Something’s been off at the checkout lines lately—and not just the usual weekend rush.
Over the past ten days, a coordinated wave of cyberattacks has slammed some of the UK’s biggest and best-known retailers. Co-op stores went cash-only. Marks & Spencer’s website ground to a halt. Harrods locked down its internal systems. Behind it all, cybersecurity experts believe, is a group that’s quickly becoming one of the most dangerous names in the game: Scattered Spider.
The first signs of trouble popped up at Co-op. In nearly 200 stores, contactless payments suddenly stopped working, and shoppers were told to pay cash or leave their baskets behind. Store shelves began to thin out, and some locations couldn’t even open their doors. Executives later admitted the company was dealing with a cyberattack and confirmed that customer names, emails, and phone numbers had been accessed—though not financial details, according to The Guardian.
Then came M&S.
On April 25, just as weekend orders began to pick up, Marks & Spencer’s online shopping platform went dark. Store systems were glitchy. Payments failed. Deliveries didn’t go out. What looked at first like a routine tech outage turned out to be far worse. According to Reuters, attackers tricked the company’s IT help desk into handing over internal credentials. That classic social engineering tactic gave the hackers a way inside—and they took full advantage.
Harrods, while not hit as hard, wasn’t spared. The luxury department store reported an attempted breach of its systems and quickly pulled the plug on internal internet access as a precaution. So far, customer transactions seem to be unaffected, and the retailer has insisted that no payment data was compromised. But the incident triggered an investigation by the National Cyber Security Centre and has raised eyebrows across the luxury retail sector (The Register).
The group suspected in all three attacks, Scattered Spider, has a growing reputation for punching above its weight. Young, English-speaking, and unusually slick in their approach, they specialize in gaining trust—posing as employees, calling service desks, and manipulating staff into giving up access. They’ve targeted telecoms, casinos, even tech firms. Now, apparently, they’ve turned their sights on retail.
Worse, Scattered Spider isn’t always acting alone. Security analysts say there are signs the group may be teaming up with ransomware operators like DragonForce, who can encrypt and lock down entire networks once inside. The tag-team approach allows one group to break in, and the other to cash out (BankInfoSecurity).
In response, the UK government isn’t taking chances. The National Cyber Security Centre and the National Crime Agency are actively involved, and ministers are calling for a reassessment of how seriously businesses take their digital defenses. Cabinet Office Minister Pat McFadden didn’t mince words when he said cybersecurity “must be treated as a board-level priority,” not something relegated to the back office (Reuters).
What’s clear is that these aren’t isolated incidents. Retail chains, many of which spent the last decade racing to modernize with mobile apps, loyalty systems, and online ordering, are now facing the uncomfortable reality that their digital footprint makes them vulnerable—sometimes frighteningly so.
For customers, that might mean a checkout delay. For companies, it could mean tens of millions in lost revenue, reputational damage, and legal headaches.
There’s no word yet on whether any ransom demands have been made public. But behind the scenes, incident response teams are working overtime. Patching systems. Resetting credentials. Trying to stay one step ahead of attackers who clearly know where to poke and how hard.
The only certainty? This won’t be the last time the tills go silent.
Image Credit: “Marks and Spencers on Oxford Street” by Londonmatt is licensed under CC BY 2.0.
