
Unanswered Questions Loom Over Cyber Attacks on M&S, Co-op & Harrods 

May 3, 2025

By Jane Frankland

It’s the May Bank Holiday, and as I sit at my desk, working, unanswered questions continue to swirl around the recent cyberattacks on Marks & Spencer (M&S), the Co-op, and Harrods, leaving the full scope and implications of these breaches uncertain.

Allegedly orchestrated by the same group known as Scattered Spider, these attacks highlight the significant challenges even the most respected and established brands face in defending against modern cyber threats. While details remain sparse, reports suggest social engineering tactics like phishing, SIM swapping, and multi-factor authentication (MFA) fatigue attacks may have been used to infiltrate systems. Once inside, the attackers are likely to have used other methods to bypass enterprise security tools. Their knowledge of these tools indicates that they may also have previously worked with them legitimately.

The attack on M&S, which is still unfolding, has wiped more than £750 million off the company’s market value. Reports suggest their systems were infiltrated as early as February 2025, with sensitive data reportedly stolen and ransomware deployed to disrupt their infrastructure.

https://youtu.be/77GMj1PxJqU?si=BRBeJyG_vfG6MKmq

Meanwhile, the Co-op is grappling with claims from cyber criminals that they possess the private information of 20 million members from its membership scheme. A spokesperson clarified today that hackers have accessed the personal data of members such as names and contact details. Sensitive data like emails and login details have also been found on the dark web. The firm initially reported that bank details and transactions were not compromised, but this now remains uncertain.

While further details are yet to emerge, this series of attacks makes one thing clear: organisations and their leaders must do better—not just in prevention but in collaboration and communication. Cybersecurity isn’t just an IT problem; it’s central to risk management, operational continuity, and customer trust.

That’s what this blog is all about. In it, I examine the changing landscape of cyber threats, looking first at the M&S cyber attack, then at the focus of cyber attacks on retailers, and finally at what lessons must be learned by business leaders and customers.

The Changing Landscape of Cyber Threats

AI is transforming the cybersecurity landscape, revolutionising how organisations defend themselves while simultaneously empowering hackers to elevate their methods. On one hand, AI enhances security by enabling faster threat detection, predictive analytics, and automated responses. It allows organisations to identify anomalies in real time, predict potential vulnerabilities, and act immediately to mitigate risks.

However, on the other hand, this same technology is being harnessed by attackers to innovate and intensify their tactics.

Cybercriminals are now employing AI to launch polymorphic attacks, where malware constantly changes its code to evade detection, and adaptive, evasive methods that adjust their strategies to bypass even advanced security measures. Additionally, AI is driving automation in phishing campaigns and generating more convincing deepfakes, making it harder for employees and IT teams to distinguish between legitimate and malicious activity.

This dual-edged impact of AI is raising the stakes for cybersecurity teams to stay ahead in this dynamic threat landscape.

Cybercriminals, like the English-speaking group Scattered Spider, are becoming more advanced. These hackers, often part of loosely affiliated communities like “The Com,” use innovative methods and target industries like retail, telecoms, and finance for maximum impact. With over 100 attacks attributed to them since 2022, including high-profile breaches like MGM Resorts and Caesars Entertainment in 2023, their reach and ambition continue to grow.

Organisations of all sizes now face a dual challenge:

    1. Reduce the immediate risks posed by increasingly sophisticated attackers.

    2. Minimise the cascading effects of cyberattacks on customers, employees, and the broader supply chain.

Large organisations may have stronger cybersecurity teams and resources, but their expansive networks, sensitive customer data, and brand reputations place a larger target on their backs. They also face the complexity of protecting vast supply chains, which attackers increasingly exploit. Conversely, small and medium businesses, though less visible, often lack the awareness and the resources to defend themselves effectively, making them prime targets when connected to broader supply ecosystems.

9 Lessons for Business Leaders

Traditionally, cybersecurity has been siloed as an IT responsibility—a costly mistake. Cybersecurity needs to be integrated into the organisation. Here’s why and how:

1. Leadership Matters

While appointing a senior executive, ideally at the board level, to oversee cybersecurity is essential, true cyber resilience lies in having your entire leadership team aligned and fully committed. When everyone at the top understands the stakes and works together, cybersecurity becomes a shared responsibility and a strategic priority—not an afterthought. A united leadership team ensures that decisions, resources, and actions reflect the importance of protecting the organisation, building a stronger and more effective approach to tackling cyber threats.

2. Shift your Mindset from “If” to “When”

Cyber incidents are inevitable. The key to minimising damage lies in preparation. Build robust incident response plans that not only simulate a potential crisis but are tested regularly. This way, your organisation won’t be left scrambling when an incident occurs.

3. Prepare for Worst-Case Scenarios

Preparing for worst-case scenarios goes beyond technical readiness. Running cyber drills is essential to ensure teams are familiar with their roles in a crisis. Legal, operational, communications and potentially ransomware negotiator teams must work in alignment, each playing a critical part in the response. Having clear, pre-prepared communications messages is just as important as patching technical vulnerabilities. Whether it’s informing employees, customers, or stakeholders, timely and transparent communication can significantly limit reputational damage and maintain trust.

4. Protect Your Crown Jewels

Identifying and protecting your business’s critical assets is a fundamental pillar of effective cybersecurity. Assets such as customer data, proprietary technology, and financial systems not only hold immense value but also represent prime targets for cybercriminals. These are the lifeblood of your operations and the trust you’ve built with customers and stakeholders.

To safeguard them, businesses must adopt a defence-in-depth approach, layering multiple security measures to create a robust, multi-faceted protection framework. This includes implementing robust access controls, encryption standards, network segmentation, and regular vulnerability assessments to address potential weak points.

Advanced threat detection systems, paired with endpoint protection and monitoring tools, help identify and neutralise risks before they escalate. Equally important is the human element; ongoing employee security awareness training that’s adaptive and personalised to their role ensures that your workforce recognises and acts appropriately against threats like phishing or fraud attempts.

5. Back up Regularly, Securely & Test Thoroughly

Regularly backing up your data is a critical safeguard in the fight against ransomware, but it’s not enough to simply create backups. These backups must be secured against unauthorised access and tested frequently to ensure they function as intended.

Modern ransomware attacks are more destructive than ever, with some wiping data entirely and others poisoning it, rendering its integrity untrustworthy. To counter these threats, businesses must adopt immutable backup solutions, which ensure data cannot be altered or deleted, even by attackers. By prioritising secure, tested, and immutable backups, organisations can protect their critical information and maintain operational continuity, even in the face of sophisticated cyber threats.

6. Train Beyond IT

Most cyber breaches begin with human error, not system failures, as humans can be a weak link if not properly trained in best practices. Regular phishing simulations are a good start, but you reduce these risks significantly when you use cybersecurity human risk management solutions (see OutThink), coupled with making cybersecurity part of your company culture.

7. Secure Your Supply Chain

Cybersecurity is not just an internal effort; it’s a team sport that extends far beyond your business to include every link in your supply chain. A single weak spot among your vendors, service providers, or partners can compromise your entire operation, creating pathways for threat actors to infiltrate your systems. These risks make it critical to hold all third-party vendors and collaborators to the same high security standards you expect internally.

Start by conducting thorough due diligence during the onboarding process, ensuring that each vendor’s security policies align with your company’s needs and compliance requirements. Regular security audits and reviews are essential, not only to evaluate their systems but also to identify any new vulnerabilities or threats that may emerge over time. This collaborative approach should also include transparent communication and shared responsibility, fostering a culture where vendors prioritise security as much as you do.

8. Patch and Stay Up-to-Date

Outdated systems create entry points for cybercriminals to deploy attacks that could have been easily prevented with timely updates. Regularly applying patches and updates ensures that security gaps are addressed before they can be exploited by opportunistic attackers who target predictable flaws.

This practice is especially critical for operating systems, third-party applications, and firmware, where vulnerabilities can quickly become widely known and targeted. However, patch management should go beyond just deployment; organisations must have a structured approach that prioritises high-risk vulnerabilities and critical systems based on their importance and exposure to potential threats.

Automated tools can streamline this process, identifying and applying necessary patches promptly while reducing human error. Staying current not only helps protect against malicious exploitation but also reinforces compliance with industry standards and regulations. Consistent patching is not merely a reactive measure; it’s a proactive, foundational step in building an adaptive and resilient defence against evolving cyber threats.

9. Communicate and Collaborate

When data breaches occur, organisations must prioritise transparency and accountability. Keeping customers informed builds trust, even in difficult situations. For example, communicating how customers can protect their accounts and personal data after an incident can ease frustrations and fears.

At a broader industry level, organisations also need to engage in open collaboration. Sharing critical threat information, coordinating responses, and learning from one another, for example through platforms like Information Sharing and Analysis Centers (ISACs), can strengthen collective defenses. This united approach helps create a more resilient and secure business ecosystem, where knowledge and resources are leveraged to counter evolving cyber threats effectively.

Cyber threat actors share strategies in online forums and hacker spaces; organisations must find ways to mirror this level of collaboration to stay ahead.

Lessons For Customers

This is also a wake-up call for consumers. Using strong, unique passwords and enabling multi-factor authentication (MFA) or preferably passkeys wherever possible remains vital. While the burden of security shouldn’t fall on the individual, adopting these measures adds an extra layer of protection.

To End

Hackers are known for following the money trail and retailers are an attractive target for them. Unfortunately, retailers and their customers will face increasing service disruptions due to cyberattacks. Attackers are no longer solely targeting payment systems. Logistics, customer support platforms, and supply chains are becoming prime targets. This points to a pressing need for organisations to focus not just on prevention but also on recovery. Speed, clarity, and transparency will define resilience when disruptions inevitably occur.

Better still would be for organisations to come together and work towards creating a safer digital environment for customers and businesses alike. Now is the time for C-suites and IT leaders alike to challenge outdated notions of cybersecurity. This isn’t just about protecting assets; it’s about ensuring continuity, resilience, and trust in an increasingly digital world.

The question is simple but urgent: Is your organisation ready to act?

Now I want to hear from you

Tell me your thoughts in regard to these cyber attacks and what needs to happen. Drop me a message or join me and the conversation on LinkedIn.

Image credit xl.store – stock.adobe.com


Jane Frankland MBE is an author, board advisor, and cybersecurity thought leader, working with top brands and governments. A trailblazer in the field, she founded a global hacking firm in the 90s and served as Managing Director at Accenture. Jane's contributions over two decades have been pivotal in launching key security initiatives such as CREST, Cyber Essentials and Women4Cyber. Renowned for her commitment to gender diversity, she authored the bestselling book "IN Security" and has provided $800,000 in scholarships to hundreds of women. Through her company KnewStart, and other initiatives she leads, she is committed to making the world safer, happier, and more prosperous.
