Britain’s high street faced an ugly surprise in spring 2025 when three well-known retailers – Marks & Spencer (M&S), the Co-op, and Harrods – all reported cyber incidents within days of each other. This spate of retail cyberattacks sent shockwaves through the industry and even prompted the National Cyber Security Centre (NCSC) to issue urgent warnings. Below we break down each case in depth, from timelines and technical details to customer impacts and official statements. We’ll also highlight the NCSC’s role and post-breach security tips (because who doesn’t love a shopping trip without ransomware?). By the end, you’ll have the full lowdown – and maybe even some clever password ideas – courtesy of the UK’s cybersecurity watchdog.
Marks & Spencer (M&S)
M&S’s familiar green logo (seen here on a store in Cheshire) became a symbol of upheaval when the retailer suffered a cyberattack in late April 2025. The incident, first publicly acknowledged on April 22, unfolded over the Easter weekend and into May, disrupting online orders and even store operations.
- Timeline: The first signs of trouble emerged around April 20–21 (Easter weekend). Customers and staff reported that contactless payments and click‑&‑collect pickups were failing across stores. On April 22, M&S formally notified the London Stock Exchange and customers of an ongoing “cyber incident”. By April 25, the company “paused taking orders via [its] websites and apps” for clothing and home goods as a precaution. The website shutdown lasted far longer than a holiday: as of May 2, M&S had entered a second week offline. By May 3, some store systems (like contactless payments and gift-card processing) were back online, but major parts of the online business – including customer loyalty (Sparks) and new hiring – remained suspended.
- Technical specifics: Cybersecurity experts quickly concluded this was not a casual data glitch but a sophisticated ransomware attack. Multiple sources (including BleepingComputer and security firms) linked the M&S hack to the Scattered Spider (aka “Octo Tempest”) criminal group. The attackers are believed to have crept in as early as February 2025: they stole the Active Directory database (ntds.dit), cracked admin passwords, then encrypted M&S’s VMware servers with the DragonForce ransomware on April 24. In plain English, the hackers phished or socially engineered their way through the IT helpdesk to reset a user’s password and hijack a privileged account, giving them domain control. This matches an NCSC warning that many attacks start with helpdesk deception. M&S had pulled vulnerable VPN and external endpoints on April 20, a move which likely limited further damage. So far, the company has not said if customer data (names, credit cards, etc.) was exfiltrated; official statements only noted “no need for customers to take action”.
- Impact (customers, operations, finances): The fallout was severe. With ~30% of M&S clothing/home sales online, the pause in e‑commerce wiped out roughly £3.8 million per day in sales. In-store, shelves went empty (manual stock checks and even fridge-temperature monitoring had to be done by hand). M&S even paused some fresh-food deliveries to Ocado (its grocery partner) to “minimize disruption”. Staff saw routine operations upended: 200 agency workers at the Castle Donington warehouse were told to stay home on April 28 because systems were offline. Financially, investors panicked: M&S’s market cap plunged by ~£700 million in late April. Shares fell about 6% in a week. Analysts warned a short-term profit hit was all but certain. (On the bright side, clothes were flying off the rails for sunny May weather – but only those already in stores, as customers couldn’t order new summer outfits online.)
- Official response: M&S’s leadership kept customers in the loop, albeit without timetables. In regulatory filings (RNS notices), the company stressed it was taking “proactive” steps: on April 25 it announced that websites/apps were paused to protect customers. It assured shoppers that all stores remained open and that there was “no need to take any action”. CEO Stuart Machin personally apologized via email: “We are working day and night to manage the current cyber incident and get things back to normal for you as quickly as possible,” he wrote. M&S also engaged outside cyber experts and reported the attack to authorities (the ICO and NCSC). By early May it had quietly restored many store functions (contactless cards, returns, even pickup of old orders), but it refused to say when its flagship online shop would return.
In sum, M&S was hit by a large-scale ransomware breach that crippled its online business and sliced hundreds of millions off its valuation. The company has kept fighting behind the scenes (and even removed online job adverts while IT teams work hard), but full recovery remained weeks away as of early May.
Co-op Group
The UK’s Co‑operative Group – owner of 2,300+ food stores – was next in line. Unlike M&S, the Co-op attack (in late April 2025) was more of a data breach than a system-wide lockdown, but it was serious nonetheless.
- Timeline: Co-op first announced an incident on April 30, 2025, calling it a “cyber attack” that had forced certain back-office and call-centre systems offline. Just two days later (May 2), the company revealed that hackers had indeed accessed and extracted data from one of its systems. So: initial attack discovered late April, confirmed on April 30, then full breach disclosure May 2.
- Technical specifics: Details emerged only via tech press (Co-op’s own statements were sparse). According to reports, the same DragonForce ransomware group was behind the Co-op hack. Like M&S, attackers impersonated an employee and tricked the IT helpdesk into resetting a password. They then stole the AD database (ntds.dit) on April 22 – although they did not proceed to encrypt the network. Instead, the criminals exfiltrated Co-op members’ data. Notably, Co-op’s forensics determined no financial or transaction data was taken – only personal info (names, contact details, dates of birth) of members. Co-op immediately began rebuilding Windows domain controllers and hardening its cloud (with Microsoft’s help) in case of persistence. The breach was far less disruptive than M&S’s: Co-op’s cloud VPN was briefly locked down, but as of May 2 its online ordering and in-store sales were running normally.
- Impact: Operationally, the public-facing impact was surprisingly light. All Co-op supermarkets, funeral services and even its online delivery sites stayed open and trading normally – customers buying milk and bread saw no outages. Instead, the pain was felt in back offices: call centres and internal systems were temporarily shut to fend off the attack. For customers, the real issue was data privacy. Millions of Co-op members learned that their personal info had been pilfered. The breach affected a “significant number” of current and former members. Customers were advised to be vigilant, but Co-op stressed no bank/payment details were compromised, so the immediate financial risk was low. The hit to the business’s reputation and potential breach notifications to regulators are non-trivial, however.
- Official response: A Co-op spokesperson struck an apologetic tone. On April 30 the company confirmed “attempts to gain unauthorised access to some of our systems,” and said proactive steps had been taken to secure data. By May 2, Co-op admitted that personal member data had been extracted and promptly informed regulators. In a formal statement, the Co-op “apologised” for the breach and said it was working with the NCSC and National Crime Agency on the investigation. Crucially, Co-op reassured everyone that no passwords or payment details were stolen. Customers were told to monitor for phishing (the official word was that they needed “no action” beyond being cautious online). In effect, Co-op’s public messaging combined transparency (“yes, we were breached”) with reassurance (“but your finances are safe”).
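Both the M&S and Co-op intrusions described above followed the same chain: a helpdesk-initiated password reset, a jump to a privileged account, and then the Active Directory database (ntds.dit) being taken. As an added example (not code from this article, from M&S, from Co-op or from the NCSC), here is a small Python correlation that flags that sequence in Windows Security events. The event IDs are real Windows IDs; every account name, host, timestamp and command line in the sample is constructed.

```python
"""Added example: correlate Windows Security events for the
helpdesk-reset -> privilege-grant -> AD-database-access chain.
Every event below is constructed sample data (hypothetical accounts/hosts)."""
from datetime import datetime, timedelta

# Real Windows Security event IDs used by the detection:
RESET = 4724        # an attempt was made to reset an account's password
GROUP_ADD = 4728    # a member was added to a security-enabled global group
PROC_CREATE = 4688  # a new process was created (needs command-line auditing on)

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Processes that should only touch ntds.dit during planned DC maintenance.
DIT_TOUCHING_PROCS = {"ntdsutil.exe", "vssadmin.exe"}

# Constructed sample events (not real logs); a simplified flattening of the
# fields an event forwarder would produce.
EVENTS = [
    {"time": "2025-04-22T09:01:00", "id": RESET, "subject": "helpdesk01",
     "target": "jsmith", "host": "DC01"},
    {"time": "2025-04-22T09:03:00", "id": GROUP_ADD, "subject": "jsmith",
     "target": "jsmith", "group": "Domain Admins", "host": "DC01"},
    {"time": "2025-04-22T09:20:00", "id": PROC_CREATE, "subject": "jsmith",
     "process": "ntdsutil.exe",
     "cmdline": "ntdsutil.exe (constructed sample; arguments omitted)",
     "host": "DC01"},
    # Benign noise: an ordinary reset followed by normal user activity.
    {"time": "2025-04-22T10:00:00", "id": RESET, "subject": "helpdesk02",
     "target": "ajones", "host": "DC01"},
    {"time": "2025-04-22T10:30:00", "id": PROC_CREATE, "subject": "ajones",
     "process": "outlook.exe", "cmdline": "outlook.exe", "host": "WS17"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def _touches_ntds(event):
    proc = event.get("process", "").lower()
    cmd = event.get("cmdline", "").lower()
    return proc in DIT_TOUCHING_PROCS or "ntds.dit" in cmd


def correlate(events, window=timedelta(hours=2)):
    """Return one alert per password reset that is followed, within `window`,
    by the reset account joining a privileged group and/or running a process
    that touches the AD database. A reset on its own is routine helpdesk work
    and produces nothing; the combination is what the retail breaches used."""
    events = sorted(events, key=_ts)
    alerts = []
    for reset in (e for e in events if e["id"] == RESET):
        acct, t0 = reset["target"], _ts(reset)
        follow = [e for e in events
                  if e["subject"] == acct and t0 < _ts(e) <= t0 + window]
        priv = [e for e in follow
                if e["id"] == GROUP_ADD and e.get("group") in PRIVILEGED_GROUPS]
        dit = [e for e in follow if e["id"] == PROC_CREATE and _touches_ntds(e)]
        if not priv and not dit:
            continue
        alerts.append({
            "account": acct,
            "reset_by": reset["subject"],
            "privileged_group_added": bool(priv),
            "ntds_access": bool(dit),
            # touching the directory database is the point of no return
            "severity": "critical" if dit else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The two-hour window and the group list are tunable assumptions; the useful property is that the rule only fires on the combination, so it stays quiet during normal helpdesk resets and loud during the chain the article describes.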
Harrods
Even London’s glitzy Knightsbridge department store Harrods couldn’t avoid trouble – becoming the third major retailer targeted in under two weeks. The Harrods incident (announced May 1, 2025) was less severe than the others, but it still merited attention.
- Timeline: Harrods discovered the breach attempt in late April (allegedly “earlier this week” before May 1) and publicly confirmed it on May 1. It was described as a cyberattack attempt – not a full-blown encryption or data theft (at least not that Harrods disclosed). This came just days after M&S and Co-op went public with their problems.
- Technical specifics: Harrods revealed almost nothing about the mechanics. Officially, it simply said hackers had “attempted to gain unauthorised access” to some systems. There were no reports of malware, encryption, or data stolen. Press speculation (and claims on ransomware forums) suggest the same DragonForce/Scattered Spider actors may have been poking around, but Harrods did not confirm any link. In practical terms, Harrods treated it as an intrusion attempt: IT teams quickly restricted external connections and rebooted systems. There’s no public indication that the attackers got beyond the attempt stage – it seems IT defenses (and rapid reaction) contained the problem before it escalated.
- Impact: Minimal, by design. Harrods kept its stores, website, and airport boutiques open as usual. The statement noted that some internal systems were “shut down,” but all customer-facing services continued. For shoppers, business went on normally: people could walk in, browse luxury goods, and even shop online. Harrods told customers to carry on – no passwords to change, no data lost, and no need for panic. Essentially, Harrods’ handling turned what could have been a PR nightmare into a footnote. (For completeness: the threat actors claimed to the BBC that they were behind Harrods as well, but that was never confirmed by the company.)
- Official response: Harrods issued a terse statement full of corporate calm. They admitted the attempted breach and said their “seasoned IT security team” had taken immediate steps, including restricting internet access on site. The statement explicitly assured customers that all stores – Knightsbridge, H Beauty, airport shops, and harrods.com – were operating normally. No data breach was reported, so Harrods didn’t ask customers to take any action. In short, Harrods treated the incident as a contained scare, promising to “provide updates as necessary”. It was the textbook example of doing damage control: fix the problem quietly, then reassure everyone that the lights are still on.
NCSC’s Role and Security Tips
The UK’s National Cyber Security Centre (NCSC) – a division of GCHQ – has been front-and-center in all of the above. The NCSC immediately worked with M&S and Co-op after the breaches, and later confirmed it was assisting Harrods as well. NCSC CEO Richard Horne publicly said these incidents should serve as a “wake-up call” for all organizations. In interviews and press releases, NCSC reminded the nation that big brands can be hacked too – so every business needs to tighten up its UK cybersecurity posture.
Importantly, the NCSC didn’t just yell “Wake up!” – it also handed out actionable guidance. On May 5 it published security best practices for retailers (and anyone else) to mitigate such attacks. Key recommendations included:
- Enable multi-factor authentication (MFA) everywhere. As the NCSC bluntly noted, “deploy MFA comprehensively across all systems”. In other words, don’t rely on passwords alone – use two-step verification so that a stolen password still won’t let attackers in.
- Monitor for suspicious logins. Watch your logs like a hawk: flag any unusual or unauthorized account activity, especially logins from odd locations or devices. (For example, if an admin account suddenly logs in from a residential VPN or overseas IP, you want to catch that fast.) Tools like Microsoft Entra ID Protection can help by flagging risky logins.
- Review password-reset and helpdesk processes. This is a direct lesson learned: the M&S/Co-op attackers exploited weak password-reset procedures. The NCSC advises strongly verifying identities before any password reset. Don’t let someone impersonate an executive and trick your IT staff into giving away access. In practice, that means implementing strict policies (secret questions, callback checks, etc.) on all account resets.
- Audit admin accounts. Regularly check who has elevated privileges, and confirm they really need them. Attackers often lurk in dormant admin accounts, so shutting down unused accounts or unnecessary domain admins can limit damage.
- Prepare for incident response. Beyond prevention, the NCSC urged firms to be ready for a breach. Keep offline backups of critical data, segment networks, and have an incident plan. (One tongue-in-cheek tip from infosec experts: “When in doubt, yank the server” – i.e. disconnect infected machines immediately.)
- Consumer advice: NCSC also reminded the public to check bank statements and update passwords if they shop with affected retailers. For example, shoppers quoted by Al Jazeera said the NCSC had urged them to watch for phishing scams in the wake of these incidents.
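The “monitor for suspicious logins” point above is easy to state and fiddly to operationalise. As an added example (not from the article, the NCSC, or any identity product), here is a plain-Python version of the checks such tooling performs: compare each sign-in against a per-user baseline of countries and devices, and flag two countries inside a short window as impossible travel. The sign-in records, users, devices and baseline are all constructed; a real deployment would feed it from the identity provider’s sign-in export.

```python
"""Added example: flag suspicious sign-ins from constructed login records.
Users, devices, countries and timestamps are all invented sample data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records, roughly what an identity provider exports.
LOGINS = [
    {"user": "admin.kate", "time": "2025-04-21T08:00:00", "country": "GB",
     "device": "LAPTOP-K1", "privileged": True},
    # 40 minutes later, a different country and an unregistered device.
    {"user": "admin.kate", "time": "2025-04-21T08:40:00", "country": "NG",
     "device": "UNKNOWN-7F", "privileged": True},
    {"user": "tom.b", "time": "2025-04-21T09:00:00", "country": "GB",
     "device": "LAPTOP-T2", "privileged": False},
    {"user": "tom.b", "time": "2025-04-21T18:00:00", "country": "GB",
     "device": "LAPTOP-T2", "privileged": False},
]

# Per-user baseline of countries and devices observed during a clean period.
BASELINE = {
    "admin.kate": {"countries": {"GB"}, "devices": {"LAPTOP-K1"}},
    "tom.b": {"countries": {"GB"}, "devices": {"LAPTOP-T2"}},
}


def _ts(rec):
    return datetime.fromisoformat(rec["time"])


def detect(logins, baseline, travel_window=timedelta(hours=1)):
    """Return alerts for sign-ins that deviate from the user's baseline:
    a country or device never seen before, or two different countries
    within `travel_window` (impossible travel). Privileged accounts are
    rated high so they surface first in triage."""
    by_user = defaultdict(list)
    for rec in sorted(logins, key=_ts):
        by_user[rec["user"]].append(rec)

    alerts = []
    for user, seq in by_user.items():
        base = baseline.get(user, {"countries": set(), "devices": set()})
        for i, rec in enumerate(seq):
            reasons = []
            if rec["country"] not in base["countries"]:
                reasons.append("new country")
            if rec["device"] not in base["devices"]:
                reasons.append("new device")
            if i > 0:
                prev = seq[i - 1]
                if (prev["country"] != rec["country"]
                        and _ts(rec) - _ts(prev) < travel_window):
                    reasons.append("impossible travel")
            if reasons:
                alerts.append({
                    "user": user,
                    "time": rec["time"],
                    "reasons": reasons,
                    "severity": "high" if rec["privileged"] else "medium",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(LOGINS, BASELINE):
        print(alert)
```

Users absent from the baseline get an empty baseline, so their first sign-in is flagged rather than silently trusted; that is deliberate, because a freshly reset account with no history is exactly the case the article’s attackers exploited.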
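The “review password-reset and helpdesk processes” and “audit admin accounts” points above fit naturally together as a policy gate the helpdesk agent runs before any reset. As an added example (not from the article, the NCSC, or any retailer’s tooling), here is a Python version of such a gate: identity is proven by a callback to the number on file rather than one the caller supplies, privileged accounts additionally need the account’s manager to approve, and a dormant privileged account is escalated rather than reset. The directory entries, phone numbers and requests are constructed.

```python
"""Added example: a policy gate for helpdesk password-reset requests.
The directory, phone numbers and requests are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    privileged: bool          # member of a domain/global admin group
    registered_phone: str     # number on file from HR, never caller-supplied
    manager: str
    last_logon: datetime


@dataclass(frozen=True)
class ResetRequest:
    username: str
    callback_number: Optional[str]       # number the agent actually called back
    callback_confirmed: bool             # person on that number confirmed it
    manager_approval_from: Optional[str]  # who approved, if anyone
    requested_at: datetime


# Constructed directory (hypothetical accounts).
DIRECTORY = {
    "svc.admin": Account("svc.admin", True, "+44 7000 000001", "a.manager",
                         datetime(2025, 4, 21, 17, 0)),
    "jdoe": Account("jdoe", False, "+44 7000 000003", "b.manager",
                    datetime(2025, 4, 21, 9, 0)),
    "old.admin": Account("old.admin", True, "+44 7000 000004", "a.manager",
                         datetime(2024, 12, 1, 9, 0)),
}

NOW = datetime(2025, 4, 22, 9, 0)

# The social-engineering shape from the article: caller asks for a privileged
# reset, offers their own "mobile number" for the callback, no manager involved.
BAD_REQUEST = ResetRequest("svc.admin", "+44 7000 000002", True, None, NOW)
# Same account, done properly: callback to the number on file, manager signed off.
GOOD_REQUEST = ResetRequest("svc.admin", "+44 7000 000001", True, "a.manager", NOW)
# Ordinary user, callback to the registered number, no approval required.
USER_REQUEST = ResetRequest("jdoe", "+44 7000 000003", True, None, NOW)
# Dormant admin account: even a well-formed request should be escalated.
DORMANT_REQUEST = ResetRequest("old.admin", "+44 7000 000004", True, "a.manager", NOW)


def evaluate_reset(req, directory, dormant_after=timedelta(days=90)):
    """Return ("approve", []) or ("deny", [reasons]). Each rule draws on the
    directory, not on anything the caller says, so the agent cannot be
    talked out of it."""
    acct = directory.get(req.username)
    if acct is None:
        return "deny", ["unknown account"]
    reasons = []
    if not req.callback_confirmed or req.callback_number != acct.registered_phone:
        reasons.append("no confirmed callback to the registered number")
    if acct.privileged and req.manager_approval_from != acct.manager:
        reasons.append("privileged account requires approval from its manager")
    if acct.privileged and req.requested_at - acct.last_logon > dormant_after:
        reasons.append("dormant privileged account: escalate for review, consider disabling")
    return ("deny", reasons) if reasons else ("approve", [])


if __name__ == "__main__":
    for name, req in [("bad", BAD_REQUEST), ("good", GOOD_REQUEST),
                      ("user", USER_REQUEST), ("dormant", DORMANT_REQUEST)]:
        print(name, evaluate_reset(req, DIRECTORY))
```

The dormant-account rule doubles as the audit the NCSC recommends: any privileged account that has not signed in for 90 days (an assumed threshold) is surfaced at the moment someone shows interest in it, which is when an unused admin account is most dangerous.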
These “NCSC security tips” are now pinned to the top of every CIS Helpline, from shiny big retailers to tiny bakers. As the NCSC put it, organizations of all sizes should “prepare for the worst” because “attackers could test their defenses next”.
In a nutshell, the incidents have pushed UK cybersecurity into the spotlight. The Retail Consortium warned that UK stores are under increasingly sophisticated siege, and the government is considering new rules to force businesses to prioritize security. For our part, we can at least sleep easier knowing the experts have spelled out the checklist: MFA on, eyes on the logs, and never, ever let that dodgy call reset your password without proof.
Sources: This account draws on company disclosures and media reports. Key sources include official M&S and Co-op statements via the London Stock Exchange, Reuters and Guardian news articles, cybersecurity press (Help Net Security, BleepingComputer) for technical details, and NCSC guidance through news summaries. These provide a detailed, up-to-date picture of the breaches, their impact, and the recommended defenses in their aftermath.