Recent cyberattacks on three of the UK’s best-known retailers exposed critical vulnerabilities in digital operations, supply chains and incident response. Here are the key lessons for retail risk professionals navigating today’s threat landscape.

In a troubling escalation for the UK’s retail sector, three major high street names - Marks & Spencer (M&S), Harrods, and the Co-operative Group (Co-op) - have been targeted by cyberattacks in recent weeks.

The incidents have disrupted operations, exposed customer data, and raised significant questions about the sector’s cyber resilience.


What happened

M&S

On 22 April 2025, M&S disclosed a major cyberattack that disrupted contactless payments and online services.

The group believed to be behind the attack, “Scattered Spider”, reportedly relied on social engineering rather than a software exploit: callers impersonated employees and talked IT help desks into resetting account passwords, handing the attackers working credentials.

The breach led to shortages in stores, difficulties with restocking, and even closure of some hot food counters. M&S’s market value fell by an estimated £650 million in the immediate aftermath, and some reports suggest losses may exceed £30 million.

Harrods

Luxury department store Harrods confirmed an attempted cyberattack on 1 May 2025.

A spokesperson said: “We recently experienced attempts to gain unauthorised access to some of our systems. Our seasoned IT security team immediately took proactive steps to keep systems safe and, as a result, we have restricted internet access at our sites today.” Harrods clarified that no customer data had been compromised and that operations remained largely unaffected.

The Co-op

The Co-op revealed on 2 May 2025 that hackers had gained unauthorised access to customer data, affecting a significant portion of its 6.2 million current and former members.

Compromised data included names and contact details, although passwords and financial information were reportedly not impacted.

Chief executive Shirine Khoury-Haq issued an official statement expressing regret and outlining steps taken in collaboration with the National Cyber Security Centre (NCSC) and the National Crime Agency (NCA).

She said: “While we have been able to protect our Co-op from significant trading disruption, which is often the intent of these sorts of attacks, I am very sorry that this member information was accessed. While there is no impact to your account, and you can continue to trade with us as normal, I appreciate that members will be concerned.”

These incidents have not only disrupted services and shaken customer confidence but also highlighted systemic weaknesses in how cyber risk is managed across the retail sector. Experts say this is a critical opportunity for organisations to rethink their approach to digital resilience.

1. Cybersecurity is not just an IT issue—it’s a business continuity issue

The M&S attack affected core services ranging from payments to online fulfilment, forcing refunds and damaging customer trust. The disruption made clear that cyber incidents can bring daily operations to a standstill.

“What happened at Marks & Spencer shows just how fragile operations can be – and that IT systems are the spine of every business,” says Matthew Oleniuk, risk advisor at theRiskInsider.com. Oleniuk compares today’s environment to an “earthquake zone” where businesses must expect seismic disruption and prepare accordingly.

Retailers, he argues, must stop treating cybersecurity as a technical bolt-on and instead embed it into core risk and continuity planning. When the digital infrastructure is compromised, it’s not just systems that are at stake—it’s brand, revenue and investor confidence.

2. Plans must be tested under real-world conditions

The best crisis response plans often fall short when systems go down. That’s why testing is critical.

“While you may have plans that look great on paper, they may not work,” says Karla Gahan, head of resilience services at Barnett Waddingham. Gahan highlights how standard assumptions – like convening teams online during a crisis – may not hold up if the network is down.

“It’s crucial to consider the physical and mental implications of the incident on your response team. The response might mean the team suffers from a lack of sleep, pressured decision making with little or no information… What support can you put in place to help front-line people who may be learning new processes during an incident?”

Gahan urges organisations to make testing inclusive: senior leaders, operational staff and customer-facing teams all need exposure to simulated scenarios. That includes preparing for things as basic as manual checkouts if systems fail.

3. Third-party risk is a growing vulnerability

Although not confirmed in the M&S case, several experts pointed to third-party relationships as an overlooked threat vector.

“Your cybersecurity is only as strong as your weakest supplier,” warns Ian Oswell, business development director at FLR Spectron. “Supply chain vulnerabilities can easily become entry points for attackers.”

Akash Mahajan, chief executive at Kloudle, agrees: “Retail operations are deeply interconnected, and many services—from payments to payroll to logistics—rely on external providers. One weak link can create ripple effects across an entire brand.”

Effective third-party risk management, experts say, requires both due diligence at onboarding and regular monitoring afterwards. Contracts should define cybersecurity standards, and vendor access to systems must be tightly controlled: scoped to the systems the supplier actually needs, time-limited, and logged so that misuse of a supplier account is visible.

4. Human factors remain the most exploited weakness

Reports suggest attackers used social engineering to impersonate M&S employees and bypass the identity checks that should have guarded password resets. It’s a reminder that the human layer is often the easiest to breach.

“People still represent the single largest vulnerability to cyber threats,” says Jeff Le, managing principal at 100 Mile Strategies. “Regular training and unplanned exercises are key. Finally, security should be an everybody problem, not just the IT staff’s problem.”

Organisations that neglect frontline training or over-rely on technical controls are missing a critical line of defence. Regular, scenario-based education can improve threat recognition and reduce the success of phishing, credential theft, and other common exploits. Training alone will not stop a persuasive caller, though: help-desk reset procedures should require a verification step the caller cannot satisfy with leaked personal details, such as a callback to a number on file or manager approval, and every reset should be logged so that unusual ones can be spotted quickly.
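As an added example (not code from the article or from any of the retailers it names), the following Python script shows what spotting a help-desk-driven account takeover can look like once resets are logged. It parses constructed help-desk and identity-provider audit events, then flags any password reset where the agent accepted weak caller verification, no ticket backs the reset, or the account enrolled a new MFA device or was used from an unexpected country shortly afterwards. The event schema, field names, event types and sample data are all assumptions made for the example.

```python
"""Flag risky help-desk password resets in identity audit logs.

Added example, not code from the article or from any retailer named in it.
The event schema below (field names, event types) is an assumption made for
the example; map it onto your own help-desk and identity-provider logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

# Constructed sample events, one JSON object per line (not real log data).
SAMPLE_EVENTS = """
{"ts": "2025-04-17T09:02:11Z", "event": "helpdesk.password_reset", "user": "j.doe", "actor": "helpdesk1", "verified_by": "callback", "ticket": "INC1001"}
{"ts": "2025-04-17T09:40:00Z", "event": "idp.login", "user": "j.doe", "ip_country": "GB"}
{"ts": "2025-04-17T14:12:05Z", "event": "helpdesk.password_reset", "user": "a.admin", "actor": "helpdesk2", "verified_by": "caller_knowledge", "ticket": ""}
{"ts": "2025-04-17T14:15:30Z", "event": "idp.mfa_enroll", "user": "a.admin", "device": "authenticator-new", "ip_country": "US"}
{"ts": "2025-04-17T14:16:02Z", "event": "idp.login", "user": "a.admin", "ip_country": "US"}
{"ts": "2025-04-17T16:00:00Z", "event": "helpdesk.password_reset", "user": "s.smith", "actor": "helpdesk1", "verified_by": "manager_approval", "ticket": "INC1007"}
{"ts": "2025-04-17T17:30:00Z", "event": "idp.login", "user": "s.smith", "ip_country": "GB"}
"""

# Verification methods a caller cannot satisfy with stolen personal details.
STRONG_VERIFICATION = {"callback", "manager_approval", "in_person"}
# How long after a reset we treat follow-on identity changes as linked to it.
POST_RESET_WINDOW = timedelta(minutes=30)


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def find_suspicious_resets(events, window=POST_RESET_WINDOW, home_country="GB"):
    """Return one finding per help-desk reset that shows attacker-style signals.

    Signals: the agent accepted weak caller verification, no ticket backs the
    reset, or within `window` the account enrolled a new MFA device or was
    used from outside `home_country`. Any one signal produces a finding.
    """
    by_user = defaultdict(list)
    for event in events:
        by_user[event["user"]].append(event)

    findings = []
    for user, user_events in by_user.items():
        for i, reset in enumerate(user_events):
            if reset["event"] != "helpdesk.password_reset":
                continue
            reasons = []
            if reset.get("verified_by") not in STRONG_VERIFICATION:
                reasons.append("weak identity verification: %s" % reset.get("verified_by"))
            if not reset.get("ticket"):
                reasons.append("no ticket reference")
            for follow in user_events[i + 1:]:
                delta = follow["ts"] - reset["ts"]
                if delta > window:
                    break  # events are sorted, so nothing later is in the window
                if follow["event"] == "idp.mfa_enroll":
                    minutes = int(delta.total_seconds() // 60)
                    reasons.append("new MFA device enrolled %d min after reset" % minutes)
                country = follow.get("ip_country")
                if country and country != home_country:
                    reasons.append("post-reset activity from %s" % country)
            if reasons:
                # dict.fromkeys drops duplicate reasons while keeping their order
                findings.append({"user": user, "reset_ts": reset["ts"],
                                 "reasons": list(dict.fromkeys(reasons))})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_resets(parse_events(SAMPLE_EVENTS)):
        print(finding["user"], finding["reset_ts"].isoformat(), "; ".join(finding["reasons"]))
```

On the constructed data only the `a.admin` reset is flagged: the agent accepted "what the caller knew" as proof of identity, no ticket was raised, and within minutes a new MFA device was enrolled and the account was used from another country. The two resets backed by a callback or manager approval, with follow-on activity from the home country, pass. The thresholds and the list of strong verification methods are policy choices, not fixed values.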

5. Build for failure: continuity and communication are key

Experts warn that no system is foolproof. The real differentiator is how prepared an organisation is to continue operating through a breach.

“True cyber resilience isn’t just about having firewalls and backups, it’s about preparing for operational continuity and effective response when defences fail,” says Vivek Dodd, chief executive at Skillcast.

“A retailer that acknowledges its vulnerability and speedily responds with integrity will often come out stronger, both in operations and in reputation.”

This includes investing in redundant systems, clear communication protocols, and rapid recovery capabilities. Regular review of Recovery Time Objectives (RTO, how long a service may be down) and Recovery Point Objectives (RPO, how much recent data the business can afford to lose) should be standard practice, and the review should check actual backup history and timed restore drills against those objectives rather than take them on trust.
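As an added example (not code from the article or from any retailer it names), the Python script below turns that review into a check: it reads a constructed backup job log and the restore times measured in the last drill, works out the worst-case RPO each system can really achieve, and compares both figures with the stated objectives. The system names, log format, objectives and drill timings are assumptions made for the example.

```python
"""Check backup history and restore drills against stated RPO and RTO.

Added example, not code from the article or from any retailer it names. The
log format, system names, objectives and drill timings are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed backup job log: system, completion time (UTC), status.
BACKUP_LOG = """
pos-db,2025-05-01T00:00:00Z,ok
pos-db,2025-05-01T06:00:00Z,ok
pos-db,2025-05-01T12:00:00Z,failed
pos-db,2025-05-01T18:00:00Z,ok
web-orders,2025-05-01T00:00:00Z,ok
web-orders,2025-05-01T01:00:00Z,ok
web-orders,2025-05-01T02:00:00Z,ok
"""

# Measured restore time from the most recent drill, in minutes (constructed).
RESTORE_DRILL_MINUTES = {"pos-db": 240, "web-orders": 45}

# Objectives agreed with the business, in hours (constructed).
OBJECTIVES = {
    "pos-db": {"rpo_hours": 6, "rto_hours": 2},
    "web-orders": {"rpo_hours": 1, "rto_hours": 1},
}


def parse_backup_log(text):
    """Return {system: [timestamps of successful backups, sorted]}."""
    successes = defaultdict(list)
    for line in text.strip().splitlines():
        system, ts, status = line.split(",")
        if status == "ok":  # a failed job leaves a gap; it protects nothing
            successes[system].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    for stamps in successes.values():
        stamps.sort()
    return successes


def assess(now, log=BACKUP_LOG, drills=RESTORE_DRILL_MINUTES, objectives=OBJECTIVES):
    """Compare achievable RPO/RTO per system with the stated objectives.

    Worst-case RPO is the longest interval between successful backups, or the
    time since the last success if that is longer: backups that quietly stop
    widen the window every hour until someone looks.
    """
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%dT%H:%M:%SZ")
    successes = parse_backup_log(log)
    report = {}
    for system, target in objectives.items():
        stamps = successes.get(system, [])
        if not stamps:
            worst_rpo_hours = float("inf")  # no successful backup at all
        else:
            gaps = [b - a for a, b in zip(stamps, stamps[1:])] + [now - stamps[-1]]
            worst_rpo_hours = max(gaps).total_seconds() / 3600
        rto_hours = drills.get(system, float("inf")) / 60  # no drill: RTO unproven
        report[system] = {
            "worst_rpo_hours": worst_rpo_hours,
            "rpo_ok": worst_rpo_hours <= target["rpo_hours"],
            "rto_hours": rto_hours,
            "rto_ok": rto_hours <= target["rto_hours"],
        }
    return report


if __name__ == "__main__":
    for system, result in assess("2025-05-01T20:00:00Z").items():
        print(system, result)
```

Run against the constructed data at 20:00 UTC, `pos-db` misses both objectives: one failed job stretched the gap between usable backups to 12 hours against a 6-hour RPO, and the last drill restored it in 4 hours against a 2-hour RTO. `web-orders` restores fast enough, but its backups stopped at 02:00, so its real RPO is already 18 hours and growing. Neither problem is visible from the objectives document alone; both are visible from the logs.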

6. Leadership and culture determine resilience

Cybersecurity must become a board-level priority. It is no longer a niche technical issue but one that affects every corner of the business.

“Boards must ensure they understand the risks and invest accordingly,” says Oswell. “Cybersecurity must be a standing item at board meetings, not just an IT concern.”

Resilience requires a culture where accountability is shared across leadership, IT, operations, and customer service teams. Experts agree that this shift in mindset is as critical as any technical upgrade.

7. Learn from disruption before it learns from you

As cyber threats continue to evolve, retailers must shift from reactive crisis management to proactive resilience. That means treating cybersecurity as central to brand, operations and customer trust.

Whether it’s testing fallback payment systems, reviewing vendor access, or preparing spokespeople for a public response, the lesson is clear: those who prepare broadly, inclusively, and realistically are best positioned to emerge stronger from the next attack.

“Cybersecurity must be treated not as a back-office function, but as a core pillar of business resilience,” concludes Dean Gefen, chief executive of NukuDo.

“Companies that invest now will be positioned to weather the next storm. Those that don’t may find themselves learning the same lesson the hard way.”