Scattered Spider strikes again in recent UK retail attacks

by Si West, Director, Customer Engagement

Hundreds of millions of dollars lost as cybercriminal group targets major UK retailers, including Marks & Spencer

In the past two weeks, the UK retail industry has faced an unprecedented wave of sophisticated cyberattacks, exposing critical vulnerabilities across the sector. The high-profile breaches at Marks & Spencer, Harrods, and others have sent shockwaves through the industry, with M&S alone suffering an estimated £3.8 million in lost online sales per day and seeing £700 million wiped from its market value after an attack that has been attributed to Scattered Spider.

Why this surge in retail-focused attacks? While it’s impossible to pin the surge on one specific cause, the answer likely lies in both the value of the data retailers hold and the sector’s relative cybersecurity immaturity. Retailers process millions of customer transactions containing sensitive payment information, while often operating with understaffed security teams, inadequate training programs, and complex networks of third-party vendors.

This combination of valuable data and lack of cybersecurity maturity makes the retail sector an attractive target for cybercriminals. As retailers continue to digitalize and expand their online operations, the risk of cyberattacks will only increase, emphasizing the need for stronger, more proactive cybersecurity measures to protect both consumer information and business operations.

Scattered Spider strikes again

The evolution of threat actors like Scattered Spider illustrates how attackers have refined their approach to social engineering. Initially targeting telecommunication firms for SIM swap attacks, this group has pivoted to large, lucrative targets across multiple sectors, including retail. Cybersecurity investigators have attributed the recent M&S attack to this collective, the same group behind the 2023 MGM Resorts and Caesars Entertainment attacks that cost MGM around $100 million in losses.

What makes Scattered Spider unique is its makeup: many members are reportedly young, English-speaking hackers based in the UK and US, a departure from the typical Russian-speaking ransomware gangs. Their motivations blend financial gain with bragging rights and notoriety in hacker communities.

Their tactics include:

  • Using lookalike domains to conduct sophisticated phishing attacks
  • Creating fake Okta login pages to harvest credentials
  • Threats of real-world violence
  • Directly contacting employees through phone calls for social engineering
  • Bombarding users with multi-factor authentication (MFA) prompts until someone approves a fraudulent login
  • SIM swapping to hijack victims’ mobile numbers
  • Previously collaborating with ransomware groups like BlackCat/ALPHV and now DragonForce
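
For defenders, the MFA prompt bombing tactic in the list above leaves a recognisable trace in authentication logs: a burst of rejected or ignored push prompts followed by an approval. The Python below is an added example, not part of the original article; the event format, the sample data and the thresholds (a 10-minute window, four rejected prompts) are assumptions to tune against your own identity provider's logs.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not a real vendor log schema):
# (ISO timestamp, user, outcome of the MFA push prompt)
SAMPLE_EVENTS = [
    ("2025-01-15T02:10:05", "alice", "denied"),
    ("2025-01-15T02:10:40", "alice", "timeout"),
    ("2025-01-15T02:11:15", "alice", "denied"),
    ("2025-01-15T02:12:02", "alice", "denied"),
    ("2025-01-15T02:13:30", "alice", "timeout"),
    ("2025-01-15T02:14:01", "alice", "approved"),  # gives in after 5 prompts
    ("2025-01-15T09:00:00", "bob", "denied"),      # one mis-tap, then a normal login
    ("2025-01-15T09:00:30", "bob", "approved"),
    ("2025-01-15T08:00:00", "carol", "denied"),    # rejections spread over hours
    ("2025-01-15T08:40:00", "carol", "timeout"),
    ("2025-01-15T09:20:00", "carol", "denied"),
    ("2025-01-15T10:00:00", "carol", "denied"),
    ("2025-01-15T10:00:20", "carol", "approved"),
]

def find_push_fatigue(events, window=timedelta(minutes=10), min_rejected=4):
    """Return (user, approval_time, rejected_count) for every approval that
    follows at least `min_rejected` denied or timed-out prompts within `window`."""
    recent = defaultdict(deque)  # user -> timestamps of recent rejected prompts
    alerts = []
    for ts_text, user, outcome in sorted(events):  # ISO strings sort by time
        ts = datetime.fromisoformat(ts_text)
        rejected = recent[user]
        # Drop rejections that have aged out of the sliding window.
        while rejected and ts - rejected[0] > window:
            rejected.popleft()
        if outcome in ("denied", "timeout"):
            rejected.append(ts)
        elif outcome == "approved":
            if len(rejected) >= min_rejected:
                alerts.append((user, ts_text, len(rejected)))
            rejected.clear()  # a successful login starts a new sequence
    return alerts

if __name__ == "__main__":
    for user, when, count in find_push_fatigue(SAMPLE_EVENTS):
        print(f"ALERT {user}: approval at {when} after {count} rejected prompts")
```

An alert of this kind is a prompt to contact the user out of band and review the session that the approval created, since the approval itself looks like a normal successful login.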

In the M&S breach, attackers reportedly breached the network as early as February 2025, stealing credential databases and quietly expanding their foothold for weeks before deploying the “DragonForce” ransomware payload on April 24. This DragonForce ransomware-as-a-service (RaaS) platform is part of a troubling trend where skilled intruders can rent powerful ransomware tools without needing to build their own.

What we can learn from the UK retail attacks

The recent attacks on major UK retailers demonstrate that technical defenses alone are insufficient. In the words of Cabinet Office minister Pat McFadden, cybersecurity must be an “absolute priority” for all UK companies. Organizations must embed cybersecurity resilience into their broader enterprise risk frameworks. This means:

  • Digital infrastructure investment: Implement advanced threat detection, real-time monitoring, and modern authentication protocols. However, as these attacks demonstrate, detecting lateral movement within networks is also important. It is believed that M&S’s attackers operated undetected in their systems for months before deploying ransomware.
  • People-centered security: With social engineering and phishing remaining primary attack vectors, employee awareness and training are critical defenses. The human element cannot be overlooked, particularly as Scattered Spider’s tactics rely heavily on tricking employees through convincing phishing emails or phone calls impersonating IT support.
  • Third-party risk management: Strengthen supply chain due diligence and vendor security assessments. Industry insiders suggest the M&S attack may have originated via a service provider rather than a direct breach of M&S’s network. The NCSC now recommends all retailers review their supply chain security as a priority.
  • Rapid response capability: Harrods’ swift action to restrict internet access across its sites at the first sign of unauthorized access likely prevented a full-scale breach. Preparing and testing incident response plans is critical.
  • Industry collaboration: Enhance information sharing with industry peers, government agencies, and cybersecurity experts. The UK’s National Cyber Security Centre is actively working with the affected companies and urging all organizations to follow their guidance on incident response and recovery.
  • Understanding value-at-risk: Retailers must quantify their potential material losses from cyber incidents and develop strategies to manage this risk across the organization. M&S learned this lesson the hard way, with hundreds of millions in market value erased within days of the breach.
  • Leadership involvement: Cybersecurity can no longer be relegated to the IT department. It requires engagement from the entire leadership team, with cyber risk elevated to a board-level concern. The UK’s National Cyber Security Centre (NCSC) has described these retail attacks as a “wake-up call to all organisations,” emphasizing that this is not just an IT issue.

What is cyber insurance’s role?

The financial impact of these recent UK retail attacks puts the value of comprehensive cyber insurance into stark relief. As mentioned above, M&S lost an estimated £3.8 million in online sales per day while their systems were down, with their stock price plunging 6-9% and wiping out over £700 million in market value within a week of the attack. These figures don’t include forensic investigation costs, legal expenses, and potential regulatory fines from the Information Commissioner’s Office (ICO) for data breaches.

While no policy can completely undo the operational and reputational damage caused by a major cyber incident, robust cyber insurance can significantly reduce the risk of material financial losses. A comprehensive policy should cover business interruption losses, forensic investigation costs, and legal expenses.

At Resilience, we work closely with our clients to reduce the likelihood of large-scale incidents. While no company is immune to cyberattacks, organisations that take proactive steps are better able to withstand, respond to, and recover from them while minimizing losses. In the wake of these high-profile UK retail attacks, insurers expect premiums to rise sharply, especially for companies seen as unprepared or historically vulnerable.

What’s next?

While recent attacks hit major retailers, cybersecurity experts warn that smaller and mid-sized retailers may become more frequent targets as attackers look for weaker defenses and access points into larger supply chains. No organization is immune.

Future cyberattacks are also likely to target not just data but critical operational technology—such as payment systems, stock management platforms, and delivery logistics—causing prolonged service outages and operational gridlock, particularly around peak retail periods like Black Friday and Christmas.

For retailers worldwide, the message from the UK retail attacks is clear: cybersecurity is no longer just an IT issue, but a fundamental business risk that requires enterprise-wide attention. By adopting a holistic, resilience-focused approach, retailers can better protect customer data, maintain operational integrity, and preserve the trust that forms the foundation of their customer relationships.
