When Hackers Hit High Street: What the 2025 UK Retail Attacks Reveal About Modern Cyberthreats
This spring, what appeared to be a coordinated wave of ransomware attacks rocked the UK retail sector. Among the highest-profile victims: Marks & Spencer (M&S), a household name in British retail, whose customers awoke to headlines alleging their personal data had been compromised—a claim which later proved to be the case.
Retail companies have long been vulnerable to cyberattacks. They have large, distributed infrastructures, high employee turnover and vast troves of customer data, making them irresistible targets. What makes these retail breaches particularly disturbing is how they were likely conducted by a relatively small network of young, skilled attackers using a new generation of malicious tactics.
These incidents were not anomalies. In fact, we believe they are the new normal. And the lessons they offer are crucial for every organization, not just in retail and not just in the UK.
The Next Generation of Cyberattacks:
At the center of this storm is a loosely affiliated criminal group known as Scattered Spider, who have been identified as the likely culprits behind this series of attacks. Despite their ominous name, they are a group of semi-organized young cybercriminals who rely heavily on AI-generated phishing, SIM swapping and open-source intelligence to target their victims.
Scattered Spider attacks succeed because the attackers know how to impersonate employees and leverage native knowledge of UK slang, systems and org structures. And in this specific case, the payload in all three of these breaches appears to have been delivered via a commercially available ransomware kit called “DragonForce,” an up-and-coming Ransomware as a Service (RaaS) cyber-crime tool.
As we noted in a recent Sky News appearance, this should serve as a true wake-up call. Attackers no longer need nation-state backing or elite hacking skills to bring down large retail organizations.
A Plan to Counterattack:
Businesses should take away some hard but valuable lessons from these attacks; lessons that extend far beyond retail and far beyond the UK. Here are a few of them.
1. Response plans must move at the speed of the attackers
If your IR plan can’t neutralize a full domain compromise in a matter of minutes, it’s probably outdated. In this case, two of the targeted retail organizations, M&S and Co-op, may both have been breached by hackers long before the attack was actually launched. When the attacks came, Co-op was able to catch on and shut down key portions of their own system before hackers had time to complete the attack. The M&S team was not so lucky.
2. Endpoints remain your single biggest weak spot.
Most modern breaches begin with compromised credentials. In these recent UK attacks, identity controls on password resets and phone numbers may have failed. This is yet another example of why behavioral detection, just-in-time access and strict MFA policies should no longer be optional for a large organization.
3. Security tools only work when you let them.
In many environments, EDR tools remain hamstrung by “do not touch” lists, servers that can’t be shut down in the middle of the night and email rules that whitelist too broadly. Bottom line, if you don’t trust your tools to act when it counts, they won’t help you.
So how do you put these lessons into practice? One idea we recommend is to run your next tabletop exercise based on the modern attack methods outlined above. If your team can’t detect and contain this mock attack in real time, you have some work to do.
As you plan, don’t be shy about asking your MSSP some hard questions. What would they have done in this case? Would they have caught it? How would they have handled the situation in real time?
Ready to put your response strategy to the test?
Inversion6 helps enterprises operationalize their threat intelligence, harden their identity controls and modernize their incident response.
If you're wondering whether your team could stop a Scattered Spider-style attack in time, let’s find out together.