Introduction
In the spring of 2025, several of the United Kingdom’s most recognizable retailers found themselves dealing with the same problem.
Marks & Spencer. Co-op. Harrods.
Different companies, systems, and internal teams, yet all were impacted by a wave of cyberattacks that quickly became one of the most closely watched cybersecurity stories of the year.
What made these incidents particularly noteworthy was not just the scale of disruption they caused. It was how the attackers reportedly gained access in the first place.
According to reporting from Reuters and multiple cybersecurity investigations, the attacks are believed to have involved social engineering tactics in which attackers impersonated employees and contacted IT help desks to convince support staff to reset passwords and account credentials.
In other words, some of the most disruptive cyber incidents of 2025 may have started not with a sophisticated technical exploit, but with a conversation.
What Happened?
The attacks began surfacing publicly in April and May of 2025.
Marks & Spencer was among the hardest hit. The retailer was forced to suspend online clothing and home orders, experienced disruptions to payment systems and store operations, and faced weeks of operational challenges. Analysts estimated the incident would have a significant financial impact, with hundreds of millions of pounds ultimately tied to the disruption.
Shortly afterward, Co-op disclosed its own cyber incident, confirming attackers had attempted to access internal systems and forcing portions of its back-office and call center operations offline.
Harrods also reported cybersecurity issues during the same period, prompting additional scrutiny across the retail sector.
Investigators and security researchers later linked many of the incidents to tactics associated with the cybercriminal group known as Scattered Spider, a threat actor increasingly known for targeting identities, help desks, and employee trust rather than relying solely on technical vulnerabilities.
Exploiting Trust: Not Technical Vulnerabilities
The biggest lesson from these attacks is not that attackers discovered a new technical breakthrough.
It is that they reportedly exploited business processes.
According to reporting on the incidents, attackers were able to impersonate legitimate employees and persuade IT support teams to reset passwords or credentials, providing a pathway into internal systems.
Many organizations spend significant resources strengthening firewalls, endpoint protection, monitoring platforms, and other technical controls. But if an attacker can successfully convince someone to grant access, many of those controls may never have the opportunity to stop the attack.
That is what makes identity-focused attacks so dangerous.
Why These Attacks Were So Disruptive
The operational consequences extended far beyond IT systems. For Marks & Spencer, online ordering was suspended for weeks. Product availability was affected. Internal processes were disrupted. The company later reported substantial financial losses tied directly to the incident. In some reports, organizations were forced to revert to manual processes while systems were restored and investigated.
This highlights an important reality many businesses overlook:
Cybersecurity incidents are no longer just technical events. They are operational events affecting revenue, customer experience, employee productivity, vendor relationships, and business continuity.
Why Every Business Should Pay Attention
It is easy to view incidents involving major retailers as problems unique to large enterprises.
The reality is that the underlying attack methods are surprisingly common.
Most organizations rely on:
- Password reset procedures
- Employee verification processes
- Help desk support
- Vendor communications
- Access approval workflows
These systems exist because businesses need to operate efficiently.
The challenge is that attackers increasingly understand how to exploit them. The same tactics used against major retailers can often be adapted against organizations of any size.
What Businesses Can Learn
The 2025 UK retail attacks reinforce several practical lessons:
Strong Verification Matters
Employees handling account changes, password resets, or access requests should have clear procedures for verifying identities before making changes.
Identity Security Is Critical
Attackers are increasingly targeting credentials and user accounts rather than attempting to break through technical defenses directly.
Business Processes Need Security Reviews
Many vulnerabilities today are operational rather than technical. Approval workflows, support procedures, and access management processes should all be evaluated through a security lens.
Incident Preparedness Impacts Recovery
Organizations with stronger business continuity planning and incident response processes are often better positioned to minimize disruption when incidents occur.
The UK’s National Cyber Security Centre (NCSC) specifically encouraged organizations to review help desk procedures and identity verification processes following the attacks.
Where Security Assessments Make a Difference
One reason incidents like these continue to occur is that many organizations focus heavily on technical vulnerabilities while overlooking operational ones. A comprehensive cybersecurity assessment should evaluate more than systems and software.
It should also examine:
- Help desk workflows
- Identity management controls
- Password reset procedures
- Access governance practices
- Business continuity readiness
These are often the exact areas attackers attempt to exploit.
Identifying weaknesses before they become incidents can significantly reduce organizational risk.
Final Perspective
The 2025 UK retail cyberattacks offer an important reminder that modern cybersecurity is no longer just about protecting networks and systems. It is about protecting the people, processes, and decisions that keep those systems running.
The organizations affected by these attacks were not lacking technology. Instead, attackers found opportunities within the operational workflows businesses depend on every day.
At Secutor, we help organizations identify these types of risks through cybersecurity assessments, governance reviews, and strategic security guidance. By evaluating both technical controls and business processes, businesses can strengthen resilience and reduce exposure to the kinds of attacks increasingly shaping today’s threat landscape.
Because in many cases, modern cyberattacks do not begin with sophisticated code.
They begin with trust.
Connect with an Expert for a Free Consultation
Secutor is your team of world-class problem solvers with vast expertise and experience delivering complete solutions keeping your organization protected, audit-ready, and running smoothly. Use the form below to contact us for a free consultation.


