and regulators during incidents.
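The vectors listed under “How the Attacks Happened” (help desk impersonation, SIM-swap against SMS one-time codes, remote access tools for persistence) form a chain that a security operations team can look for in its own identity and endpoint logs, and strategy 1 above (strong MFA factors, stringent help desk verification) gives the policy the chain violates. The following Python is an added example, not PureCyber’s code or anything from the affected retailers: it runs a simple correlation over constructed sample events, anchored on a help desk password reset, and escalates severity when that reset is followed within a window by an MFA re-enrolment on a weak factor, a login from an unseen device, or the start of a remote access tool. The event field names, factor labels and verification-method values are assumptions standing in for whatever an IdP, ITSM and EDR export actually provides.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Factors this (assumed) policy treats as strong. "sms" is deliberately absent:
# a SIM-swap lets the attacker receive the one-time code, as described above.
ALLOWED_MFA_FACTORS = {"totp_app", "fido2_key"}
# Remote access tools named on the page; an install shortly after a reset is the
# persistence step in the chain the vectors list describes.
REMOTE_ACCESS_TOOLS = {"anydesk", "teamviewer"}
# Help desk verification methods this (assumed) policy accepts before a reset.
STRONG_HELPDESK_VERIFICATION = {"in_person", "manager_callback"}
SEVERITY_RANK = {"none": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample events in one normalised shape. A real pipeline would map
# identity-provider, ticketing and endpoint exports onto these fields.
SAMPLE_EVENTS = [
    {"ts": "2025-04-14T09:02:00Z", "user": "j.doe", "event": "helpdesk_password_reset",
     "verified_by": "caller_knowledge"},
    {"ts": "2025-04-14T09:05:00Z", "user": "j.doe", "event": "mfa_factor_enrolled", "factor": "sms"},
    {"ts": "2025-04-14T09:10:00Z", "user": "j.doe", "event": "login", "new_device": True},
    {"ts": "2025-04-14T09:25:00Z", "user": "j.doe", "event": "process_start", "process": "AnyDesk.exe"},
    {"ts": "2025-04-14T11:00:00Z", "user": "a.smith", "event": "helpdesk_password_reset",
     "verified_by": "manager_callback"},
    {"ts": "2025-04-14T11:04:00Z", "user": "a.smith", "event": "login", "new_device": False},
    {"ts": "2025-04-14T13:00:00Z", "user": "b.lee", "event": "mfa_factor_enrolled", "factor": "fido2_key"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _bump(current, new):
    """Keep the higher of two severities."""
    return new if SEVERITY_RANK[new] > SEVERITY_RANK[current] else current


def analyse(events, window_minutes=90):
    """Return one finding per help desk reset that is weakly verified or is
    followed within the window by further steps of the takeover chain."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for reset in (e for e in evs if e["event"] == "helpdesk_password_reset"):
            reasons, severity = [], "none"
            verified = reset.get("verified_by", "unknown")
            if verified not in STRONG_HELPDESK_VERIFICATION:
                reasons.append(f"reset authorised on weak verification: {verified}")
                severity = _bump(severity, "medium")
            t0 = parse_ts(reset["ts"])
            for e in evs:
                t = parse_ts(e["ts"])
                if e is reset or t < t0 or t > t0 + window:
                    continue  # only events after this reset, inside the window
                if e["event"] == "mfa_factor_enrolled" and e["factor"] not in ALLOWED_MFA_FACTORS:
                    reasons.append(f"MFA re-enrolled on weak factor: {e['factor']}")
                    severity = _bump(severity, "high")
                elif e["event"] == "login" and e.get("new_device"):
                    reasons.append("login from a device not seen before")
                    severity = _bump(severity, "high")
                elif e["event"] == "process_start":
                    name = e["process"].lower().removesuffix(".exe")
                    if name in REMOTE_ACCESS_TOOLS:
                        reasons.append(f"remote access tool started: {e['process']}")
                        severity = _bump(severity, "critical")
            if reasons:
                findings.append({"user": user, "reset_at": reset["ts"],
                                 "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["user"], "->", "; ".join(f["reasons"]))
```

On the sample data only j.doe produces a finding (critical, four reasons); a.smith’s reset was strongly verified and followed by an ordinary login, and b.lee enrolled a hardware key with no reset at all. The new-device signal is noisy on its own, which is why it only escalates a finding that already has a reset as its anchor; the weak-factor check is the same rule strategy 1 asks an organisation to enforce at enrolment time, so a hit here also means the MFA policy itself still permits SMS.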

From Reactive to Proactive

The retail cyber attacks of 2025 signal a new reality: retailers are now contending with organised, highly skilled adversaries using advanced techniques and psychological manipulation. Waiting for an incident to occur is not a form of cyber defence. Retail boards must lead the charge in embedding cyber security into core business strategy, treating it as critical to resilience, reputation, and revenue.

Those who act now - by investing in proactive measures, educating employees, and securing their supply chains - will not only survive but gain a competitive advantage in a marketplace where trust and security matter more than ever.


Is Your Cyber Security Stressing You Out in 2025?

PureCyber Has All The Resources You Need to Stay One Step Ahead.

From AI threats to essential checklists and landscape reports, we’ve got you covered.

Discover expert-curated insights, tools, and resources to strengthen your organisation’s cyber resilience during the busiest season for attacks. Our upcoming webinar, Crisis Unfolding: Why Leaders Must Own Incident Response, will walk you through the first critical few hours of a cyber incident using a realistic timeline, revealing exactly what you need to know to create an effective incident response plan.

How Can PureCyber Help?

The PureCyber team are here to take over the burden of your cyber security and ensure your organisation’s data remains secure and well managed, with proactive monitoring and real-time threat intelligence, providing you with a comprehensive and reliable cyber department to support you in all aspects of your security efforts, including: 24/7 Security Operations Centre (SOC) services, Managed Detection & Response (MDR/EDR), Threat Exposure Management (TEM), Brand Protection Services and Penetration Testing.

PureCyber is recognised as an Assured Service Provider by the NCSC to offer governance and compliance consultancy services/audits. Contact our team of compliance experts to enquire about our full range of Governance Support - including Cyber Essentials, ISO 27001, FISMA, SOC1 and SOC2 standards.

Get in touch or book a demo for more information on our services and how we can safeguard your organisation with our expert cyber security solutions.

Email: info@purecyber.com Call: 0800 368 9397
