Digital Risk: Enterprises Need More Than Cyber Insurance
Threatonomics

Scattered Spider strikes again in recent UK retail attacks

by Si West , Director, Customer Engagement
Published

Hundreds of millions of dollars lost as cybercriminal group targets major UK retailers, including Marks & Spencer

In the past two weeks, the UK retail industry has faced an unprecedented wave of sophisticated cyberattacks, exposing critical vulnerabilities across the sector. The high-profile breaches at Marks & Spencer, Harrods, and others have sent shockwaves through the industry, with M&S alone suffering an estimated £3.8 million in lost online sales per day and seeing £700 million wiped from its market value after an attack that has been credited to Scattered Spider. 

Why this surge in retail-focused attacks? While it’s impossible to pin on one specific cause, the answer likely lies in both the value of the data retailers hold and the sector’s relative cybersecurity immaturity. Retailers process millions of customer transactions containing sensitive payment information, while often operating with understaffed security teams, inadequate training programs, and complex networks of third-party vendors.

This combination of valuable data and lack of cybersecurity maturity makes the retail sector an attractive target for cybercriminals. As retailers continue to digitalize and expand their online operations, the risk of cyberattacks will only increase, emphasizing the need for stronger, more proactive cybersecurity measures to protect both consumer information and business operations.

Scattered Spider strikes again

The evolution of threat actors like Scattered Spider illustrates how attackers have refined their approach to social engineering. Initially targeting telecommunication firms for SIM swap attacks, this group has pivoted to large, lucrative targets across multiple sectors, including retail. Cybersecurity investigators have attributed the recent M&S attack to this collective, the same group behind the 2023 MGM Resorts and Caesars Entertainment attacks that cost MGM around $100 million in losses.

What makes Scattered Spider unique is their makeup: many members are reportedly young, English-speaking hackers based in the UK and US; a departure from the typical Russian-speaking ransomware gangs. Their motivations blend financial gain with bragging rights and notoriety in hacker communities.

Their tactics include:

  • Using lookalike domains to conduct sophisticated phishing attacks
  • Creating fake Okta login pages to harvest credentials
  • Threats of real-world violence
  • Directly contacting employees through phone calls for social engineering
  • Bombarding users with multi-factor authentication (MFA) prompts until someone approves a fraudulent login
  • SIM swapping to hijack victims’ mobile numbers
  • Previously collaborating with ransomware groups like BlackCat/ALPHV and now DragonForce

In the M&S breach, attackers reportedly breached the network as early as February 2025, stealing credential databases and quietly expanding their foothold for weeks before deploying the “DragonForce” ransomware payload on April 24. This DragonForce ransomware-as-a-service (RaaS) platform is part of a troubling trend where skilled intruders can rent powerful ransomware tools without needing to build their own.

What we can learn from the UK retail attacks

The recent attacks on major UK retailers demonstrate that technical defenses alone are insufficient. In the words of cabinet office minister Pat McFadden, cybersecurity must be an “absolute priority” for all UK companies. Organizations must embed cybersecurity resilience into their broader enterprise risk frameworks. This means:

  • Digital infrastructure investment: Implement advanced threat detection, real-time monitoring, and modern authentication protocols. However, as these attacks demonstrate, detecting lateral movement within networks is also important. It is believed that M&S’s attackers operated undetected in their systems for months before deploying ransomware.
  • People-centered security: With social engineering and phishing remaining primary attack vectors, employee awareness and training are critical defenses. The human element cannot be overlooked, particularly as Scattered Spider’s tactics rely heavily on tricking employees through convincing phishing emails or phone calls impersonating IT support.
  • Third-party risk management: Strengthen supply chain due diligence and vendor security assessments. Industry insiders suggest the M&S attack may have originated via a service provider rather than a direct breach of M&S’s network. The NCSC now recommends all retailers review their supply chain security as a priority.
  • Rapid response capability: Harrods’ swift action to restrict internet access across its sites at the first sign of unauthorized access likely prevented a full-scale breach. Preparing and testing incident response plans is critical.
  • Industry collaboration: Enhance information sharing with industry peers, government agencies, and cybersecurity experts. The UK’s National Cyber Security Centre is actively working with the affected companies and urging all organizations to follow their guidance on incident response and recovery.
  • Understanding value-at-risk: Retailers must quantify their potential material losses from cyber incidents and develop strategies to manage this risk across the organization. M&S learned this lesson the hard way, with hundreds of millions in market value erased within days of the breach.
  • Leadership involvement: Cybersecurity can no longer be relegated to the IT department. It requires engagement from the entire leadership team, with cyber risk elevated to a board-level concern. The UK’s National Cyber Security Centre (NCSC) has described these retail attacks as a “wake-up call to all organisations,” emphasizing that this is not just an IT issue.

What is cyber insurance’s role?

The financial impact of these recent UK retail attacks puts the value of comprehensive cyber insurance into stark relief. As mentioned above, M&S lost an estimated £3.8 million in online sales per day while their systems were down, with their stock price plunging 6-9% and wiping out over £700 million in market value within a week of the attack. These figures don’t include forensic investigation costs, legal expenses, and potential regulatory fines from the Information Commissioner’s Office (ICO) for data breaches.

While no policy can completely undo the operational and reputational damage caused by a major cyber incident, robust cyber insurance can significantly reduce the risk of material financial losses. A comprehensive policy should cover business interruption losses, forensic investigation costs, and legal expenses.

At Resilience, we work closely with our clients to  reduce the likelihood of large-scale incidents. While no company is immune to cyberattacks, organisations that take proactive steps are better able to withstand, respond to, and recover from them while minimizing losses. In the wake of these high-profile UK retail attacks, insurers expect premiums to rise sharply, especially for companies seen as unprepared or historically vulnerable.

What’s next?

While recent attacks hit major retailers, cybersecurity experts warn that smaller and mid-sized retailers may become more frequent targets as attackers look for weaker defenses and access points into larger supply chains. No organization is immune.

Future cyberattacks are also likely to target not just data but critical operational technology—such as payment systems, stock management platforms, and delivery logistics—causing prolonged service outages and operational gridlock, particularly around peak retail periods like Black Friday and Christmas.

For retailers worldwide, the message from the UK retail attacks is clear: cybersecurity is no longer just an IT issue, but a fundamental business risk that requires enterprise-wide attention. By adopting a holistic, resilience-focused approach, retailers can better protect customer data, maintain operational integrity, and preserve the trust that forms the foundation of their customer relationships.

You might also like

How ransomware groups are changing the game with double extortion

Double extortion has become the industry standard. According to our recent analysis of Resilience cyber insurance claims, ransomware attacks now routinely involve two distinct ransom demands: one for the decryption key to unlock encrypted systems, and another to prevent stolen data from being published on leak sites or sold to competitors. This shift represents more […]

What the Collins Aerospace outage reveals about vendor risk

On September 19, 2025, chaos erupted at airports across Europe—but not because of weather, strikes, or mechanical failures. Collins Aerospace’s MUSE platform, the digital backbone handling passenger check-in and baggage processing from Heathrow to Dublin, went dark after a ransomware attack. Within hours, major airports including Brussels, Berlin, and Dublin were forced to revert to […]

Does Resilience use your company data to train AI?

In an era where “AI training” has become synonymous with data collection, we get this question a lot: “Does Resilience use our company data to train AI models like ChatGPT?” The short answer? No. But the full answer reveals something more interesting about how we approach cyber risk modeling and why we chose a different […]

New insights on the evolving threat landscape, from our 2025 Midyear Cyber Risk Report 

The cybersecurity world is experiencing an unexpected paradox in 2025. While cyber insurance claims in the Resilience portfolio dropped by 53% in the first half of the year—suggesting that organizations are getting better at preventing attacks—the financial damage from successful incidents has actually increased. Our latest 2025 Midyear Cyber Risk Report reveals that when cybercriminals […]

The seven places you should be looking when building your vendor list

In our first post, we established why comprehensive vendor discovery matters and how most organizations approach it incorrectly. Today, we’re diving into the practical mechanics: the seven data streams that can reveal vendor relationships hiding in your existing systems. The key insight is to start with data you already have rather than surveys or questionnaires. […]

How to get people to care about security when they don’t report to you

Getting executive sign-off on a new control? Hard. Getting peer buy-in on security initiatives when they don’t report to you? Harder. In modern organizations, cybersecurity professionals often find themselves in the ultimate matrix of organizational challenges: you need buy-in from every department within the organization – operations, sales, HR, and finance – but none of […]