The UK retail wave that I noted starting with the M&S disclosure on the 22nd of April has continued through this week. Co-operative Group disclosed on the 30th of April that the company had detected and contained an attempted intrusion (Co-op customer communications). Harrods disclosed yesterday — the 1st of May — that the company had been the target of a similar attempted intrusion and had taken precautionary access-restriction measures (Harrods statement). The attribution across the cases continues to converge on Scattered Spider-affiliate activity operating with the DragonForce ransomware-as-a-service.
The cluster-targeting pattern. The UK retail-sector targeting through April-May represents a sustained campaign against multiple recognisable UK retail brands by what appears to be a single Scattered Spider affiliate or coordinated affiliate grouping. The targeting decisions are consistent: high-visibility consumer-facing brands, time-sensitive operational dependencies (online ordering, payment processing, customer-service workflows), and substantial revenue per day of disruption, which creates ransom-payment pressure. The customer-organisation conversations across the broader UK retail sector have been substantively elevated through the past two weeks; my own customer-organisation conversations, the wider security-community discussion, and the trade-press reporting have all reflected the heightened operational concern.
The defensive disciplines that respond to this. Help-desk process strengthening: identity-verification procedures that go beyond the typical employee-name-and-employee-number check, verification through pre-arranged out-of-band channels for sensitive workflows including MFA resets and account changes, and manager-approval requirements for elevated-privilege account changes. Phishing-resistant MFA on all authenticated access paths: the FIDO2 hardware-token deployment that customer-portfolio organisations have been working toward through 2022-2024 has been the substantive answer. Privileged-access management with segmented access paths and behavioural monitoring of privileged-account activity. Comprehensive logging and detection across the customer-organisation Active Directory and identity-management infrastructure. Network segmentation that limits the blast radius of any successful compromise.
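One way to audit the help-desk controls listed above against identity audit data, as an added example that is not part of the original post. The event schema, field names and the four-hour correlation window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample audit events (hypothetical schema, not from any real product).
EVENTS = [
    {"t": "2025-05-01T09:00", "type": "oob_verified", "ticket": "T1", "user": "alice"},
    {"t": "2025-05-01T09:05", "type": "mfa_reset", "ticket": "T1", "user": "alice", "privileged": False},
    {"t": "2025-05-01T10:00", "type": "mfa_reset", "ticket": "T2", "user": "bob", "privileged": False},
    {"t": "2025-05-01T10:20", "type": "new_device_signin", "user": "bob"},
    {"t": "2025-05-01T11:00", "type": "oob_verified", "ticket": "T3", "user": "svc-admin"},
    {"t": "2025-05-01T11:02", "type": "mfa_reset", "ticket": "T3", "user": "svc-admin", "privileged": True},
    {"t": "2025-05-01T11:30", "type": "manager_approved", "ticket": "T3", "user": "svc-admin"},
]

WINDOW = timedelta(hours=4)  # assumed correlation window after a reset


def audit_mfa_resets(events, window=WINDOW):
    """Return one finding per MFA reset that violates the help-desk policy."""
    parsed = [dict(e, t=datetime.fromisoformat(e["t"])) for e in events]
    findings = []
    for reset in (e for e in parsed if e["type"] == "mfa_reset"):
        # A control only counts if it was recorded on the same ticket BEFORE the reset.
        prior = {e["type"] for e in parsed
                 if e.get("ticket") == reset["ticket"] and e["t"] < reset["t"]}
        reasons = []
        if "oob_verified" not in prior:
            reasons.append("no out-of-band verification before reset")
        if reset["privileged"] and "manager_approved" not in prior:
            reasons.append("privileged account reset without prior manager approval")
        # A sign-in from an unseen device soon after a non-compliant reset raises severity.
        followed = any(e["type"] == "new_device_signin" and e["user"] == reset["user"]
                       and reset["t"] < e["t"] <= reset["t"] + window for e in parsed)
        if reasons:
            severity = "high" if followed or reset["privileged"] else "medium"
            findings.append({"ticket": reset["ticket"], "user": reset["user"],
                             "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_mfa_resets(EVENTS):
        print(finding)
```

Ticket T3 is flagged even though an approval exists, because the approval was recorded after the reset rather than before it.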
For the customer-portfolio response. The retailer (added October 2017) has been on the post-MGM/Caesars Scattered Spider-pattern defensive work since 2023 and the post-M&S audit has confirmed adequate posture across the customer-organisation operational scope. The customer-organisation incident-response readiness has been re-exercised this week with the latest UK-retail-cluster TTPs. Defensive content has been deployed across customer SOC tenants. The customer-organisation operational status is clean.
The wider UK-retail-sector picture. The cumulative effect of the M&S, Co-op, and Harrods cases plus the wider Scattered Spider-affiliate activity is producing the most substantive UK-retail-sector cyber-resilience conversation in recent years. The British Retail Consortium and various sector-bodies have been visible in the past week organising sector-wide information-sharing arrangements. The UK National Cyber Security Centre has issued sector-specific guidance through April-May. The aggregate operational-and-policy attention to UK-retail-sector cyber-resilience is at a substantive level that previous cycles have not produced.
The recovery-and-restoration timelines for the affected operators are multi-week. M&S's online operational recovery is, as of this writing, partial and ongoing; the customer-experienced disruption continues to be substantive. The aggregate operational-and-financial cost across the affected UK retailers will, on the early estimates, be in the multi-hundred-million-pound range when the recovery and the secondary effects (customer trust, regulatory engagement, class-action exposure) are accounted for.
I will return to this. The UK-retail-sector wave will continue to be a substantive 2025 strategic theme.