
Reasons M&S and Co-op were hacked - and why more retailers might be next
Marks & Spencer (M&S). Co-op. Harrods. Dior. A government legal aid office. A food distributor that supplies Tesco, Sainsbury's and Aldi.
A raft of retailers and suppliers have been the targets of cyber incidents in recent weeks.
Today alone, it has emerged that the logistics firm Peter Green Chilled and the Danish food giant Arla Foods have been hit by cyber crooks.
Hackers wriggled into computer systems and stole some customer data, like dates of birth and addresses.
Co-op shut down its IT system to prevent hackers from snatching personal and financial information like shopper passwords or bank details.
The cyber incidents caused company stocks to tumble, and shoppers were contending with empty shelves and deliveries being paused.
But why are these retailers being targeted?
Joe Jones, CEO of the cybersecurity attack simulation company Pistachio, said that while the upmarket retailer seems like a rogue choice for hackers to go for, it makes a lot of sense.
'M&S is a household name with a vast and loyal customer base, which makes it a high-value target for cybercriminals,' he told Metro.
'Large retailers hold enormous amounts of personal data, everything from names and addresses to detailed purchase histories. That kind of data is gold dust for attackers running social engineering scams or looking to sell verified profiles on the dark web.'
M&S, like many retailers, isn't just a brick-and-mortar store. It's websites, mobile apps, marketing emails and delivery services that amount to more 'digital touchpoints that can be exploited'.
'It's not necessarily that M&S was uniquely vulnerable; rather, it's a classic case of 'big brand, big data, big target',' he added.
James Hadley, the founder of the Bristol-based cybersecurity firm Immersive, said M&S isn't alone.
'Retail isn't as heavily regulated as, say, financial services, so the burden of proof is lower on how you demonstrate and prove cyber security,' he told Metro.
'It's impossible to be 100% secure and all it needs is one supplier, one connection, one partner, one employee, one misconfiguration, and the attackers can get in and detonate the malware,' he added, referring to malicious software.
Hackers who claim to be behind the cyber attack on Co-op said they infected the grocer's IT systems with ransomware, which involves breaking into a computer network and locking up information until the victim pays.
Hadley added: 'You could have 1,000 technical controls and, if one person gets in, it's all over.'
In other words, retailers are easy targets. M&S, founded in 1884, has had decades to build a 'sprawling IT estate'.
Stressing that he's speaking 'hypothetically', Hadley said: 'You have all this breadth and depth… that is a much harder thing to prove security compared to an organisation that is only five years old and doesn't have this legacy IT estate.'
None of the victims of the breach has revealed the details of how crooks jimmied open their systems. The National Cyber Security Centre said that officials aren't sure if the attacks are linked.
But Hadley believes, as other analysts have said, that the hijackers used 'social-engineering attacks on service desks' to gain initial access.
A social-engineering attack is the practice of deceiving someone, often with email but also with phone calls, to get information.
'Someone calling and saying, 'Hey, it's the service desk here, you need to reset your password',' Hadley said.
'That person is tricked by someone impersonating M&S into giving details, enough to open the door into someone getting access and, from there, deploy their ransomware.'
As ominous as this sounds, this cyber attack wasn't 'sophisticated', said Jones.
'It came down to human error,' he said.
'According to reports, the attackers gained access through a third-party contractor, then spent more than two days inside M&S's systems before anyone noticed. That kind of dwell time is concerning, but unfortunately, not uncommon.
'We see this pattern time and time again. Most breaches don't start with Hollywood-style hacking.'
The attacks have been linked to a loose hacking collective called Scattered Spider. DragonForce, a 'ransomware cartel' whose previous targets include Coca-Cola, Yakult and the government of Palau, is believed to have made the ransomware.
Both M&S and Co-op are working to restore their systems, 'working around the clock to get things back to normal', M&S said in an Instagram post.
From phoney emails saying your parcel has been delayed to texts claiming to be from your mum, scams come in many forms these days.
And the reason, more often than not, that you receive these dodgy messages is that a hacker snatched your data.
'M&S has a very diverse range of customers and ages, and technical abilities,' explained Hadley.
'They can then pretend to potentially be M&S by telephone and email, and then share some information with the individual that would make them believe it is M&S.
All customers should be 'hyper-aware' over the coming months, warned Jones, even though no financial data was swiped.
Jones recommended people:
Change their passwords – and, as one expert recently told Metro, don't have your password be '123456'.
Enable 'stronger security where possible', think two-factor authentication that involves an app or use a physical authenticator called a hardware key.
'Adopt a zero-trust mindset.' Be wary of any unexpected communication from M&S, like an email about a delivery, and try to verify it by going directly to the M&S website.
'So, 'hey, this is Marks and Spencer. Can you confirm an order you placed with this in the past six months?''
But don't expect these cyber-incidents to stop anytime soon, he warned: 'When we look at the retail supply chain, we can see more of this happening now,
'Now this particular one has been impacted, when the attackers might start surging into retail, recognising that it might be an unprotected space.'
And don't expect them to only happen to supermarkets, warned Robert Cottrill, a technology director at the digital transformation company, ANS.
M&S and Co-op are 'merely the incidents that made headlines', he said.
'In reality, organisations across all sectors and geographies are at risk,' Cottrill added.
'Cybersecurity must be a priority, because cyber criminals aren't waiting, and neither should you.'