Recent cyberattacks on major UK retailers have caused severe operational disruption, data breaches, and lasting reputational damage. But these threats aren’t limited to retail – professional services firms are equally at risk. Cybercriminals increasingly target organisations of all sizes, exploiting sensitive data and weaknesses in governance. The UK Government’s Cyber Governance Code of Practice now places clear responsibility on senior leaders to proactively manage cyber risks and build resilience before their business becomes the next victim.
What happened?
In recent weeks, a wave of cyberattacks has hit UK retailers Marks & Spencer and Co-op, and luxury department store, Harrods. The first incident came over the Easter weekend, when Marks & Spencer announced it was managing a cyberattack. The retailer was forced to suspend orders via its website, app and call centres, severely disrupting its online operations. In-store systems also suffered, leading to stock shortages and significant delays across supply chains.
As M&S worked to contain the issue, Co-op reported an attempted breach on its systems. The retailer shut down parts of its IT network across 2,300 stores, disrupting deliveries, card payments, and stock availability.
Shortly afterwards, Harrods confirmed hackers had attempted to access its internal networks. Though fewer details were disclosed, the scale of these attacks is a stark reminder that no organisation – regardless of sector or size – is immune to highly disruptive cyber threats.
Who is behind it – and what are they after?
The attacks are believed to involve affiliates of DragonForce, a ransomware-as-a-service (RaaS) operation that enables cybercriminals to purchase powerful malware tools. It is understood that the hacking group Scattered Spider used social engineering to gain access to networks and exfiltrate sensitive employee and customer data.
Following the attacks, the UK’s National Cyber Security Centre issued a warning that such groups are becoming more aggressive and organised, and that “attacks like this are becoming more and more common. And all organisations, of all sizes, need to be prepared”.
While there are various types of attacks – ransomware, business email compromise – the objective is nearly always the same: financial gain. Attackers want to make money, whether through ransom payments, stolen payment card data, or intercepted transactions. Increasingly, stolen data is used as leverage, with victims threatened that information will be leaked publicly unless they pay up quickly.
Costly consequences and reputational damage
It is still early days, but for Marks & Spencer, the consequences of the cyberattack have already proved to be severe. Following the disclosure of the breach, the retailer’s share price dropped by 14%, wiping more than £700 million from its market value. With online orders suspended and in-store systems disrupted, analysts estimated the attack cost the retailer £43 million a week in lost sales and operational downtime. M&S has since confirmed the breach will lead to a £300 million hit to profits and warned that disruption is likely to continue into July, with empty shelves and delays expected for some time.
Recovering from a breach is rarely fast or straightforward – IBM’s 2024 Cost of a Data Breach Report found it took an average of 258 days to identify and contain a breach. Full recovery can take months or even years, as organisations work to rectify the damage and strengthen defences to try to prevent it from happening again.
Both M&S and Co-op confirmed that customer data had been stolen, including names and contact details, and the breaches have raised serious concerns around data security.
The Information Commissioner’s Office (ICO) is likely to investigate whether “appropriate technical and organisational measures” were in place to protect personal data. If either retailer is found to have fallen short of its legal obligations, it could face significant penalties.
In addition to regulatory scrutiny, affected customers may also pursue compensation claims – particularly if evidence emerges that their data was shared or misused.
However, by far the most damaging consequence for any business hit by a cyberattack is the loss of customer trust and confidence. Even when financial losses are contained, the reputational fallout can linger for years. Customers may be hesitant to return, unsure whether their data is safe or if the organisation has done enough to prevent future breaches.
Rebuilding that trust takes time, transparency, and a clear demonstration that lessons have been learned and stronger protections are now in place. For brands like M&S and Co-op, the impact on reputation may ultimately outweigh the immediate financial and operational costs.
A wake-up call for high-risk sectors
The recent cyberattacks on major UK retailers have underlined just how serious the consequences of a breach can be — from business interruption and financial loss to long-term reputational damage.
But these incidents aren't just a retail problem. High-risk sectors like professional services and life sciences face equally serious threats — and in some cases, are even more vulnerable.
Following the attacks, NCSC CEO Richard Horne warned:
“The high-profile cyber attacks we have seen in recent weeks must give us pause – not because they are unique, but because they are not. They merely serve to highlight the reality of what the National Cyber Security Centre sees every day.”
Law firms, accountants, and financial services providers routinely handle sensitive client and financial data, making them attractive targets for attackers.
Biotech, pharma, medtech, and clinical research organisations store high-value intellectual property, patient data, trial results, and supply chain information – all of which can be exploited for financial gain or competitive advantage.
While ransomware dominates headlines, many firms in both sectors are hit by less visible but equally damaging threats: business email compromise, payment interception, unauthorised system access, and data theft.
A common (and dangerous) misconception is that smaller firms or early-stage ventures are too small to be of interest. In reality, attackers often view them as easier targets – particularly when cybersecurity is outsourced or treated as a purely technical issue.
The consequences are wide-ranging and potentially devastating:
For professional services: operational disruption, lost billable hours, leaked client data, regulatory scrutiny, and erosion of trust.
For life sciences: delayed R&D, lost IP, trial disruption, supply chain impact, and reputational harm that can affect investor confidence and future partnerships.
The lesson is clear: no business — regardless of size or sector — is immune. If your organisation handles sensitive data or relies on digital infrastructure, now is the time to act.
A strategic view: Introducing the Cyber Governance Code of Practice
The release of the UK Government’s Cyber Governance Code of Practice in April 2025 was not timed in response to the recent retail breaches (it was a year in the making) – but its arrival couldn’t be more relevant.
Developed in partnership with the National Cyber Security Centre (NCSC), the Code places clear responsibility for cyber resilience on boards and senior leadership. It recognises that cyber risk is a strategic imperative requiring oversight, accountability, and proactive management at the highest levels.
Built around five governance principles – Risk Management, Strategy, People, Incident Planning & Response, and Assurance & Oversight – the Code provides a framework for boards to strengthen defences and respond effectively to cyber threats. A key theme of the Code is the need for boards to gain assurance (which should be independent of your IT provider) that the right cyber risk management arrangements are in place.
Whether you are a large retailer facing widespread disruption or a professional services firm protecting sensitive client data, the message is the same: robust cyber governance starts at the top.
The time to act is now. Boards must embed these principles to safeguard their organisation’s future and build lasting digital resilience before their business becomes the next victim.
Protect your organisation with Mitigo
Mitigo helps businesses across sectors build strong, practical cyber defences tailored to their unique risks. From risk assessments and training to incident response and ongoing support, we partner with you to reduce vulnerabilities and keep your organisation secure.
Get in touch with Mitigo today to learn how we can help protect your business from cyber threats.