Cyber Security Essentials | Ransomware readiness

July 15, 2025

The recent retail ransomware breaches and what organisations must do next

In recent months, UK retail giants Marks & Spencer, Co-op, and Harrods were all hit by significant cyber security breaches. These retail cyber attacks, reportedly involving ransomware and groups such as Scattered Spider and DragonForce, disrupted operations, sparked investigations by the UK’s National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO), and have drawn attention to vulnerabilities in enterprise cyber resilience.

The estimated financial impact? Up to £300 million in the case of M&S alone. More recently in Australia, QANTAS has been similarly impacted with nearly six million customer records being compromised.

These high-profile breaches reveal more than just the immediate disruption to supply chains and customer services. Approximately 50% of UK businesses reported experiencing a cyber incident in the past 12 months, with many organisations facing challenges such as unpatched software and insufficient formal risk assessments. This leaves them, their leaders and their stakeholders vulnerable to significant operational, financial and reputational risk.

Why Retailers Were Targeted, and Why It Matters

While the affected organisations are known for retail, they also offer financial and legal services. This makes them valuable targets for attackers seeking both disruption and data. In the case of Harrods and M&S, their involvement in credit card and insurance products expands the attack surface significantly. Co-op’s broader remit includes banking, funeral care, and legal services, further complicating the breach response. Retail and associated services programs are brimming with personal information, and so too are airlines and other organisations with loyalty programs that contain valuable data.

Early speculation suggested the motive could have been financial data theft rather than pure disruption, but ransomware has since been confirmed as a key factor. While DragonForce and Scattered Spider operate with differing motivations, the result was the same: significant downtime, operational disruption, and mounting reputational risk.

Lessons from the Fallout: Visibility, Speed, and Control

The disruption caused by the M&S breach was particularly visible, with empty shelves in stores for days. Co-op faced service disruptions across its non-retail arms. These operational impacts are not only expensive; they also erode customer trust in an increasingly digital and convenience-driven market. They suggest, too, that many businesses still do not recognise how dramatically a cyber security attack can disrupt business operations. If nothing else, these incidents confirm that cyber security risk mitigation efforts need to extend beyond the technical realm to those responsible for business continuity and resilience.

What makes these breaches especially alarming is, first, that experts agree they were preventable and, second, that they are disruptive to the business.

Reports suggest weaknesses common to the retail sector may have been exploited:

  • Poor administrative account controls
  • Gaps in patching
  • Third-party vulnerabilities

The core problem? Businesses struggle to understand and maintain foundational cyber hygiene at scale. Apparently, some also fail to connect the dots from the IT department to the operations team and ultimately the board.

What Should Organisations Be Doing?

The NCSC, along with global counterparts like NIST (US) and ACSC (Australia), continues to issue consistent guidance on countering ransomware. In the case of the QANTAS breach, which occurred some time after the retail rout in the UK, there were even warnings from the FBI that other airlines’ customer data had been compromised. It seems that the real challenge is for organisations to operationalise this ongoing guidance at speed, and systematically across increasingly complex environments. The connection between these cyber security events and the operational, financial and reputational welfare of the enterprise is not going to abate.

The Role of Exposure Management and Automation

This is where Continuous Threat and Exposure Management (CTEM) comes in. This emerging field aims to close the visibility and control gap between business operations and effective threat management by:

  • Rapidly identifying exposures through automation
  • Prioritising remediations that matter most
  • Delivering executive-level reporting to show progress over time

CTEM tools give security, and ultimately executive teams, the ability to act before a breach occurs. This is done by spotting misconfigurations, outdated patches, and over-permissioned users, all without overwhelming already stretched teams. And recent retail cyber attacks have provided a salutary lesson in how the implementation of such tools can make the difference between disruption and business as usual.

From Awareness to Action

The lesson is clear: basic security controls are no longer optional, and hope is not a strategy. Prevention, detection, and rapid response capabilities must be automated and continuously monitored to avoid the increasing chorus of “apology and mea culpa” that frequently precedes a corporate announcement that another data loss has impacted the operations, value and reputation of the business and the welfare of its stakeholders.

With cyber talent scarce and threat actors becoming more sophisticated, businesses must lean on the right tooling to do the heavy lifting. Recent retail cyber attacks highlight the real cost of inaction: operational disruption, customer dissatisfaction, reputational damage, and multimillion-dollar losses.
