Digital Risk: Enterprises Need More Than Cyber Insurance
Threatonomics

Scattered Spider strikes again in recent UK retail attacks

by Si West , Director, Customer Engagement
Published

Hundreds of millions of dollars lost as cybercriminal group targets major UK retailers, including Marks & Spencer

In the past two weeks, the UK retail industry has faced an unprecedented wave of sophisticated cyberattacks, exposing critical vulnerabilities across the sector. The high-profile breaches at Marks & Spencer, Harrods, and others have sent shockwaves through the industry, with M&S alone suffering an estimated £3.8 million in lost online sales per day and seeing £700 million wiped from its market value after an attack that has been credited to Scattered Spider. 

Why this surge in retail-focused attacks? While it’s impossible to pin on one specific cause, the answer likely lies in both the value of the data retailers hold and the sector’s relative cybersecurity immaturity. Retailers process millions of customer transactions containing sensitive payment information, while often operating with understaffed security teams, inadequate training programs, and complex networks of third-party vendors.

This combination of valuable data and lack of cybersecurity maturity makes the retail sector an attractive target for cybercriminals. As retailers continue to digitalize and expand their online operations, the risk of cyberattacks will only increase, emphasizing the need for stronger, more proactive cybersecurity measures to protect both consumer information and business operations.

Scattered Spider strikes again

The evolution of threat actors like Scattered Spider illustrates how attackers have refined their approach to social engineering. Initially targeting telecommunication firms for SIM swap attacks, this group has pivoted to large, lucrative targets across multiple sectors, including retail. Cybersecurity investigators have attributed the recent M&S attack to this collective, the same group behind the 2023 MGM Resorts and Caesars Entertainment attacks that cost MGM around $100 million in losses.

What makes Scattered Spider unique is their makeup: many members are reportedly young, English-speaking hackers based in the UK and US; a departure from the typical Russian-speaking ransomware gangs. Their motivations blend financial gain with bragging rights and notoriety in hacker communities.

Their tactics include:

  • Using lookalike domains to conduct sophisticated phishing attacks
  • Creating fake Okta login pages to harvest credentials
  • Threats of real-world violence
  • Directly contacting employees through phone calls for social engineering
  • Bombarding users with multi-factor authentication (MFA) prompts until someone approves a fraudulent login
  • SIM swapping to hijack victims’ mobile numbers
  • Previously collaborating with ransomware groups like BlackCat/ALPHV and now DragonForce

In the M&S breach, attackers reportedly breached the network as early as February 2025, stealing credential databases and quietly expanding their foothold for weeks before deploying the “DragonForce” ransomware payload on April 24. This DragonForce ransomware-as-a-service (RaaS) platform is part of a troubling trend where skilled intruders can rent powerful ransomware tools without needing to build their own.

What we can learn from the UK retail attacks

The recent attacks on major UK retailers demonstrate that technical defenses alone are insufficient. In the words of cabinet office minister Pat McFadden, cybersecurity must be an “absolute priority” for all UK companies. Organizations must embed cybersecurity resilience into their broader enterprise risk frameworks. This means:

  • Digital infrastructure investment: Implement advanced threat detection, real-time monitoring, and modern authentication protocols. However, as these attacks demonstrate, detecting lateral movement within networks is also important. It is believed that M&S’s attackers operated undetected in their systems for months before deploying ransomware.
  • People-centered security: With social engineering and phishing remaining primary attack vectors, employee awareness and training are critical defenses. The human element cannot be overlooked, particularly as Scattered Spider’s tactics rely heavily on tricking employees through convincing phishing emails or phone calls impersonating IT support.
  • Third-party risk management: Strengthen supply chain due diligence and vendor security assessments. Industry insiders suggest the M&S attack may have originated via a service provider rather than a direct breach of M&S’s network. The NCSC now recommends all retailers review their supply chain security as a priority.
  • Rapid response capability: Harrods’ swift action to restrict internet access across its sites at the first sign of unauthorized access likely prevented a full-scale breach. Preparing and testing incident response plans is critical.
  • Industry collaboration: Enhance information sharing with industry peers, government agencies, and cybersecurity experts. The UK’s National Cyber Security Centre is actively working with the affected companies and urging all organizations to follow their guidance on incident response and recovery.
  • Understanding value-at-risk: Retailers must quantify their potential material losses from cyber incidents and develop strategies to manage this risk across the organization. M&S learned this lesson the hard way, with hundreds of millions in market value erased within days of the breach.
  • Leadership involvement: Cybersecurity can no longer be relegated to the IT department. It requires engagement from the entire leadership team, with cyber risk elevated to a board-level concern. The UK’s National Cyber Security Centre (NCSC) has described these retail attacks as a “wake-up call to all organisations,” emphasizing that this is not just an IT issue.

What is cyber insurance’s role?

The financial impact of these recent UK retail attacks puts the value of comprehensive cyber insurance into stark relief. As mentioned above, M&S lost an estimated £3.8 million in online sales per day while their systems were down, with their stock price plunging 6-9% and wiping out over £700 million in market value within a week of the attack. These figures don’t include forensic investigation costs, legal expenses, and potential regulatory fines from the Information Commissioner’s Office (ICO) for data breaches.

While no policy can completely undo the operational and reputational damage caused by a major cyber incident, robust cyber insurance can significantly reduce the risk of material financial losses. A comprehensive policy should cover business interruption losses, forensic investigation costs, and legal expenses.

At Resilience, we work closely with our clients to  reduce the likelihood of large-scale incidents. While no company is immune to cyberattacks, organisations that take proactive steps are better able to withstand, respond to, and recover from them while minimizing losses. In the wake of these high-profile UK retail attacks, insurers expect premiums to rise sharply, especially for companies seen as unprepared or historically vulnerable.

What’s next?

While recent attacks hit major retailers, cybersecurity experts warn that smaller and mid-sized retailers may become more frequent targets as attackers look for weaker defenses and access points into larger supply chains. No organization is immune.

Future cyberattacks are also likely to target not just data but critical operational technology—such as payment systems, stock management platforms, and delivery logistics—causing prolonged service outages and operational gridlock, particularly around peak retail periods like Black Friday and Christmas.

For retailers worldwide, the message from the UK retail attacks is clear: cybersecurity is no longer just an IT issue, but a fundamental business risk that requires enterprise-wide attention. By adopting a holistic, resilience-focused approach, retailers can better protect customer data, maintain operational integrity, and preserve the trust that forms the foundation of their customer relationships.

You might also like

The essential guide to cyber incident response leadership and decision making

When 43% of UK businesses report experiencing a cyber breach or attack in just the past year, the question isn’t whether your organization will face a cyber incident—it’s how well you’ll respond when it happens.  This stark reality was at the center of a recent webinar hosted by Resilience, featuring insights from Scott Tenenbaum, Head […]

Navigating the growing personal liability facing CISOs

Let’s not mince words: The threat of personal liability and potential criminal charges for CISOs has become a legitimate concern. At a recent “CISOs Off the Record” panel hosted by Resilience at the 2025 RSA Conference, three experienced CISOs talked about the growing trend of CISOs being found personally liable for actions they take at […]

Does the proposed UK ransomware payment ban take things too far?

Cowritten with Henry Westwood, Resilience Cyber Underwriting Manager Simon West, Resilience Head of Customer Engagement The UK government recently launched a consultation on legislative proposals to combat ransomware attacks, one of the most significant cyber threats facing organisations today. As cybersecurity professionals working with organisations across various sectors, we’ve carefully examined these proposals and offered […]

North Korea is targeting the job interview process to infiltrate US companies

This post is based on threat intelligence compiled by Resilience Intelligence Analyst Steph Barnes, published May 8, 2025. North Korean hackers have turned the interview chair into a staging ground for cyberattacks. Two sophisticated campaigns—Contagious Interview and WageMole—are actively targeting job seekers and employers alike, with a clear endgame: funneling money back to the North […]

See what a cyber attack could really cost your enterprise

Data breaches cost U.S. businesses an average of $9.36 million per breach in 2024, yet many enterprises still struggle to quantify their specific cyber risk exposure in financial terms. How do you translate complex technical vulnerabilities into language that your CFO, board members, and other stakeholders can understand and act upon? We’re excited to announce […]

A decision scientist’s perspective on AI

As the Senior Director of Cyber Resilience at Resilience, I bring a somewhat unconventional perspective to the table. Unlike many in our industry who come from traditional cybersecurity or insurance backgrounds, my expertise lies in decision science. Throughout my career, I’ve been fascinated by one central question: How can we help people make good decisions […]