Today I’m jotting down my thoughts on the spate of cyber incidents that hit three of the UK’s most recognised retailers—Marks & Spencer, the Co-op Group, and Harrods—over the past two weeks. Here’s what we know and what I’m mulling over, written in diary style rather than a dry report.
What Happened
I woke up on April 21 to a flurry of alerts about M&S’s contactless-payment systems failing across their stores—turns out the outage began early that morning after unauthorised access was detected on their network (Reuters). By April 25, M&S had suspended all online orders and click-and-collect services while they scrambled to contain the breach (The Guardian). According to insiders, the ransomware strain behind the attack is DragonForce, deployed by the Scattered Spider group—this aligns with forensic artefacts suggesting human-targeted phishing for initial entry (BleepingComputer).
Just as M&S staff were still in crisis-mode, the Co-op Group announced on April 30 that it had proactively taken parts of its infrastructure offline after detecting a breach; they later confirmed extraction of significant customer data—names, emails, and addresses—though payment details seem untouched so far (The Guardian).
Then on May 1, Harrods revealed it had shut down certain systems in response to attempted unauthorised access—while they insist no data was stolen, inventory and stock-management functions remain impaired even today (Reuters)(The Guardian).
Technical Sneak-Peek
Flipping through my notes, these penetration tactics stand out:
- Spear-phishing & MFA fatigue: Adversaries likely sent tailored emails with credential-harvesting links, then bombarded the targets with MFA push requests until someone tapped Approve just to make the prompts stop (The Security Validation Platform)(Talos Intelligence Blog). Number matching or a phishing-resistant factor closes this gap; a plain accept/deny push does not.
- SIM-swap attacks: In some cases, attackers hijack a victim's phone number to intercept one-time codes. This "phone porting" trick remains alarmingly effective against SMS- and voice-based MFA (The Security Validation Platform).
- Exploiting unpatched VPN gateways: Legacy VPN appliances and web-access portals often lag on patching. A remote-code-execution flaw there grants an initial foothold with no human interaction at all (The Security Validation Platform).
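Here is how I would go looking for the first two tactics (push bombing and a SIM-swap footprint) in sign-in telemetry. This is an added example of mine, not code from any of the affected retailers or from the sources cited above; the flat event schema (fields ts, user, event, result, ip), the sample events and the thresholds are all constructed assumptions to be mapped onto whatever your identity provider actually logs.

```python
"""Detect two of the initial-access tactics above in sign-in telemetry:
push bombing (MFA fatigue) and a phone-number / MFA-method change that is
followed by a successful login from an IP the user has never used before
(the usual footprint of a SIM swap).

Added example. The flat event schema below (ts, user, event, result, ip)
is an assumption for illustration, not any vendor's log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Deliberately unordered.
SAMPLE_EVENTS = [
    # alice: six push prompts in eight minutes, the last one approved
    {"ts": "2025-04-19T06:02:11Z", "user": "alice", "event": "mfa_push", "result": "denied", "ip": "203.0.113.5"},
    {"ts": "2025-04-19T06:03:30Z", "user": "alice", "event": "mfa_push", "result": "denied", "ip": "203.0.113.5"},
    {"ts": "2025-04-19T06:04:52Z", "user": "alice", "event": "mfa_push", "result": "denied", "ip": "203.0.113.5"},
    {"ts": "2025-04-19T06:06:05Z", "user": "alice", "event": "mfa_push", "result": "denied", "ip": "203.0.113.5"},
    {"ts": "2025-04-19T06:07:48Z", "user": "alice", "event": "mfa_push", "result": "denied", "ip": "203.0.113.5"},
    {"ts": "2025-04-19T06:09:40Z", "user": "alice", "event": "mfa_push", "result": "approved", "ip": "203.0.113.5"},
    {"ts": "2025-04-19T06:10:02Z", "user": "alice", "event": "login_success", "result": "ok", "ip": "203.0.113.5"},
    # bob: two stray denials hours apart, nothing approved -> benign
    {"ts": "2025-04-19T08:00:00Z", "user": "bob", "event": "mfa_push", "result": "denied", "ip": "198.51.100.9"},
    {"ts": "2025-04-19T15:30:00Z", "user": "bob", "event": "mfa_push", "result": "denied", "ip": "198.51.100.9"},
    # carol: phone number changed, then a login from a never-seen IP
    {"ts": "2025-04-20T09:15:00Z", "user": "carol", "event": "login_success", "result": "ok", "ip": "203.0.113.77"},
    {"ts": "2025-04-18T10:00:00Z", "user": "carol", "event": "login_success", "result": "ok", "ip": "198.51.100.7"},
    {"ts": "2025-04-20T09:00:00Z", "user": "carol", "event": "mfa_method_change", "result": "ok", "ip": "203.0.113.77"},
    # dave: phone number changed, but the next login is from his usual IP
    {"ts": "2025-04-17T12:00:00Z", "user": "dave", "event": "login_success", "result": "ok", "ip": "198.51.100.22"},
    {"ts": "2025-04-20T11:00:00Z", "user": "dave", "event": "mfa_method_change", "result": "ok", "ip": "198.51.100.22"},
    {"ts": "2025-04-20T11:30:00Z", "user": "dave", "event": "login_success", "result": "ok", "ip": "198.51.100.22"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_push_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Users who received at least `threshold` push prompts inside `window`
    ending in an approval. Returns [(user, prompt_count, approved_ts)]."""
    prompts = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            prompts[e["user"]].append((parse_ts(e["ts"]), e["result"], e["ts"]))
    hits = []
    for user, items in prompts.items():
        items.sort()
        for i, (t_end, result, raw_ts) in enumerate(items):
            if result != "approved":
                continue
            # every prompt (denied or approved) in the window ending at this approval
            recent = [p for p in items[: i + 1] if t_end - p[0] <= window]
            if len(recent) >= threshold:
                hits.append((user, len(recent), raw_ts))
                break  # one alert per user is enough
    return hits


def find_sim_swap_pattern(events, window=timedelta(hours=24)):
    """An MFA-method (phone number) change followed within `window` by a
    successful login from an IP the user never succeeded from before.
    Returns [(user, change_ts, login_ts, ip)]."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e["user"]].append(e)
    hits = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        known_ips = set()
        pending = None  # (datetime, raw_ts) of the latest unexplained change
        for e in evs:
            if e["event"] == "mfa_method_change":
                pending = (parse_ts(e["ts"]), e["ts"])
            elif e["event"] == "login_success":
                if (pending is not None
                        and parse_ts(e["ts"]) - pending[0] <= window
                        and e["ip"] not in known_ips):
                    hits.append((user, pending[1], e["ts"], e["ip"]))
                    pending = None
                known_ips.add(e["ip"])
    return hits


if __name__ == "__main__":
    for hit in find_push_bombing(SAMPLE_EVENTS):
        print("push bombing:", hit)
    for hit in find_sim_swap_pattern(SAMPLE_EVENTS):
        print("possible SIM swap:", hit)
```

Two design points worth noting: the push-bombing rule counts every prompt in the window, denied or approved, because the signal is the volume of prompts before the eventual approval, not the denials alone; and the SIM-swap rule only alerts when the post-change login comes from an IP the user had never succeeded from, so a legitimate phone upgrade from the usual office address (dave above) stays quiet. Both thresholds are starting points to be tuned against your own baseline.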
Once inside, they deployed Cobalt Strike-style tooling to map out domain controllers and escalate privileges—standard playbook for double-extortion ransomware campaigns (The Security Validation Platform).
My Thoughts & Opinions
I’ve seen too many incidents where organisations treat security as a checkbox. These recent breaches prove it’s not just about having MFA or AV; it’s about how it’s configured and how staff are trained. MFA fatigue is a design flaw in many user journeys—unless we adopt phishing-resistant authenticators (like hardware tokens), push-based MFA will keep failing us.
Moreover, patch cycles must accelerate—delaying a critical VPN patch by even a week can open the door. I’d push for immutable infrastructure in retail environments: if a VM shows signs of compromise, spin up a fresh instance from a hardened image instead of firefighting.
How GCHQ’s NCSC Is Helping
The NCSC, part of GCHQ, has said it is working with all three retailers to understand the incidents and is sharing what it learns with the wider sector (NCSC). One correction to the commentary doing the rounds: the “Essential Eight” is the Australian Signals Directorate’s control set, not an NCSC publication; the NCSC’s own baselines are Cyber Essentials and the 10 Steps to Cyber Security. Either way, the controls being pushed are the same familiar ones (NCSC):
- Application control (allow-listing) so only approved executables can run.
- Segmenting networks to contain lateral movement.
- Enforcing strong, phishing-resistant MFA.
Richard Horne, the NCSC CEO, called this a “wake-up call” for the entire retail sector, urging all boards to treat cyber resilience as core business risk (Computer Weekly).
What They Should Do Next
- Full containment and rebuild: Wipe compromised systems, rebuild from backups taken before the intrusion, and rotate every credential, including service accounts and the Active Directory krbtgt account (reset twice, so tickets signed with the old key stop validating); otherwise any Kerberos ticket or session token minted during the intrusion is still usable.
- Deep forensic review: Map every step attackers took—only then can you trust your restored environment.
- Adopt zero-trust: Enforce least-privilege across all services, especially those handling payments and customer data.
- Invest in user training: Simulate phishing and MFA-fatigue attacks to harden staff vigilance.
- Regular crisis drills: Run ransomware tabletop exercises at least annually with executive leadership and IR teams.