UK retail brands have taken a digital battering over the past few months. Over 10 days in April and early May, Marks and Spencer (M&S), the Co-operative Group and Harrods were hit by cyber attacks that crippled their business-critical services, including ecommerce and payments processing. Then, in June, H&M suffered an IT outage, which briefly took its in-store payments systems offline. In September, auto maker Jaguar Land Rover was hit by a major cyber incident, causing supply chain issues. And later in that month, travellers at Heathrow suffered delays due to an attack on a supplier.
Although the cause of the H&M outage has not been announced, some observers speculate that hackers are to blame. Indeed, DragonForce, a new purveyor of ransomware-as-a-service, is thought to be behind some of the most impactful attacks.
Cyber attacks can be detrimental to the bottom line. According to data from Dynatrace, an IT-analytics firm, and FreedomPay, a payments platform, companies can bleed millions of pounds within minutes if their payment or retail services are impacted by an attack. The report found that victims could lose up to £73m of revenue per minute in the first 10 minutes of their payments systems going offline.
Attack victims are at risk of reputational damage, too, especially if they have failed to establish robust business-resilience procedures. Any disruptions to online or in-store services could motivate customers to take their business elsewhere.
Retailers are attractive targets for cybercriminals because they have very large organisational footprints and plenty of customer data.
Quarter of businesses suffered cyber attack over past year
More than a quarter of organisations in the UK have suffered a cyber attack over the past 12 months, up by 16% from the previous year, according to new data from the Royal Institution of Chartered Surveyors (RICS).
A survey by the organisation found that 27% of facilities managers, service providers and consultancies had suffered such an attack. Meanwhile, 73% of business leaders expected disruption from cyber incidents over the next two years.
The group warns that insecure physical footprints may be partially to blame for the uptick in cyber attacks. Paul Bagust, who is the head of the property practice at RICS, warned in the Guardian: “Buildings are no longer just bricks and mortar. They have evolved into smart, interconnected digital environments embracing increasingly sophisticated and ever-evolving technologies.”
Embedding digital systems in physical locations comes with a high level of risk, increasing the attack surface that must be protected against any interlopers.
That is especially risky for retailers with brick-and-mortar stores because their buildings are open to the public. Attackers can quite casually scope potential ways into networks – say, unguarded network sockets. RICS pointed to building-management systems, internet-of-things devices, access control systems, CCTV networks and even ventilation and air condition systems as potential entry points.
Below are some of the retailers that have suffered cyber incidents or major IT outages in the UK this year.
Adidas
Adidas reported a data breach in May after cybercriminals accessed customer information through one of its third-party customer-service providers.
The incident affected customers who had contacted the company’s help desk. Although no payment information or passwords were leaked, the attackers managed to steal customer names and contact details. Adidas’s day to day operations were not impacted.
H&M
Speculation is mounting that a major IT outage at H&M in early June was the result of a cyber attack. The incident briefly affected the fashion retailer’s payments systems, leaving customers unable to pay for goods in stores across the UK. In some locations, the disruption persisted for two hours. H&M apologised to customers but has not confirmed what caused the outage.
Harrods
On 1 May, Harrods disclosed that it had been hit by a cyber attack, making it the third major retailer after M&S and the Co-op to be targeted in a 10-day digital crime spree.
The luxury department store said attackers had attempted to gain unauthorised access to its systems. Its security teams promptly restricted internal IT systems and paused internet access in its stores as a precaution.
Thankfully, its operations were largely unaffected – its physical stores remained open and the retailer continued to process online orders as usual. The company found no evidence of customer data being compromised.
Harrods experienced another breach at the end of September, this time through a third-party provider. The retailer claims the breach was an isolated incident, but warned its online customers that their personal data, including names and contact information but not passwords or payment details, may have been stolen. The attack appears unrelated to the incident in May.
Heathrow Airport
European travellers have suffered delays for four days at Heathrow due to a cyber attack on Collins Aerospace, a software company that provides electronic check-in and baggage services to airports.
Hundreds of flights across Europe were delayed due to the cyber incident, while airports resorted to manual check-ins for travellers. According to reports, Heathrow’s Terminal 4 was most affected.
Collins Aerospace has said it is working on “necessary software updates” in order to restore electronic services to airports.
Some commentators have speculated that a nation-state, such as Russia, may have been behind the cyber attacks.
Meanwhile, the National Cyber Security Centre said in a statement: “We are working with Collins Aerospace and affected UK airports, alongside Department for Transport and law enforcement colleagues, to fully understand the impact of an incident.
“All organisations are urged to make use of the NCSC’s free guidance, services and tools to help reduce the chances of a cyber attack and bolster their resilience in the face of online threats.”
Jaguar Landrover
On 1 September 2025, carmaker Jaguar Land Rover (JLR) suffered a major cyber attack, severely disrupting production at its two main UK factories and, by late September, had hit profits by £120m with £1.7bn in lost revenue, according to experts.
Meanwhile, the government recently acknowledged that the attack has complicated the wider automotive supply chain in the UK. Staff have been laid off and told to apply for Universal Credit, according to the Unite union.
The cyber offensive began with IT staff at the auto firm detecting unusual activity. They shut down all of its IT systems to minimise damage. Although Jaguar Land Rover claimed no customer data had been stolen, its retail and production activities ground to a halt and still have not been fully restored.
Claiming credit for the attacks are the same group believed to have been responsible for the ordeal suffered by M&S and other retailers.
On the messaging application, Telegram, a group calling itself Scattered Lapsus$ Hunters, taunted the company with messages such as “Where is my new car, Land Rover”.
An individual claiming to be a spokesperson for the group described how they conducted the attack, along with sharing screenshots of documents that suggested they could have been sourced from the victim’s internal IT network.
Marks and Spencer
M&S was struck by a significant ransomware attack over the Easter weekend and is still dealing with the impacts over two months later. The attack caused all online orders to be suspended and also prevented the retailer from accepting contactless payments in its stores.
Although the attackers gained access to customer information, M&S maintains that payment details and passwords were not compromised. At the time of writing, some online ordering and delivery services have been restored but others remain unavailable.
The incident, which caused M&S to lose £300m in market value, has been described as the most financially damaging cyber attack ever suffered by any UK retailer.
The Co-operative Group
The Co-operative Group, which is owned by its members and runs more than 2,000 supermarkets across the UK, fell victim to a cyber attack in April, disrupting IT systems and leading to empty shelves at many of its stores.
Initially, the retailer reported that no data had been stolen, but later confirmed that criminals did indeed obtain member data, including names and contact information.
The Co-op shut down parts of its IT systems as a precautionary measure, which led to significant disruption in the short term but may have prevented hackers from deploying ransomware and causing even greater damage.
UK retail brands have taken a digital battering over the past few months. Over 10 days in April and early May, Marks and Spencer (M&S), the Co-operative Group and Harrods were hit by cyber attacks that crippled their business-critical services, including ecommerce and payments processing. Then, in June, H&M suffered an IT outage, which briefly took its in-store payments systems offline. In September, auto maker Jaguar Land Rover was hit by a major cyber incident, causing supply chain issues. And later in that month, travellers at Heathrow suffered delays due to an attack on a supplier.
Although the cause of the H&M outage has not been announced, some observers speculate that hackers are to blame. Indeed, DragonForce, a new purveyor of ransomware-as-a-service, is thought to be behind some of the most impactful attacks.
Cyber attacks can be detrimental to the bottom line. According to data from Dynatrace, an IT-analytics firm, and FreedomPay, a payments platform, companies can bleed millions of pounds within minutes if their payment or retail services are impacted by an attack. The report found that victims could lose up to £73m of revenue per minute in the first 10 minutes of their payments systems going offline.
