The UK’s retail sector has long been seen as a digital leader, pioneering ecommerce, omnichannel loyalty and data-rich customer journeys. But in recent weeks, that digital ambition has met an equally ambitious adversary.
Dior. Marks & Spencer. Harrods. Co-op. One after another, some of the UK’s most recognisable retail brands have found themselves dragged into damaging cybersecurity breaches, often through no immediate fault of their own. Their experiences reveal systemic issues that reach far beyond any one retailer’s IT estate. At stake is not only operational resilience, but the sector’s ability to secure increasingly complex ecosystems and maintain customer confidence in an age of data-driven commerce.
These incidents weren’t isolated blips. According to the UK government’s Cyber Security Breaches Survey 2025, 43% of businesses reported a cybersecurity breach in the last year, with ransomware and supply chain compromise on the rise. Retail is among the most affected sectors — a finding echoed in global research from Armis, which notes that 49% of IT leaders in retail admit their organisation has already been hacked and not fully secured. Despite this, only 46% believe their teams can detect and respond to a major cyberattack in real time.
M&S is the most prominent recent victim. The company’s Easter-weekend breach is believed to have been orchestrated by the Scattered Spider group, exploiting access through an external IT contractor. Systems were shut down, customer data accessed, and online services suspended — all in the midst of a critical sales period. The company’s share price dropped sharply, with analysts estimating a £1 billion loss in market capitalisation.
Co-op’s incident, linked to the DragonForce hacker group, caused prolonged stock ordering issues across its food stores. Harrods reported a precautionary system shutdown. Dior, meanwhile, confirmed unauthorised access to customer data across Asia.
To cybersecurity professionals, this pattern wasn’t surprising. Spencer Starkey, Executive VP EMEA at SonicWall, states: “Ransomware holds retailers’ business operations hostage — which gives attackers additional leverage to extract ransom payments. These companies are lucrative targets.”

The third-party problem
For threat actors, retail offers the perfect storm: rich data, broad attack surfaces, a need for constant uptime, and, critically, a vast network of third-party partners with access to core systems.
Jordan Avnaim, CISO at Entrust, noted that the breach at M&S followed a familiar trajectory. “Supply chain attacks are a common tactic for cybercriminals, who often view contractors as softer targets. This incident is concerning, but not surprising.” In today’s environment, he argued, “defending against these risks requires more than perimeter controls. It demands identity verification that can’t be socially engineered and a clear board-level understanding of risk.”
That board-level dimension is increasingly urgent. As Avnaim puts it, “Security leaders need to speak the board’s language — reputational and financial risk, not technical jargon.”
His view is echoed by Darius Goodarzi, Business Director for Information Security at Robert Walters London: “Building cyber resilience is about acknowledging that your business will never be completely protected. Boards must implement pre-, during- and post-attack measures to ensure their organisation can absorb, recover, and improve.”
The challenge isn’t merely about hardening defences. It’s about recognising where the risks originate. Retail’s modern supply chains are built on fast-changing vendor relationships, from app developers and marketing agencies to logistics partners and embedded fintech providers. Many of these connections were bolted on for speed and convenience, not built for resilience.
Traditional risk assessments no longer suffice, according to Marko Maras, CEO of Trustfull. “Spreadsheets and annual questionnaires are no longer enough in 2025. What businesses now need is continuous, real-time monitoring of vendor risk.”
Maras warns that many vendors have deep access into sensitive systems, but without the same oversight retailers apply internally. His advice: “Segment access, ask smarter questions during onboarding, and treat vendors like an extension of your own attack surface.”
Garry Brown, Managing Director at Bondgate IT, agrees: “A once-a-year audit or compliance checklist doesn’t reflect the real-time nature of today’s threats. The biggest takeaway from these attacks is that businesses need a mindset where everything is verified constantly — not assumed secure because a vendor passed an assessment months ago.”
That shift in mindset requires businesses to go beyond technical fixes. Several experts pointed to the importance of a “defence-in-depth” approach — layering systems, segmenting access, and investing in real-time threat detection. But equally important is organisational culture. Abraham Ingersoll, Chief Security Officer at THG Ingenuity, argues that employees should never be expected to carry the burden of security decisions. “Clicking on a dodgy link should never even be possible. The phishing attempt should have been caught upstream — at the browser, at the firewall, or at the identity gateway.”
Social engineering is central to modern cybercrime. Many recent breaches involved some level of impersonation or credential theft, made more sophisticated by AI-generated deepfakes or automated phishing. According to the Armis survey, major attacker groups feared by retailers include Anonymous, DarkSide, and APT41 — all known for highly targeted and adaptable tactics.

From breach response to business resilience
For businesses, the cost of failure is no longer just technical downtime. It’s consumer trust, media scrutiny, and strategic paralysis. M&S reportedly expects to recover up to £100 million through cyber insurance — a valuable cushion, but one that doesn’t account for reputational damage or lost consumer confidence. For Dior, a data breach in Asia could erode loyalty in one of its most strategically important markets.
Even with insurance in place, the operational shock can be significant. “Organisations need to have a solid incident response plan,” said Bondgate IT’s Garry Brown. “That means training staff regularly, testing recovery processes, and having clear communication protocols in place — both internally and externally.”
SonicWall’s Spencer Starkey puts it even more directly: “Companies should presume they will be targeted and prepare accordingly. That includes not just response, but transparency with consumers and regulators.”
The regulatory pressure is growing too. Nearly half of retail IT leaders told Armis they feel overwhelmed by the complexity of the current compliance landscape. As rules evolve — from GDPR to the incoming NIS2 Directive — companies must now not only defend against breaches, but prove that they’ve taken reasonable steps to prevent them.
There is, however, some optimism. According to the same Armis research, 79% of retail IT leaders now cite moving toward a more proactive cybersecurity posture as a top goal for the year. That means going beyond prevention and towards resilience — anticipating failure, containing blast radius, and recovering with minimal damage.
This shift is crucial. Cybersecurity is increasingly about building tolerance — designing systems and teams that can absorb impact, isolate infection, and respond without delay. For retailers, that means embedding cyber thinking into vendor procurement, logistics planning, workforce training and board-level governance.
Darius Goodarzi summarises it well: “Cybersecurity investments must be proportional to risk. That doesn’t mean overengineering for every scenario, but understanding which systems, suppliers and assets are critical — and planning accordingly.”
Ultimately, the attacks on M&S, Co-op, Harrods and Dior aren’t just stories about hackers. They are stories about interdependence, fragility and the growing pains of digital transformation. As consumer expectations rise and attackers evolve, the ability to secure and communicate trust will be as central to brand value as price, product or service.
In a sector where loyalty is measured in seconds and disruptions ripple through entire ecosystems, retail’s cyber reckoning may have only just begun. But if there’s one lesson from the past month, it’s that those who build resilience now won’t just be safer — they’ll be better positioned to lead.