UK Authorities Warn of Retail Sector Risks Following Cyberattack Spree

The UK National Cyber Security Centre (NCSC) is urging organizations to remain vigilant following a series of cyberattacks against three leading retail companies, including the iconic Harrods department store based in London. The attacks have left retailers scrambling to respond and recover from the breaches.

Attacks Target Major Retail Brands

Three major retail brands, including Harrods, Marks & Spencer (M&S), and Co-op, have been targeted in recent weeks. Harrods confirmed that it was the target of an attempted hack, which took place days after a threat actor stole data from retailer Co-op. M&S has also suffered a separate attack that disrupted its operations.

NCSC Response

The NCSC is working closely with organizations that reported attacks to develop a better understanding of the intrusions and issue advice to the wider sector. "These incidents should act as a wake-up call to all organisations," said Richard Horne, CEO of the NCSC in a statement. "I urge leaders to follow the advice on the NCSC website to ensure they have appropriate measures in place to help prevent attacks and respond and recover effectively."

Advice from NCSC Officials

Senior NCSC officials have released guidance on how organizations can mitigate potential ransomware attacks. "Whilst we have insights, we are not yet in a position to say if these attacks are linked, if this is a concerted campaign by a single actor or whether there is no link between them at all," wrote Jonathon Ellison, Director of National Resilience and Ollie Whitehouse, CTO in a blog post. They urged security teams to use multifactor authentication, check for risky logins in Microsoft Entra ID Protection and review help desk login procedures, among other steps.

Mysterious Group Claimed Credit

It is not yet clear whether one or more groups are responsible for the hacks, but Bloomberg reported that a group calling itself DragonForce has claimed credit. DragonForce operates as a ransomware-as-a-service operation that provides tools and a dark-web site, while contracted hackers perform the attacks, according to threat researchers at GuidePoint Security.

Link Between Attacks

Bleeping Computer in late April linked the M&S hack to a reconstituted Scattered Spider, the group behind the 2023 MGM Resorts attacks. "Both Alphv and RansomHub have since disbanded, which could mean that Scattered Spider has sought out DragonForce as a new home for their ransomware activities," Justin Timothy, a GuidePoint threat intelligence consultant, told Cybersecurity Dive via email.

Co-op Spokesperson Confirms Hack Details

A Co-op spokesperson confirmed that hackers obtained names and contact information from a "significant amount" of current and past members. The stolen information did not include passwords, bank details or credit card data. "We are continuing to experience sustained malicious attempts by hackers to access our systems," the spokesperson said via email.

Harrods and M&S Business Continues

Despite the attacks, Harrods is continuing to serve customers at its Knightsbridge location, its airport stores, its H beauty locations and Harrods.com. Marks & Spencer did not respond to a request for comment, but the company said in an April 23 statement that it had moved some of its operations offline and was no longer processing contactless payments.