The great retail cyberattacks of 2025: What really happened? 

Executive Summary 

  • In April 2025, UK retail giants (M&S, Harrods, and Co-op) were hit by co-ordinated cyber incidents, causing payment glitches, site shutdowns, and empty shelves. 
  • Experts believe a hacking gang (“Scattered Spider”) used DragonForce ransomware to lock M&S’s systems, forcing a major outage and wiping hundreds of millions off its market value. 
  • Every business needs robust cyber defences – from employee training to incident planning. As one law firm warned, it’s no longer if but when you’ll face an attack.  

Introduction 

It’s not been a great week for M&S.  

What started as a normal spring sale over Easter Weekend turned into a full-blown cyber meltdown for one of the UK’s biggest high-street names. To make matters worse, as of May 2nd 2025, things still haven’t been entirely rectified, with orders still disabled on the M&S website. 

But what actually happened, who got caught in the crossfire, and was this really ransomware at work?  

Let’s answer these questions and look at what lessons small businesses should take from this retail crisis… and how Get Support can help make sure you never end up in the headlines for all the wrong reasons. 

The M&S cyberattack: a timeline of events 

Naturally, this is an evolving situation, so let’s first summarise what’s happened so far to see just how it became the crisis at hand.  

  • February 2025. Hackers reportedly infiltrate M&S systems and begin quietly exfiltrating data. Experts believe the “Scattered Spider” group had access for weeks before anything went public. 
  • Easter weekend (20-21 April). M&S customers notice problems at checkouts. Contactless payments fail, and Click & Collect orders are suspended. 
  • 22-24 April. M&S begins investigating what it calls a “cyber incident”. Behind the scenes, it’s believed the attackers deploy DragonForce ransomware, encrypting key systems. 
  • 24 April. M&S pulls its website and mobile app offline. Online orders, returns, and tracking are halted. Reports of empty shelves begin to surface in-store. 
  • 25 April. M&S issues a short public statement confirming the breach, but details remain vague. The story hits national headlines. Harrods confirms it too faced attempted cyber intrusions. 
  • 26-28 April. The Co-op reveals that it also shut down parts of its internal IT network after detecting suspicious activity. Analysts confirm M&S has lost hundreds of millions in share value. Security experts identify Scattered Spider and DragonForce as likely culprits. 
  • Late April – 2nd May. M&S recruitment freezes, with over 200 job listings quietly removed. CEO Stuart Machin apologises and says teams are “working day and night” to restore services. The website and app remain offline. The NCSC urges retailers to check defences and monitor accounts. 

So, who’s behind this highly targeted attack? Security experts point to a gang of hackers known as Scattered Spider. According to various sources, they quietly stole data from M&S as early as February and then deployed an “encryptor” on 24 April – a Ransomware-as-a-Service (RaaS) tool called DragonForce, which essentially locks an organisation’s files until the ransom is paid. 

In short, this looks very much like a classic ransomware play: infect key systems, lock everything down, and demand a ransom. The UK’s National Cyber Security Centre (NCSC) and police are now on the case, investigating M&S and other retailers including the Co-op and even Harrods. 

The NCSC has even urged all retailers to tighten their cybersecurity and advised consumers to watch their accounts during the chaos. In a statement on the NCSC website, CEO Dr Richard Horne said: “The NCSC continues to work closely with organisations that have reported incidents to us to fully understand the nature of these attacks and to provide expert advice to the wider sector based on the threat picture.” 

Who has been affected and to what extent? 

The biggest victim so far is Marks & Spencer.  

The breach forced M&S to pause the collection of Click & Collect orders and stop all contactless payments. Stores suddenly had to rely on chip-and-PIN and cash, with staff putting up signs like “Please bear with us while we fix technical issues”. By late April, some M&S food halls were looking bare – customers reported empty shelves for bananas, fish, and even those cult classics, Percy Pigs.  

The retailer’s website and app went offline entirely, halting online orders and returns. This hit M&S’s bottom line hard: its share price fell sharply, wiping out an estimated £500–700 million of market value in just a few days. Even hiring plans were scrapped – about 200 job adverts vanished from the M&S careers site as recruitment was “paused” during the incident. 

Harrods fared a bit better. The luxury department store confirmed it had “recently experienced attempts to gain unauthorised access” and quickly locked down some systems. Crucially, Harrods’ shops stayed open and online sales continued normally. In other words, Harrods’ team kept calm: investigating quietly and keeping customers shopping. So far, the public hasn’t seen major data losses at Harrods – its bosses say they’re working closely with leading cybersecurity experts and law enforcement to be safe.  

The Co-operative Group was also targeted around the same time. The Co-op shut parts of its internal networks (back office and call centres) as a precaution but kept its stores open. No products or payment systems went down in-store, fortunately.  

What are the lessons here? 

This whole episode is a wake-up call for pretty much every business, but especially retailers. So what are the lessons we can learn? 

First up, retailers are prime targets in today’s tech-driven world. As most people working in cybersecurity know, it’s no longer a question of if a cyberattack will happen, but when. Retailers hold tons of customer data and rely on digital services for payments, inventory and logistics. Attackers know that crippling a shop (or food hall) can force a quick payday. 

Second, supply-chain risks are real. The Guardian reports that insiders think the attack may have started at an M&S contractor or supplier. That means even if your own systems seem secure, a breach at a partner can pull you in. SMEs, in particular, should check who has their credentials and how those vendors protect data. 

Third, patch, train, and test relentlessly. This hack potentially used phishing, multi-factor authentication (MFA) fatigue, and other social engineering tricks to slip in. Regular staff training and simulated phishing exercises can help prevent the initial break-in. Behind the scenes, up-to-date firewalls, segmented networks and secure Active Directory setups (the attackers reportedly got domain passwords early on) are crucial. As the UK’s Department for Science, Innovation, and Technology recently found, a worrying 74% of large firms had a breach last year – yet 44% of retail companies still treat cybersecurity as a low priority. We think that has to change. 

Finally, don’t underestimate the downtime cost. M&S is losing several million pounds of sales per day while its site is down, on top of reputational damage. Smaller businesses (especially on busy weekends or promo seasons) could be devastated by even a few hours offline. If your business depends on digital services, it’s time to assume you could be next. 

Get peace of mind with Get Support 

The great news for SMEs is that you don’t have to fight cyberthreats alone.  

At Get Support, we specialise in exactly this – keeping UK businesses safe from cyber nasties. Our experts can run vulnerability checks, handle patching, and even rehearse an incident response – all tailored to your needs. Bottom line: we’ve helped dozens of companies weather digital storms like this one, and we can help you, too. 

Don’t wait until you’re in the headlines. For a friendly chat about shoring up your cyber defences, reach out to your Get Support Customer Success Manager, or call the team on 01865 594000. Your business (and your customers) will thank you.