M&S and Co-op Cyberattacks: What Retail IT Teams Need to Know
Tags: Ransomware, Cyber News, Human Risk, Social Engineering | 06-May-2025 16:23:03 | Max Harper | 5 min read

What's happened?
Two of the UK’s biggest retailers – Marks & Spencer and the Co-operative Group – have recently been hit by major cyberattacks. While full investigations are still ongoing, early reports have provided important insights into how attackers gained access and what went wrong. For IT leaders in retail, this is a timely reminder that even the most mature organisations are vulnerable to social engineering – and that the ability to detect and respond quickly is now business-critical.
What we know so far
M&S: Access via Social Engineering
According to reports from The Times and Bleeping Computer, a group believed to be Scattered Spider used advanced social engineering to deceive IT help desk staff into resetting admin credentials. SIM swapping was also reportedly used to intercept multi-factor authentication codes, giving attackers deep access.
The ransomware deployment later crippled online operations. While M&S hasn’t issued a full breakdown, media coverage suggests the disruption may have cost the business up to £40 million per week in lost revenue. Multiple reports also describe overnight meetings and staff sleeping on-site as the business scrambled to respond – a situation made harder by what insiders described as the absence of a predefined cyber incident plan.
Co-op: Data Theft and Password Hash Extraction
The Co-operative Group (not to be confused with regional co-ops like East of England Co-op) confirmed a similar breach. Attackers allegedly tricked IT into resetting an employee's password and gained access to internal systems, extracting the NTDS.dit file – the Active Directory database on Windows domain controllers, which holds user account data including password hashes.
The threat group DragonForce, which has ties to Scattered Spider, has claimed responsibility. They allege they exfiltrated data on up to 20 million Co-op members, including names, emails, phone numbers, and membership card numbers. While no passwords or financial data were confirmed as stolen, the risks from follow-on phishing and identity-based attacks are significant.
Three Key Takeaways for IT Leaders
1. Help Desks Are a Frontline Defence
Social engineering remains one of the most potent techniques – especially when attackers know how internal teams operate. Training and process hardening around password resets and identity verification are essential.
2. Always-On Detection Is No Longer Optional
The dwell time in these cases (weeks, in M&S's case) shows that once inside, threat actors have time to move laterally and escalate. 24/7 Managed Detection and Response (MDR) gives teams the edge to spot and contain incidents before damage is done.
3. Incident Response Plans Need to Be Battle-Ready
An untested response plan is the same as no plan. M&S’s internal chaos, with 3am meetings and on-site sleeping bags, highlights how critical it is to have a clear, rehearsed strategy that everyone understands.
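As an added illustration of takeaways 1 and 2 (not code from the original article or from any vendor), the following Python example correlates a help desk password reset with a later process that references NTDS.dit, the sequence reported in the Co-op case. The event records are constructed and simplified; the account names, tool names and the 72-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed, simplified events modelled on Windows Security log IDs:
#   4724 = an attempt was made to reset an account's password
#   4688 = a new process was created (command-line auditing enabled)
# Account names, paths and tool names are hypothetical.
SAMPLE_EVENTS = [
    {"time": "2025-04-20T09:12:00", "id": 4724, "actor": "helpdesk01", "target": "svc-backup"},
    {"time": "2025-04-20T09:40:00", "id": 4688, "actor": "j.smith", "cmd": "notepad.exe report.txt"},
    {"time": "2025-04-21T02:03:00", "id": 4688, "actor": "svc-backup",
     "cmd": r"copytool.exe C:\Windows\NTDS\ntds.dit D:\out"},
    {"time": "2025-04-22T11:00:00", "id": 4724, "actor": "helpdesk02", "target": "a.jones"},
    {"time": "2025-05-30T03:00:00", "id": 4688, "actor": "dc-admin",
     "cmd": r"backup.exe /src C:\Windows\NTDS\NTDS.DIT"},
]


def detect(events, window=timedelta(hours=72)):
    """Flag process launches that reference ntds.dit; escalate when the
    launching account had its password reset within `window` beforehand."""
    last_reset = {}  # account (lowercased) -> (reset time, who performed it)
    findings = []
    # ISO-8601 timestamps in one format sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4724:
            last_reset[ev["target"].lower()] = (when, ev["actor"])
        elif ev["id"] == 4688 and "ntds.dit" in ev.get("cmd", "").lower():
            reset = last_reset.get(ev["actor"].lower())
            if reset and when - reset[0] <= window:
                # Recently reset account touching the credential database.
                findings.append(("critical", ev["actor"], ev["time"], reset[1]))
            else:
                findings.append(("high", ev["actor"], ev["time"], None))
    return findings


if __name__ == "__main__":
    for severity, account, when, reset_by in detect(SAMPLE_EVENTS):
        note = f" (password reset by {reset_by} shortly before)" if reset_by else ""
        print(f"[{severity}] {when} {account} referenced ntds.dit{note}")
```

The "critical" finding also records which help desk account performed the reset, which gives responders a starting point for reviewing how the caller's identity was verified.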
Final Thoughts
No security tool can prevent every breach. But what these attacks show is that the right response – speed, clarity, and confidence – can mean the difference between disruption and disaster.
They also reinforce a critical truth: technology alone isn’t enough. The frontline of most retail breaches still starts with people. Whether it’s a help desk worker being socially engineered or a staff member clicking a malicious link, attackers are increasingly targeting human vulnerabilities.
That’s why user awareness and human risk management should sit alongside MDR in any modern cyber strategy. Building a culture of security awareness, supported by phishing simulations and behaviour-based insights, helps reduce the likelihood of successful attacks – while MDR ensures that, when something does slip through, you’ve got the tools and people in place to catch it fast.
For retail businesses juggling complex systems and distributed teams, 24/7 MDR, paired with proactive user training, is quickly becoming a must-have – not a nice-to-have.
If you're reassessing your approach or looking to build a more human-centric security programme, the team at Spear Shield are always happy to talk.
Sources:
The Times – M&S and Co-op cyberattackers tricked IT into resetting passwords
Bleeping Computer – Marks & Spencer breach linked to Scattered Spider ransomware attack
TechRadar – Co-op crisis deepens as it admits UK customer data stolen in cyberattack
SecurityWeek – Ransomware Group Claims Attacks on UK Retailers
The Guardian – M&S cyber-attack linked to hacking group Scattered Spider
