Cyber-attacks at M&S, Co-op & Harrods

Our experts take you behind the headlines of the UK retail breaches, with real anecdotes, expert insights, and practical next steps.

This spring, Marks & Spencer, the Co-op, and Harrods made headlines for all the wrong reasons. Each retailer fell victim to cyber-attacks that disrupted services and raised fresh questions about cybersecurity readiness in retail.

While most media reports typically focus on the “what” and “when,” at Planit, we’re focused on the “what next?” Because in today’s threat landscape, the best defence is a proactive one. 

So, here’s a quick-fire look at each of the incidents, followed by Planit’s expert lessons and the next steps to plug gaps before they can become the root of your problem.

Incident Rundown

1. Marks & Spencer (April 2025)

What happened:
Ransomware struck over Easter, encrypting key systems and halting online orders and some in-store services. The Scattered Spider group was reported to be behind the breach. They locked files using a white-labelled DragonForce encryptor and demanded a multi-million-pound ransom.

Impact:
Due to the widespread outages, it is estimated M&S lost millions in sales; customer trust was dented when contactless payments and recruitment portals went offline.

2. Co-op (Late April 2025)

What happened:
Unusual account activity triggered a shutdown of back-office systems. Staff were ordered to keep webcams on during meetings to spot imposters. Co-op did not attribute the attack to any group, but forensic sources indicate the attackers used identical social-engineering tactics and password-reset methods associated with the Scattered Spider community. The DragonForce operator spoke to the BBC directly, sharing samples of Co-op's stolen data and claiming credit.

Impact:
Due to early detection there was minimal customer disruption, but internal processes slowed, and employee morale dipped due to the additional security controls that were requested.

3. Harrods (May 2025)

What happened:
Early warning signs of unauthorised access led to an immediate internet lockdown at all sites. Harrods described the intrusion as an “attempt” that was detected and contained early, and restricted internet access at its stores as a precautionary measure. Cybersecurity experts note that, given the similar patterns, this attack was also executed by DragonForce/Scattered Spider.

Impact:
Stores and the website stayed open, but staff lost day-to-day online tools until systems were cleared.

These incidents point strongly to a common campaign by Scattered Spider / DragonForce, according to industry analysts. But more importantly, they serve as a critical reminder: no business is too established, too prepared, or too prominent to be targeted.

When three major retailers experience breaches within weeks of each other, each involving similar social-engineering tactics and infrastructure shutdowns, it’s not just coincidence.

It’s a signal. If these household names can be hit, any business can.

The question isn’t whether you’re at risk, but whether you’re ready.

Key Lessons & Next Steps

1. Assume you’re already a target and get the board onboard NOW.

It’s not a question of if but when, and attackers are counting on you being unprepared. 

Next step:
This week, schedule a board-level briefing for this quarter to review your current threat landscape and the budget that must be made available so that your security is proactive rather than reactive. Failing to plan is planning to fail.

Anecdote:
During a Red Team exercise last year our team simulated a “silent login” at a retail client. Our team gained domain-admin access within hours—without triggering a single alert. The client was shocked at how easily we moved through their network undetected, reinforcing just how vulnerable even mature environments can be.

2. Test before you’re tested

If you’re not regularly testing your defences, you’re running blind.

Next step:
Book a penetration test focused on ransomware entry vectors (email, VPN, unpatched servers).

Anecdote:
During a penetration test, we uncovered an unmonitored remote-access CRM system—a major blind spot. After the client secured and patched it, their external attack surface was reduced by 35% in a single night.

3. Build rapid containment playbooks

Having a response plan is great. Knowing how to use it under pressure is even better.

Next step:
Run an incident response drill this month under “ransomware” and “insider compromise” scenarios.

Anecdote:
During a table-top session with a financial services client, we discovered that even their C-suite wasn’t sure who had the authority to isolate or shut down systems. We helped them optimise their incident response process and RACI, providing guidance and ensuring that they were crystal clear on who should do what and when, and who had the authority to sign off. During a re-run of the exercise, we helped them isolate the threat in under 15 minutes.

4. Empower Your People

Your people are your frontline and your biggest asset when trained well.

Next step:
Launch a phishing and meeting-security awareness campaign. Provide simple steps—like verifying meeting attendees and reporting suspicious invites.

Anecdote:
During a client’s first phishing simulation, over half of their employees clicked the malicious link. Many even submitted their credentials. After 12 months of ongoing phishing simulations and tailored training, 92% correctly identified and reported the malicious phishing emails – a significantly high percentage by today’s standards. That level of awareness significantly strengthened the client’s frontline defence.

5. Lock Down Your Supply Chain

A breach through a vendor still damages your brand.

Next step:
Audit your top five third-party vendors’ security. Require evidence of recent security assessments or ISO 27001/NIST compliance.

Tip:
Review your contracts for breach-notification clauses and, where they are missing, ensure they are included in all new contracts. This will ensure rapid alerts if a supplier is breached.

In conclusion

These three incidents are a loud wake-up call: In 2025, reactive security isn’t just outdated, it’s dangerous. The patterns are clear, the threat actors are emboldened, and the time to act is now.

If you’re serious about staying out of the news and ahead of attackers, your roadmap needs to include:

  1. Engaging your executive board

  2. Proactively testing your defences

  3. Practising real-world incident response scenarios

  4. Training your people to spot and stop threats

  5. Scrutinising the cyber hygiene of every vendor in your supply chain

At Planit, we don’t just find the gaps. We help you close them.

Whether you need a deep-dive penetration test, a rapid incident response drill, or a realistic red team simulation, our security specialists work alongside you to raise your cyber maturity and build lasting resilience.

We specialise in:

  • Security Assessments & Penetration Testing – We help you expose hidden gaps before attackers do.
  • Incident Response Readiness Workshops – All designed to sharpen your team’s playbooks.
  • Business Continuity Planning – Through table-top simulations to ensure your business continuity, even under attack.
  • Organisational Cyber Posture assessments – We can help you get a clear picture of where your strengths and weaknesses lie.
  • Red Team attack simulation – We act like them, but instead of getting your data encrypted and held for ransom, you get a detailed report with tips and tricks on how to improve.

Don’t wait for a breach to show you the cracks. Reach out, because prevention is always better and more affordable than recovery.

Protect Your Data and Reputation

In today’s hostile internet environment, the risks associated with system vulnerabilities are substantial as information is exploited, systems corrupted and brands damaged. Planit’s three-pronged approach to data security policies and penetration testing can help you protect your systems by addressing development, use, and infrastructure.

AUTHOR:

Ferdinand Hagethorn

Director - Security Services
