What M&S, Harrods and Co-op cyberattacks teach us

What can your business learn from the M&S, Harrods and Co-op cyberattacks in 2025?

In just one week, three major UK retailers were hit by cyberattacks: Marks & Spencer, Harrods, and the Co-op. These aren’t startups or small chains. They’re household names with hefty IT budgets and serious teams behind the scenes.

So what happened, and why should every business – no matter the size – be paying attention?

What happened to the Co-op?

The Co-op confirmed a significant data breach affecting millions of current and past members. Hackers accessed personal details including:

• Names
• Contact information
• Dates of birth
• Membership card numbers

Initially, the Co-op reported no bank or transaction data was stolen – but that’s now uncertain. Some login details have already surfaced on the dark web.

DragonForce, the group behind the attack, claimed to have stolen data from up to 20 million members. Further findings revealed:

• Membership login data leaked to the dark web
• Ordering systems were disrupted
• Some IT systems were temporarily shut down
• Stock availability was affected across stores

What happened at M&S and Harrods?

Marks & Spencer

• April 21 2025: Contactless payments and click-and-collect went offline
• April 25 2025: Online orders suspended, 200+ job listings pulled
• Market value dropped by over £700 million

Attackers may have accessed M&S’s systems as early as February 2025.

Harrods

• May 1: Detected attempted unauthorised access
• Employee data and internal files accessed
• No customer payment data affected, but a warning sign nonetheless

Are these attacks connected?

It’s under investigation.

• DragonForce claimed responsibility for all three incidents
• Scattered Spider (aka Octo Tempest) is linked to M&S by analysts
• NCSC and NCA are “mindful they may be linked”

A shift in cybercriminal tactics

These attacks show a shift from targeting payment data to broader business disruption:

• Targeting digital supply chains
• Disrupting ordering systems
• Exploiting employee data and internal files
• Using AI-powered tactics 

What practical steps can businesses take now?

Smaller businesses are often more agile and better placed to act. Here’s where to start:

1. Cyber awareness training: Because one wrong click is all it takes
2. Patch your systems regularly: Don’t give criminals easy entry points
3. Check your backups: And test them before you need them
4. Audit your supply chain: Vet vendors during onboarding and run regular audits
5. Build a response plan: Include crisis drills and pre-prepared comms templates
6. Protect your most valuable data and systems: Use layered security and role-based access tailored to sensitivity
7. Train beyond IT: Cybersecurity is everyone’s business

Adam’s take: “It’s not just a tech issue. It’s a people issue.”

“Cybersecurity isn’t just about firewalls and software. It’s about people, habits, and awareness. These attacks didn’t break through complex code – they exploited human error. That’s why at Cloud & More, cyber is everyone’s business. From the boardroom to the break room.”

– Adam Whatford, Cloud & More

What we can all learn

Key takeaways

• Big brands are vulnerable too: Even with big budgets, they’re still targets
• People are the weakest link: Most breaches start with a phishing email
• Supply chains matter: One third-party flaw can open the door
• DragonForce isn’t backing down: Retail is firmly in the crosshairs
• Recovery is just as important as prevention: Have your plan, team roles, and comms ready
• AI is changing the game: It’s used by both attackers and defenders now

Explore more cyber security with Cloud & More

Download our FREE Cyber Relience Check List

Further reading:

• Business continuity plan examples

• Why your team needs Cyber awareness training

• How to build a cyber-resilient business