Digital Risk: Enterprises Need More Than Cyber Insurance
Threatonomics

Scattered Spider strikes again in recent UK retail attacks

by Si West , Director, Customer Engagement
Published

Hundreds of millions of dollars lost as cybercriminal group targets major UK retailers, including Marks & Spencer

In the past two weeks, the UK retail industry has faced an unprecedented wave of sophisticated cyberattacks, exposing critical vulnerabilities across the sector. The high-profile breaches at Marks & Spencer, Harrods, and others have sent shockwaves through the industry, with M&S alone suffering an estimated £3.8 million in lost online sales per day and seeing £700 million wiped from its market value after an attack that has been credited to Scattered Spider. 

Why this surge in retail-focused attacks? While it’s impossible to pin on one specific cause, the answer likely lies in both the value of the data retailers hold and the sector’s relative cybersecurity immaturity. Retailers process millions of customer transactions containing sensitive payment information, while often operating with understaffed security teams, inadequate training programs, and complex networks of third-party vendors.

This combination of valuable data and lack of cybersecurity maturity makes the retail sector an attractive target for cybercriminals. As retailers continue to digitalize and expand their online operations, the risk of cyberattacks will only increase, emphasizing the need for stronger, more proactive cybersecurity measures to protect both consumer information and business operations.

Scattered Spider strikes again

The evolution of threat actors like Scattered Spider illustrates how attackers have refined their approach to social engineering. Initially targeting telecommunication firms for SIM swap attacks, this group has pivoted to large, lucrative targets across multiple sectors, including retail. Cybersecurity investigators have attributed the recent M&S attack to this collective, the same group behind the 2023 MGM Resorts and Caesars Entertainment attacks that cost MGM around $100 million in losses.

What makes Scattered Spider unique is their makeup: many members are reportedly young, English-speaking hackers based in the UK and US; a departure from the typical Russian-speaking ransomware gangs. Their motivations blend financial gain with bragging rights and notoriety in hacker communities.

Their tactics include:

  • Using lookalike domains to conduct sophisticated phishing attacks
  • Creating fake Okta login pages to harvest credentials
  • Threats of real-world violence
  • Directly contacting employees through phone calls for social engineering
  • Bombarding users with multi-factor authentication (MFA) prompts until someone approves a fraudulent login
  • SIM swapping to hijack victims’ mobile numbers
  • Previously collaborating with ransomware groups like BlackCat/ALPHV and now DragonForce

In the M&S breach, attackers reportedly breached the network as early as February 2025, stealing credential databases and quietly expanding their foothold for weeks before deploying the “DragonForce” ransomware payload on April 24. This DragonForce ransomware-as-a-service (RaaS) platform is part of a troubling trend where skilled intruders can rent powerful ransomware tools without needing to build their own.

What we can learn from the UK retail attacks

The recent attacks on major UK retailers demonstrate that technical defenses alone are insufficient. In the words of cabinet office minister Pat McFadden, cybersecurity must be an “absolute priority” for all UK companies. Organizations must embed cybersecurity resilience into their broader enterprise risk frameworks. This means:

  • Digital infrastructure investment: Implement advanced threat detection, real-time monitoring, and modern authentication protocols. However, as these attacks demonstrate, detecting lateral movement within networks is also important. It is believed that M&S’s attackers operated undetected in their systems for months before deploying ransomware.
  • People-centered security: With social engineering and phishing remaining primary attack vectors, employee awareness and training are critical defenses. The human element cannot be overlooked, particularly as Scattered Spider’s tactics rely heavily on tricking employees through convincing phishing emails or phone calls impersonating IT support.
  • Third-party risk management: Strengthen supply chain due diligence and vendor security assessments. Industry insiders suggest the M&S attack may have originated via a service provider rather than a direct breach of M&S’s network. The NCSC now recommends all retailers review their supply chain security as a priority.
  • Rapid response capability: Harrods’ swift action to restrict internet access across its sites at the first sign of unauthorized access likely prevented a full-scale breach. Preparing and testing incident response plans is critical.
  • Industry collaboration: Enhance information sharing with industry peers, government agencies, and cybersecurity experts. The UK’s National Cyber Security Centre is actively working with the affected companies and urging all organizations to follow their guidance on incident response and recovery.
  • Understanding value-at-risk: Retailers must quantify their potential material losses from cyber incidents and develop strategies to manage this risk across the organization. M&S learned this lesson the hard way, with hundreds of millions in market value erased within days of the breach.
  • Leadership involvement: Cybersecurity can no longer be relegated to the IT department. It requires engagement from the entire leadership team, with cyber risk elevated to a board-level concern. The UK’s National Cyber Security Centre (NCSC) has described these retail attacks as a “wake-up call to all organisations,” emphasizing that this is not just an IT issue.

What is cyber insurance’s role?

The financial impact of these recent UK retail attacks puts the value of comprehensive cyber insurance into stark relief. As mentioned above, M&S lost an estimated £3.8 million in online sales per day while their systems were down, with their stock price plunging 6-9% and wiping out over £700 million in market value within a week of the attack. These figures don’t include forensic investigation costs, legal expenses, and potential regulatory fines from the Information Commissioner’s Office (ICO) for data breaches.

While no policy can completely undo the operational and reputational damage caused by a major cyber incident, robust cyber insurance can significantly reduce the risk of material financial losses. A comprehensive policy should cover business interruption losses, forensic investigation costs, and legal expenses.

At Resilience, we work closely with our clients to  reduce the likelihood of large-scale incidents. While no company is immune to cyberattacks, organisations that take proactive steps are better able to withstand, respond to, and recover from them while minimizing losses. In the wake of these high-profile UK retail attacks, insurers expect premiums to rise sharply, especially for companies seen as unprepared or historically vulnerable.

What’s next?

While recent attacks hit major retailers, cybersecurity experts warn that smaller and mid-sized retailers may become more frequent targets as attackers look for weaker defenses and access points into larger supply chains. No organization is immune.

Future cyberattacks are also likely to target not just data but critical operational technology—such as payment systems, stock management platforms, and delivery logistics—causing prolonged service outages and operational gridlock, particularly around peak retail periods like Black Friday and Christmas.

For retailers worldwide, the message from the UK retail attacks is clear: cybersecurity is no longer just an IT issue, but a fundamental business risk that requires enterprise-wide attention. By adopting a holistic, resilience-focused approach, retailers can better protect customer data, maintain operational integrity, and preserve the trust that forms the foundation of their customer relationships.

About the Author
Si West , Director, Customer Engagement

You might also like

See what a cyber attack could really cost your enterprise

Data breaches cost U.S. businesses an average of $9.36 million per breach in 2024, yet many enterprises still struggle to quantify their specific cyber risk exposure in financial terms. How do you translate complex technical vulnerabilities into language that your CFO, board members, and other stakeholders can understand and act upon? We’re excited to announce […]

A decision scientist’s perspective on AI

As the Senior Director of Cyber Resilience at Resilience, I bring a somewhat unconventional perspective to the table. Unlike many in our industry who come from traditional cybersecurity or insurance backgrounds, my expertise lies in decision science. Throughout my career, I’ve been fascinated by one central question: How can we help people make good decisions […]

What enterprises over $10 billion need to know about managing cyber risk

The role of the Chief Information Security Officer has undergone a profound transformation from a purely technical role to a strategic business one in recent years. For CISOs operating in organizations with over $10 billion in revenue—a segment that Resilience has recently expanded its cyber risk solutions to serve—the shift comes with unique pressures and […]

How to create an effective Incident Response Plan

Cyberattacks are no longer a distant threat—they are a certainty. Whether it’s a ransomware attack, data breach, or insider threat, organizations must be prepared to respond quickly and effectively. Without a solid plan in place, even a minor security incident can spiral into a major crisis, leading to financial losses, reputational damage, and regulatory penalties. […]

Understanding the ClickFix attack

Imagine a cyberattack so simple yet so deceptive that all it takes is three keystrokes to compromise your system. This is the reality of the ClickFix attack, a threat that Resilience threat researchers have observed in the wild since 2024 and that seems to be ramping up in recent weeks. ClickFix cleverly manipulates users into […]

How MFA can be hacked

Multi-factor authentication (MFA) represents a significant improvement over single-factor authentication, adding an extra layer of security that has become standard practice across industries. It’s become so popular that many organizations and individuals believe implementing MFA makes their accounts nearly impenetrable to attackers. After all, even if someone steals your password, they would still need access […]