
With weeks of cyber chaos for Marks and Spencer, an attack on the Co-op and now Harrods being targeted by cyber criminals, UK retailers are on high alert.
On the Easter weekend, M&S suffered a cyber incident that affected contactless payments and knocked its web store offline. Its stock was also affected, with shelves running empty in its brick-and-mortar shops. An insider at M&S told Sky News that the retailer had no business continuity plans in place for cyber incidents and claimed staff were sleeping in the office and working through weekends to remediate the incident. They added that it could be “a few months” before the company is back on its feet again. M&S was also forced to pause hiring and removed all job adverts from its website while the attack was ongoing.
As that attack ran into its second week, the Co-op Group, which operates more than 2,500 grocery and convenience stores across the UK, faced a potentially significant cyber breach. Although its operations continued unaffected, the company was forced to shut down part of its IT systems.
Co-op initially claimed that the attempted breach had been intercepted before dealing any damage, but the cyber criminals involved sent the BBC proof that its IT networks had been infiltrated. Co-op later admitted the attackers accessed data “relating to a significant number of our current and past members”. The luxury retailer Harrods was also forced to shut down parts of its IT systems following “attempts to gain unauthorised access”.
M&S shares fell 6.2% on the initial news of the incident. The FTSE 100 company lost nearly £700m in stock market value, although it has steadily recovered as it regains control of the incident.
Who are suspected M&S cyber attackers, Scattered Spider and DragonForce?
A decentralised cyber gang called Scattered Spider was initially thought to be behind the M&S incident. Anonymous reports suggest the group might have used a Russian ransomware encryptor, called DragonForce, to hold M&S’s files hostage.
Increasingly, successful cyber attackers are decentralised, without a clear chain of command. That appears to be the case for Scattered Spider, although unusually, the group seems to have a sizeable presence among native English speakers in the UK.
Being native English speakers may have proved advantageous for the group. Graeme Stewart, who is head of public sector at security vendor Check Point, says Scattered Spider’s main method of attack relies heavily on social engineering – or what he calls “human hacking” – where they might call victims on the phone and pretend to be from IT support, before convincing them to hand over login credentials.
“Once inside a system they typically run a two-pronged attack,” says Stewart. “First, they exfiltrate sensitive data, copying it out of the network. Then they deploy ransomware to lock the organisation’s systems and demand a ransom, usually paid in cryptocurrency for anonymity.”
Scattered Spider, adds Stewart, has drawn attention “not because they’re especially novel in tactics, but because of how young and brazen they are”. Some recently arrested members include a 22-year-old Scot who was caught in Spain before being extradited to the US and a 19-year-old in Florida. Five were also charged in Tokyo and some members are thought to be as young as 17.
Google Threat Intelligence Group (GTIG) found patterns consistent with previous attacks by Scattered Spider, such as targeting high-profile brands in certain sectors. However, security researchers have so far been unable to attribute the attacks to the gang.
A second group of hackers, also called DragonForce, has since claimed responsibility for the cyber attacks and has sent evidence to both the BBC and Bloomberg. Thought to be based in Malaysia, DragonForce started as a hacktivist group in 2023 but may have moved towards financially motivated cyber crime.
Some have theorised that members of Scattered Spider could have worked under the DragonForce moniker as part of the UK retail hacks.
Why are UK retailers under cyber attack?
In the UK, supermarkets are classified as critical national infrastructure and the National Cyber Security Centre is said to be working closely with both M&S and the Co-op.
Supermarkets are a tempting target for cyber attackers due to their large attack surface – with a huge retail footprint offering plenty of feasible ways in for attackers – and their just-in-time supply chains, meaning any hold-ups to restoring systems could spoil produce and leave shelves empty.
There are hundreds of reasons attackers could target supermarkets, says Tom Exelby, who is head of cyber security at Red Helix. Supermarkets complete many card transactions each day and also carry highly sensitive personal information about their customers. But they also have many potential ways into their networks. “That could be everything from delivering sandwiches to people monitoring their logistics right through to HR systems and their websites,” Exelby says.
Anyone can scope out a supermarket’s retail footprint and, by walking through those sites, attackers could locate potential ways into a system, such as an unguarded network socket, adds Chris Burton, head of professional services at Pentest People.
“If you manage to successfully ransom a large food provider, it doesn’t just turn them offline,” adds Burton. “It can take out the physical locations too, so in terms of reward for effort, these attacks can have a huge impact. It’s high risk, high reward.”
When cyber criminals have launched a successful attack on one retailer, it’s natural that they’d attempt to repeat those methods on others, suggests Shobhit Gautam, who is security solutions architect for Europe at the cyber vendor HackerOne.
“Retail websites and mobile apps often mirror each other in both design and back-end infrastructure, right down to shared APIs and business logic,” says Gautam. “This creates a perfect storm where a single vulnerability, whether in a discount code workflow or a third-party plugin, can be exploited across platforms.”
Gautam says that he frequently sees the same “insecure patterns replicated across retailers”, especially with common ecommerce platforms and other widely used integrations.
Ongoing cyber resilience crucial in wake of M&S retailer attacks
Although Marks and Spencer continues to suffer from the fallout of the cyber incident, Exelby believes M&S and Co-op have done a good job in communicating to the public and calling in the experts. The fact these businesses are still managing to trade should be considered a success, he adds.
“What stands out for me is the importance of cyber resilience,” adds Exelby. “If you’re a highly sophisticated UK business, which has done its due diligence on cybersecurity, your ability to defend proactively and also how you recover is important.”
That means businesses must draft plans to contain incidents, eradicate threats, restore systems and remediate. The response from the UK retailers shows they have segmented their system design, so that the business can still operate even as one part of its IT estate is under sustained attack. “That shows reasonably good sophistication in their cybersecurity systems,” Exelby says.
Retailers will be on high alert, adds Burton. And so the three major cyber incidents, occurring within days of one another, should serve as a timely reminder for other retailers to redouble their focus on cyber resilience.
