- Why this Bose portable speaker is my top recommendation for most people (and it's on sale)
- Are VPN-ready routers the best home Wi-Fi upgrade? My buying advice after testing one
- This Lenovo ThinkPad ditches its traditional design for one that would make my MacBook jealous
- This portable laptop accessory solved my biggest problem with working from home
- Your TV's USB port has an underutilized feature that can save movie nights
Harrods Latest UK Retailer to Fall Victim to Cyber-Attack
UK retailers face mounting cyber threats, as Harrods is the latest to confirm a cyber incident, following earlier cyber-attacks involving the Co-operative Group (Co-op) and Marks and Spencer (M&S).
Luxury retailer Harrods confirmed on May 1 that it experienced attempts to gain unauthorized access to some of its systems, leading it to take some of its systems offline as a proactive response step.
“Currently all sites including our Knightsbridge store, H beauty stores and airport stores remain open to welcome customers. Customers can also continue to shop via harrods.com,” a Harrods spokesperson told Infosecurity.
At this time, none of the retailers affected have instructed customers to take any action.
Exploring a Common Link
The trio of incidents in quick succession have led some to surmise that there could be a link connecting them, like a third-party supplier.
Commenting on the incidents, Toby Lewis, Head of Threat Analysis at cybersecurity firm Darktrace, commented: “Details of the cyber-attack at Harrods are still low and we shouldn’t rule out that the three incidents impacting M&S, Co-operative and Harrods are coincidences.”
However, he noted that with the information publicly available there could be two likely scenarios connecting the incidents.
“Either a common supplier or technology used by all three retailers has been breached and used as an entry point to big name retailers; or the scale of the M&S incident has prompted security teams to relook at their logs and act on activity they wouldn’t have previously judged a risk,” he said.
Jake Moore, Global Cybersecurity Advisor at ESET, noted that it is typical for similar companies in the same sector to become secondary targets after a huge cyber-attack.
This will especially be the case if multiple organizations have the same vulnerability within their networks that can be exploited by ransomware groups.
Co-op confirmed on May 1 that it has been forced to shut down part of its IT systems after experiencing unauthorized attempts to gain access to some of its systems.
M&S has been grappling with an incident since public disclosure on April 22.
The latest update from M&S Chief Executive Stuart Machin posted on May 2 confirmed the retailer is continuing to tackle the incident and is working “day and night” to get things back to normal.
The incident has impacted M&S click and collect services, online orders and job searching site, which appears offline at the time of writing.
Scattered Spider Potentially Behind M&S Incident
The M&S incident has been linked in media reports to the hacking group Scattered Spider which has deployed the DragonFroce encryptor.
According to researcher by cybersecurity firm, Silent Push, published earlier in April 2025, the group has targeted brands including Luis Vuitton, Nike and Vodafone in 2025 already.
The group was also behind the infamous MGM International and Caesars Entertainment ransomware attacks in 2023.
Scattered Spider is also tracked under the monikers UNC3944, Scatter Swine, Octo Tempest and Muddled Libra
ESET’s Moore explained that the DragonForce tool can simply be purchased on the dark web in the Ransomware-as-a-Service (RaaS) ecosystem.
“Attacks involving the DragonForce ransomware most commonly start by targeting known vulnerabilities such as attacking systems that have not been kept up to date with the latest security patches so businesses need to be extra vigilant and improve how quickly they update their networks.”
Silent Push’s analysis noted that the tactics, techniques and procedures (TTPs) of the group have continued to evolve in the last year with at least four phishing kits updated in 2024.
The latest phishing kit, the fifth, was observed in 2025 and has additional content changes and was hosted on Cloudflare.
NCSC Offers Support and Advice
On May 1, National Cybersecurity Center (NCSC) CEO Richard Horne issued a statement relating to the trouble: “The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers and the public.”
The NCSC CEO said the agency is working closely with organizations that have reported incidents to them to fully understand the nature of these attacks and to provide expert advice to the wider sector based on the threat picture.
“These incidents should act as a wake-up call to all organizations. I urge leaders to follow the advice on the NCSC website to ensure they have appropriate measures in place to help prevent attacks and respond and recover effectively,” Horne concluded.
Image credit: Tupungato / Shutterstock.com
