M&S, Co-op & Harrods cyber-attacks — key cybersecurity lessons for retailers

Three major retailers — Marks & Spencer (M&S), Co-op and Harrods — were subjected to major cyber-attacks in the past week as part of apparent blackmail schemes, with the hackers themselves warning that further attacks to UK retailers are in the works.

Such attacks highlight the importance of having solid cybersecurity measures in place as well as transparent communications with customers in the aftermath of an attack.

Here, cybersecurity and data protection expert Eleanore Beard and Irem Tarasek from our RetailTech sector team delve further into these attacks and outline five key steps to take in any cyber-attack preparedness and response plan.

Operational chaos & data security concerns

Knowledge of the cyber-attack on M&S surfaced over the Easter weekend, when customers began reporting issues with ‘click & collect’ and contactless payment options. 

In response, M&S suspended online orders. However, it has been reported that the incident has affected other parts of is operations, such as stock management and bulk orders.

Additionally, the cyber-attack has impacted its recruitment platform — forcing M&S to pull all vacancy adverts and preventing candidates from applying for jobs. 

It has also been reported that the Co-op and Harrods shut down parts of their IT systems in response to hackers attempting to gain access.

All this has led to financial losses, operational chaos and concerns over data security for the targeted retailers.

The attack on M&S is believed to be the work of ransomware group DragonForce, a cybercriminal syndicate that operates ransomware which is then used to carry out attacks and extortions. 

DragonForce may be linked to the infamous hacking group Scattered Spider, which is said to be behind over 100 targeted attacks since 2022 including on casino operator Caesars Entertainment, which paid a £11.2m ransom to restore its network.

Cyber-attack responses — five key steps

These incidents reflect the growing threat of cyber-attacks and serve as a reminder to constantly reassess your security measures and ensure you are able to implement effective response strategies. 

One of the risks of any internet-connected services is the potential for a severe breach or security incident. Even if you have top cybersecurity experts on the books, cybercrime remains a major threat — and how your organisation responds to an attack is crucial. The longer it takes to resolve issues, the greater their potential impact. 

Here are five key steps to ensure a prompt and effective response to any cyber-attack.

1. Implement proactive threat monitoring

Implement continuous monitoring and advanced threat detection to identify breaches early. You should also ensure that any third-party suppliers you use — and your entire supply chain — have adequate security measures in place.

Your business should also use pseudonymisation and encryption to secure personal data and conduct regular audits and penetration tests to identify vulnerabilities and improve security measures.

2. Ensure appropriate staff training

With the DragonForce attacks purporting to be stemming from hackers impersonating IT help desks, it’s vital to conduct regular training across the business to ensure that all employees are aware of threats and can identify suspicious emails, links or attachments. This will help to prevent human errors that could lead to breaches.

Across the business, all employees should be encouraged to use strong passwords and multi-factor authentication as part of stringent guidelines for ensuring security.

3. Prepare an incident response plan

Establish a clear incident response plan and protocols to minimise disruption. The prolonged disruption of M&S demonstrates the importance of having resilient systems and backup strategies to restore operations quickly. 

You should always conduct a detailed post-incident analysis to understand the root cause and prevent future occurrences before revising your cybersecurity policies and procedures based on the lessons learned.

4. Develop a crisis communications strategy

Transparent communications are crucial for maintaining trust and managing reputational damage. This can reassure stakeholders and demonstrate accountability, while providing an opportunity for customers to protect themselves.

5. Consider legal compliance

When a cyber-attack occurs, organisations must navigate a complex legal landscape to ensure compliance with the relevant regulations, regulators and organisations. 

Regulators and organisations to involve may include: 

• National Cyber Security Centre (NCSC) — the NCSC provides guidance and support for cyber incidents affecting businesses and organisations.
• Action Fraud — the UK’s national reporting centre for fraud and cybercrime.
• Information Commissioner's Office (ICO) — organisations that handle personal data must comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. If a breach occurs, you may have to report the breach to the ICO within 72 hours. You may also be obliged to inform individuals whose data may have been compromised, outlining the nature of the breach and the protective measures they can take. 

ICO guidelines for data breach responses

The ICO provides comprehensive guidelines for responding to data breaches. 

It has emphasised the importance of ensuring ongoing confidentiality, integrity and availability surrounding personal data.

• Confidentiality — ensure ongoing confidentiality by pseudonymising or encrypting personal data.
• Integrity — implement appropriate technical and security measures to deal with risks and regularly test to evaluate effectiveness.
• Availability — ensure that you’re able to restore the availability and access to personal data in a timely manner.

The British Library

While the M&S attack has revealed significant deficiencies in its cybersecurity measures and the whereabouts of its data, it's helpful to consider how others have managed similar crises. 

One notable example is the British Library. Following a catastrophic ransomware cyber-attack in October 2023, its response in how it dealt with affected data subjects received widespread praise.

Despite the attack leading to the theft of 600GB of internal data and significantly disrupting its operations, the British Library issued regular, comprehensive updates about its recovery status and published a detailed cyber incident review that outlined its IT weaknesses and lessons learned, which helped to build back trust with its data subjects. 

The ICO commended the British Library for its transparency and its commitment to improving security measures.

However, it’s sobering to note that despite these commendations, the British Library’s IT systems have still not been fully restored more than 18 months later.

Talk to us 

By adhering to ICO guidelines and maintaining transparency, organisations can address the complexities of cyber-attacks while preserving trust and integrity.

Our specialist cybersecurity lawyers advise on the full life cycle of incidents — from building resilience by developing proactive governance and risk management measures to assisting with incident response management and disclosure to the NCSC and ICO. 

For businesses looking to navigate the complexities of cybersecurity, legal guidance is essential. We’re uniquely positioned to help organisations transform challenges into opportunities while ensuring compliance. 

Talk to us by giving us a call on 0333 004 4488, sending us an email at hello@brabners.com or completing our contact form below.