What do the M&S, Co-op and Harrods cyber attacks mean for UK retailers?
M&S, Co-op and Harrods have been subject to cyber attacks of late, with wide ranging implications for both shoppers and staff.

Issues for M&S kicked off over the Easter holiday weekend, with shoppers at the food and fashion giant reporting they were unable to use contactless payments or click and collect services.
The retailer’s CEO Stuart Machin went on to inform shoppers that it was “managing a cyber incident,” and that it needed to make “some small changes” to store operations to “protect you and the business”. Since then, the ongoing attack has had wide-reaching implications including stock shortages and WFH staff locked out of IT systems.
On 30 April, fellow grocer Co-op fell victim to a cyberattack, with some of the convenience retailer’s back-office systems and call centre services breached.
Co-op’s staff have since been told to keep their cameras on in remote work meetings, not to record or transcribe calls, or post any sensitive information into Teams chats, according to the BBC. On 4 May it was revealed that hackers had accessed a “significant” amount of customer data.
On 2 May, it also emerged that Harrods had faced a cyber attack, with the department store said to be engaging specialists to help investigate and fix the issue. However, the retailer managed to thwart the attempted intrusion.
These attacks have prompted the chair of the Business and Trade Select Committee to write to the bosses of M&S and Co-op to seek reassurance that they are managing the incidents effectively, and are the latest in an escalating wave of cyber security breaches across UK retail in recent years.
Retailers ranging from JD Sports to Boots and WHSmith have all been targeted in recent years, and insurance firm QBE also found that the number of “disruptive and destructive global cyber-attacks” occurring per year had more than doubled from 2020 until 2024.
With a host of attacks plaguing the industry, what could the cyber attacks mean for UK retailers, and what is the industry’s best recourse to defend itself?
‘A constantly moving picture’
The recent torrent of cyber attacks has shaken up the retail industry, exposing its vulnerabilities and prompting businesses to re-evaluate cyber security strategies.
To keep themselves safe, Walker Morris regulatory and compliance partner Andrew Northage emphasises that businesses must avoid “standing still” since hackers are “trying new things all the time”.
“If you think you can stand still and be cyber protected, that would be a big mistake to make,” he says.
“The picture is constantly moving and evolving and you have to move and evolve with it. Internally and externally, you need to make sure you’ve got the best support and advice that you can get using people that are really on top of it, because it’s a constantly moving picture.”
Retail Technology Magazine publisher Miya Knights also highlights the importance of retailers sharing industry knowledge with each other, both once attacks occur and in order to defend themselves in the first place.
“Chief information security officers (CISOs) in retail need to get round a table and talk about what happened and share best practice and knowledge so they can all be better armed against these hackers,” she says.
“What floats all boats can also sink all boats, so I think they need to share knowledge about what’s happened so they can all be better protected.”
The need for knowledge sharing is particularly urgent, as research from cybersecurity firm Cisco found that just one in four UK firms are fully prepared to defend against increasingly complex cyber threats, with nearly half of those surveyed having over ten unfilled cybersecurity roles across their respective organisations.
BRC CEO Helen Dickinson highlights that “retailers spend hundreds of millions every year to mitigate these risks and ensure they can continue to serve customers,” adding that “many businesses continue to work closely with the National Cyber Security Centre to share cyber threat intelligence, and are continually reviewing their systems to ensure they are as secure as possible.”
Regarding how long recovery from the attacks could take, Northage argues: “I would say probably months, it’s unlikely to be weeks, I’d be surprised if it’s years, but you’re probably looking at six months plus.”
“It very much varies on what information they’ve got, how they got into the systems, and how complex the systems are.”
The impacts from the M&S attack in particular have certainly been wide reaching, with issues including empty shelves, the suspension of all online orders, and the retailer shutting its work-from-home staff out of some of its IT systems.
However, Skillcast CEO Vivek Dodd highlights that the “real damage” of cyber attacks is often to consumers’ trust, “particularly when the attack causes widespread public concern”.
Northage notes that while the stock shortages at M&S have affected customers, “it also affects the company in terms of a loss of confidence and shoppers going elsewhere.”
He also points out that M&S and Co-op’s loyalty schemes hold “lots of customer data” which was “the sort of thing that would make your average customer nervous” as to what details of theirs were out there.
Who else is at risk?
With M&S, Co-op and Harrods having hit the headlines with the attacks, shoppers may be left wondering why these particular retailers were vulnerable.
Although Knights says she does not think anyone can definitively say why they were targeted, they had been picked out on one level due to them being “prominent household names”.
“They’re retailers, so security is not core to their businesses in such a way as maybe financial services or the public sector,” she notes.
“But nevertheless their turnover makes them an attractive target in the fact that they’re large organisations and they handle a lot of customer data.”
Despite this, she argues: “I would expect the hackers targeted a number of retailers, and the reason M&S, Co-op and Harrods have hit the headlines is because they were vulnerable.”
Regarding other retailer types that could be at risk, Knights thinks those most vulnerable would be “those that have a sizable business with large tier one scale turnover across many channels”.
“That means they potentially use digital heavily across all of their customer and supplier facing channels, and therefore there is more surface area to secure.”
Northage thinks any other retailers could be at risk of cyber attacks: “When M&S and Co-op were the first two, you think is it grocery?
“But the fact that we’ve now had Harrods as well says to me that it’s maybe supply chain or it’s something to do with customers where they’ve found the vulnerability.
“Obviously lots of other big retailers will have similar systems, particularly if they’re in the FMCG market.”
A ‘wake up call’ for UK retailers
With M&S, Co-op and Harrods being targeted by hackers, it raises the question of whether the UK retail sector is particularly vulnerable to cyber attacks.
Although Knights does not think so, she argues: “This is a wake up call for UK retailers where security may not have been core to their business but it should be.”
She adds that this is particularly pertinent given the growth of online and multichannel retail in the wake of Covid alongside the declining use of cash amongst shoppers, all of which makes the sector “more vulnerable” to future cyber attacks.
“Retail organisations should have the same checks and balances in place as you would expect government organisations and financial services organisations to have,” she concludes.
The recent spate of attacks certainly serves as a warning to the industry that no retailer should rest on their laurels when it comes to cyber security – but securing the talent and pace of innovation required to bring these threats to heel is clearly a sector-wide challenge.