Retail cyberattacks: Will your business be next?

Recent cyberattacks on major UK retailers have caused severe operational disruption, data breaches, and lasting reputational damage. But these threats aren’t limited to retail - professional services firms are equally at risk. Cybercriminals increasingly target organisations of all sizes, exploiting sensitive data and weaknesses in governance. The UK Government’s Cyber Governance Code of Practice now places clear responsibility on senior leaders to proactively manage cyber risks and build resilience before their business becomes the next victim.


What happened?

In recent weeks, a wave of cyberattacks has hit UK retailers Marks & Spencer and Co-op, and luxury department store, Harrods.

The first incident came over the Easter weekend, when Marks & Spencer announced it was managing a cyberattack. The retailer was forced to suspend orders via its website, app and call centres, severely disrupting its online operations. In-store systems also suffered, leading to stock shortages and significant delays across supply chains.

As M&S worked to contain the issue, Co-op reported an attempted breach on its systems. The retailer shut down parts of its IT network across 2,300 stores, disrupting deliveries, card payments, and stock availability.

Shortly afterwards, Harrods confirmed hackers had attempted to access its internal networks. Though fewer details were disclosed, the scale of these attacks is a stark reminder that no organisation – regardless of sector or size – is immune to highly disruptive cyber threats.

Who is behind it – and what are they after?

The attacks are believed to involve affiliates of DragonForce, a ransomware-as-a-service (RaaS) operation that enables cybercriminals to purchase powerful malware tools. It is understood that the hacking group Scattered Spider used social engineering to gain access to networks and exfiltrate sensitive employee and customer data.

Following the attacks, the UK’s National Cyber Security Centre issued a warning that such groups are becoming more aggressive and organised, and that “attacks like this are becoming more and more common. And all organisations, of all sizes, need to be prepared”.

While there are various types of attacks – ransomware, business email compromise – the objective is nearly always the same: financial gain. Attackers want to make money, whether through ransom payments, stolen payment card data, or intercepted transactions. Increasingly, stolen data is used as leverage, with victims threatened that information will be leaked publicly unless they pay up quickly.

Costly consequences and reputational damage

It is still early days, but for Marks & Spencer, the consequences of the cyberattack have already proved to be severe. Following the disclosure of the breach, the retailer’s share price dropped by 14%, wiping more than £700 million from its market value. With online orders suspended and in-store systems disrupted, analysts estimated the attack cost the retailer £43 million a week in lost sales and operational downtime. M&S has since confirmed the breach will lead to a £300 million hit to profits and warned that disruption is likely to continue into July, with empty shelves and delays expected for some time.

Recovering from a breach is rarely fast or straightforward – IBM’s 2024 Cost of a Data Breach Report found it took an average of 258 days to identify and contain a breach. Full recovery can take months or even years, as organisations work to rectify the damage and strengthen defences to prevent it from happening again.

Both M&S and Co-op confirmed that customer data had been stolen, including names and contact details, and the breaches have raised serious concerns around data security.

The Information Commissioner’s Office (ICO) is likely to investigate whether “appropriate technical and organisational measures” were in place to protect personal data. If either retailer is found to have fallen short of their legal obligations, they could face significant penalties.

In addition to regulatory scrutiny, affected customers may also pursue compensation claims – particularly if evidence emerges that their data was shared or misused.

However, by far the most damaging consequence for any business hit by a cyberattack is the loss of customer trust and confidence. Even when financial losses are contained, the reputational fallout can linger for years. Customers may be hesitant to return, unsure whether their data is safe or if the organisation has done enough to prevent future breaches.

Rebuilding that trust takes time, transparency, and a clear demonstration that lessons have been learned and stronger protections are now in place. For brands like M&S and Co-op, the impact on reputation may ultimately outweigh the immediate financial and operational costs.

A wake-up call for professional services firms

The retail cyberattacks have highlighted just how serious the consequences of a breach can be – from operational disruption and financial loss to lasting reputational damage.

But cybercriminals don’t just target large brands and household names – small and medium-sized firms are falling victim all too often.

On the back of the attacks, Richard Horne, NCSC CEO, advised “The high-profile cyber attacks we have seen in recent weeks must give us pause – not because they are unique, but because they are not. They merely serve to highlight the reality of what the National Cyber Security Centre sees every day”.

Accountants, law firms, financial and other professional services firms all handle highly sensitive financial and client data, making them prime targets. While ransomware attacks make the headlines, firms in these sectors are more frequently hit by business email compromise and the interception of payments or confidential information.

It’s a common (but dangerous) misconception that SMEs are too small to be a target. In reality, their size often makes them easier to breach, given their frequent reliance on general IT support rather than cyber security specialists.

And the consequences can be just as damaging – if not more so. Operational disruption, loss of billable hours, leaked client data, and reputational harm can seriously threaten a firm’s stability, client relationships, and long-term success.

Ultimately, these recent attacks have made it clear that no business, regardless of size, is immune to cyber threats.

A strategic view: Introducing the Cyber Governance Code of Practice

The release of the UK Government’s Cyber Governance Code of Practice in April 2025 was not timed in response to the recent retail breaches (it was a year in the making) – but its arrival couldn’t be more relevant.

Developed in partnership with the National Cyber Security Centre (NCSC), the Code places clear responsibility for cyber resilience on boards and senior leadership. It recognises that cyber risk is a strategic imperative requiring oversight, accountability, and proactive management at the highest levels.

Built around five governance principles – Risk Management, Strategy, People, Incident Planning & Response, and Assurance & Oversight – the Code provides a framework for boards to strengthen defences and respond effectively to cyber threats. A key theme of the Code is the need for boards to gain assurance (which should be independent of the firm’s IT provider) that the right cyber risk management arrangements are in place.

Whether you are a large retailer facing widespread disruption or a professional services firm protecting sensitive client data, the message is the same: robust cyber governance starts at the top.

The time to act is now. Boards must embed these principles to safeguard their organisation’s future and build lasting digital resilience before their business becomes the next victim.

Would you like to speak to Mitigo?

Please complete your details and we will contact you to discuss your needs.
