M&S Cyberattacks: Lessons for UK Retail

Exploring what went wrong in the M&S cyberattack, why UK retailers are being targeted by cyber criminals, and what they can do to build resilience against future attacks.

M&S Cyberattack and Co-op Breach: A Wake-Up Call for UK Retail Cybersecurity

In a matter of weeks, coordinated supermarket cyberattacks have shaken up the retail industry. The recent M&S cyberattacks, alongside those targeting the Co-op and Harrods, have exposed how vulnerable even the UK’s most recognised retailers are to human-driven breaches.

The cyberattack on M&S alone resulted in a loss exceeding £300 million, a reduction of over £1 billion in market value, and nearly six weeks of severe operational disruption. Full recovery has taken months.

The Co-op and Harrods were targeted around the same time – clear evidence that these were not isolated incidents, but part of a growing trend of cybercriminals systematically exploiting people, processes, and third-party suppliers to bypass technical defences.

These retailers are not the only ones to have been targeted. Similar tactics have disrupted major retailers across the UK, Europe, and beyond, highlighting a global surge in cybercriminals exploiting people, not technology, to breach businesses.

According to PureCyber, in the UK alone:

  • Ransomware attacks on retail surged by 75% in the first quarter of 2025.
  • 41% of retail organisations reported breaches so far this year.

Retailers face heightened risk due to complex digital infrastructure, reliance on third-party suppliers, and large, often undertrained workforces. Attackers know that the quickest way into your systems is to target your people.

This article explores what happened in the M&S and Co-op breaches, why UK retail is facing an unprecedented cyber threat, and the practical actions businesses must take to protect their people and their bottom line.

How the M&S & Co-op Cyberattacks Happened

The M&S cyberattack began with social engineering – attackers impersonated staff and tricked a third-party helpdesk into resetting credentials. With admin access in hand, they deployed DragonForce ransomware across M&S’s systems.

This was a double-extortion attack: the ransomware encrypted devices and caused weeks of operational disruption, while the attackers also stole data – potentially 150GB worth – and threatened to publish it if a ransom was not paid.

Just days later, the Co-op suffered a similar breach. Attackers used stolen VPN credentials to access internal systems, triggering payment outages and delivery delays. While the ransomware was contained, the group later claimed to have accessed the personal information of 20 million people who had signed up to the Co-op’s membership scheme. The firm subsequently confirmed that all 6.5 million of its members had their data stolen in the attack.

Human Error in Cybersecurity: How Social Engineering Fuelled the M&S Breach

The most dangerous aspect of the M&S breach wasn’t technical sophistication – it was the simplicity of how the attackers gained access. Despite significant investment in IT defences, M&S fell victim to human-driven exploitation.

The group behind the supermarket cyberattacks didn’t rely on complex code or software vulnerabilities. They used phone calls, fake emails, and impersonation tactics to trick real people inside organisations.

In a briefing to MPs, M&S chairman Archie Norman explained how this worked:

“In our case the initial entry, which was on April the 17th, occurred through what people now call social engineering. As far as I can tell that’s a euphemism for impersonation.

“And it was a sophisticated impersonation. They just didn’t walk up and say will you change my password. They appeared as somebody with their details.”

Retail leaders cannot afford to view cybersecurity as purely a technical challenge. The greatest vulnerability – and the greatest line of defence – is your people.

The Cost of a Click

Our free guide to why your people are your biggest cybersecurity vulnerability.

Learn the true cost of human error in cybersecurity – and what you can do to reduce your risk.

Why UK Retail is a Top Target for Cyberattacks in 2025

The coordinated supermarket cyberattacks on M&S and the Co-op were not isolated events. They’re part of a broader, rapidly escalating threat facing the entire retail sector – from the high street through to logistics.

The structure of the retail industry creates ideal conditions for attackers:

  • Vast, complex supply chains with varying security standards.
  • Often high volumes of perishable goods incentivising firms to pay ransoms quickly.
  • Large, dispersed workforces – including seasonal and temporary staff – with inconsistent cyber awareness.
  • Heavy reliance on third-party IT providers, often with privileged system access.
  • Significant amounts of sensitive customer data, including personal details, loyalty schemes, and order histories.

The commercial fallout is substantial. What may be even harder to recover from is the damage to reputation that follows a breach of this severity and the weeks of disruption to operations.

Retailers cannot afford to ignore these risks. As cybercriminals increasingly exploit human weaknesses, businesses must shift focus. Resilience now depends on strengthening people, processes, and partnerships at every level.

Retail Cybersecurity Lessons from the M&S Attack: How to Build Resilient Teams

The attacks on M&S, Co-op, and other retailers exposed critical gaps – not only in technology, but in how people, processes, and supplier relationships are managed.

These incidents weren’t inevitable. They reflect a pattern of cybercriminals exploiting human factors – at helpdesks, within supply chains, and across frontline teams – to bypass sophisticated defences.

Industry experts are clear: the era of reactive cybersecurity is over. As experts quoted by iotinsider warn:

“Retailers can no longer afford to treat resilience as optional.”

“Firming up defences, educating staff, and understanding what the latest threats look like are all crucial steps for businesses to protect themselves and ensure resilience.”

If retail leaders want to avoid being the next headline, resilience can’t be an afterthought. It must be designed into every layer of your business – before an attack happens.

Secure the Human Firewall

Research shows up to 95% of successful cyberattacks exploit human error or manipulation.

Policies and tools only go so far. Without a capable, cyber-aware workforce, the gaps remain wide open.

Practical actions include:

  • Strengthening helpdesk protocols: multi-step verification and clear processes to stop impersonation attempts.
  • Deploying phishing-resistant MFA across systems, not just for senior staff.
  • Running realistic phishing simulations tailored to retail roles.
  • Educating frontline teams on evolving tactics – deepfakes, AI-generated phishing, social engineering via Teams or Slack.

By training frontline teams, support staff, and helpdesks to recognise threats and challenge suspicious activity, you can turn a potential entry point into an active part of your defence.
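The helpdesk controls listed above come down to one design rule: knowing an employee’s details must never count as proof of identity, because that is exactly what the impersonation described earlier relied on. The following is an added example, not code from the article or from Baltic, showing how a credential-reset gate can encode that rule: identity is confirmed out of band by calling back the number already on record, an MFA reset needs line-manager approval, and privileged accounts need an independent second approver. All names, roles, thresholds and directory entries are constructed assumptions for the illustration.

```python
"""Helpdesk credential-reset gate (constructed example; policy values are assumptions)."""
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    APPROVED = "approved"
    DENIED = "denied"
    ESCALATE = "escalate"   # hand to second-line support / the security team


@dataclass(frozen=True)
class ResetRequest:
    username: str
    action: str                   # "password_reset" or "mfa_reset"
    knows_personal_details: bool  # caller recited name, DOB, employee ID, etc.
    callback_verified: bool       # agent rang the number on record and reached the user
    manager_approved: bool        # line manager confirmed via a separate channel
    second_approver: bool         # a second agent independently reviewed the request


@dataclass
class Directory:
    """Minimal stand-in for the HR/identity directory (constructed data)."""
    privileged: set = field(default_factory=set)
    phone_on_record: dict = field(default_factory=dict)


@dataclass
class Decision:
    outcome: Outcome
    reasons: list   # audit-ready explanation of the decision


def evaluate_reset(req: ResetRequest, directory: Directory) -> Decision:
    """Apply the reset policy and return a decision with the reasons for it."""
    reasons = []

    # Rule 1: personal details are recorded for the audit trail only; they are
    # never treated as verification, since an impersonator may have them.
    if req.knows_personal_details:
        reasons.append("caller knew personal details (not treated as verification)")

    # Rule 2: without a number on record, out-of-band verification is impossible.
    if req.username not in directory.phone_on_record:
        reasons.append("no callback number on record")
        return Decision(Outcome.ESCALATE, reasons)

    # Rule 3: every reset requires a completed callback to the number on record.
    if not req.callback_verified:
        reasons.append("callback to number on record not completed")
        return Decision(Outcome.DENIED, reasons)

    # Rule 4: an MFA reset removes the second factor, so the line manager must approve.
    if req.action == "mfa_reset" and not req.manager_approved:
        reasons.append("MFA reset requires line-manager approval")
        return Decision(Outcome.ESCALATE, reasons)

    # Rule 5: privileged accounts always need an independent second approver.
    if req.username in directory.privileged and not req.second_approver:
        reasons.append("privileged account requires a second approver")
        return Decision(Outcome.ESCALATE, reasons)

    reasons.append("callback verified; required approvals present")
    return Decision(Outcome.APPROVED, reasons)


# Constructed directory for the demonstration (assumed users and numbers).
DIRECTORY = Directory(
    privileged={"it.admin"},
    phone_on_record={"j.smith": "+44 7700 900001", "it.admin": "+44 7700 900002"},
)

if __name__ == "__main__":
    # A caller who knows j.smith's details but has not been called back.
    impersonation = ResetRequest("j.smith", "password_reset", True, False, False, False)
    print(evaluate_reset(impersonation, DIRECTORY))
    # A caller for a privileged account, verified by callback but with no second approver.
    admin_reset = ResetRequest("it.admin", "password_reset", True, True, False, False)
    print(evaluate_reset(admin_reset, DIRECTORY))
```

The reasons list is deliberately returned rather than printed so the same decision can be written to the ticketing system; a reviewer then sees not only that a reset was approved but which verification steps actually took place.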

Strengthen Third-Party Oversight

60% of retail breaches originate through suppliers or service providers. Managing this risk means:

  • Reviewing all supplier access rights – applying strict least-privilege principles.
  • Requiring vendors to meet security standards (e.g., Cyber Essentials, ISO 27001).
  • Including cybersecurity expectations in contracts.
  • Conducting regular audits and penetration testing that cover supplier integrations.

Retail is only as secure as its weakest link. Supply chain resilience is just as critical as your own internal defences.
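Reviewing supplier access rights against a least-privilege baseline is something that can be scripted from an export of third-party accounts, so the review happens on a schedule rather than only after an incident. The following is an added example, not code from the article or from Baltic, that flags the conditions the list above warns about: roles a supplier holds beyond what its contract permits, standing admin rights, accounts whose contract has ended, and access that has not been used in the review window. The field names, thresholds, role names and sample accounts are all constructed assumptions.

```python
"""Supplier access review against a least-privilege baseline (constructed example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

STALE_AFTER_DAYS = 90                                    # assumed review threshold
ADMIN_ROLES = {"domain_admin", "global_admin", "root"}  # assumed role naming


@dataclass(frozen=True)
class SupplierAccount:
    account: str
    supplier: str
    roles: frozenset               # roles currently granted
    approved_roles: frozenset      # roles the contract / statement of work permits
    last_login: Optional[date]     # None means the account has never been used
    contract_end: date


def review_access(accounts, today):
    """Return (account, finding_code, detail) tuples for every policy violation."""
    findings = []
    for a in accounts:
        # Access should end with the contract; an enabled account past that date is a gap.
        if a.contract_end < today:
            findings.append((a.account, "contract_expired", f"ended {a.contract_end}"))

        # Least privilege: anything beyond the approved set needs removing or re-approving.
        excess = a.roles - a.approved_roles
        if excess:
            findings.append((a.account, "excess_roles", ", ".join(sorted(excess))))

        # Standing admin rights for a third party should become time-bound elevation.
        admin = a.roles & ADMIN_ROLES
        if admin:
            findings.append((a.account, "standing_admin", ", ".join(sorted(admin))))

        # Unused access is pure attack surface; remove it or re-justify it.
        if a.last_login is None:
            findings.append((a.account, "stale", "never used"))
        elif (today - a.last_login).days > STALE_AFTER_DAYS:
            findings.append((a.account, "stale", f"{(today - a.last_login).days} days since login"))
    return findings


def findings_by_account(findings):
    """Group finding codes per account for a summary report."""
    grouped = {}
    for account, code, _detail in findings:
        grouped.setdefault(account, set()).add(code)
    return grouped


TODAY = date(2025, 6, 1)  # fixed review date so the example is reproducible


def sample_accounts(today):
    """Constructed export of supplier accounts for the demonstration."""
    d = timedelta
    return [
        SupplierAccount("svc-epos-vendor", "EPOS Ltd", frozenset({"epos_operator"}),
                        frozenset({"epos_operator"}), today - d(days=3), today + d(days=200)),
        SupplierAccount("svc-logistics-api", "Haulage Co", frozenset({"domain_admin", "wms_reader"}),
                        frozenset({"wms_reader"}), today - d(days=10), today + d(days=30)),
        SupplierAccount("contractor-old", "Desk Support Plc", frozenset({"helpdesk"}),
                        frozenset({"helpdesk"}), today - d(days=150), today - d(days=20)),
        SupplierAccount("svc-never-used", "Analytics Inc", frozenset({"reporting"}),
                        frozenset({"reporting"}), None, today + d(days=100)),
    ]


if __name__ == "__main__":
    for account, code, detail in review_access(sample_accounts(TODAY), TODAY):
        print(f"{account:20} {code:17} {detail}")
```

Run it against a real export by replacing sample_accounts with a loader for whatever your identity provider can produce; the finding codes map directly onto remediation tickets (disable, remove role, convert to just-in-time elevation, re-justify).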

Develop Internal Cyber Capability

Even with good suppliers and strong processes, undertrained teams remain a vulnerability. The UK’s cybersecurity skills gap leaves many retailers exposed – 44% lack even basic internal cyber expertise.

Workforce development is essential:

  • Training existing IT and support staff on modern threats and secure processes.
  • Upskilling helpdesks to verify requests and challenge suspicious activity.
  • Building long-term capability through apprenticeships and junior talent pipelines.

Research shows effective security awareness programmes can cut a company’s breach risk by up to 65%. Investing in systems matters, but building internal capability – the people who can detect, respond to, and prevent attacks – is what makes resilience sustainable.

At Baltic, our IT apprenticeships embed practical, cyber-resilient skills into every module. That way, new recruits build technical confidence and contribute to organisational resilience from day one.

Cyber-first IT Apprenticeships

Our IT training courses are designed to train cyber-conscious Technicians and Engineers who understand that every user interaction, system access request, and technical decision carries security implications. Cybersecurity awareness is built into every module of every programme, producing skilled IT specialists with ingrained cyber capabilities.

Microsoft IT Support

IT Support Technician

The Level 3 IT Support Technician apprenticeship embeds secure working practices into every aspect of technical support. Apprentices learn to identify threats early, maintain secure configurations, support cloud and remote systems safely, and troubleshoot with data protection front of mind.

Instead of reacting to uncertainty, apprentices are trained to follow process, spot inconsistencies, and act with confidence.

Network Engineer

The Level 4 Network Engineer apprenticeship equips organisations to build secure-by-design infrastructure from within. Apprentices gain industry standard CompTIA Network+ and Security+ certifications, layered defence expertise, and the skills to manage risk across complex IT networks.

These skills help reduce reliance on reactive fixes and support more proactive risk management across the IT estate.

How UK Retailers Can Strengthen Cyber Defences After the M&S and Co-op Breaches

The cyberattacks on M&S and the Co-op showed how quickly businesses can be brought to a standstill when attackers exploit the human element – whether that’s a helpdesk reset, a weak supplier access point, or a momentary lapse in process.

Technology still matters, but no technical defence can succeed if the people behind it aren’t equipped to play their part.

That’s why strengthening your workforce is just as critical as patching systems or upgrading infrastructure. At Baltic, we support businesses to build the practical skills and awareness needed to reduce human-driven risk – whether that’s through embedded apprenticeships or developing internal IT capability.

Ready to understand your cyber vulnerabilities?

For retail leaders who want to take action, we offer a consultation with our in-house cybersecurity specialist, Michael Carrick. This is a practical session focused on your workforce, your suppliers, and the day-to-day processes that often get overlooked when it comes to cyber preparedness.

We’ll help you assess where vulnerabilities sit, where existing defences may be exposed, and how to strengthen your frontline.

M&S didn’t expect to be the next headline – and neither did Co-op. But the attackers are already looking for their next opportunity. Now is the time to close the gaps.