Headline news has been made this month as three retail giants in the UK have become the unfortunate targets of cyber attacks, launched in an attempt to gain access to personal data. The retailers in question are Marks & Spencer, Co-op, and Harrods, who have all been hit by these incidents within just weeks of each other. So, what are the latest updates regarding these attacks? What data was compromised? And what lessons can we learn from this chaos?
The Marks & Spencer cyber attack
M&S suffered its cyber attack in April, with shoppers left unable to place online orders since the retailer shut these down to contain the incident. The company has been losing millions of pounds in sales each day its online business remains down. At first, M&S stated that they had no evidence of customer data being stolen, but they have now said that customer data was in fact included in what was taken by the attackers. While full card payment information is safely out of the wrong hands, customers have been informed that personal data such as names, email addresses, dates of birth, and online order history was indeed stolen. Initial reporting suggested it was likely a ransomware attack by a group dubbed “Scattered Spider”.
The Co-op cyber attack
On 30th April, Co-op revealed that it had detected hackers attempting to breach its systems. At first, Co-op stated that the attack had only a “small impact” on its operations, and no immediate action was required from customers or members. However, by 2nd May, Co-op confirmed that the attackers “accessed and extracted” customer data from one of its systems. The breached data included information on a significant number of current and past Co-op members – specifically names, contact details, and dates of birth. (Fortunately, like M&S, Co-op reported that no passwords, payment card details or transaction records were taken.)
The Harrods cyber attack
The Harrods department store in London revealed it also faced a cyber attack attempt in the same two-week period, making it the third high-profile UK retailer targeted in a row. Thankfully, it seems that this attack was less successful than the two that preceded it, as Harrods claimed that their IT team managed to take proactive measures to protect their systems and block these attempts to gain unauthorised access.

How could these attacks have happened?
To gain that access, the hackers could have used phishing emails, taken control of a company phone number, or rung up help desks pretending to be an employee. These possibilities all point to an ongoing, universal need for more thorough, widespread data protection training in organisations of all shapes and sizes. Having strong cybersecurity measures is important, yes, but if staff are unaware of how hackers can adopt a false identity to gain access to data (otherwise known as “social engineering”), then all that security essentially goes out the window.
Twenty years ago, when I included information about “social engineering” in presentations, and the importance of checking who you were talking to on the phone, or the sender when you received an unusual looking email, my audience would smile, roll their eyes and say things like “that doesn’t happen in real life”. Well, it clearly does – doesn’t it?
These tactics need to be taken seriously as a genuine threat to data security and privacy; otherwise, catastrophic data incidents like these are inevitable.
What was the main concern among customers?
What do you think the main concern was with customers? Was their first thought “what data of mine has been compromised?” or “I can’t order the meal for two – what’s happening?”
The reality is, I’m sure that the dinner delivery was considered a priority over the personal data. When you work in data protection, it’s easy to forget that for a large portion of the general public, privacy isn’t as high a priority as you’d initially believe. However, just because many don’t think too much about it, that doesn’t mean it isn’t a fundamental right that must, at all costs, be protected.
The point of this blog is that the same things are happening, in the same ways they were happening 20 years ago. Yes, some things have grown more sophisticated, but simple things still work. The reference that “someone may have posed as an employee” brings us back to the human factor time and again. If someone in a high-vis tabard came into your place of work, unplugged a PC and walked out with it, would anyone bat an eyelid? Or would they assume it was just someone from IT collecting equipment?

How can businesses mitigate these risks?
While there’s no silver bullet for stopping every cyber attack, there are several practical steps organisations can take to reduce the risk of social engineering and account compromise.
Enforce Multi-Factor Authentication (MFA) across all systems
MFA significantly reduces the risk of unauthorised access, even if login credentials are compromised. It should be mandatory for remote access, admin accounts, email systems, and any platform containing sensitive or personal data.
Maintain secure, offline backups
Regularly back up critical data and store at least one copy offline or in an immutable format. This ensures your organisation can recover quickly in the event of a ransomware attack or data breach, without paying a ransom or suffering prolonged downtime.
Conduct regular cybersecurity audits
A cyber audit provides a comprehensive review of your organisation’s digital defences. It identifies vulnerabilities across systems, processes, and infrastructure before attackers do. Regular audits help ensure compliance with best practices, test the effectiveness of technical controls, and prioritise areas for improvement based on risk.
Staff training and awareness
From board members to shop floor staff, everyone has a role to play in keeping your organisation secure. This goes beyond ticking the box with the same annual 30-minute eLearning course. Think bigger and bolder. Make training fun, engaging, and rooted in real-world situations that help people spot threats and act with confidence.
- Deliver role-based training: first complete a training needs analysis, then educate staff to a level that’s appropriate for their specific job function and risk exposure.
- Use real-world scenarios to help staff recognise red flags and feel confident saying no or escalating concerns.
- Run regular phishing simulations, not just by email, but also through phone calls and IT support desk interactions.
- Keep teams informed by sharing near misses and real incidents in a constructive way. Use posters, screensavers, intranet updates, and quick top-tip emails.
- Create an environment where staff feel safe asking for help if they’re unsure whether something is genuine.
- Embed the message that cyber security and data protection aren’t just someone else’s responsibility, they’re part of everyone’s role.
Regular on-site Business Continuity Plan (BCP) testing
Having a business continuity plan written down and stored somewhere is not enough – you need to practise it in real-world scenarios. Schedule regular drills where you simulate a cyber crisis: for example, “What if our payment systems go down?” or “What if ransomware knocks out our inventory database?” Engage your staff in these exercises at the actual workplace (not just in a meeting room) so that everyone knows their role when an incident strikes. Ensure that your BCP is printed out and that people have copies of it: if your systems are down, how else will you access it?
Data protection procedures embedded in BCPs
Businesses should pre-define procedures for things like isolating sensitive data stores during an incident, preserving forensic evidence of a breach, and evaluating what regulatory notifications might be required. By including clear data protection steps in the BCP (for example, a checklist for breach notification and a communications plan for affected customers), you ensure that privacy is not an afterthought.
Breach reporting readiness
Every organisation should be prepared to report a breach promptly and accurately – both to authorities and to those impacted. This means having up-to-date incident response playbooks and templates ready to go. Who contacts the ICO or law enforcement? Who drafts the message to customers explaining what happened? These actions should be pre-assigned and even pre-drafted as much as possible.
Emergency response planning and outside support
Finally, recognise that sometimes your internal team will need help. An incident response plan should include contact information for external specialists you might need in a crisis – such as cybersecurity forensic firms, legal advisors, public relations consultants, and external data protection consultants. Each person should know their role, whether it’s shutting down systems, coordinating with law enforcement, or briefing the board and media. An effective emergency plan can make the difference between a contained incident and a full-blown disaster.

How can we help you avoid disaster?
Our team offers dedicated services in these areas to boost your organisation’s cyber resilience and incident readiness:
Role-based Cyber Security, AI and Data Protection Training
We provide tailored training sessions for all levels of staff, from the boardroom to the front line. Our support includes real-world case studies, role-specific modules, and awareness campaigns designed to create lasting behaviour change. We can also help you carry out training needs analyses to ensure your team gets the right level of education for their role.
On-site business continuity testing
We simulate realistic cyber attack scenarios to test your organisation’s response in real time. This helps identify gaps in your incident response, communication plans, and data protection procedures, ensuring your team is prepared to act quickly and effectively when it matters most.
Customised eLearning for cyber security and data protection
We design fun, engaging, and interactive eLearning modules tailored to your organisation. No more generic tick-box training: our courses are built to be memorable, relevant, and enjoyable, helping staff actually retain what they’ve learned.
Emergency Data Breach Support
Immediate assistance when a breach or cyber crisis strikes. Our experts can jump in 24/7 to help with data protection advice, secure your systems, assess the damage, and guide you on essential next steps to protect your data.
24/7 Data Breach Response Helpline
Get round-the-clock access to experienced Data Protection Consultants. Cyber incidents don’t stick to office hours – and neither do we. Whether it’s midnight on a weekend or a bank holiday afternoon, our helpline ensures you can speak to a qualified consultant who will support and guide you through the breach from a privacy and compliance perspective.
Interim Data Protection Officer (DPO) Support
If you don’t have a full-time DPO or need additional support, our interim service gives you access to experienced data protection professionals who can step in as needed. They’ll support data protection compliance, lead on breach response and notification, and help shape and review your data protection strategy during critical periods.
Take proactive measures
High-profile attacks on organisations like M&S have shown that cyber preparedness cannot wait. Every day without a plan is a day of risk. By investing in expert support and training, you’re not only protecting your own organisation’s reputation and operations, but also safeguarding your customers whose loyalty you’ve worked so hard to earn.
Don’t wait for a crisis to act. Take proactive steps now. Test your plans, strengthen your data protection, and know who to call in an emergency. The cost of prevention and preparedness is minuscule compared to the losses a major breach can inflict on your business. With the right protocols in place and our team at your side, you can face the cyber threats ahead with confidence.
Contact us today to learn more about how we can help your organisation stay secure, compliant, and resilient, no matter what challenges come your way. Your customers and your peace of mind depend on it.
Written by Teresa Gudge (Privacy Consultant)