Why M&S, Harrods and the Co-op were hit by cyber attacks

Cyber security experts have warned that retail’s lack of investment in IT protection, as well as the amount of consumer data it has access to, has put a bullseye on the sector.
The warnings follow a trio of serious attacks at major UK household names – Harrods, Marks and Spencer (M&S) and the Co-op.
“Retailers are prime targets because of the volume of identity and payment data they hold,” Xavier Sheikrojan, senior risk intelligence manager at software firm Signifyd, said.
UK retailers processed over 48 billion payments in 2023, a significant increase on the previous year as cash continued to cede ground to cards.
Nearly 90 per cent of these payments were made by consumers, rather than governments or other businesses.
“As retailers continue to embrace e-commerce and mobile platforms, they also expand their attack surface, making them susceptible to increasingly sophisticated cyber threats including ransomware, phishing, and supply chain attacks,” Anton Yunussov, head of cyber security at Forvis Mazars, said.
“The ongoing incidents… are a stark reminder of how vulnerable the sector has become in today’s digital landscape,” Yunussov added.
With reports that M&S is losing as much as £1m per day in sales and potentially lasting effects on consumer loyalty at all three retailers, the long and short-term risks to businesses are clear.
‘A breakdown in how risk is prioritised at the board level’
Cyber experts have been clear in their analysis of the attacks: security hasn’t been treated as enough of a priority in the last two decades, with limited investment and a lack of forward planning.
Florimond De Tinguy, of digital commerce platform VTEX, said the attacks were a “wake-up call” for the industry to “reassess how cyber security is embedded across operations”.
“This isn’t just an IT failure; it’s a breakdown in how risk is prioritised at the board level. The takeaway is retailers need to treat digital infrastructure as critical infrastructure.
“That means bringing cyber security into the same room as supply chain, marketing and customer experience leaders, not after a breach, but before it ever happens.”
Forvis Mazars’ Yunussov added that the time has come for retailers to treat cyber security as an “ongoing strategic business priority” and “not just an IT issue”.
“Being well prepared is not just good practice; it’s a competitive advantage, and retailers that take a proactive, strategic approach to cyber security and invest in it, will be better positioned in the long term,” Yunussov said.
Only four per cent of UK firms are fully prepared to defend against today’s complex cyber threats, Cisco has found, with 83 per cent of UK organisations grappling with a shortage of skilled cybersecurity professionals.
“Too many retailers are operating on outdated infrastructure, bolted together over decades with minimal regard for resilience-by-design,” Scott Dawson, CEO of DECTA, said.
“The result is siloed security, disjointed crisis response, and a mounting toll on trust, efficiency, and revenue.
“With any system taken offline—whether it’s hiring platforms, stock logistics, or internal comms—chipping away at consumer confidence.”