Full Report
Harrods, the iconic British luxury department store, has confirmed that it was recently targeted in a cybersecurity incident, becoming the third major UK retailer in just a few days to report a cyber incident. The Harrods cyberattack follows similar breaches at Marks & Spencer and the Co-op. The cyberattack on Harrods prompted the department store to take precautionary steps, including limiting online access while assuring customers that its physical stores and online shopping were still operational.

The incident, which occurred in late April 2025, saw hackers attempt to gain unauthorized access to Harrods’ systems. The UK retailer restricted internet access at its sites as a precautionary measure but assured customers that its flagship Knightsbridge store, H Beauty branches, and airport outlets remained open. Additionally, online shopping services continued without interruption.

## Response to the Harrods Cyberattack

In a statement provided to The Cyber Express, the company confirmed the incident, stating, "We recently experienced attempts to gain unauthorized access to some of our systems. Our seasoned IT security team immediately took proactive steps to keep systems safe, and as a result, we have restricted internet access at our sites today. Currently, all sites, including our Knightsbridge store, H beauty stores, and airport stores, remain open to welcome customers. Customers can also continue to shop via harrods.com."

Harrods has not yet provided additional details on the scale or potential consequences of the breach, including whether customer data was affected. Customers were reassured that no action was needed on their part at this time, with the retailer promising to provide updates as the situation evolves.

## Rising Concerns in the Retail Sector

The Harrods cyberattack comes on the heels of similar incidents that recently disrupted operations at Marks & Spencer and the Co-op.

Marks & Spencer, for example, revealed a cyberattack linked to the hacking group "Scattered Spider" that caused widespread disruptions to online ordering systems and stock shortages in some physical stores. The attack, which reportedly involved the deployment of DragonForce ransomware, has cost Marks & Spencer millions in lost sales. Online orders were suspended for several days, and authorities are still investigating the incident.

Meanwhile, the Co-op also reported an attempted network breach, prompting it to take precautionary measures such as shutting down parts of its IT systems and requiring staff to verify their identities during remote meetings. These measures were implemented to mitigate the risk of eavesdropping by cybercriminals.

The National Cyber Security Centre (NCSC), which oversees the UK’s cybersecurity efforts, has expressed concern over the growing number of attacks targeting the retail sector. Richard Horne, the NCSC’s CEO, emphasized that these incidents should serve as a wake-up call for retailers to bolster their defenses against cyber threats. He confirmed that the NCSC was collaborating closely with all affected companies to fully understand the nature of these attacks and to offer expert advice to the wider retail sector.

## Conclusion

The ongoing investigations into the recent attacks on Harrods, Marks & Spencer, and the Co-op highlight the advances made by cybercriminals targeting high-profile UK retailers. While no direct link between the incidents has been established, experts speculate that shared vulnerabilities or common suppliers may be involved.

This is an ongoing story, and The Cyber Express will be closely monitoring the situation. We'll update this post once we have more information on the incident and/or any new statement from the retailer.
Analysis Summary
# Incident Report: Wave of Cyberattacks Targeting UK Retailers (Harrods, M&S, Co-op)
## Executive Summary
A suspected wave of cyberattacks impacted several major UK retailers, including confirmed incidents at Harrods and Marks & Spencer (M&S) and an attempted breach at the Co-op. The incidents led to operational disruption, such as M&S suspending online orders, highlighting a growing trend of threat actors targeting the retail sector. The NCSC is coordinating with affected parties to assess the nature of the attacks, which may stem from shared vulnerabilities or common supply chain weaknesses.
## Incident Details
- **Discovery Date:** Described only in narrative terms; the incidents appear to be ongoing or recently disclosed (May 2, 2025 timeframe).
- **Incident Date:** Occurred recently, as part of a "recent wave" of attacks.
- **Affected Organization:** Harrods, Marks & Spencer (M&S), and Co-op.
- **Sector:** Retail
- **Geography:** United Kingdom (UK)
## Timeline of Events
### Initial Access
- **Date/Time:** Not specified; occurred before the public disclosure/response period.
- **Vector:** Not explicitly detailed for all three, but the context suggests sophisticated exploitation targeting the sector.
- **Details:** Harrods was hit, M&S experienced an incident costing millions, and Co-op thwarted an attempted network breach.
### Lateral Movement
- Not detailed in the provided text.
### Data Exfiltration/Impact
- **M&S:** Online orders were suspended for several days. Authorities are investigating.
- **Co-op:** Incident response included taking precautionary measures, such as shutting down parts of the IT system and mandating identity verification for remote staff meetings to mitigate eavesdropping risk.
### Detection & Response
- **Detection:** Unspecified, but subsequent actions indicate breaches or near-breaches were detected.
- **Response actions taken:** M&S suspended online orders; Co-op shut down parts of its IT systems and implemented stricter identity verification. The National Cyber Security Centre (NCSC) is collaborating with affected companies.
## Attack Methodology
*Note: Specific TTPs are not fully detailed for any single incident, but general themes are implied.*
- **Initial Access:** Unknown, potentially common vulnerability exploitation (given the shared retail target pool).
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Not detailed.
- **Discovery:** Under investigation by NCSC.
- **Lateral Movement:** Not detailed.
- **Collection:** Not detailed.
- **Exfiltration:** Implied at M&S due to financial impact, but unconfirmed.
- **Impact:** Operational disruption (M&S halted sales) and financial loss (M&S lost millions).
## Impact Assessment
- **Financial:** Marks & Spencer lost millions in sales.
- **Data Breach:** Status unknown, but data security is implied as a concern (Co-op mitigating eavesdropping risk).
- **Operational:** M&S suspended online orders for several days. Co-op implemented partial IT system shutdowns.
- **Reputational:** Increased scrutiny on the security posture of major UK retailers.
## Indicators of Compromise
- No specific, defanged IOCs (IPs, domains, hashes) were mentioned in the provided context.
## Response Actions
- **Containment measures:** Co-op shut down parts of its IT systems.
- **Eradication steps:** Not detailed.
- **Recovery actions:** M&S restored online ordering after several days. NCSC is offering expert advice to the wider sector.
## Lessons Learned
- **Key takeaways:** Cybercriminals are actively and systematically targeting the UK retail sector.
- **What could have been done better:** Experts speculate that shared vulnerabilities or common suppliers may be implicated, suggesting potential gaps in shared third-party risk management or patch management across the sector.
## Recommendations
- Retailers must heed the NCSC's warning and immediately bolster security defenses.
- Conduct thorough investigations into potential shared vulnerabilities or supply chain links identified across the breaches affecting Harrods, M&S, and the Co-op.
- Mandatory and strict verification procedures for remote access and meetings (as adopted by Co-op) should be considered for critical operations.