Get prepared for continued cyberattacks on retailers

COMMENTARY: Over the past several weeks, the retail sector has faced a significant wave of cyberattacks that targeted UK household names such as Marks & Spencer (M&S), Co-op, and Harrods, and more recently a breach that hit German-based Adidas. Just yesterday, news broke that Ohio-based Victoria's Secret sustained a cyber incident that forced it to shut down its website, bearing out a warning earlier this month from the Google Threat Intelligence Group (GTIG) that the attacks on retailers would expand to North America.

These incidents have exposed not only significant vulnerabilities in even the most mature organizations, but also the sophisticated, and often surprisingly professional, tactics used by cyber criminals today.

As someone who has analyzed these breaches in real time, I see in these events critical lessons for security professionals across industries. Many of these attacks, led by ransomware groups operating in cartel-like structures and carried out by skilled social engineers, demonstrate how technical compromise and human manipulation go hand in hand.

Retail giants in the crosshairs

Iconic brands deeply embedded in consumers' daily lives have become prime targets in the latest wave of cyberattacks. For cyber criminals, it all comes down to how they can get the most data and cause the most disruption in the easiest way possible. With the sheer volume of sensitive customer data moving through retail and supply chains, these industries have become easy, valuable targets. Once one sector gets hit, we often see a flood of imitation attacks, because the victims share similar processes and technology stacks.

This wave of retail cyberattacks began in the UK on April 19, when M&S reported contactless payment issues. By April 21, it confirmed a cyber incident that escalated quickly, halting online transactions and hitting its share price. Days later, Scattered Spider was linked to the breach. In early May, Co-op was attacked, prompting system shutdowns and warnings about impersonation attempts via VPNs and video calls. On May 1, Harrods also activated emergency cybersecurity measures.

The UK's National Cyber Security Centre (NCSC) issued vague guidance, advising against ransom payments: sound in principle, but often misaligned with the harsh realities of operational paralysis.

Behind the scenes, the campaign was powered by a two-tiered model. DragonForce, a Ransomware-as-a-Service group, supplied infrastructure and took a cut of ransom payments, reportedly even handing stolen Co-op data to the BBC to counter the company's denials. Scattered Spider affiliates used DragonForce tools and relied on phishing and impersonation tactics, posing as IT staff to trick employees into resetting credentials and logging into spoofed portals, then exfiltrating data before deploying ransomware. This isn't cybercrime as usual. It's strategic, scalable, and alarmingly professional.

Reputational, financial, and operational damage

The financial and operational toll has been severe. M&S said the cyberattack will wipe out more than one-third of its annual profits. Co-op faces scrutiny for a breach involving 20 million user credentials; the group's initial denials were undermined by DragonForce's leak to the press. Harrods issued standard reassurances, but simply "restricting internet access" is insufficient when attackers have persistent access inside the network. And when Victoria's Secret's breach disrupted online sales for days, it sent the lingerie company's share price lower.

It's been several weeks since the M&S breach, and with some services expected to stay down until July, customer trust has shown signs of strain. The longer the disruption continues, the more it will appear that the situation hasn't been handled effectively. To their credit, M&S handled crisis communications well, remaining calm, avoiding spin, and striking the right balance of transparency during an active investigation.

Cyber resilience starts with people, not technology

Even beyond the potential cost of GDPR and ICO fines, recent data breaches are a stark reminder that the most advanced tech stack means nothing if attackers can trick employees into granting access. As long as breaches can have this level of financial impact, and retailers are caught off guard in their cyber readiness, attacks targeting the retail and supply chain sectors will remain highly valuable to threat actors and show no signs of slowing down.

And while third-party support can help retailers and suppliers, it ultimately comes down to people. Can the company trust them to make the right call, and quickly, when faced with a breach? If not, the organization's cyber strategy was doomed from the start.

Companies need to regularly battle-test their teams for crises so they can build a true cyber resilience strategy that incorporates all facets of the business. Without it, businesses can find themselves in a similar position to these retailers, with costly disruptions to their operations and a loss of customer trust.

What's most alarming about today's cyberattacks isn't just their scale, but the professionalism of the attackers: the operations come complete with service tiers, SLAs, and support. Some groups even market themselves as "honorable," offering proof of data deletion in exchange for payment. But make no mistake: any organization they hit should prepare for a potential follow-up attack.

Defenders must match this level of sophistication to keep pace. This requires the following:

Conduct regular crisis simulation training, particularly for the IT and security staff most likely to be impersonated.
Adhere to strict enforcement of zero-trust and least-privilege models.
Prepare well-rehearsed incident response playbooks.
Keep the team informed on the latest threats and maintain high standards for continuous upskilling.
Create a culture of secure communication, even for internal conversations.

In the aftermath of an attack, it's critical to have clear and actionable communication. Customers need transparency about the impact on their personal data and guidance on how to protect themselves from further harm. While it's often complex to weigh the pros and cons of paying a ransom, try to avoid reaching that point at all by making it as difficult as possible for attackers to succeed.

The battlefront has shifted: it's no longer just about keeping the bad actors out. It's about properly battle-testing the company's teams so they know what to do and respond effectively when a crisis does arise.

Max Vetter, vice president of cyber, Immersive Labs

SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.