How Hackers Exposed Retail Supply Chain Vulnerabilities

Major British retailers Marks & Spencer (M&S), Co-op and Harrods were hit by crippling cyber attacks earlier this year, leading to the arrest of four people in connection with the incidents. 

The attacks exposed the fragility of retail supply chains across the UK and their reliance on digital infrastructure, prompting big-name businesses to re-evaluate their supply chains. 

Four arrests made

The National Crime Agency (NCA) confirmed this week it had arrested two 19-year-old men, a 17-year-old boy and a 20-year-old woman across locations in the West Midlands, Staffordshire and London. 

All four are being held on suspicion of offences under the Computer Misuse Act, blackmail, money laundering and involvement in an organised crime group.

Though the group was initially thought to have overseas origins, investigators now suspect Scattered Spider, a group comprised primarily of English-speaking individuals operating in the UK and US. 

The NCA, working with the West Midlands Regional Organised Crime Unit and the East Midlands Special Operations Unit, seized electronic equipment and executed warrants during dawn raids.

Paul Foster, who leads the National Cyber Crime Unit, says: “Since these attacks took place, specialist NCA cybercrime investigators have been working at pace and the investigation remains one of the agency’s highest priorities.” 

“Our work continues, alongside partners in the UK and overseas, to ensure those responsible are identified and brought to justice.”

Elliot Dellys, CEO of cybersecurity firm Phronesis Security, explains: “Rather than being composed of a centralised command and control structure like Russian ransomware groups, it is believed to be composed of a disparate group of young hackers living in the United States and United Kingdom. 

“This makes effective action by law enforcement to take down the group, and its infrastructure, difficult to coordinate and execute.”

Retailers face significant loss

M&S was the first target in mid-April. Ransomware crippled its IT systems and shut down its online store for nearly seven weeks. 

Internal communications, digital logistics tracking and customer service platforms were all affected, leading to serious disruptions across its fulfilment chain.

The retailer has estimated losses at US$376m due to operational downtime and cancelled orders, and is still working to bring its systems fully back online. 

M&S Chair Archie Norman said the attacks "felt like an attempt to destroy the business". 

He added: "Cyber attacks can be hugely disruptive for businesses, and I’d like to thank M&S, Co-op and Harrods for their support to our investigations.”

Co-op faced a data breach just days after the M&S incident. Attackers obtained the private information on millions of customers and employees, with systems temporarily disconnected from the internet to halt further intrusion. 

Supply chain IT tools—used for managing warehouse stock, delivery scheduling and vendor coordination—were reportedly among the assets targeted.

Harrods, meanwhile, was forced to restrict internet access across its websites following unauthorised access attempts. Although the impact was less severe, any tampering with retail-facing infrastructure threatens business continuity and customer trust.

Following the arrests, a spokesperson for M&S said: “We welcome this development and thank the NCA for its diligent work on this incident.” 

A Co-op representative added: “Hacking is not a victimless crime. Throughout this period, we have engaged fully with the NCA and relevant authorities, and are pleased on behalf of our members to see this had led to these arrests today.”

A resilient sector?

Retailers like M&S and Co-op depend heavily on digital platforms to maintain day-to-day operations, with inventory management systems, supplier databases and logistics software deeply embedded in every step of the supply chain. 

Disruptions in these areas lead to delivery delays, missed restocking cycles and gaps in customer fulfilment.

This raises wider questions about how resilient the UK’s retail sector truly is when faced with targeted digital sabotage.

The breaches serve as a warning to other supply chain-reliant businesses. Retailers will likely re-evaluate cybersecurity policies, tighten access controls and ramp up incident response plans.

Despite this, the fragmented and anonymous nature of groups like Scattered Spider continues to make proactive defence a challenge.

As law enforcement works to trace further members of the group, businesses are being encouraged to prioritise transparency and coordination with authorities.