What the 2025 UK Retail Cyberattacks Reveal About Modern Business Risk

Introduction

In the spring of 2025, several of the United Kingdom’s most recognizable retailers found themselves dealing with the same problem.

Marks & Spencer. Co-op. Harrods.

Different companies, systems, and internal teams, yet all were impacted by a wave of cyberattacks that quickly became one of the most closely watched cybersecurity stories of the year.

What made these incidents particularly noteworthy was not just the scale of disruption they caused. It was how the attackers reportedly gained access in the first place.

According to reporting from Reuters and multiple cybersecurity investigations, the attacks are believed to have involved social engineering tactics in which attackers impersonated employees and contacted IT help desks to convince support staff to reset passwords and account credentials.

In other words, some of the most disruptive cyber incidents of 2025 may have started not with a sophisticated technical exploit, but with a conversation.

What Happened?

The attacks began surfacing publicly in April and May of 2025.

Marks & Spencer was among the hardest hit. The retailer was forced to suspend online clothing and home orders, experienced disruptions to payment systems and store operations, and faced weeks of operational challenges. Analysts estimated the incident would have a significant financial impact, with hundreds of millions of pounds ultimately tied to the disruption.

Shortly afterward, Co-op disclosed its own cyber incident, confirming attackers had attempted to access internal systems and forcing portions of its back-office and call center operations offline.

Harrods also reported cybersecurity issues during the same period, prompting additional scrutiny across the retail sector.

Investigators and security researchers later linked many of the incidents to tactics associated with the cybercriminal group known as Scattered Spider, a threat actor increasingly known for targeting identities, help desks, and employee trust rather than relying solely on technical vulnerabilities.

Exploiting Trust: Not Technical Vulnerabilities

The biggest lesson from these attacks is not that attackers discovered a new technical breakthrough.

It is that they reportedly exploited business processes.

According to reporting on the incidents, attackers were able to impersonate legitimate employees and persuade IT support teams to reset passwords or credentials, providing a pathway into internal systems.

Many organizations spend significant resources strengthening firewalls, endpoint protection, monitoring platforms, and other technical controls. But if an attacker can successfully convince someone to grant access, many of those controls may never have the opportunity to stop the attack.

That is what makes identity-focused attacks so dangerous.

Why These Attacks Were So Disruptive

The operational consequences extended far beyond IT systems. For Marks & Spencer, online ordering was suspended for weeks. Product availability was affected. Internal processes were disrupted. The company later reported substantial financial losses tied directly to the incident. In some reports, organizations were forced to revert to manual processes while systems were restored and investigated.

This highlights an important reality many businesses overlook:

Cybersecurity incidents are no longer just technical events. They are operational events affecting revenue, customer experience, employee productivity, vendor relationships, and business continuity.

Why Every Business Should Pay Attention

It is easy to view incidents involving major retailers as problems unique to large enterprises.

The reality is that the underlying attack methods are surprisingly common.

Most organizations rely on:

  • Password reset procedures
  • Employee verification processes
  • Help desk support
  • Vendor communications
  • Access approval workflows

These systems exist because businesses need to operate efficiently.

The challenge is that attackers increasingly understand how to exploit them. The same tactics used against major retailers can often be adapted against organizations of any size.

What Businesses Can Learn

The 2025 UK retail attacks reinforce several practical lessons:

Strong Verification Matters

Employees handling account changes, password resets, or access requests should have clear procedures for verifying identities before making changes.

Identity Security Is Critical

Attackers are increasingly targeting credentials and user accounts rather than attempting to break through technical defenses directly.

Business Processes Need Security Reviews

Many vulnerabilities today are operational rather than technical. Approval workflows, support procedures, and access management processes should all be evaluated through a security lens.

Incident Preparedness Impacts Recovery

Organizations with stronger business continuity planning and incident response processes are often better positioned to minimize disruption when incidents occur.

The UK’s National Cyber Security Centre (NCSC) specifically encouraged organizations to review help desk procedures and identity verification processes following the attacks.

Where Security Assessments Make a Difference

One reason incidents like these continue to occur is that many organizations focus heavily on technical vulnerabilities while overlooking operational ones. A comprehensive cybersecurity assessment should evaluate more than systems and software.

It should also examine:

  • Help desk workflows
  • Identity management controls
  • Password reset procedures
  • Access governance practices
  • Business continuity readiness

These are often the exact areas attackers attempt to exploit.

Identifying weaknesses before they become incidents can significantly reduce organizational risk.

Final Perspective

The 2025 UK retail cyberattacks offer an important reminder that modern cybersecurity is no longer just about protecting networks and systems. It is about protecting the people, processes, and decisions that keep those systems running.

The organizations affected by these attacks were not lacking technology. Instead, attackers found opportunities within the operational workflows businesses depend on every day.

At Secutor, we help organizations identify these types of risks through cybersecurity assessments, governance reviews, and strategic security guidance. By evaluating both technical controls and business processes, businesses can strengthen resilience and reduce exposure to the kinds of attacks increasingly shaping today’s threat landscape.

Because in many cases, modern cyberattacks do not begin with sophisticated code.

They begin with trust.

Connect with an Expert for a Free Consultation

Secutor is your team of world-class problem solvers with vast expertise and experience delivering complete solutions keeping your organization protected, audit-ready, and running smoothly. Use the form below to contact us for a free consultation.

Enjoyed this Content?

Share this story on social media!

Andersen Consulting
Scroll to Top

Jason Fruge

Consulting Chief Information Security Officer (CISO)

Jason Fruge is an accomplished Consulting Chief Information Security Officer at Secutor Cybersecurity, bringing over 25 years of deep expertise in information security. His storied career includes leading and managing robust security programs for Fortune 500 companies across retail, banking, and fintech sectors. His current role involves providing strategic guidance and advisory services to clients, focusing on security governance, risk management, and compliance.

Apart from his consulting responsibilities, Jason is an active member of the global cybersecurity community. He is a Villager at Team8, a prestigious collective of senior cybersecurity executives and thought leaders. Additionally, he serves as an Advisor at NightDragon, an innovative growth and venture capital firm specializing in cybersecurity and enterprise technologies.

Jason’s tenure as a CISO is marked by a proven track record in developing and implementing comprehensive security policies and procedures. He adeptly leverages security frameworks and industry best practices to mitigate risks, safeguarding sensitive data and assets. His expertise encompasses incident response and root cause analysis, where he has notably managed cyber incidents to prevent breaches and minimize business disruption and customer impact.

A key aspect of Jason’s role has been the creation and facilitation of executive and board-level cyber risk committees, ensuring organizational alignment and awareness. His responsibilities have extended to maintaining compliance programs for standards such as PCI and SOX, as well as leading privacy and business continuity programs. Holding prestigious certifications like CISSP, QSA, and QTE, Jason is also a recognized thought leader, contributing articles on cybersecurity to InformationWeek.

Jason’s passion lies in driving innovation and fostering collaboration in the cybersecurity field. He is currently seeking an executive CISO role in a leading retail, finance, or fintech organization, where he can continue to make significant contributions to the cybersecurity landscape.

Jennifer Bayuk

Cybersecurity Risk Management Expert

Jennifer Bayuk is a highly esteemed cybersecurity risk management thought leader and subject matter expert at Secutor Cybersecurity. Her extensive experience encompasses managing and measuring large-scale cybersecurity programs, system security architecture, and a wide array of cybersecurity tools and techniques. Jennifer’s expertise is further deepened with her proficiency in cybersecurity forensics, the audit of information systems and networks, and technology control processes.

Jennifer’s skill set is comprehensive, including specialization in cybersecurity risk and performance indicators, technology risk awareness education, risk management training curriculum, and system security research. Her academic achievements are noteworthy, holding Masters degrees in Philosophy and Computer Science, and a Ph.D. in Systems Engineering. This strong academic background provides a solid foundation for her practical and strategic approach to cybersecurity challenges.

Certified in Information Systems Audit, Information Systems Security, Information Security Management, and IT Governance, Jennifer is a well-rounded professional in the field. Her credentials are further enhanced by her license as a New Jersey Private Investigator, adding a unique dimension to her cybersecurity expertise.

At Secutor, Jennifer plays a pivotal role in steering cybersecurity initiatives, aligning them with organizational risk appetites and strategic objectives. Her ability to educate and train in the realm of technology risk has been instrumental in raising awareness and enhancing the cybersecurity posture of our clients. Her dedication to research and continual learning makes her an invaluable resource in navigating the ever-evolving cybersecurity landscape.

Jennifer Bayuk’s blend of academic prowess, practical experience, and certifications make her an indispensable part of our team, as she continues to drive forward-thinking cybersecurity solutions and risk management strategies.

Steve Blanding

CISO Consultant

CISSP, CISA, CGEIT, CRISC

Steve is an IT management consultant living in Dallas, TX. Steve has over 35 years of experience in executive IT leadership, IT governance, risk and compliance (GRC), systems auditing, quality assurance, information security, and business resumption planning for large corporations in the Big-4 professional services, financial services, manufacturing, retail electronics, and defense contract industries. He has extensive experience with industry best practices for adopting and implementing new technologies, IT service management frameworks, and GRC solutions that have dramatically improved customer satisfaction while reducing cost.

Industry Experience

  • State Government: 5 years
  • Retail: 5 years
  • Defense Contract: 5 years
  • Manufacturing: 2 years
  • Health Care: 2 years
  • Local Government: 2 years
  • Public Accounting (Big 4): 7 years
  • Insurance: 3 years
  • Financial Services: 5 years

Key Career Accomplishments

  • Conducted a full-scale ISO27000 audit 4 times over the past 6 years.  Also, conducted a “light” ISO27000 review of a small Dallas-based company in 2007.
  • Developed and authored a comprehensive IT security policy manual, incident response plans, training programs, security contingency plans and configuration management plans for FedRAMP regulatory compliance.
  • Conducted multiple DR and operational backup and recovery IT risk assessments of critical business systems on mainframe, LAN, and distributed system networks located across North America.
  • Conducted data centers audits for Tyco Corporation (Brussels, 2005 and Denver, 2006), Farmers Insurance (Los Angeles, 2006), Zurich Financial Services (Chicago, Kansas City, and Grand Rapids, 2006), and Convergys Corporation (Dallas, 2010, 2011, and 2012).
  • Led a project to remediate segregation of duties and streamline user access system security and HIPAA compliance administration across 5 regions in North America, resulting in cost savings of $700,000 per year (Kaiser Permanente).
  • Implemented Sarbanes-Oxley Section 302 and 404 IT general and application controls, reducing security administration costs and improving operational performance by 50% or $500,000 annually (Tyco Corporation).
  • Led the global SAP business-IT alignment, process re-design implementation initiative for financial accounting, materials management, production planning, quality management, sales and distribution, warehouse management, and plant maintenance, which resulted in creating $2,000,000 in cost savings.
  • Engaged by Arthur Andersen in Houston to transform the local IT organization and then direct 3 organizational mergers/consolidations, which resulted in a 25% reduction in operating costs, or $3,250,000, while improving customer satisfaction by 30%, and improving employee morale, technology availability and the quality of IT infrastructure and service delivery.
  • Assigned by Arthur Andersen global leadership to lead global project teams responsible for data center and customer support call center consolidation, which resulted in annual operational cost savings of 45% or $4,000,000.
  • Implemented ITIL service management practices for problem management, incident management, help desk, project management, and operations management.
  • Conducted SOX 404 audits at Duke Energy (6 months), Red Hat (3 months), Tyco (9 months), Zeon Chemicals (4 months), and Convergys (2 months). Experience includes control design/documentation and effectiveness testing.

Publications:

Author, various articles in EDPACS and Auerbach’s IT Audit Portfolio Series, 1981 – 2001

Author, various articles in the Handbook of Information Security Management, 1993 – 1995

Editor, Auerbach’s Enterprise Operations Management, 2002

Editor, Auerbach’s IT Audit Portfolio Series, 2000 – 2002

Consulting Editor, Auerbach’s EOM Portfolio Series, 1998 -2001

Ready to Find Your Solution?

Reach out using the form below, and we’ll contact you as soon as possible to schedule your consultation.

Ready to Find Your Solution?

Use the form to schedule a consultation, and we’ll reach out within 48 hours to confirm the appointment.

Considering this delay, please only select meeting dates 48 hours or more in advance. Your information will only be used to facilitate a meeting.