London, UK – In a disturbing escalation of cybercrime against critical retail infrastructure, Marks & Spencer (M&S) and the Co-operative Group (Co-op) have fallen victim to a highly coordinated cyberattack allegedly carried out by members of the Scattered Spider network — a well-known hacking syndicate spanning the UK and US. The breach, executed using social engineering tactics, resulted in major business disruptions, including operational outages, data exposure, and a loss of £650 million in market value for M&S within days.
The attackers manipulated IT helpdesk processes to gain unauthorized access to internal networks, exposing vulnerabilities in password reset mechanisms and administrative account protections. The National Cyber Security Centre (NCSC) has since issued urgent guidance to organizations across the UK to bolster their cyber defenses.
Social Engineering: The “Front Door” Approach to Network Compromise
According to cybersecurity reports from, the attacks began with deceptive communications targeting IT staff, tricking them into resetting employee passwords. In Co-op’s case, this allowed hackers direct access to their internal systems, while a similar strategy crippled M&S’s digital operations, including online shopping, contactless payment systems, and click-and-collect orders.
The tactic is part of a broader modus operandi used by the Scattered Spider group, a loosely connected but potent cybercriminal network infamous for penetrating networks before handing them off to ransomware affiliates who demand large sums to unlock compromised systems.
Business Fallout: Staff Sent Home, Customers Disrupted, Data at Risk
The fallout was immediate and severe. M&S had to suspend operations for hundreds of agency workers, instructing them not to report to work as IT systems remained non-functional. CEO Stuart Machin publicly addressed customers, apologizing for the disruption and outlining “temporary changes” in-store while the retailer scrambled to contain the cyber incident.
At the Co-op, customer data was reportedly accessed by the attackers, prompting an official apology and a swift response involving data protection authorities. The breach raised serious concerns about data privacy, consumer trust, and the resilience of essential retail services in the face of modern digital threats.
Both companies have since filed reports with the Information Commissioner’s Office (ICO) and engaged with the NCSC as part of a broader investigation into the breach.
Authorities React: UK Issues Cybersecurity Alert as Attacks Grow in Frequency
The NCSC, in a joint blog post by Jonathon Ellison, National Resilience Director, and Ollie Whitehouse, Chief Technology Officer, warned that attacks like these are “becoming more common” and that “all organizations, of all sizes, need to be prepared.”
Their recommendations include:
-
Reviewing IT helpdesk protocols for password resets.
-
Implementing stricter controls for admin-level accounts.
-
Enhancing employee training on phishing and impersonation tactics.
-
Deploying multi-factor authentication (MFA) across all critical systems.
The warning comes amid increasing concerns that UK businesses — especially large-scale retailers — are becoming prime targets for cyber extortion and data breaches, particularly those with weak employee verification procedures and limited cybersecurity readiness.
A Shadow Network: Scattered Spider’s Ongoing Threat
The Scattered Spider group gained notoriety in September 2023 for breaching Caesars Entertainment and MGM Resorts International, prompting Caesars to pay an estimated $15 million ransom. The group’s latest activities in the UK reveal their evolving strategy: targeting IT frontlines through human deception rather than brute force.
One alleged member, Tyler Buchanan, a Scottish national, was recently extradited to the United States from Spain, accused of attempting to breach multiple corporate networks. Prosecutors link Buchanan and his associates to dozens of sophisticated, multi-phase cyberattacks, reinforcing concerns about cross-border digital crime.
As Marks & Spencer works to restore full digital functionality and the Co-op continues investigating customer data exposure, the incident has highlighted serious gaps in corporate cybersecurity practices. With social engineering emerging as a favored tool among threat actors, experts warn that robust cybersecurity is no longer optional — it is mission-critical.
This breach serves as a stark reminder for industries reliant on digital infrastructure: Human error remains the weakest link, and without proactive, layered security, even the most established institutions remain vulnerable.