UK Retailers Under Cyber Siege: Is the US Next for Scattered Spider?

The UK Retail Cyberattack Wave: What Happened?

The UK retail sector has been rocked by a series of cyberattacks that have disrupted some of the country’s biggest names. It all began over the Easter weekend when Marks & Spencer (M&S) customers suddenly found themselves unable to access their “Click and Collect” orders. Online payments stopped working, and store shelves quickly started to empty as the chaos unfolded.

Shortly after, Co-op took the unusual step of shutting down parts of its IT systems to stop an ongoing cyberattack. In a surprising twist, the hackers themselves told the BBC that Co-op’s decision to “pull the plug” prevented a full ransomware attack but came at the cost of lost sales, disrupted logistics, and damaged shareholder value.

Thanks to quick action by Co-op’s staff, the company is now recovering faster than M&S, with payment systems back online and stock levels expected to improve within days.

Harrods also faced an attack attempt on May 1 but managed to secure its network swiftly. The luxury retailer restricted internet access at its stores but avoided any major disruption.

Meanwhile, French fashion house Dior revealed on May 14 that hackers had stolen customer data, including names, email addresses, postal addresses, and phone numbers. Fortunately, no financial information was compromised.

Who’s Behind These Attacks?

Experts point to the hacker group Scattered Spider (also known as Octo Tempest) as the culprit behind the attacks on M&S, Co-op, and Harrods. This group is known for focusing on one industry at a time, and retail is currently their target.

Scattered Spider made headlines in 2023 when they attacked casino and hotel giants MGM and Caesars. The group is believed to be part of an online community known as "the Com," infamous for cyberattacks and violent activities.

The hackers reportedly use a ransomware tool called DragonForce, a service that provides malware and platforms for extortion. Their tactics often involve sophisticated social engineering, phishing, and exploiting third-party access to infiltrate companies.

The Real Impact on UK Retailers

• Marks & Spencer:
  M&S has had to halt online orders, resulting in a 16% drop in share value and wiping £1.3 billion off its market capitalization. The disruption has caused empty shelves and payment failures during a crucial shopping period.

• Co-op:
  Proactively shutting down IT systems helped Co-op avoid the worst, but caused major logistical headaches. Deliveries dropped by 20%, and some stores, especially in remote areas like the Isle of Skye, faced empty shelves. The company is now working hard with suppliers to restock.

• Harrods:
  Internet access was cut at stores to block unauthorized attempts to access systems. No customer data was compromised, and cybersecurity experts praised Harrods’ rapid response.

Is the US Next?

The threat is not limited to the UK. Google’s Threat Intelligence Group warns that Scattered Spider is now shifting focus to the US retail sector. John Hultquist, Google’s chief analyst, describes these attackers as “aggressive, creative, and highly skilled at bypassing even mature security defenses.” Their success often comes from social engineering and exploiting third-party relationships.

What Are the Experts Saying?

The UK’s National Cyber Security Centre (NCSC) has called these attacks a “wake-up call” for all organisations. According to NCSC’s National Resilience Director Jonathon Ellison and CTO Ollie Whitehouse, cyber resilience means more than just strong defenses-it means detecting attackers quickly, limiting damage, and recovering fast when breaches happen.

The NCSC recommends:

• Implementing multi-factor authentication everywhere

• Monitoring for unusual account activity

• Reviewing privileged account access regularly

• Tightening password reset procedures

• Ensuring security operations centers can detect suspicious logins

• Acting swiftly on threat intelligence

Final Thoughts: Cybersecurity Is Everyone’s Responsibility

The recent attacks on UK retailers-and Dior in France-show that no company is immune. But they also highlight the power of preparation. Harrods’ quick response is proof that being ready can make all the difference.

At Cyber Management Alliance, we help organisations build that kind of cyber resilience. Through our NCSC Assured Cyber Incident Response Training, expert-led Cyber Tabletop Exercises, and strategic consultancy, we give businesses the tools and confidence to respond effectively when it matters most.

Don’t wait for a breach to expose your vulnerabilities. Take control of your cyber defenses today.

Stay vigilant, stay prepared, and stay safe.