Hackers come for big British retailers


A cyber attack cost M&S £300 million in profits and wiped £1 billion from its value


Welcome to the Sensemaker, our daily newsletter.


Marks & Spencer lost roughly £300 million in profits from a “highly sophisticated and targeted cyberattack” and expects disruptions to continue until July.




So what? That might just be the cost of doing business in 2025. Other retailers have also been hit by ransomware attacks in recent weeks, among them

  • Co-op
  • Harrods
  • Dior, and
  • Peter Green Chilled, which supplies Tesco, Aldi and other supermarkets.

Not just any cyberattack. Harrods has not released any information about the impact of its cyberattack but its shops are operating as usual, suggesting the disruption was minimal. M&S wasn’t quite so lucky. Its attack, made public on 22 April, has

  • suspended online purchases for weeks;
  • left M&S supermarket shelves empty of food; and
  • wiped more than £1 billion off the company's market value.

Data breach. Both M&S and Co-op said the hackers stole the personal information of thousands of customers – including emails, addresses and dates of birth – but didn’t manage to get hold of credit card or bank details.


Lapse. Data from the research firm Zeki suggests that M&S, Co-op and Harrods have cut corners on their in-house cybersecurity teams over the past decade. In its last annual report, M&S said it relies on third-party suppliers “for selected services and/or hosting of data” and acknowledged this practice exposed it to “vulnerabilities in their cyber and data controls”. Tom Hurd, Zeki’s founder, offers a more succinct verdict: “They have taken their eye off the ball.”

Shaking it off. The damage is extensive, but not existential. M&S’s share price has fallen by 7 per cent. In April, it posted increased sales and profits, building on several years of steady growth, and customers are sticking with the 140-year-old brand. Its chief executive, Stuart Machin, told the FT the attack was “a bump in the road”.

Who. Google believes a group known as “Scattered Spider” is behind the attacks on M&S, Harrods and Co-op. It emerged in 2022 and has been linked to around 100 high-profile intrusions, including the extortion of a string of Las Vegas resorts and casinos in 2023.

Where. Scattered Spider is a loose group of teenage and 20-something hackers from the US, UK and Canada, who operate on messaging apps like Telegram and Discord. Hurd says this makes them “anomalous”, since most organised attacks come from Russia and Ukraine. Five members of the group (four Americans, one Brit) were charged with hacking last year in the US.

How. The ruse against M&S was a simple one, requiring little technical know-how. The attackers posed as an employee and talked IT staff into resetting that employee’s password, which gave them a valid login into the company’s systems. No software flaw was needed: the weak point was the identity check performed before a reset.
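A help-desk reset of this kind leaves a trace in the identity provider’s audit log, and the pattern that follows it (a new MFA factor enrolled minutes later, or a sign-in from somewhere the user has never logged in from) is what a security operations team can alert on. The following is an added example written for this page, not code from M&S, Google or any of the firms quoted; the event format, field names, user names and countries are constructed for illustration and would be mapped onto a real audit log.

```python
"""Added example: flag help-desk password resets that are followed within
a short window by a new MFA enrolment or a sign-in from an unfamiliar
country. Log format and field names are constructed for this illustration."""
from datetime import datetime, timedelta

# Constructed sample audit events (not real data). Two help-desk resets:
# j.smith is followed by a new MFA factor and a foreign login within minutes;
# k.jones only logs in from the usual country, a day later.
SAMPLE_EVENTS = [
    {"ts": "2025-04-17T09:02:00", "type": "password_reset", "actor": "helpdesk.amy",
     "target": "j.smith", "channel": "phone"},
    {"ts": "2025-04-17T09:09:00", "type": "mfa_enrolled", "actor": "j.smith",
     "target": "j.smith", "device": "new-phone"},
    {"ts": "2025-04-17T09:11:00", "type": "login", "actor": "j.smith",
     "target": "j.smith", "src_country": "NG"},
    {"ts": "2025-04-17T10:00:00", "type": "password_reset", "actor": "helpdesk.amy",
     "target": "k.jones", "channel": "phone"},
    {"ts": "2025-04-18T10:30:00", "type": "login", "actor": "k.jones",
     "target": "k.jones", "src_country": "GB"},
]

# Countries each user has previously signed in from (constructed baseline).
KNOWN_COUNTRIES = {"j.smith": {"GB"}, "k.jones": {"GB"}}


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_suspicious_resets(events, window=timedelta(hours=1),
                           known_countries=KNOWN_COUNTRIES):
    """Return one alert per help-desk password reset that is followed, within
    `window`, by an MFA enrolment or a sign-in from a country not on record
    for the reset user. Each alert lists the reasons it fired."""
    events = sorted(events, key=lambda e: e["ts"])
    alerts = []
    for i, ev in enumerate(events):
        if ev["type"] != "password_reset":
            continue
        reset_at = _parse(ev["ts"])
        reasons = []
        for later in events[i + 1:]:
            elapsed = _parse(later["ts"]) - reset_at
            if elapsed > window:
                break  # events are sorted, nothing later can be in the window
            if later["target"] != ev["target"]:
                continue
            if later["type"] == "mfa_enrolled":
                reasons.append("new MFA factor enrolled %d min after reset"
                               % (elapsed.seconds // 60))
            elif later["type"] == "login":
                country = later.get("src_country")
                if country not in known_countries.get(ev["target"], set()):
                    reasons.append("sign-in from unfamiliar country %s" % country)
        if reasons:
            alerts.append({"target": ev["target"], "reset_by": ev["actor"],
                           "reset_at": ev["ts"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_resets(SAMPLE_EVENTS):
        print(alert["target"], "reset by", alert["reset_by"], "at", alert["reset_at"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

Run against the constructed events, only the j.smith reset fires, with two reasons. The one-hour window and the per-user country baseline are tuning choices; the point is that the reset itself is legitimate-looking and only the sequence around it gives the impersonation away.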

Why. It’s not clear if any of the three retailers handed over ransoms, but it is common for hackers to demand payments while threatening to release sensitive material. A gang that gained access to the British Library’s servers in 2023 demanded £600,000.

Retail companies are an obvious target for hackers, according to Ollie Dent, a lawyer specialising in cybersecurity. “If they can cause disruption that impacts potentially millions of people... that helps them get more leverage at the negotiation table,” he says.

Widespread. More than 40 per cent of UK businesses and 30 per cent of charities have suffered a cybersecurity breach or attack in the past 12 months, according to government figures. For big companies, the proportion is even higher: 75 per cent. Several factors are at play, including

  • the spread of cryptocurrencies that allow criminals to receive ransom payments anonymously;
  • artificial intelligence that makes hacking faster and more efficient; and
  • the increasing involvement of sophisticated criminal gangs.

“These groups are not all about people with hoodies sitting in darkened basements writing code,” Hurd says. “There are people in suits who finance this.”

What’s more… markets are starting to price in the cost of cyberattacks to businesses, but public institutions like hospitals cannot. An attack on them could cost thousands of lives as well as millions of pounds.

Photograph by Chris Ratcliffe/Bloomberg via Getty Images

