Retailers and their suppliers are having a tough time in the UK right now. A string of major security breaches tied to ransomware actors has left shelves bare, damaged corporate reputations, and sent stock prices tumbling. These incidents have also served as a timely reminder that attackers continue to move faster than defenders, and that too many organisations still treat compliance as a retrospective exercise.

To get back on the front foot, UK retailers and their peers across other sectors must start thinking about compliance and risk management as a dynamic, real-time endeavour.

Retail Attacks Highlight Hacker Advantages

Four breaches have shaken the retail and logistics sectors in recent weeks. Here’s what we know so far and the impact on each corporate victim.

Marks & Spencer: The high street stalwart revealed news of an “incident” on April 21. This soon spiralled, and it was forced to suspend contactless payments, Click & Collect and online orders. Stock levels also ran low in some stores after the incident hit logistics hubs. M&S now says some customer data was stolen. The firm is said to be losing £40m of sales per week, while its share price has sunk 12% (as of May 19).

Reports suggest that sophisticated threat actors linked to the loose “Scattered Spider” collective encrypted some of the company’s VMware ESXi hosts with the DragonForce ransomware variant. It’s claimed that a compromised third party (Tata Consultancy Services) with logins to its systems may have been the initial entry point. The threat actors may have been able to cause more damage with this attack because they struck just before the long Easter bank holiday weekend.

Co-op: The same threat actors behind the M&S raid are claiming responsibility for a ransomware attack on the UK’s seventh-largest high-street retailer. They say that the firm pulled the plug once it detected unusual network activity, preventing them from deploying ransomware but not in time to stop them from exfiltrating significant volumes of members’ data. Stock levels in some stores have also been affected. It’s unclear what the financial impact on the company will be, but new IT security infrastructure, incident response and recovery processes will likely run into the millions of pounds.

Harrods: The iconic Knightsbridge department store has been tight-lipped over an attack it revealed on May 1. It claims to have spotted and stopped an unauthorised access attempt. “Our seasoned IT security team immediately took proactive steps to keep systems safe, and as a result, we have restricted internet access at our sites today,” a statement notes. The attack doesn’t appear to have impacted its online or brick-and-mortar outlets.

Peter Green Chilled: The latest name to add to this roll call of cyber-attack victims is a little-known logistics partner for Tesco, Sainsbury’s, Aldi and other supermarkets. The ransomware attack occurred in the week beginning May 12, but the firm says “transport activities of the business have continued unaffected”. If deliveries were impacted, it could be costly for suppliers, given that the firm offers cold storage supply chain logistics.

How Can Retailers Avoid a Similar Fate?

UK retailers are not alone. French fashion giant Dior has notified Asian customers of a data breach, while Google claims Scattered Spider actors are also targeting US retailers. That makes any lessons learned important for CISOs across the planet. So, what can we say about the incidents?

Although, in most cases, we still don’t know the ransomware actors’ specific MO, we can say that cyber-hygiene best practices, while important, are not a silver bullet. Yes, things like prompt patching, multi-factor authentication (MFA) and asset management are essential in minimising the size of the attack surface. But there will always be a way for determined threat actors to achieve their goals.

This makes continuous AI-powered network monitoring essential. These tools learn what “normal” traffic patterns look like, enabling them to more effectively raise the alarm when something within the network doesn’t look right. It means security operations (SecOps) teams can react faster to shut down threats before they can spread and/or before data can be exfiltrated and encrypted.
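As an added illustration (not code from the article or from any vendor it quotes), here is a minimal version of the learn-the-baseline-then-flag-deviations logic the paragraph describes, in Python, run over constructed flow records: it learns each host's normal outbound volume from a quiet window and flags a later off-hours transfer many times larger than that baseline, the kind of pattern that precedes data theft. Host names, byte counts and thresholds are assumptions.

```python
"""Baseline-and-deviation detector for outbound traffic: learn per-host
'normal' outbound volume from a quiet window, then alert when a host's later
volume breaks that baseline. All flow records below are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records (host, hour_of_day, bytes_out); not real data.
BASELINE_FLOWS = [
    ("pos-01", h, 2_000_000 + (h % 3) * 100_000) for h in range(24)
] + [("wh-srv-02", h, 5_000_000 + (h % 4) * 250_000) for h in range(24)]

OBSERVED_FLOWS = [
    ("pos-01", 10, 2_100_000),      # normal business-hours traffic
    ("wh-srv-02", 3, 48_000_000),   # large off-hours transfer: exfil-like
    ("wh-srv-02", 11, 5_300_000),   # within the learned range
    ("new-laptop-7", 14, 900_000),  # host never seen during the baseline window
]

def learn_baseline(flows):
    """Per-host mean and population standard deviation of bytes_out per hour."""
    per_host = defaultdict(list)
    for host, _hour, bytes_out in flows:
        per_host[host].append(bytes_out)
    return {h: (mean(v), pstdev(v)) for h, v in per_host.items()}

def detect_anomalies(baseline, flows, sigma=3.0, min_ratio=5.0):
    """Flag a flow when it exceeds mean + sigma*std AND is at least min_ratio
    times the mean (the ratio guard stops near-constant hosts alerting on
    noise). Hosts absent from the baseline are reported separately: they need
    a human look, not a guessed threshold."""
    alerts = []
    for host, hour, bytes_out in flows:
        if host not in baseline:
            alerts.append((host, hour, "unknown host"))
            continue
        mu, sd = baseline[host]
        if bytes_out > mu + sigma * sd and bytes_out > min_ratio * mu:
            alerts.append((host, hour, f"outbound {bytes_out / mu:.1f}x baseline"))
    return alerts

if __name__ == "__main__":
    for alert in detect_anomalies(learn_baseline(BASELINE_FLOWS), OBSERVED_FLOWS):
        print(alert)
```

Real deployments would key the baseline on more than host and hour (destination, port, day of week) and feed alerts into a SecOps workflow rather than stdout, but the shape is the same.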

Automated risk assessment tools are another valuable addition, enabling firms to continuously monitor their IT environment to detect any unpatched vulnerabilities, misconfigurations, or other security holes that need to be addressed. They account for the fact that such environments are in constant flux – especially in the cloud – and therefore require continuous attention. This will make the organisation more resilient and close down possible attack paths. But again, it is something only AI and automation can do effectively, 24/7/365.

“Cybersecurity protection is not a destination, but rather a continuous process. Threat actors are constantly evolving, and so should our security posture,” BlackFog CEO Darren Williams tells ISMS.online. “As a result, it is important, when looking at new tools, to focus on machine learning-based AI protection, in addition to the more static and signature-based approaches most tools use.”

A Dynamic Approach to Compliance

More broadly, the breaches at UK retailers highlight again that for many organisations, compliance with best practice standards and regulations can often be too reactive. For example, traditional information security management systems (ISMS) are built around point-in-time assessments that fail to adapt to new business models, threats, and technologies like cloud and IoT, which can expand the attack surface.

“The reality is that security teams need to be effective 100% of the time, and threat actors only need to succeed once,” Xalient head of business consultancy, Dave McGrail, tells ISMS.online. “This imbalance highlights the need for a more dynamic, adaptive approach to cybersecurity compliance and ISMS management.”

This is exactly what ISO 27001:2022 encourages through a process of continuous improvement of the ISMS, dynamic risk modelling and adaptive risk management.

“As threats shift, so must our defences. The 2022 update to ISO 27001 supports this shift by encouraging more regular reviews of risk, integrating up-to-date threat information, and promoting awareness across the entire organisation,” 59 Degrees North founder Neil Lappage tells ISMS.online.

“It’s not about doing more for the sake of it. It’s about doing things differently, embedding awareness into onboarding, rethinking what ‘secure’ looks like in day-to-day operations, and giving people the tools and confidence to question unusual requests. Technology helps, but it’s people who make the biggest difference, especially when they’re informed, supported, and brought into the bigger picture. Cybersecurity isn’t just a system; it’s a culture, and that’s something we all build together.”