AlenKadr - stock.adobe.com

Retail cyber crime spree a “wake-up call”, says NCSC CEO

The NCSC confirms it is providing assistance to M&S, Co-op and Harrods as concerns grow among UK retailers

The UK’s National Cyber Security Centre has spoken out following a wave of cyber attacks against British retailers that has stricken household names such as Marks and Spencer (M&S), Co-op, and Harrods, warning others to be on their guard against similar intrusions.

The current series of incidents – which are not yet confirmed to be linked – began over the Easter weekend at M&S, forcing the organisation to close down its online services. Just over a week later, on 30 April, Co-op revealed it had proactively taken systems offline following a series of hacking attempts. Then, barely 48 hours later on 1 May, a similar incident beset luxury department store and tourist icon Harrods.

Computer Weekly understands that all three retailers affected in the current spate of cyber attacks are currently receiving incident response support from the NCSC, meaning the GCHQ-backed agency likely has much more detail on the nature of the attacks than is currently public.

“The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers, and the public,” said NCSC CEO Richard Horne.

“The NCSC continues to work closely with organisations that have reported incidents to us to fully understand the nature of these attacks and to provide expert advice to the wider sector based on the threat picture.

“These incidents should act as a wake-up call to all organisations. I urge leaders to follow the advice on the NCSC website to ensure they have appropriate measures in place to help prevent attacks and respond and recover effectively.”

The Information Commissioner’s Office has also now confirmed it is actively involved in both the M&S and Co-op incidents, according to deputy commissioner Stephen Bonner.

“We have received reports from Marks and Spencer plc and the Co-op Group. We are making enquiries with these organisations and working closely with the NCSC,” said Bonner.

“We recognise that seeing cyber attacks in the news can be concerning, especially if you are a customer,” added Bonner.

“If you are worried about your personal information, you can visit our website for advice and support. Make sure your accounts are protected by a strong password and that you are not using the same password across multiple accounts. We also advise checking regularly for updates from the organisation and following their advice if they confirm that your personal information has been impacted by a cyber attack.” 

Working day and night

As the extent of the cyber attacks continues to spread, M&S chief exec Stuart Machin today again apologised to the high street mainstay’s customers for not being able to offer its usual services.

“We are working day and night to manage the current cyber incident and get things back to normal for you as quickly as possible,” said Machin.

“Thank you from me and everyone at M&S for all the support you have shown us. We do not take it for granted and we are incredibly grateful.

“Our teams are doing the very best they can, and are ready to welcome you into our stores … this bank holiday weekend,” he added.

MP Matt Western, chair of the Joint Committee on the National Security Strategy, said: “These serious attacks threaten not just the bottom line of the businesses involved but also the wider food supply chain. If shelves are left empty and deliveries unfulfilled, local communities will suffer.

“Ransomware is a real and growing threat to many aspects of our daily lives. Cyber security affects us all, and we must do more to prevent these attacks knocking out whole sectors of our economy in future.

“As the government concludes its consultation on proposals to counter ransomware, I hope its response treats these threats with the seriousness they clearly deserve, and I look forward to the Committee scrutinising the government’s next steps in detail,” he said.

Timeline: UK retail cyber attacks

  • 22 April 2025: A cyber attack at M&S has caused significant disruption to customers, leaving them unable to make contactless payments or use click-and-collect services.
  • 24 April: M&S is still unable to provide contactless payment or click-and-collect services amid a cyber attack that it says has forced it to move a number of processes offline to safeguard its customers, staff and business.
  • 25 April: M&S shuts down online sales as it works to contain and mitigate a severe cyber attack on its systems.
  • 29 April: The infamous Scattered Spider hacking collective may have been behind the ongoing cyber attack on Marks and Spencer that has crippled systems at the retailer and left its ecommerce operation in disarray.
  • 30 April: A developing cyber incident at Co-op has forced the retailer to pull the plug on some of its IT systems as it works to contain the attack.
  • 1 May: Co-op tells staff to stop using their VPNs and be wary that their communications channels may be being monitored, as a cyber attack on the organisation continues to develop.
  • 1 May: Harrods confirms it is the latest UK retailer to experience a cyber attack, shutting off a number of systems in an attempt to lessen the impact.

Read more on Data breach incident management and recovery