Major Cyber Attacks Target UK Retailers
Insight into the cyber attacks that hit some major stores.
Shane Brown
5/3/2025 · 6 min read


Major Cyberattacks Target UK Retailers: DragonForce Ransomware Campaign Exposes Critical Vulnerabilities
The United Kingdom's retail sector faced an unprecedented cybersecurity crisis in late April and early May 2025, as coordinated ransomware attacks crippled operations at Marks & Spencer (M&S), Co-op, and Harrods. These incidents, attributed to the cybercriminal groups DragonForce and Scattered Spider, disrupted supply chains, exposed customer data, and erased over £700 million from M&S's market value. The National Cyber Security Centre (NCSC) described the attacks as a "wake-up call" for organizations nationwide, emphasizing the urgent need for enhanced cybersecurity measures. This blog delves into the timeline of events, operational and financial repercussions, vulnerabilities exploited, and critical lessons for the retail industry.
Overview of the DragonForce/Scattered Spider Campaign
Timeline of Events
The attacks unfolded over two weeks, targeting three of the UK's most iconic retailers:
April 21–25, 2025: M&S began experiencing technical glitches in contactless payments and click-and-collect services, later confirmed as the initial phase of a ransomware attack. By April 25, the retailer suspended all online orders and removed 200 job postings from its website.
April 28–30, 2025: M&S warehouses reported empty shelves and shortages of popular items like Percy Pigs sweets, while Co-op disclosed a cyber incident involving back-office systems.
May 1, 2025: Harrods restricted internet access across its stores after detecting unauthorized intrusion attempts, though operations remained largely unaffected.
May 2, 2025: Co-op admitted that hackers had accessed personal data of a "significant number" of current and former members, contradicting earlier claims of minimal impact. The NCSC issued a formal warning to all UK organizations to prioritize cybersecurity.
Attack Methodology and Threat Actors
DragonForce, a ransomware-as-a-service (RaaS) group, and Scattered Spider, a loosely affiliated collective of young hackers, collaborated to exploit vulnerabilities in retail IT infrastructure. Their tactics included:
Phishing and Social Engineering: Employees received fraudulent messages designed to harvest credentials or deploy malware.
Exploitation of Known Vulnerabilities: Attackers targeted unpatched flaws in Active Directory and third-party SaaS platforms.
Ransomware Deployment: Attackers encrypted critical systems and demanded cryptocurrency payments for decryption keys.
The groups leveraged Microsoft Teams chats to infiltrate Co-op's internal communications, exfiltrating usernames, passwords, and customer membership data.
Financial and Operational Impact
Marks & Spencer: A Retail Giant Under Siege
M&S suffered the most severe consequences, with losses compounding daily:
Market Value Drop: Share prices fell 6.5%, erasing £700 million ($930 million) in market capitalization.
Daily Revenue Losses: The suspension of online clothing and home goods sales cost £3.8 million ($5.05 million) per day, with seasonal stockouts exacerbating losses.
Operational Chaos: Empty shelves, halted recruitment, and loyalty program disruptions damaged customer trust.
Co-op: A Data Breach Crisis
Co-op initially downplayed the attack but later confirmed that hackers accessed:
Personal Data: Names, contact details, and birth dates of millions of members.
Employee Credentials: Usernames and passwords for 70,000 staff.
The breach prompted a $50 million investment in cybersecurity upgrades and a $20 million regulatory fine.
Harrods: Minimal Disruption, Maximum Vigilance
Harrods avoided major financial losses but implemented stringent measures, including restricted internet access and enhanced monitoring of virtual meetings. The luxury retailer's ability to maintain in-store and online operations highlighted the importance of rapid incident response.
Vulnerabilities Exploited and Systemic Failures
Overreliance on SaaS Platforms
The attacks exposed critical risks in retailers' dependence on software-as-a-service (SaaS) solutions. JPMorgan Chase CISO Patrick Opet warned that SaaS providers often prioritize speed over security, creating "single points of failure" in retail supply chains. At M&S, compromised Active Directory servers allowed attackers to pivot laterally into inventory management systems.
Delayed Patching and Misconfigured Access Controls
SonicWall VPN vulnerabilities and unpatched SAP NetWeaver flaws enabled attackers to establish persistent access. Co-op's failure to segment its membership database from internal communications tools allowed DragonForce to exfiltrate 20 million records.
Insufficient Employee Training
Non-technical staff at retail locations became unwitting entry points for phishing campaigns. Darktrace analysts noted that "Multi-Factor Authentication fatigue" tactics—bombarding employees with login requests—allowed Scattered Spider to bypass security protocols.
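As an added illustration (not part of the original post and not any vendor's tooling), the example below shows how a detection team could flag the MFA-fatigue pattern described above from push-notification logs: a burst of denied or ignored prompts for one user, escalated when an approval follows the burst. The event layout, result values, window, threshold and alert names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-notification events: (timestamp, user, result).
# The tuple layout and result values are assumptions, not a real IdP schema.
SAMPLE_EVENTS = [
    ("2025-01-10T02:10:05", "store.clerk01", "denied"),
    ("2025-01-10T02:10:40", "store.clerk01", "timeout"),
    ("2025-01-10T02:11:15", "store.clerk01", "denied"),
    ("2025-01-10T02:11:50", "store.clerk01", "timeout"),
    ("2025-01-10T02:12:30", "store.clerk01", "approved"),  # gives in after a burst
    ("2025-01-10T09:00:00", "buyer.jones", "timeout"),
    ("2025-01-10T09:00:20", "buyer.jones", "approved"),    # ordinary single retry
    ("2025-01-10T14:00:00", "hr.patel", "denied"),
    ("2025-01-10T14:01:00", "hr.patel", "denied"),
    ("2025-01-10T14:02:00", "hr.patel", "timeout"),
    ("2025-01-10T14:03:00", "hr.patel", "denied"),         # burst, never approved
    ("2025-01-10T08:00:00", "it.smith", "timeout"),
    ("2025-01-10T11:00:00", "it.smith", "timeout"),
    ("2025-01-10T14:00:00", "it.smith", "timeout"),
    ("2025-01-10T17:00:00", "it.smith", "timeout"),        # spread out, no burst
]

def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=4):
    """Map user -> alert name for users with >= threshold failed pushes in window.

    'push_burst' means the user is being bombarded; 'approved_after_burst'
    means a prompt was accepted right after the burst and the session
    should be treated as suspect until verified with the user.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent failed pushes
    alerts = {}
    for ts_text, user, result in sorted(events):  # ISO timestamps sort correctly
        ts = datetime.fromisoformat(ts_text)
        failures = recent[user]
        while failures and ts - failures[0] > window:
            failures.popleft()  # drop failures that fell out of the window
        if result in ("denied", "timeout"):
            failures.append(ts)
            if len(failures) >= threshold:
                alerts.setdefault(user, "push_burst")
        elif result == "approved":
            if len(failures) >= threshold:
                alerts[user] = "approved_after_burst"
            failures.clear()  # a successful login resets the counter
    return alerts

if __name__ == "__main__":
    for user, alert in detect_mfa_fatigue(SAMPLE_EVENTS).items():
        print(f"{alert}: {user}")
```
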
Response and Recommendations
Government and Law Enforcement Actions
NCSC Guidance: The agency urged retailers to adopt zero-trust architectures, conduct tabletop exercises, and prioritize vulnerability management.
Regulatory Scrutiny: Labour MP Matt Western called for stricter ransomware penalties and mandatory breach disclosures.
Expert Recommendations for Retailers
Implement Strong Identity and Access Management (IAM): Enforce role-based access controls and privileged account monitoring to limit lateral movement.
Conduct Regular Security Audits: Identify and remediate vulnerabilities in legacy systems and third-party integrations.
Educate Employees and Executives: Train staff to recognize phishing attempts and ensure C-suite leaders understand the business impact of cyber risks.
Develop Ransomware Response Playbooks: Predefine decision-making frameworks for ransom negotiations, system recovery, and customer communications.
Conclusion: A Watershed Moment for Retail Cybersecurity
The DragonForce/Scattered Spider campaign underscores the existential threats posed by ransomware to the retail sector. For M&S, Co-op, and Harrods, the path to recovery will require not only technological upgrades but also cultural shifts toward cyber resilience. As the NCSC's Richard Horne starkly warned, "If this can happen to M&S, it can happen to anyone". Retailers must now choose: invest in proactive defenses or risk becoming the next casualty in an escalating cyber war.
The lessons from these attacks extend beyond the UK. Globally, retailers must scrutinize supply chain partnerships, modernize incident response strategies, and recognize that customer trust—once lost—is extraordinarily difficult to regain. In an era where cybercriminals exploit vulnerabilities faster than they can be patched, vigilance is no longer optional—it is the price of survival.