Cybercrime rocks the high street – what (or who) is next?

23/05/25 Wavenet
Cybercrime rocks the high street – what (or who) is next? placeholder thumbnail

Picture waking up to headlines revealing your business has been targeted by a sophisticated cyber-attack. This recent harsh reality, of stolen customer data and significant operational disruption, faced by UK retail giants Marks & Spencer and Co-op, has exposed the extreme vulnerability of retail cyber security.

So, what is the story behind these attacks, and how can you protect your business from becoming the next headline in cybercrime news?

The breaches brought to light exhibit the rising threat from organised cybercrime groups like Scattered Spider and DragonForce. While the full scope is still unravelling, what is clear is that these incidents emphasise that businesses can no longer afford insufficient cyber security measures.

While publicly available technical insights about these attacks remain sparse, our security teams have put together a high-level overview based on our experiences with similar incidents and our threat intelligence regarding the known threat actor.

What do we know so far?

Scattered Spider, notorious for its sophisticated social engineering and sky-high ransom demands against high revenue European and US companies, in exchange for not leaking sensitive company and customer data, allegedly orchestrated the attacks. Yet, newer ransomware group DragonForce has publicly claimed responsibility.

Reports from both BBC and the National Cyber Security Centre suggest that social engineering (hacking through human error) was the gateway, with crafty manoeuvres like smishing (SMS) or vishing (voice phishing), bypassing defences and gaining access to C-suite, IT, or security roles.

Both M&S and Co-op have suffered significant operational and reputational damage as a result of the attacks. And the M&S share price has dropped by over 14%, wiping more than £1 billion from its market capitalisation. Fully recovering from this cyber attack will be a lengthy and challenging process – if it’s even achievable at all.

Who is most under threat?

Major enterprises in sectors such as retail, finance, telecommunications, hospitality, and cloud services are prime targets for these cyber predators. Why? Their operational complexity and high value data make them especially tempting for Scattered Spider. While patterns of behaviour exist for this most disruptive and innovative cybercriminal collective, it continually adapts tactics, techniques, and procedures (TTPs) to bypass security controls, so unpredictability remains their powerful weapon. The question isn’t “if” but “when” they will strike again.

"Protecting data is not a luxury - it's a fundamental necessity. Cyber threats are evolving rapidly, and organisations of all sizes are at risk. Insider knowledge confirms that cyber security must be embedded into your core business strategy - it's not optional.” - Paul Colwell, Chief Information Security Officer, Wavenet.

What can you do to protect your business?

These recent attacks aren’t isolated incidents; they’re part of a broader surge in targeted, sophisticated cybercrime. But – have no fear – proactive measures can drastically reduce your risk:

Deploy phishing-resistant multi-factor authentication (MFA)

Secure your access points with advanced MFA solutions including hardware security keys (such as YubiKey) and modern app-based number matching.

Enforce strict call-back verification for password resets

Enhance your password reset procedures and instate strict call-back verification protocols. This ensures the identity is thoroughly confirmed before any sensitive account changes are made.

Implement network segmentation

Implement VLANs, firewalls, and access controls, and regularly test segmentation effectiveness to isolate critical systems and limit lateral movement by attackers.

Patch business-critical systems in a timely manner

Stay updated, monitor for new vulnerabilities, schedule and deploy patches, and verify successful updates to minimise the window of exposure to known exploits.

Regularly test your data backups, failover and failback

Schedule and conduct regular backup tests, including failover and failback exercises, to ensure data can be restored quickly and reliably in a crisis.

Monitor security logs for suspicious activity

Implement 24/7 security monitoring with a Security Operations Centre (SOC) across your environment, using advanced SIEM (Security Information and Event Management) tools. This detects, investigates, and responds to suspicious activity in real time.

Perform regular penetration tests including social engineering assessments

Engage in regular testing with CHECK and CREST-accredited penetration testers that will conduct regular technical and social engineering assessments (such as phishing simulations and vishing) and provide detailed reports and actionable recommendations to address weaknesses.

Create and rehearse business continuity & incident response plans

Regularly rehearse Business Continuity and Incident Response Plans and facilitate tabletop exercises and live simulations to ensure your team is prepared for incidents.

Prepare and protect your data using the 3-2-1 strategy

Regularly review backup strategies to ensure compliance and resilience and follow the 3-2-1 rule: three copies of your data, on two different types of storage, with one copy off-site (or in the cloud).

Ensure your data is immutable or air-gapped

Configure immutable backups (that can’t be altered or deleted, even by attackers) and set up air-gapped storage solutions, providing maximum protection against ransomware and insider threats.

All of these measures will help. The key question is - are you confident that your organisation can withstand such organised cyber onslaughts?

Paul Colwell continues: “Every employee and every process must treat security as a vital requirement, because if human error or complacency creates vulnerabilities, it could cost your organisation greatly. It's not just prevention; it's safeguarding!".

Is your business prepared for what’s next?

These disruptive organised attacks are increasing and other major UK retailers such as Harrods have already become victims. But this isn’t the only type of threat that is intensifying.

Ransomware, AI-driven attacks, phishing, DDoS, supply chain compromises, insider threats, and vulnerabilities in cloud, containers, and emerging technologies are all increasing in frequency and sophistication.

Businesses must evolve, too, bolstering detection, response and resilience strategies to stay ahead.

Our Cyber and Operational Resilience expert Martin Lewis, adds a cautionary word to make sure your approach to backup and recovery is part of your cyber resilience and not an afterthought. “Effective data protection strategies are not just compliance checkboxes, they are critical controls that can protect your sensitive data and help to contain the blast radius of a cyber incident.”

With our comprehensive suite of cyber security services you gain a trusted partner equipped to navigate these challenges. To explore how we can help, visit the CyberGuard homepage.

 

Cyber Security, Retail, CyberGuard

Latest blogs

See all posts
Placeholder thumbnail
Boardroom vs breach: 20 questions every IT leader should be asking about cyber security

Cyber threats are evolving faster than most organisations can keep up. Between new attack techniques, expanding digital estates, and the cyber skills shortage, even well-equipped IT teams are struggling to stay ahead. It’s no longer enough to tick compliance boxes or to simply deploy the latest tools. Real security starts with asking the right questions and acting on the answers. That’s why we’ve created Boardroom vs Breach, a 20-question self-assessment designed to help IT leaders and those responsible for cyber-security take a clear-eyed look at your current security posture, highlight blind spots, and spark critical conversations at board level. Why this matters The cost of a cyber breach isn’t just downtime – it’s trust, reputation, compliance fines, and lost revenue. Yet many companies don’t know if their defences are actually up to the task – do you? These 20 questions aren’t about theory; they reflect real-world weak points that we see every day. If you can’t answer them confidently, we can help. The 20 questions you need to answer Visibility & monitoring Do you have complete visibility of your IT assets? What visibility do you have into incidents and events across your infrastructure? How do you manage your security tooling? How many different tools are you running — and are they working together? Are your systems and endpoints patched regularly? Our advice: Gaining complete visibility starts with consolidating event data, automating alerts, and ensuring continuous oversight across your entire estate. Take a look at: Security Information and Event Management Vulnerability Management Managed Detection and Response Threat detection & response What happens if an incident occurs after hours? How do you find out? Who responds? When was your last penetration test? How regularly do you conduct them? What protections are in place for endpoints, email, and networks? What level of visibility do you have into potential breaches? Do you work with a partner that offers 24/7/365 response and real-world support? Our advice: Improve threat visibility and reduce response times by combining real-time monitoring with expert-led incident analysis and containment. Take a look at: 24/7/365 Managed Detection and Response Incident Response Retainers Penetration Testing and Red Teaming Cloud & modern IT risk Do you use public cloud services? Are you confident in how they’re secured? How do you manage and secure user devices remotely? What vendors are you currently relying on — and are they right for your risk profile? How do you secure your network beyond the firewall? Our advice: Extend visibility beyond the traditional perimeter by applying cloud-native monitoring, endpoint telemetry, and policy-based access control. Take a look at: Cloud Security Assessments Secure Access Service Edge (SASE) Endpoint Detection and Response (EDR) People, process & planning How are your users trained to detect attacks such as phishing? Do you have access to expert help in a crisis? What cyber expertise exists in-house — is there a dedicated security leader? How do you create a positive security culture, not just rules? What threats are most relevant to your industry? Are you meeting required regulations and compliance standards? Our advice: Build better situational awareness by aligning people and processes with continuous monitoring and clearly defined escalation paths. Take a look at: Security Awareness Training Virtual CISO Services Compliance and Risk Consulting And a bonus question, with potentially the most worrying answer of all… What would a breach cost your business — financially and operationally? Putting it all together While individual solutions can address specific security challenges, working with a trusted managed services and security partner ensures cohesive, round-the-clock support across every aspect of your cyber security posture — delivering greater efficiency, resilience, and long-term value. We work with IT and security leaders across all sectors to assess risk, build resilient cyber strategies, and deliver comprehensive protection that scales with your business. From real-world penetration testing to 24/7/365 threat detection, cloud security, and expert consultancy, we’re your trusted partner in securing the ‘now’ — and preparing for what’s next.

Read more

Stay service-savvy

Get all the latest news and insights straight to your inbox.