Cyberattacks on UK retailers highlight data and cybersecurity risks

In April and May 2025, sophisticated cyberattacks targeted major UK retailers, including M&S, Co-op, and Harrods, disrupting operations and exposing customer data

27 June 2025

Publication


In April and May 2025, there were sophisticated cyberattacks targeting multiple established UK retailers, including Marks & Spencer (M&S), the Co-operative Group (Co-op), and Harrods. These incidents disrupted operations, compromised customer data, and highlighted vulnerabilities within the retail sector’s cybersecurity framework. These disruptions also raised legal concerns regarding data protection and regulatory compliance.

During the Easter weekend, M&S experienced a significant cyberattack which disrupted online orders, contactless payments and Click & Collect services. While it was reported that payment details and passwords remained secure, customer data, including names, addresses, and order histories, was accessed. The financial impact was substantial: M&S shares dropped by 6.2% following the initial news of the incident, resulting in the FTSE 100 company losing almost £700 million in market value. Reports indicate that M&S has since been working to restore services, with full recovery anticipated by July.

As the M&S attack continued into its second week, Co-op identified a cyberattack directed at its systems. The company’s IT team acted swiftly, taking systems offline to prevent the deployment of ransomware. However, hackers still managed to access personal data of a significant number of current and past members, including names and contact details. Operational disruptions caused stock shortages, especially in rural branches. Reports indicate that Co-op has now fixed its stock-ordering system and returned to normal payment operations.

Harrods also reported attempts to gain unauthorised access to its systems in late April. The luxury department store’s IT security team responded by restricting internet access and shutting down select internal systems. This action meant Harrods did not experience significant operational disruptions, and there was no evidence of compromised customer data.

These cyberattacks share common characteristics, notably the reported use of social engineering tactics. Social engineering is a tactic where hackers manipulate people into sharing confidential information or granting access to systems, often through deceptive means. In these incidents, hackers reportedly pretended to be employees and requested password resets, exploiting the trust placed in internal processes. These tactics, combined with the reliance on third-party vendors, further exposed weaknesses in supply chain security. All of this has led to a reassessment of cybersecurity protocols and standards across the retail industry, and highlights the importance of robust cyber and cloud security systems and processes that encompass comprehensive risk assessments (both internally and of third-party vendors), employee training, and effective incident response plans.

The Information Commissioner’s Office has been notified of these breaches, and investigations are ongoing to assess compliance with data protection regulations. Legal actions are being considered, particularly concerning the protection of customer data and the adequacy of security measures in place at the time of the attacks. M&S is facing a class action lawsuit from customers who had their personal data compromised. There may also be underlying contractual claims available to the retailers against their third-party vendors where the vulnerabilities arose from weaknesses in supply chains.

Contractual and commercial risks are also now a major concern. Many breaches originated through third-party systems, prompting reviews of service contracts, liability caps, and breach response terms. As a consequence, retailers are likely to be interested in renegotiating relevant provisions of their third-party vendor agreements, strengthening audit rights, and assessing the adequacy of their cyber insurance coverage.

These events highlight the importance of complying with data protection standards and the potential consequences of lapses in cybersecurity. They could also prompt tighter enforcement expectations, with both public and private actors demanding more transparency, risk-sharing, and resilience in handling sensitive customer data across the UK retail sector and beyond.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.