Anatomy of a Breach

Anatomy of a Breach: UK Retail Under Siege — Co-op Group and Harrods Targeted in the Same Campaign

> series: anatomy_of_a_breach —— part: 197 —— targets: co-op_group + harrods —— context: coordinated_uk_retail_campaign —— ncsc: specific_guidance_issued<span class="cursor-blink">_</span>_

Hedgehog Security 31 May 2025 13 min read
co-op harrods uk-breach retail coordinated-attack ncsc-guidance scattered-spider series
Breach #197

M&S. Co-op. Harrods. Three of the UK's most iconic retailers. Targeted in the same campaign.

In May 2025, the Co-op Group — one of the UK's largest retailers with over 2,300 stores and a significant funeral care and insurance business — disclosed a significant cyber attack affecting its retail operations and back-office systems. The attack disrupted stock management, internal communications, and some customer-facing services. The Co-op was the second major UK retailer to be hit following Marks & Spencer's devastating DragonForce ransomware attack the previous month.

Days later, Harrods — the iconic Knightsbridge luxury department store — confirmed that it had been targeted in an attempted cyber attack that was intercepted before causing significant operational disruption. The concentration of attacks against three of the UK's most recognisable retail brands — M&S, Co-op, and Harrods — within weeks of each other prompted the NCSC to issue specific guidance to UK retailers on defending against the campaign, which it described as leveraging social engineering and exploiting IT help desk processes. The UK's Information Commissioner and cyber minister also made public statements about the attacks.

Coordinated Retail Targeting
Recommended

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call

Three brands. Three weeks. The UK retail sector is under sustained attack.

UK Retail: The Target Sector of 2025
M&S (£1.9B), Co-op (significant disruption), Harrods (intercepted) — three of the UK's most prominent retailers targeted within weeks. The UK <a href="/blog/sector-under-the-microscope-retail">retail sector</a> was identified as being under specific, sustained attack. Our <a href="/penetration-testing">penetration testing</a> is available to UK retailers under threat.
NCSC Issues Specific Retail Guidance
The NCSC's decision to issue specific guidance to UK retailers — including recommendations on help desk verification, MFA enforcement, and IT service provider security — reflected the severity of the threat. <a href="/cyber-essentials">Cyber Essentials Danzell</a> addresses every control the NCSC recommended.
Harrods: Intercepted Before Damage
Harrods' successful interception of the attack demonstrated that prepared organisations with effective monitoring and incident response can detect and contain attacks before they cause M&S-level damage. <a href="https://www.socinabox.co.uk/sectors/retailers">SOC in a Box for Retail</a> provides the 24/7 monitoring that enables interception.
Social Engineering of Help Desks
The NCSC's guidance specifically referenced social engineering of IT help desks — the same technique used against <a href="/blog/anatomy-of-a-breach-mgm-caesars">MGM/Caesars</a> (2023) and <a href="/blog/anatomy-of-a-breach-uber-2022">Uber</a> (2022). Our <a href="/penetration-testing/social-engineering">social engineering assessments</a> include vishing scenarios targeting help desks and IT support teams.
UK Retail Must Defend

The NCSC has warned. The attacks are ongoing. UK retailers must act now.

The coordinated assault on UK retail in spring 2025 established that the sector is under active, sustained targeting. For every UK retailer — from high-street chains to independent shops — the NCSC's guidance and the M&S/Co-op/Harrods attacks demand immediate action: Cyber Essentials certification, social engineering testing of help desks, penetration testing of IT infrastructure, SOC in a Box for Retail, and incident response capability. Harrods proved that interception is possible. M&S proved the cost of failure. The choice is yours.

UK Retail Defence

M&S: £1.9B. Co-op: disrupted. Harrods: intercepted. The NCSC has warned. Are you defended?

<a href="/penetration-testing/social-engineering">Social engineering testing</a> for help desks. <a href="/cyber-essentials">Cyber Essentials</a>. <a href="https://www.socinabox.co.uk/sectors/retailers">SOC in a Box for Retail</a>. <a href="https://www.cyber-defence.io/services/incident-response">Incident response</a>.

Commission a Retail Security Assessment Next: SAP NetWeaver
Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call
Keep Reading

Related Articles

Anatomy of a Breach 30 April 2025

Anatomy of a Breach: Marks & Spencer — DragonForce Ransomware Costs £1.9 Billion and Hits UK GDP

Breach #196. In April 2025, Marks & Spencer — one of the UK's most iconic retailers with over 33,000 employees and an estimated 200,000 in its supply chain — was hit by a ransomware attack attributed to DragonForce, leveraging social engineering techniques associated with the Scattered Spider collective. The attack disrupted online sales, in-store contactless payments, click-and-collect services, and supply chain operations for weeks. The Bank of England confirmed the attack had impacted UK GDP growth. The estimated cost exceeded £1.9 billion ($2.5 billion), making it the most expensive cybersecurity breach in British history. The attack was linked to outsourced IT services, underscoring the supply chain dependency that has defined every major UK retail breach.

marks-spencer dragonforce
16 min read
Anatomy of a Breach 30 November 2024

Anatomy of a Breach: Blue Yonder — Supply Chain Ransomware Hits UK Supermarkets and Global Retailers

Breach #191. In November 2024, Blue Yonder — a major supply chain management software provider owned by Panasonic — was hit by ransomware that disrupted services for its global customer base. The attack affected warehouse management and logistics systems used by major retailers including Morrisons and Sainsbury's in the UK, and Starbucks in the US. Morrisons reported disruption to its warehouse management systems affecting the flow of goods to stores. The breach was the latest in a pattern of supply chain vendor attacks affecting UK retailers — from Blackbaud (2020) through Kaseya (2021) to MOVEit/Zellis (2023).

ransomware blue-yonder
13 min read
Anatomy of a Breach 30 September 2015

Anatomy of a Breach: Carphone Warehouse — 2.4 Million Customers and an ICO £400,000 Fine

Breach #081. In August 2015, Carphone Warehouse disclosed that attackers had gained unauthorised access to the personal data of up to 2.4 million customers and 90,000 encrypted credit card records through a division running the company's online services. The ICO later fined Carphone Warehouse £400,000 — its largest fine at the time — for systemic security failings including outdated software, inadequate testing, and lack of rigorous security measures. The breach came just two months before the TalkTalk attack would dominate UK headlines.

data-breach carphone-warehouse
12 min read
All Posts Get in Touch