06 May 2025
The UK’s National Cyber Security Centre (NCSC) has issued a stark warning following a series of cyberattacks impacting multiple UK retail chains, urging organizations to view the incidents as a ‘wake-up call’ for bolstering their cybersecurity defenses.
The NCSC, part of the GCHQ British intelligence agency, provides crucial support and guidance to both private and public sector entities in the aftermath of significant cybersecurity incidents to safeguard the UK's critical services. The agency confirmed it is actively collaborating with affected organizations in the retail sector to assess the nature and full impact of the attacks.
"The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers and the public," said NCSC CEO Richard Horne. "These incidents should act as a wake-up call to all organisations. I urge leaders to follow the advice on the NCSC website to ensure they have appropriate measures in place to help prevent attacks and respond and recover effectively."
In response to the attacks, the UK House of Commons' Business and Trade Committee has requested that the CEOs of Marks & Spencer and Co-op provide details on whether relevant government agencies, including the National Crime Agency and the NCSC, have provided support.
The wave of cyberattacks targeting UK retailers became publicly apparent when Harrods confirmed it was targeted on 1 May, becoming the third major UK retailer to report incidents within a fortnight. This followed earlier attacks on the Co-operative Group (Co-op) supermarket chain and British retail giant Marks & Spencer (M&S).
Harrods additionally informed BleepingComputer that threat actors recently attempted to breach its network, prompting the luxury department store to restrict internet access to certain sites. While Harrods did not explicitly confirm a system breach, the action of limiting access suggests an active response to mitigate the attack.
On 30 April, Co-op disclosed another cyber incident, describing attempts to hack into their systems. However, an internal memo from Co-op Chief Digital and Information Officer Rob Elsey, urging employee vigilance with email and Microsoft Teams, also mentioned that VPN access had been disabled. This indicates potential containment measures were implemented, suggesting a security breach may have occurred.
Last week, Marks & Spencer was also affected by a cyberattack that caused disruptions to online ordering systems and impacted contactless payments and Click & Collect services. It was later confirmed that the attack on Marks & Spencer was a ransomware incident, with threat actors deploying the DragonForce ransomware and employing tactics associated with the notorious Scattered Spider group.