Co-Op and M&S – What we know so far
By Isaac Birchall · Updated 14 July 2025
🕵️ A coordinated spring cyber‑attack
In April 2025, Marks & Spencer (M&S) fell victim on Easter weekend to a ransomware breach. Attackers used social engineering—tricking a third party into resetting credentials—to access systems and deploy DragonForce malware. That crippled online ordering, click-and-collect, and contactless payments, forcing a shut-down of services until June and costing the business around £300 million in lost profits.
Days later, the Co‑Op experienced a rapid escalation of the same campaign: hackers accessed systems and exfiltrated customer data, disrupting restocking efforts and payments. However, it seems Co‑Op’s swift response helped limit ransomware encryption.
The attack wave extended to Harrods, though its impact was milder—some sites were briefly shut while the team contained the threat quickly.
👥 Who’s behind it – and how?
The UK’s National Crime Agency (NCA) recently arrested four suspects aged between 17 and 20—three men and one woman—from London, the West Midlands and Staffordshire. They face charges under the Computer Misuse Act, including blackmail, money laundering, and organised crime allegations.
Investigations link these attacks to the English‑speaking hacker collective Scattered Spider, working in concert with the DragonForce ransomware gang. Their method involves impersonating IT staff (via SIM‑swap, phishing, MFA‑bombing) to break into corporate networks.
This appears to be a coordinated campaign spanning multiple sectors: after hitting UK retail giants, the group turned its attention to US insurers and aviation firms like Qantas, WestJet and Hawaiian Airlines.
🏢 Why small and mid‑size businesses should care
You don’t have to be M&S to be a target. These cybercriminals rely on social manipulation, not just technical exploits. That means even modest firms—with less hardened defences—are equally vulnerable. The Co‑Op incident shows how speed of response matters—mid‑sized organisations might lack that agility and face even worse outcomes.
Insurance premiums are rising—for example, UK retailers now see 10%+ jumps in cyber‑insurance costs because of events like this. If you haven’t reviewed your cover—or prepared for a serious incident—you’re already walking into uncharted territory.
🔐 Plan for when—not if—it happens
Even the best teams can fall prey to well‑executed social engineering. So treat it as inevitable: assume somewhere, sometime, your defences will be tested. The question is whether you’ll be ready.
The NCA stressed the importance of reporting and collaboration. Early escalation can make the difference between contained disruption and weeks of business interruption. And as M&S’s chair Archie Norman suggests, mandatory reporting could help provide early warning to other businesses and prevent future breaches.
🛡️ How partnering with Dragon Digital helps
At Dragon Digital, we don’t pretend hacks won’t happen. Instead, we help you:
- Harden your systems—with regular, practical training focused on real threats like phishing and impersonation
- Run table‑top drills—so your team knows who to alert and how to respond
- Connect you to cyber‑insurance experts informed by the latest risks and penalties
- Guide you through reporting—working with law enforcement and regulators, should the worst occur
You might not be as big as M&S, but with proactive defence and response planning, you’ll face these threats in a much stronger position. Partnering with Dragon Digital means you’re not alone. We help you build resilience so that when a breach happens, you’re prepared—not panicked.