Harrods, M&S Hit by Cyberattack: What Happened, Who's Behind It?

Harrods, M&S Hit by Cyberattack: What Happened, Who's Behind It?

British retail giant Marks & Spencer (M&S) and the iconic Knightsbridge department store, Harrods, have become the latest to be hit by cyberattacks in the UK. Online orders at M&S remain paused, while the attack has already cost the company millions of pounds in lost revenues.

Here's what we know about the incident, its effect, and where things stand:

The attack on Harrods and Marks & Spencer points to a likely ransomware incident. Ransomware is a type of malicious software that blocks access to files or systems until a ransom has been paid – usually in cryptocurrency.

This sort of software can shut down operations and hold critical data hostage. Both the Metropolitan Police and the National Cyber Security Centre (NCSC) are investigating the cyber attacks. The NCSC has urged all retailers to tighten their cybersecurity and advised consumers to check bank activity and update passwords.

Who is Behind the Latest Cyberattack?

The attack on M&S has been linked by cybersecurity observers to a group called Scattered Spider, which is also known as Octo Tempest. This is a loose network of mostly young, English-speaking hackers who use tricks like phishing (messages through which criminals trick recipients into handing over sensitive information such as login details), SIM swapping (taking control of someone’s phone number) and Multi-Factor Authentication fatigue (sending repeated login requests until someone accidentally approves one) to break into company systems.

Scattered Spider is believed to have accessed M&S systems using ransomware called DragonForce. One of the most common ways ransomware infiltrates a system is through phishing emails, according to cybersecurity firm Akamai.

Cybersecurity firm Akamai explains that common to all the methods is “the aim of exploiting either a human error or a technical vulnerability”. Once inside, the malware spreads and encrypts important files, locking them so the company can’t access or use them. The hackers then demand a ransom in exchange for a key to unlock the data.

Tim Mitchell, a senior security researcher at Secureworks, told the UK’s Guardian newspaper that Scattered Spider is an unusual hacking group because most cybercriminal networks tend to operate out of countries like Russia, where looser enforcement provides a more “permissive environment” for cybercrime.

The Cost of the Attack

Since the attack, more than 700 million pounds ($930m) has been wiped off Marks & Spencer’s market value, with its share price falling 6.5 percent – including a 2.2 percent drop on the first day of disruptions alone.

Online shopping, which makes up about one-third of M&S’s clothing and home sales, generates roughly 3.8 million pounds ($5.05m) in daily revenue – a stream now halted due to the ongoing shutdown. The company has also paused recruitment, removing nearly 200 job listings from its website.

Harrods, meanwhile, has not disclosed any financial losses. As a privately held company, it does not have a stock price and typically does not make its financial information public.

How Have Harrods and M&S Responded?

M&S initially responded promptly to the cyberattack, informing customers of the breach and pausing affected services early on. However, communication has since stalled, with only two official statements released – the last on April 25.

The retailer confirmed it took down the compromised servers to prevent further damage, but was unable to provide more information at this time.

Other Cyberattacks

Other recent cyberattacks include:

  • Synnovis, a Russian-linked cybercriminal group, demanded $50m from the National Health Service in June 2024, but refused to pay. The group posted the stolen data online, including names, dates of birth, NHS numbers and details of blood test results.
  • The Information Commissioner’s Office recorded a 40 percent rise in data breaches in the retail sector in 2023 alone.
  • According to the UK government’s Cyber Security Breaches Survey, 74 percent of large businesses were targeted in cyberattacks in 2024.

This highlights the growing threat of cyberattacks on businesses and individuals. It is essential for companies to prioritize cybersecurity and take proactive measures to protect themselves from these types of attacks.

Stay safe online by being vigilant, using strong passwords, and keeping your software up-to-date. If you suspect a business has been affected by a cyberattack, report it to the relevant authorities immediately.