Out-Law News

UK retail cyber attacks ‘should be a wake-up call’ for business


Businesses must learn from recent ransomware attacks on retailers by being prepared and understanding their supply chain risks, a cybersecurity expert has said.

Writing in the Belfast Telegraph, Laura Gillespie of Pinsent Masons said the recent spate of cyber attacks on major UK retailers has made it “abundantly clear the devastating effect” that ransomware attacks can have on any business. She said the incidents should give all companies cause to reflect on the operational resilience of both their systems and supply chains, and how they would cope in the face of cyber threats.

The warnings follow three serious cyber attacks on major UK household names: Harrods, Marks & Spencer and the Co-op. In early April, Marks & Spencer was forced to halt online orders after its systems were hacked. It reported in May that customer data had been stolen.

On 30 April, Co-op also fell victim to a cyber attack, which compromised the retailer’s back-office systems and call centre services. On 1 May Harrods reported it had detected a cyber attack in late April, but the department store says it thwarted the intrusion.

The same criminal group – which goes by the name DragonForce – has claimed responsibility for all three attacks. The financial and reputational impact on the three retailers is still not fully known. On 10 June Marks & Spencer announced it was accepting online orders again, having already disclosed that it expects the hack to cost its business up to £300m.

These high-profile incidents highlight the ongoing challenges posed by ransomware attacks of this kind, where hackers access company systems to encrypt and steal data and demand a ransom in exchange for a decryption key, Gillespie said.

Despite growing awareness of such attacks, in April a government study on cyber resilience revealed that 74% of large businesses and 67% of medium businesses in the UK reported experiencing a cybersecurity breach or attack in the previous 12 months.

In a recent report, cyber security experts at Pinsent Masons also revealed that 48% of their 2024 caseload involved ransomware. In 83% of these cases, the hackers succeeded in stealing data, whether from customers, employees, clients, or all three.

However, recent reports of similar attacks on the British Horseracing Authority, the UK’s horseracing regulator, and the Legal Aid Agency, the government agency providing legal aid in England and Wales, highlight that no organisation is immune to such threats.

Gillespie said all businesses should take this opportunity to test their back-up systems, carry out due diligence and consider how they would respond in the event of a ransomware attack, including considering potential routes to recover business operations if they become compromised.

These cyber attacks have also underscored the need for businesses to identify supply chain vulnerabilities to prevent hackers from exploiting weak links through partners, clients and third-party contractors, she said. “This demonstrates the importance of understanding who has access to systems and ensuring appropriate contractual requirements, and clear scopes of work, are in place,” said Gillespie.
