UK Cyberattacks: Restoring Retail Resilience

A recent string of cyberattacks on major UK retailers has left supply chains reeling. Consumers are wondering if their data is safe, whilst businesses have lost millions. The question on everyone's lips now is: was this preventable?
Marks & Spencer, the UK’s biggest clothing retailer, found itself at the centre of the crisis. It wasn’t alone though, with Co-op, Harrods and others also reporting cyber incidents in quick succession.
“It’s not yet confirmed if the three incidents are connected,” explains Richard Allen, a cybersecurity expert at PA Consulting. “It could be coincidental (although unlikely); it could also be other groups encouraged by the first successful attack. However, it’s also possible that they share a common third-party supplier or compromised technology.”
With systems frozen and stock levels uncertain, it became clear that these attacks were targeted assaults on the operational heart of companies built around scale, speed and trust.
This broader pattern reveals that amidst economic headwinds and technological change, retail also has to fight on the frontline of a cyber war.
How a cyberattack brought M&S to a halt
Over the Easter weekend, M&S’s internal IT systems began behaving strangely. What might have initially looked like a glitch soon spiralled into full-blown chaos, leading to online orders being paused and automated stock management stopped – even routine tasks like monitoring fridge temperatures had to be done by hand.
Customers, urged by Chief Executive Stuart Machin to shop in person while staff worked “day and night” to restore operations, found bare shelves in food halls and limited sizing in fashion departments. Refunds and returns were eventually restored, along with contactless payments and gift cards, but the damage was done.
Behind the scenes, investigators believe the culprit may be Scattered Spider, a cybercrime group known for using social engineering, manipulating people rather than systems, to reset admin credentials and slip past multi-factor authentication.
That said, it is still under investigation by the National Cyber Security Centre (NCSC), which is working with the Metropolitan Police and National Crime Agency.
The NCSC’s National Resilience Director, Jonathon Ellison, and Chief Technology Officer, Ollie Whitehouse, have described these attacks as both “opportunistic and indiscriminate.” They warn that the rise in “ransomware as a service”, a model that allows relatively unskilled criminals to buy access to powerful hacking tools, is making it easier for attacks to be launched across sectors.
“Cyber criminality, including extortion and ransomware, is one of the most pervasive cyber threats facing UK organisations,” they write. “It affects organisations of all sizes, from the largest, to the very smallest. No one is immune from this threat.”
Deutsche Bank analysts estimate that M&S has lost around £30m (US$39.9m) so far, with ongoing weekly losses of £15m (US$19.9m). Its share price has also dropped by around £750m (US$997.8m) in value since Easter. While insurance may help cushion the blow, it can’t replace the dent to customer experience or the reputational risk of a breach of trust.
While M&S struggles to reboot, the wider sector is already feeling the impact. The retail sector, say experts, has been slow to modernise its cybersecurity approach.
Jonathan Lee, Director of Cyber Strategy at Trend Micro, explains: “Retailers are an attractive target for hackers… They’re targeted because of the large amounts of valuable PII [personally identifiable information] they process and the integral nature of business uptime that makes ransomware and extortion attacks particularly disruptive.
“With hackers using ever-more cunning tactics to breach retail companies, the industry badly needs a proactive approach to cybersecurity,” he asserts.
Legacy systems, high staff turnover, multiple store locations and reliance on third-party logistics all compound the problem, meaning the sector’s very structure leaves it exposed.
A perfect storm of risk
According to the World Economic Forum’s 2025 Global Cybersecurity Outlook, 54% of large organisations cite supply chain complexity as their biggest barrier to cyber resilience. The more interconnected a system becomes, the more ways there are to break it.
The 2024 global IT outage, the largest in history, provides the perfect example of this. A single faulty update from a core cloud provider triggered chaos across airlines, banks and retailers, with estimated losses topping US$5bn. The incident was a brutal reminder of what happens when supply chains grow too dependent on too few providers.
Adam Meyers, SVP of Counter Adversary Operations at CrowdStrike, heads a global team tracking criminal groups, state-sponsored actors and nation-state entities. He says cloud-based attacks have soared by 75% in the past year.
“A few years ago, phishing emails with malicious attachments were the most common tactic,” he says. “Today, attackers increasingly rely on identity-based attacks, understanding that many organisations have fortified their technical defences with solutions like endpoint detection and response.”
“Relying solely on reactive measures or traditional defences isn’t enough anymore,” Adam adds. “Threat hunting allows organisations to go out and meet the adversary when they make contact.”
Turning defence into resilience
For many experts, the solution starts with preparation, not reaction.
Richard advises that retailers should “assume that they are targets” and rehearse their response plans sooner rather than later. “Identify the operational choke points or crown jewels. Rehearse how you would recover the use of them without having to pay a ransom.”
Meanwhile, others believe collaboration is key: “By enforcing standards, leveraging threat intelligence and equipping organisations of all sizes with more effective cybersecurity solutions, we can close gaps and fortify the ecosystem,” explains George Kurtz, CEO of CrowdStrike.
This “ecosystem” is international, meaning regulation is rising. On one hand, the EU’s NIS2 Directive demands better oversight and faster incident reporting, whilst on the other, the US has introduced similar requirements with CIRCIA.
As a result, more than two-thirds of businesses surveyed by the World Economic Forum say they’re struggling to comply with overlapping rules.
Where can retail go from here?
The lesson from Marks & Spencer is not that retailers are uniquely vulnerable. It’s that any organisation relying on complex digital supply chains, legacy IT and real-time transactions is a target.
“Cybersecurity isn’t really a tech problem,” concludes Bob Bailkoski, Logicalis Group CEO. “It’s a business continuity issue. And the businesses that survive breaches best are the ones who prepare like they know it’s coming, because it is.”
Experts advise all businesses to start by understanding their digital footprint, urging them to segment networks, patch systems, train staff and use multi-factor authentication.
That said, the sector now knows that resilience is the cost of doing business in an increasingly connected world, but with the cyber threat landscape evolving faster than ever, doing nothing is the biggest risk of all.
Supply Chain Digital is a BizClik brand
