#Infosec2025: UK Retail Hack Was 'Subtle, Not Complex,' Says River Island CISO

The recent spate of cyber-attacks on UK retail companies, including Marks & Spencer, Co-op, and Harrods, has sent shockwaves throughout the industry, according to Sunil Patel, Information Security Officer at British fashion brand River Island. Speaking at Infosecurity Europe 2025 on June 3, Patel warned that these attacks are a "wake-up call" for retailers and beyond.

"The techniques used by the threat group linked to these hacks, Scattered Spider, were 'elegant and subtle, but not as complicated as we imagine'," Patel said. "A combination of social engineering – potential manipulation of tech staff into giving access – and powerful off-the-shelf ransomware-as-a-service (RaaS) makes it easier to cripple businesses." He emphasized that once the threat actors gained access, they would watch and wait for weeks or even months before acting.

"These weren't opportunistic attacks; they likely conducted long reconnaissance work beforehand," Patel said. "And let's be honest, the UK high street is on its knees at the moment." He suggested that UK retail firms were already vulnerable, making them easier prey due to the current economic downturn and the industry's focus on returning to profitability.

"I think it's just the beginning of these low-friction, operationally smart malicious campaigns," Patel said. These attacks could impact any company in any sector, not just retailers.

Empowering Employees on Security Best Practices

When asked about the lessons the retail industry should learn from these cyber-attacks, Patel emphasized the importance of empowering employees to take security seriously.

"We need to keep asking the question: are we empowering our staff to check, verify and challenge?" Patel said. "We need to keep asking people how we can help make their life easier while securing their online presence." This approach should encompass the whole organization, even the CEO and other board members.

Three Primary Measures to Mitigate Threats

"Organizations should focus on implementing three primary measures to mitigate threats posed by actors like Scattered Spider," Patel said. These measures include:

  1. Testing the real-life response of people across the organization to security incidents.
  2. Providing advice on how to avoid risks and empowering employees to take control of their own security.
  3. Implementing robust security controls, including multi-factor authentication, network segmentation, and regular software updates.

"By taking these steps, we can make our organizations more resilient to cyber threats," Patel said. "It's time for the industry to wake up and take security seriously."