Reformed IT
Cyber security · 4 min read

How the UK's Biggest Retail Hack Unfolded

In spring 2025, a coordinated cyberattack hit three of the UK's best-known retailers — Marks & Spencer, Co-op and Harrods — causing hundreds of millions in damage. Here's what happened, how the attackers got in, and what it means for UK businesses.

By Felicity Price · May 2026

In spring 2025, a coordinated cyberattack hit three of the UK’s best-known retailers simultaneously: Marks & Spencer, Co-op and Harrods. It became the most damaging retail cyber incident in British history, wiping hundreds of millions off share prices, shutting down online stores, and exposing the personal data of millions of customers and employees.

This is what we know about how it happened, how it ended, and what it means if you’re running a business in the UK right now.

What Happened

The attacks began in April 2025. M&S was the first to go public, confirming it had been managing a “cyber incident” while customers reported disruption to Click & Collect and in-store returns. What followed was weeks of operational chaos: M&S suspended online clothing orders for 46 consecutive days. The company’s share price fell 6.5%, and more than £700 million was erased from its market value.

On 30 April, Co-op detected suspicious activity on its systems and took the decision to proactively shut down critical IT infrastructure — a call that limited the damage but couldn’t prevent it entirely. Investigations confirmed that attackers had already accessed the personal data of millions of Co-op members and employees, though payment details remained secure.

Harrods was also targeted around the same time as part of what investigators later classified as a single combined cyber event.

The combined financial impact across M&S and Co-op was estimated at between £270 million and £440 million (~$363M–$592M USD).

How They Got In

This is the part that matters most for any business with external IT support.

M&S’s IT helpdesk is run by Tata Consultancy Services (TCS), a third-party contractor. Investigators found that the attackers didn’t break through M&S’s own defences directly — they went through TCS first.

The method was social engineering: convincing, well-researched impersonation of employees to manipulate helpdesk staff into handing over credentials or bypassing identity checks. Scattered Spider are known for setting up phishing pages that closely mimic legitimate corporate login portals — once an employee enters their credentials, the attacker has everything they need.

From that initial foothold in the helpdesk contractor’s systems, they moved laterally across M&S’s network. The endgame was ransomware with double extortion — systems were encrypted and data was stolen, giving the attackers two levers: pay to get your systems back, or pay to stop us publishing the data.

Who Was Behind It

The attacks have been attributed to Scattered Spider, a loosely organised, predominantly English-speaking group with a track record of high-profile attacks including MGM Resorts and Caesars Entertainment in the US.

What makes Scattered Spider unusual is the profile of its members. These aren’t state-sponsored hackers with years of tradecraft. In July 2025, four individuals were arrested in connection with the attacks:

  • Two men aged 19
  • A 17-year-old
  • A 20-year-old woman

All were apprehended in the West Midlands and London, on suspicion of Computer Misuse Act offences, blackmail, money laundering, and participating in an organised crime group.

The skill gap between “young person in the UK” and “orchestrating a £440M attack on three major retailers” is closing fast — and that’s partly because attack tooling, social engineering scripts, and ransomware infrastructure are increasingly available off the shelf.

What This Means for UK Businesses

A few things stand out from this attack that go beyond the headlines.

Third-party access is your attack surface too. The attackers didn’t need to compromise M&S directly — they only needed to compromise someone who had access to M&S. If your IT provider, software vendor or managed service has access to your systems, their security posture is your problem as much as theirs. Ask who has access, why, and whether it’s scoped to the minimum they actually need.

Multi-factor authentication isn’t a silver bullet. Social engineering attacks like these specifically target the human layer around MFA. An attacker who can convince your helpdesk to reset an account, or who tricks an employee into approving a push notification, gets the same access as if MFA wasn’t there. Technical controls need to be matched by staff training and strict identity verification procedures — including for third-party support staff.

Speed matters more than perfection. Co-op’s decision to proactively shut down systems on 30 April, before the full picture was clear, likely prevented a much worse outcome. Having a clear incident response plan — including who can authorise a shutdown and what your communication chain looks like — is what makes that kind of fast decision possible.

The M&S attack is a reminder that cyber incidents don’t just cost money at the time. They cost customers, reputation, and confidence — and those losses take much longer to recover than the technical ones.

If you want to understand where your business stands and whether the protections you have in place would hold up, get in touch — it’s exactly the kind of conversation we have every day.

Written by Felicity Price, Marketing Coordinator, Reformed IT