Incident Types: The types of cybersecurity incidents that have occurred include Breach, Cyber Attack and Ransomware.

Total Financial Loss: The total financial loss from these incidents is estimated to be $67.26 billion.

Detection and Response: The company detects and responds to cybersecurity incidents through an remediation measures with restore encrypted virtual machines, remediation measures with sanitize systems, and network segmentation with need for stronger network segmentation, and enhanced monitoring with faster ransomware detection capabilities, and containment measures with disabled online shopping orders, containment measures with disabled click and collect, containment measures with disabled contactless payments in some stores, and communication strategy with letter to customers, and law enforcement notified with yes, and communication strategy with affected customers were notified, and third party assistance with tata consultancy services, and and containment measures with shut down systems to prevent further spread, and recovery measures with recovery efforts ongoing, recovery measures with full recovery expected by october or november 2025, and communication strategy with calling for greater transparency and cyberattack reporting, and third party assistance with professional intermediaries, and containment measures with shutting down systems, and remediation measures with rebuilding systems, and recovery measures with bringing systems back up securely, and communication strategy with media channels, including bbc, and network segmentation with not heavily segmented, and law enforcement notified with yes, and and enhanced monitoring with strong identity verification, enhanced monitoring with vmware hardening, enhanced monitoring with backup integrity, enhanced monitoring with continuous monitoring, and and organizations involved with ['uk national cyber security centre (ncsc)'], and and remediation measures with password resets for affected customers, and customer notification with letters sent to affected customers, public statement with issued to media and on company channels, advisory with no action required by customers except password reset on next login, and incident response plan activated with yes (systems taken offline as precaution), and third party assistance with yes (cybersecurity experts engaged by harrods), and law enforcement notified with yes (metropolitan police and ncsc investigating), and containment measures with online orders suspended, containment measures with job listings removed, containment measures with affected systems isolated, and communication strategy with initial public disclosure (2024-04-21), communication strategy with limited updates (last statement on 2024-04-25), communication strategy with harrods assured customers of normal operations, and incident response plan activated with yes (all three retailers), and third party assistance with ncsc (assisting m&s and co-op), third party assistance with national crime agency (nca) and metropolitan police cybercrime unit (m&s investigation), and law enforcement notified with yes (metropolitan police and nca for m&s), and containment measures with harrods: restricted internet access, shut down some systems, containment measures with m&s: halted online orders, paused hiring/recruitment systems, containment measures with co-op: shut down internal systems, staff warnings for online conferencing, and recovery measures with m&s: working to restore online shop and recruitment systems, and communication strategy with harrods: public statement (no customer action required), communication strategy with m&s: updates on job site ('working hard to be back online'), communication strategy with co-op: internal staff warnings, and remediation measures with urgent calls for security countermeasures in smart buildings, remediation measures with replacement of outdated systems (e.g., windows 7), and communication strategy with public disclosure via rics report, communication strategy with media coverage (the guardian), and containment measures with restricted internet access (harrods), containment measures with it systems taken down (co-op), and enhanced monitoring with security teams advised to deploy endpoint protection software, and incident response plan activated with yes (m&s, harrods, co-op), and third party assistance with likely (m&s, co-op for forensic investigation), and containment measures with restricted internal it systems, paused internet access (harrods), containment measures with shut down parts of it systems (co-op), containment measures with suspended online orders (m&s), and remediation measures with partial restoration of online services (m&s), and recovery measures with ongoing (m&s), recovery measures with quick recovery (h&m, harrods), and communication strategy with public disclosures (all), communication strategy with customer apologies (h&m, m&s), and incident response plan activated with yes (co-op: proactive steps), incident response plan activated with yes (m&s: systems taken offline), and third party assistance with national cyber security centre (ncsc), third party assistance with national crime agency (nca), third party assistance with metropolitan police cyber crime unit, and law enforcement notified with yes (m&s: metropolitan police investigating), law enforcement notified with likely (co-op: not explicitly stated), and containment measures with shut down back-office/call center systems (co-op), containment measures with offline systems (m&s), and recovery measures with working to reduce disruption (co-op), and communication strategy with public statements (both companies), and and third party assistance with national cyber security centre (ncsc), third party assistance with fbi, third party assistance with national crime agency, third party assistance with metropolitan police, third party assistance with ransomware specialists (unspecified), and and containment measures with isolation of affected systems, containment measures with shutdown of online store, containment measures with reliance on pen-and-paper processes, and remediation measures with ongoing rebuild of systems, remediation measures with collaboration with law enforcement, and recovery measures with expected full online operations by end of month (post-attack), recovery measures with insurance claim of >£100m, and communication strategy with transparency with mps during subcommittee hearing, communication strategy with no public disclosure of ransom interactions, and enhanced monitoring with invested hundreds of millions in cybersecurity pre-attack, enhanced monitoring with expanded prevention team to 80 staff, and containment measures with network segmentation (recommended), containment measures with isolation of affected systems (recommended), and remediation measures with centralized log management, remediation measures with real-time threat detection, remediation measures with patch/vulnerability management, remediation measures with identity and access control reforms (mfa, least privilege), and recovery measures with immutable backups (recommended), recovery measures with system restoration protocols, and communication strategy with transparency in public disclosures (recommended), communication strategy with stakeholder/regulator notifications, and and and incident response plan activated with yes (though details undisclosed), and containment measures with suspension of online orders, containment measures with partial halt of click-and-collect services, containment measures with isolation of compromised systems (presumed), and remediation measures with contract termination with tcs for help-desk services, remediation measures with review of third-party access controls, remediation measures with enhanced authentication for vendor logins (presumed), and recovery measures with restoration of online shopping platform, recovery measures with rebuilding supply chain operations, recovery measures with customer communication campaigns, and communication strategy with public disclosure of incident, communication strategy with statements to mps (uk parliament), communication strategy with investor updates, communication strategy with media responses, and enhanced monitoring with likely (though not explicitly stated), and incident response plan activated with likely (marks and spencer ceo initiated communications; incident response retainers mentioned as best practice), and third party assistance with cloud backup providers (e.g., amazon, google, microsoft), third party assistance with specialist third-party backup services, third party assistance with incident response retainers, and remediation measures with ceo-led transparent communication, remediation measures with cloud backups for data recovery, remediation measures with employee training on deepfake/phishing, and recovery measures with prioritization of critical applications (e.g., payroll, supplier payments), recovery measures with third-party support for restoration, and communication strategy with timely digital communications by ceo (marks and spencer), communication strategy with transparency with regulators/investors, and enhanced monitoring with early detection technologies for threat identification, and network segmentation with recommended as a defense measure, and enhanced monitoring with recommended for unusual access to shared resources, and incident response plan activated with yes (implied by recovery efforts), and containment measures with restoration of shops and websites to normal operations, and remediation measures with accelerated investment in cybersecurity technology, remediation measures with supply chain improvements, remediation measures with store updates, and recovery measures with marketing campaigns for autumn/winter ranges, recovery measures with product innovation (especially in food), recovery measures with ocado joint venture optimization, and communication strategy with public disclosure via half-year results (nov 5, 2025), communication strategy with media statements on recovery plans, and enhanced monitoring with planned (part of cybersecurity investment), and and communication strategy with public advisories (e.g., ncsc warnings on fraud trends), and enhanced monitoring with recommended (continuous assurance for drift detection), and and third party assistance with u.k. national cyber security centre (ncsc), and and remediation measures with password reset prompts for customers, remediation measures with customer advisories on online safety, and communication strategy with trading update from ceo stuart machin, communication strategy with customer note from operations director jayne wall, communication strategy with faq page for affected customers, and and status with uk police investigating (as part of broader retail cyberattacks), details with none, and containment measures with pausing online shopping, containment measures with manual logistics processes, and planned with ['restart and ramp up online operations (june–july 2024)', 'upgrade infrastructure and network connectivity', 'enhance store/colleague technology', 'improve supply chain systems'], status with ongoing (accelerated investment phase), and public statements with ['london stock exchange filing (wednesday)', 'customer advisories (data compromise warning)'], transparency with partial (no confirmation/denial of ransom payment)..

Common Attack Types: The most common types of attacks the company has faced is Ransomware.

Identification of Attack Vectors: The company identifies the attack vectors used in incidents through Third-party supplier, Social Engineering, Compromised credentials from TCS, Help desk, Phone-based social engineering, PhishingSIM SwappingMFA Fatigue, Third-party vendor (Adidas)Potential physical access (unguarded sockets/IoT for others), IT help desks (via social engineering), third-party contractorimpersonation, Third-Party Vendors (Compromised Credentials)Unmonitored EndpointsAPI Exploitation, TCS help-desk staff credentials (impersonation/social engineering) and Phishing EmailsDeepfake Impersonation (Hong Kong Case).

Average Financial Loss: The average financial loss per incident is $2.24 billion.

Commonly Compromised Data Types: The types of data most commonly compromised in incidents are Personally Identifiable Information (PII), Personal Data, Personal Customer Data, , Customer data, Home Addresses, Phone Numbers, Dates Of Birth, , Personal Information, Order Histories, , Sensitive Data, Active Directory Database, , Personally Identifiable Information (Pii), , Unconfirmed; Potential Internal System Data (M&S/Co-Op), Harrods: No Evidence Of Data Access, , Customer Names/Contact Details (Adidas, Co-Op), Customer Information (M&S, No Specifics), , Customer Records (Co-Op: 6.5M), Potential Payment Information (M&S), Personally Identifiable Information (Pii), , Customer Databases, Personally Identifiable Information (Pii), Payment Information (Fraud Targets), , Personal Identifiable Information (Pii), Order History, Masked Payment Data, Customer Reference Numbers, , Potentially customer data (claimed by DragonForce and unconfirmed).

Incident Response Plan: The company's incident response plan is described as Yes (Systems taken offline as precaution), Yes (all three retailers), , Yes (M&S, Harrods, Co-op), , Yes (Co-op: proactive steps), Yes (M&S: systems taken offline), , , Yes (though details undisclosed), Likely (Marks and Spencer CEO initiated communications; incident response retainers mentioned as best practice), Yes (implied by recovery efforts), , .

Third-Party Assistance: The company involves third-party assistance in incident response through Tata Consultancy Services, , Professional intermediaries, organizations involved: uk national cyber security centre (ncsc), , Yes (Cybersecurity experts engaged by Harrods), NCSC (assisting M&S and Co-op), National Crime Agency (NCA) and Metropolitan Police Cybercrime Unit (M&S investigation), , Likely (M&S, Co-op for forensic investigation), , National Cyber Security Centre (NCSC), National Crime Agency (NCA), Metropolitan Police Cyber Crime Unit, , National Cyber Security Centre (NCSC), FBI, National Crime Agency, Metropolitan Police, ransomware specialists (unspecified), , Cloud Backup Providers (e.g., Amazon, Google, Microsoft), Specialist Third-Party Backup Services, Incident Response Retainers, , U.K. National Cyber Security Centre (NCSC), .

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Restore encrypted virtual machines, Sanitize systems, , Rebuilding systems, Password resets for affected customers, , Urgent calls for security countermeasures in smart buildings, Replacement of outdated systems (e.g., Windows 7), , Partial restoration of online services (M&S), , ongoing rebuild of systems, collaboration with law enforcement, , Centralized Log Management, Real-Time Threat Detection, Patch/Vulnerability Management, Identity and Access Control Reforms (MFA, Least Privilege), , Contract termination with TCS for help-desk services, Review of third-party access controls, Enhanced authentication for vendor logins (presumed), , CEO-Led Transparent Communication, Cloud Backups for Data Recovery, Employee Training on Deepfake/Phishing, , Accelerated investment in cybersecurity technology, Supply chain improvements, Store updates, , password reset prompts for customers, customer advisories on online safety, .

Handling of PII Incidents: The company handles incidents involving personally identifiable information (PII) through by disabled online shopping orders, disabled click and collect, disabled contactless payments in some stores, , shut down systems to prevent further spread, , shutting down systems, online orders suspended, job listings removed, affected systems isolated, , harrods: restricted internet access, shut down some systems, m&s: halted online orders, paused hiring/recruitment systems, co-op: shut down internal systems, staff warnings for online conferencing, , restricted internet access (harrods), it systems taken down (co-op), , restricted internal it systems, paused internet access (harrods), shut down parts of it systems (co-op), suspended online orders (m&s), , shut down back-office/call center systems (co-op), offline systems (m&s), , isolation of affected systems, shutdown of online store, reliance on pen-and-paper processes, , network segmentation (recommended), isolation of affected systems (recommended), , suspension of online orders, partial halt of click-and-collect services, isolation of compromised systems (presumed), , restoration of shops and websites to normal operations, , pausing online shopping, manual logistics processes and .

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through Recovery efforts ongoing, Full recovery expected by October or November 2025, , Bringing systems back up securely, M&S: working to restore online shop and recruitment systems, , Ongoing (M&S), Quick recovery (H&M, Harrods), , Working to reduce disruption (Co-op), , expected full online operations by end of month (post-attack), insurance claim of >£100m, , Immutable Backups (Recommended), System Restoration Protocols, , Restoration of online shopping platform, Rebuilding supply chain operations, Customer communication campaigns, , Prioritization of Critical Applications (e.g., Payroll, Supplier Payments), Third-Party Support for Restoration, , Marketing campaigns for autumn/winter ranges, Product innovation (especially in food), Ocado joint venture optimization, , planned: ['Restart and ramp up online operations (June–July 2024)', 'Upgrade infrastructure and network connectivity', 'Enhance store/colleague technology', 'Improve supply chain systems'], status: Ongoing (accelerated investment phase), .

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through U.S. prosecutors charged 5 alleged Scattered Spider members (November 2023), .

Key Lessons Learned: The key lessons learned from past incidents are Exposed gaps in patch management and incident response processes,Need for stronger network segmentation,Faster ransomware detection capabilities,Robust backup and recovery workflowsImportance of system segmentation and mandatory reporting of cyber incidentsEmployees should be trained to recognize and report cyber threats promptly. Organizations should foster a culture of transparent and timely communication of cyber threats.Proper training and a challenge process to validate the caller is who they say they are can prevent social engineering attacks. Using valid credentials and built-in tools makes it difficult for security teams to discern if they are compromised or not.Proactive cybersecurity measures are significantly more cost-effective than reactive responses (up to 10x cost savings).,AI and Cybercrime-as-a-Service (CaaS) are democratizing cyber attacks, increasing threat sophistication.,Cyber insurance is becoming a necessity, with premiums reducible by up to 75% through measures like XDR, MFA, and vulnerability scanning.,Outsourcing cybersecurity improves IT efficiency, performance, and reduces downtime for 68% of businesses.,Strong cybersecurity credentials can drive revenue growth and customer trust, especially as consumers become more cyber-aware.Smart buildings and operational technology (OT) are increasingly targeted by cybercriminals.,Outdated systems (e.g., Windows 7) pose critical vulnerabilities in building infrastructure.,Lack of proactive security measures risks severe operational and financial disruption.,AI advancements and IoT proliferation will exacerbate cyber risks in building management.Retailers must assume they are targets and prepare accordingly.,AI tools are accelerating the threat landscape, enabling low-skilled attackers to launch sophisticated campaigns (e.g., social engineering).,High downtime costs and customer data volumes make retail a prime target.,Proactive measures (e.g., endpoint detection, staff training, MFA) are critical.Retailers must secure third-party vendors, smart building systems, and IoT devices to reduce attack surfaces. Rapid containment (e.g., Co-op’s IT shutdown) can mitigate ransomware deployment. Public-facing disruptions (e.g., payment outages) erode customer trust and revenue, highlighting the need for resilient backup systems and transparent communication.Isolated backups (e.g., offline/air-gapped storage) could mitigate ransomware impact but introduce cost and logistical challenges.,Traditional backup solutions remain vulnerable to ransomware if not properly segmented or isolated.,Physical security of offline backups (e.g., risk of theft) must be addressed alongside cybersecurity.,Enterprises may need layered backup strategies to balance accessibility, cost, and resilience.Even significant cybersecurity investments (hundreds of millions) may not prevent determined attacks in large organizations.,Third-party contractors can be a critical vulnerability.,Rapid detection (e.g., Co-op's hours vs. M&S's days) mitigates impact.,Segregated 'break glass' systems (Co-op's approach) are more sustainable than pen-and-paper fallbacks.,Mandatory reporting of major cyber-attacks (beyond personal data breaches) could improve collective defense.Proactive visibility across identity, access, and infrastructure is critical to detect threats early.,Centralized log management and real-time threat detection are essential to limit breach impact.,Zero Trust and network segmentation reduce lateral movement and blast radius.,API and application monitoring must be prioritized to detect anomalous activity.,Automated vulnerability management and patching reduce exposure to known exploits.,Security culture and human resilience (e.g., phishing training) are vital to mitigate insider threats.,Incident response plans must include immutable backups, clear communication protocols, and post-incident reviews.,Transparency in breach disclosures helps retain customer trust and brand reputation.Vendor access equals attack surface; third-party personnel and processes must be treated as part of the cyber footprint.,Social engineering (e.g., impersonation of help-desk staff) remains a critical vulnerability, bypassing technical defenses.,Outsourcing does not absolve the client of accountability for cybersecurity, regulatory compliance, or business continuity.,Contract renewal timelines should account for cyber risk assessments, especially for high-access vendors.,Transparency in incident communication is essential to mitigate reputational damage and stakeholder speculation.,Retailers must map 'critical vendors' and integrate them into cybersecurity strategies, not treat them as peripheral suppliers.,Disruptions to digital platforms (e.g., online shopping) can have immediate bottom-line impacts, including market share loss to competitors.Humans remain the weakest link in cybersecurity; advanced training (e.g., deepfake/phishing awareness) is critical.,Proactive cyber resilience requires board-level engagement and accountability.,Operational continuity relies on robust backups (cloud + third-party) and clear prioritization of critical systems.,Transparent, timely communication with stakeholders (customers, investors, regulators) is essential to mitigate reputational damage.,Third-party incident response retainers and cybersecurity providers can accelerate recovery and reduce burnout.Ransomware groups are evolving into cartel-like structures to consolidate power and resources.,Affiliate recruitment and branded variants increase the scale and complexity of attacks.,Partnerships with initial access brokers (e.g., Scattered Spider) amplify threat capabilities.,Aggressive tactics (e.g., defacing rival leak sites) disrupt the cybercriminal ecosystem.,Legacy ransomware code (e.g., Conti) continues to fuel new operations.Critical importance of cybersecurity during peak retail periods (e.g., summer).,Need for resilient supply chain and inventory systems to prevent stock shortages.,Customer loyalty is fragile; competitors can quickly capitalize on disruptions.,Food innovation can offset losses in other segments (e.g., clothing).,Proactive investment in technology is necessary to prevent future incidents.Seasonal peaks in incidents are minor; opportunistic attacks occur year-round.,Continuous assurance is critical to prevent defense drift and detect attacks early.,Balancing cyber resilience with profit-driven operations (e.g., Black Friday) is essential to avoid catastrophic disruptions.,Consumer-targeted fraud (e.g., fake sites, phishing) spikes during holidays, requiring heightened vigilance.

Implemented Recommendations: The company has implemented the following recommendations to improve cybersecurity: Accelerate digital transformation to improve operational agility., Prioritize detection/response for high-impact threats (ransomware, phishing, misconfigurations)., Educate consumers on recognizing fake e-commerce sites and phishing scams (e.g., typosquatting, fake trust badges)., Develop a crisis communication plan to retain customer trust during disruptions., Double-check resilience during peak sales periods (e.g., Black Friday, Christmas)., Verify delivery notifications directly with carriers to avoid falling for fake tracking messages., Leverage data analytics to predict and mitigate stock availability risks., Strengthen partnerships (e.g., Ocado) to diversify revenue streams., Conduct regular audits of vendor cybersecurity practices, especially for help-desk and privileged access roles., Implement multi-factor authentication, Review outsourcing contracts to include cybersecurity SLAs, liability clauses, and breach response obligations., Implement stricter authentication for third-party vendor access (e.g., MFA, behavioral biometrics)., Organisations must protect their virtualised assets through strong identity verification, VMware hardening, backup integrity, and continuous monitoring., Monitor dark web and underground forums for signs of compromised vendor credentials or targeted attacks., Conduct regular stress tests for e-commerce and supply chain systems., Adopt zero-trust principles for vendor access, minimizing standing privileges and enforcing least-privilege access., Develop incident response playbooks specifically for third-party breaches, including clear communication protocols., Adopt continuous assurance to monitor defense posture and prevent vulnerabilities., Deploy next-generation endpoint protection, Enhance training for help-desk staff to detect and resist social engineering attacks (e.g., impersonation, phishing)., Implement training and attack simulation training to help employees recognize and respond to cyber threats appropriately., Integrate vendor risk management into enterprise cybersecurity frameworks, treating critical suppliers as extensions of internal systems., Implement multi-layered cybersecurity defenses and including real-time threat detection..

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at and Source: Marks & Spencer, and Source: BleepingComputer, and Source: TechRadar Pro, and Source: Reuters, and Source: UK Parliament hearing on July 8Date Accessed: 2023-07-08, and Source: Cohesity Survey, and Source: BlackFog ReportDate Accessed: 2025-07-16, and Source: BleepingComputer, and Source: Google’s Threat Intelligence Group (GTIG)Date Accessed: mid-2025, and Source: Thomas Richards, Infrastructure Security Practice Director at Black Duck, and Source: Marks and Spencer Public StatementDate Accessed: 2024-05-28, and Source: UK National Cyber Security Centre (NCSC)Url: https://www.ncsc.gov.ukDate Accessed: 2024-05-28, and Source: TechRadar ProUrl: https://www.techradar.com, and Source: ESET (Jake Moore, Global Cybersecurity Advisor), and Source: Al Jazeera, and Source: The Guardian (Secureworks interview), and Source: UK National Cyber Security Centre (NCSC), and Source: The GuardianUrl: https://www.theguardian.com/business/2024/may/02/harrods-hit-by-cyber-attack-days-after-marks-spencer-and-co-opDate Accessed: 2024-05-02, and Source: Sky News, and Source: The GuardianUrl: https://www.theguardian.com/business/2024/jun/10/uk-businesses-cyber-attack-risk-smart-buildings-ricsDate Accessed: 2024-06-10, and Source: Royal Institution of Chartered Surveyors (Rics) Report, and Source: TechRadar Pro, and Source: SonicWall (Spencer Starkey, Executive VP of EMEA), and Source: National Cyber Security Centre (NCSC) - Dr. Richard Horne, and Source: Ex-NSA Cyber Chief - Cody Barrow, and Source: Dynatrace & FreedomPay Report, and Source: Royal Institution of Chartered Surveyors (RICS)Url: https://www.theguardian.com/technology/2024/may/XX/rics-cyber-attacks-smart-buildings, and Source: M&S Public Disclosure, and Source: Harrods Statement (1 May 2024), and Source: Adidas Data Breach Notice (May 2024), and Source: ReutersDate Accessed: 2024-06-19, and Source: BleepingComputer, and Source: Darktrace (Nathaniel Jones, VP of Security & AI Strategy), and Source: TechRadar Pro, and Source: Blocksandfiles (interview with Matt Peterman and Nino Eškić), and Source: The GuardianUrl: https://www.theguardian.com/business/2024/jun/11/marks-spencer-cyber-attack-online-store-archie-norman, and Source: UK Parliament Business and Trade Subcommittee on Economic Security, Arms and Export Controls, and Source: Security Journal UK (October 2025 Edition)Url: https://www.securityjournaluk.com, and Source: Media reports on M&S cyberattack and TCS contract termination, and Source: Statements from M&S CEO Stuart Machin to UK Parliament, and Source: TCS public statements on the incident, and Source: TechRadar Pro - Expert InsightsUrl: https://www.techradar.com/pro, and Source: Duke’s CFO Global Business Outlook, and Source: Acronis Threat Research Unit (TRU), and Source: BleepingComputer or similar cybersecurity news outlet (implied), and Source: Marks & Spencer Half-Year Results H1 2025Date Accessed: 2025-11-05, and Source: Huntsman Security Analysis (ICO Data Q3 2024–Q2 2025), and Source: Semperis Report on Ransomware Timing, and Source: ReliaQuest (Scattered Lapsus$ Hunters Telegram Post)Date Accessed: 2025-11-01, and Source: UK NCSC (Festive Fraud Trends), and Source: Action Fraud Data (£11.8m Fraud Loss), and Source: CloudSEK (Fake E-commerce Sites Analysis), and Source: Marks and Spencer Trading Update (CEO Stuart Machin)Date Accessed: 2024-05-28, and Source: U.K. National Cyber Security Centre (NCSC) StatementDate Accessed: 2024-05, and Source: NCC Group (Matt Hull, Head of Threat Intelligence)Date Accessed: 2024-05, and Source: Marks & Spencer (M&S) Statement to London Stock ExchangeDate Accessed: 2024-05-29T00:00:00Z, and Source: Reuters / Media Reports on UK Retail CyberattacksDate Accessed: 2024-05-29T00:00:00Z.

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Letter To Customers, Affected customers were notified, Calling For Greater Transparency And Cyberattack Reporting, Media channels, including BBC., Initial Public Disclosure (2024-04-21), Limited Updates (Last Statement On 2024-04-25), Harrods Assured Customers Of Normal Operations, Harrods: Public Statement (No Customer Action Required), M&S: Updates On Job Site ('Working Hard To Be Back Online'), Co-Op: Internal Staff Warnings, Public Disclosure Via Rics Report, Media Coverage (The Guardian), Public Disclosures (All), Customer Apologies (H&M, M&S), Public Statements (Both Companies), Transparency With Mps During Subcommittee Hearing, No Public Disclosure Of Ransom Interactions, Transparency In Public Disclosures (Recommended), Stakeholder/Regulator Notifications, Public Disclosure Of Incident, Statements To Mps (Uk Parliament), Investor Updates, Media Responses, Timely Digital Communications By Ceo (Marks And Spencer), Transparency With Regulators/Investors, Public Disclosure Via Half-Year Results (Nov 5, 2025), Media Statements On Recovery Plans, Public advisories (e.g., NCSC warnings on fraud trends), Trading Update From Ceo Stuart Machin, Customer Note From Operations Director Jayne Wall, Faq Page For Affected Customers, public statements: london stock exchange filing (wednesday) and customer advisories (data compromise warning)..

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: were Reset passwords, NCSC is providing advice to the retail sector and wider economy, Customers advised to reset passwords on next login; no further action required, Businesses urged to adopt proactive cybersecurity measures to mitigate risks from evolving threats (AI, nation-states, CaaS)., Customers advised to monitor communications from affected retailers for potential data breach notifications or protective measures., NCSC urged retailers to tighten cybersecurity; no specific advisories from M&S/Harrods, M&S warned of service disruptions; Harrods assured normal operations, Ncsc Warns Retailers To Bolster Defenses; No Specific Stakeholder Advisories Detailed, Harrods: No Action Required Per Statement; M&S/Co-Op: No Public Customer Advisories, , Rics Urges Businesses To Address Digital Risks In Building Operations To Avoid 'Sleepwalking' Into Attacks., Marks & Spencer Likely Issued Advisories During The 7-Week Website Outage (Details Unspecified)., , Security Teams Urged To Be 'Ultra Vigilant.', Ncsc Warns Attacks Should Serve As A 'Wake-Up Call' For All Organizations., Experts Recommend Presuming Targeting Is Inevitable And Preparing Accordingly., Update Passwords And Monitor Financial Activity For Signs Of Fraud., Watch For Scams Exploiting Recent Breaches., , Market Updates (M&S £300M Loss), Apologies And Service Updates (H&M, M&S, Co-Op), Data Breach Notifications (Adidas, Co-Op), , Public Statements Confirming Operational Status (Co-Op), No Specific Advisories Mentioned (M&S), , Advice To Businesses: Prepare To Operate On Pen-And-Paper (M&S) Or Segregated Backup Systems (Co-Op)., M&S Updates To Investors And Mps, Tcs Communications To Clients And Media, M&S Notifications About Service Disruptions, Apologies For Order Delays And Stock Shortages, , Ceo-Led Digital Communications (Marks And Spencer), Regulatory Reporting (Emphasized As Best Practice), Transparency About Breach Impact And Remediation Steps (Marks And Spencer), , Investors Notified Via Half-Year Results, Likely Internal Briefings On Recovery Strategies, Indirect (Via Marketing Campaigns And Product Promotions), , Retailers urged to verify resilience; consumers warned about fraud risks., NCSC and experts advise verifying delivery messages and avoiding suspicious e-commerce sites., Customer Notifications, Faq Page For Affected Customers, Password Reset Prompts, Warnings About Phishing/Social Engineering Risks, Guidance On Online Safety, , investors: Notified via London Stock Exchange filing (profit impact disclosure), , data_compromise_warning: Issued (potential risk acknowledged) and .

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as Faster ransomware detection capabilities, Tata Consultancy Services, , Professional intermediaries, Strong Identity Verification, Vmware Hardening, Backup Integrity, Continuous Monitoring, , Organizations Involved: ['UK National Cyber Security Centre (NCSC)'], , , Ncsc (Assisting M&S And Co-Op), National Crime Agency (Nca) And Metropolitan Police Cybercrime Unit (M&S Investigation), , Security Teams Advised To Deploy Endpoint Protection Software, , Likely (M&S, Co-Op For Forensic Investigation), , National Cyber Security Centre (Ncsc), National Crime Agency (Nca), Metropolitan Police Cyber Crime Unit, , National Cyber Security Centre (Ncsc), Fbi, National Crime Agency, Metropolitan Police, Ransomware Specialists (Unspecified), , Invested Hundreds Of Millions In Cybersecurity Pre-Attack, Expanded Prevention Team To 80 Staff, , , Likely (though not explicitly stated), Cloud Backup Providers (E.G., Amazon, Google, Microsoft), Specialist Third-Party Backup Services, Incident Response Retainers, , Early Detection Technologies For Threat Identification, , Recommended For Unusual Access To Shared Resources, , Planned (part of cybersecurity investment), Recommended (continuous assurance for drift detection), U.K. National Cyber Security Centre (Ncsc), .

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Accelerated Cybersecurity Investment, Deployed Next-Generation Endpoint Protection And Multi-Factor Authentication Across Cloud And On-Premises Infrastructure, , Rebuilding systems and improving segmentation, Improve employee training and foster a culture of transparent communication, Increase Cybersecurity Budgets (77% Of Uk Businesses Planning To Do So)., Implement Xdr, Mfa, And Vulnerability Scanning To Reduce Insurance Premiums., Adopt Outsourced Cybersecurity Solutions For Specialized Expertise., Comply With Upcoming Regulations (E.G., Cyber Security And Resilience Bill 2025)., Position Cybersecurity As A Strategic Revenue Driver, Not Just A Protective Measure., , Mandate Regular Audits Of Ot/It Systems In Commercial Buildings., Invest In Modernizing Legacy Systems In Smart Buildings., Integrate Cybersecurity Into Facilities Management Training., Collaborate With Cybersecurity Firms To Assess Building-Specific Risks., , Enhance Endpoint Protection And Detection Capabilities., Implement Mfa And Staff Training Programs., Develop And Test Incident Response Plans Regularly., Segment Networks To Limit Lateral Movement By Attackers., , Vendor Security Audits (Adidas), It System Segmentation (Co-Op, Harrods), Offline Payment Fallback (H&M, M&S), , Ongoing System Rebuild, Collaboration With Law Enforcement (Fbi, Nca, Met Police), Review Of Third-Party Access Controls, Potential Advocacy For Mandatory Attack Reporting (Ncsc), , Deploy Unified Log Management And Real-Time Threat Detection Platforms., Enforce Zero Trust Architecture With Strict Access Controls And Mfa., Segment Networks To Limit Breach Impact And Lateral Movement., Enhance Api/Application Monitoring For Behavioral Anomalies., Automate Vulnerability Scanning And Prioritize High-Risk Patching., Integrate Security Awareness Into Organizational Culture Via Regular Training., Test Incident Response Plans With Simulations And Ensure Immutable Backups., Improve Post-Incident Communication Transparency To Retain Customer Trust., , Termination Of Tcs Help-Desk Contract (Though M&S Claims Unrelated To Breach)., Likely Review Of All Third-Party Access Controls And Authentication Mechanisms., Potential Adoption Of Zero-Trust Architecture For Vendor Access., Enhanced Monitoring Of Help-Desk Activities For Anomalous Behavior., Reevaluation Of Outsourcing Strategies To Balance Cost Savings With Cyber Risk., , Enhanced Employee Training On Emerging Threats., Implementation Of Third-Party Backup Solutions., Board-Level Cybersecurity Accountability., Adoption Of Early Detection Technologies., , £100M+ Investment In Cybersecurity And Technology Upgrades., Supply Chain Modernization Program., Store Updates To Improve Operational Resilience., Enhanced Marketing To Rebuild Customer Base., , Implement Continuous Assurance Frameworks., Enhance Monitoring During Holidays/Weekends (High-Risk Periods For Ransomware)., Strengthen Consumer Education On Fraud Prevention., , planned: ['Infrastructure upgrades', 'Network connectivity improvements', 'Supply chain system enhancements'], .

Ransom Payment History: The company has Paid ransoms in the past.

Last Ransom Demanded: The amount of the last ransom demanded was Yes.

Last Attacking Group: The attacking group in the last incident were an DragonForce group, Scattered Spider, Scattered Spider, DragonForce hacking collective, DragonForce, Scattered Spider (DragonForce), DragonForce ransomware group, Scattered Spider, Cybercriminal groupsMany based in Russia, Scattered Spider (0ktapus, UNC3944), Claimed By: DragonForce ransomware group, ScatteredSpiderHostile nation-statesCybercriminal groups, Scattered Spider (Octo Tempest), Scattered Spider (linked to M&S attack)Unidentified actors for Harrods and Co-op, ScatteredSpider (alleged for M&S), DragonForce (suspected for M&S and possibly others), Scattered Spider (alleged for M&S), DragonForce (ransomware group)Scattered Spider (hacking collective), Scattered Spider, Scattered SpiderUnidentified Fraudsters (Hong Kong Deepfake Case), DragonForceDevman (affiliate)Scattered Spider (partner), Scattered Lapsus$ Hunters (alleged upcoming attacks under #ShinyHuntazz)Unspecified ransomware groups (e.g., M&S and Co-Op Group breaches)Fraudsters operating fake e-commerce sites, Scattered SpiderDragonForce and DragonForce (ransomware group).

Most Recent Incident Detected: The most recent incident detected was on April 2023.

Most Recent Incident Publicly Disclosed: The most recent incident publicly disclosed was on 2024-04-03T00:00:00Z.

Most Recent Incident Resolved: The most recent incident resolved was on ['2024-06-XX (M&S, partial recovery ongoing)', None, None, None, '2024-06-XX (H&M, within 2 hours for most stores)'].

Highest Financial Loss: The highest financial loss from an incident was {'operating_profit_impact': '£300 million (before cost mitigation, insurance, and trading actions)', 'insurance_claim': 'Up to £100 million (maximum policy claim)', 'first_quarter_costs': ['Additional waste', 'Logistics costs (manual processes)', 'Reduced availability'], 'second_quarter_costs': ['Increased stock management', 'Online disruption (June–July)'], 'revenue_loss': None, 'conversion_rate_impact': None}.

Most Significant Data Compromised: The most significant data compromised in an incident were Personally Identifiable Information (PII), , Personal Data, Customer data, , Customer data, Home addresses, Phone numbers, Dates of birth, , Names, Birth Dates, Addresses, Phone Numbers, Household Information, Order Histories, , Sensitive data, Active Directory database, , Names, Home addresses, Email addresses, Phone numbers, , Unconfirmed for Harrods; M&S and Co-op: potential internal system data (no confirmation of customer data breach), , Customer names/contact details (Adidas, Co-op), Customer information (M&S, no payment details/passwords), None confirmed (Harrods, H&M), , , , basic contact details, dates of birth, online order histories, masked payment information, customer reference numbers (M&S credit card/Sparks Pay holders), Status: Potentially compromised (claimed by DragonForce, not yet leaked), , Status: Potentially compromised (claimed by DragonForce, not yet leaked) and .

Most Significant System Affected: The most significant system affected in an incident were VMware ESXi hostse-commerce platformspayment platforms and Online shopping ordersClick and collectContactless payments and Online SalesContactless Payments and Online services and and and Virtual machinesContactless paymentsClick-and-collectOnline ordering and Local councilsSchoolsNHSBritish LibraryMarks & SpencerCo-opHarrods and VMware vSphere environmentsESXi hostsVCSA and Online shopping platformInventory managementProduct availability systems and Online order processingContactless paymentsClick-and-collect servicesWarehouse logistics (Castle Donington)Gift card/return processingJob application portal and Harrods: restricted internet access at sites, some systems shut downM&S: online orders halted (~1 week), automated stock systems, loyalty scheme, gift card payments, recruitment systems (job postings paused)Co-op: internal systems shut down, online conferencing security warnings and Website Ordering System (Marks & Spencer)Building Management SystemsCCTV NetworksIoT DevicesAccess Control SystemsHVAC/Lighting Systems and Store SystemsOnline PlatformsIT Infrastructure and Ecommerce, contactless payments (M&S)Internal IT systems, internet access (Harrods)Payments systems (H&M, in-store)IT systems (Co-op, leading to empty shelves)Third-party customer service (Adidas) and Back-office systems (Co-op)Call centers (Co-op)Servers (M&S, encrypted)Online ordering systems (M&S)App-based ordering (M&S) and internal systemscritical employee files and online store (closed for ~7 weeks)online clothing distribution center (Castle Donington, Leicestershire) and and Online Shopping PlatformClick-and-Collect OperationsSupply Chain SystemsInventory ManagementStore Stocking Systems and local storagenetwork shares via SMB and Inventory ManagementE-commerce PlatformTransactional WebsiteSupply Chain and and online purchase systemsstore inventory systems and App (unavailable)Online shopping platform (paused)Supply chain systemsStore stocking processesManual logistics operations.

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was tata consultancy services, , Professional intermediaries, Organizations Involved: ['UK National Cyber Security Centre (NCSC)'], , ncsc (assisting m&s and co-op), national crime agency (nca) and metropolitan police cybercrime unit (m&s investigation), , likely (m&s, co-op for forensic investigation), , national cyber security centre (ncsc), national crime agency (nca), metropolitan police cyber crime unit, , national cyber security centre (ncsc), fbi, national crime agency, metropolitan police, ransomware specialists (unspecified), , cloud backup providers (e.g., amazon, google, microsoft), specialist third-party backup services, incident response retainers, , u.k. national cyber security centre (ncsc), .

Containment Measures in Most Recent Incident: The containment measures taken in the most recent incident were Disabled online shopping ordersDisabled click and collectDisabled contactless payments in some stores, Shut down systems to prevent further spread, Shutting down systems, Online orders suspendedJob listings removedAffected systems isolated, Harrods: restricted internet access, shut down some systemsM&S: halted online orders, paused hiring/recruitment systemsCo-op: shut down internal systems, staff warnings for online conferencing, Restricted internet access (Harrods)IT systems taken down (Co-Op), Restricted internal IT systems, paused internet access (Harrods)Shut down parts of IT systems (Co-op)Suspended online orders (M&S), Shut down back-office/call center systems (Co-op)Offline systems (M&S), isolation of affected systemsshutdown of online storereliance on pen-and-paper processes, Network Segmentation (Recommended)Isolation of Affected Systems (Recommended), Suspension of online ordersPartial halt of click-and-collect servicesIsolation of compromised systems (presumed), Restoration of shops and websites to normal operations and Pausing online shoppingManual logistics processes.

Most Sensitive Data Compromised: The most sensitive data compromised in a breach were Phone numbers, Customer information (M&S, no payment details/passwords), None confirmed (Harrods, H&M), Customer names/contact details (Adidas, Co-op), masked payment information, online order histories, Home addresses, Birth Dates, Order Histories, Customer data, Personal Data, Active Directory database, Email addresses, customer reference numbers (M&S credit card/Sparks Pay holders), dates of birth, Dates of birth, Personally Identifiable Information (PII), Household Information, Names, Phone Numbers, Addresses, Unconfirmed for Harrods; M&S and Co-op: potential internal system data (no confirmation of customer data breach), basic contact details and Sensitive data.

Number of Records Exposed in Most Significant Breach: The number of records exposed in the most significant breach was 6.5M.

Highest Ransom Paid: The highest ransom paid in a ransomware incident was ["M&S: no confirmation (stated 'not discussing details')", 'unnamed UK company: paid (per MP David Davis)'].

Most Significant Legal Action: The most significant legal action taken for a regulatory violation was U.S. prosecutors charged 5 alleged Scattered Spider members (November 2023), .

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Consumer-targeted fraud (e.g., fake sites, phishing) spikes during holidays, requiring heightened vigilance.

Most Significant Recommendation Implemented: The most significant recommendation implemented to improve cybersecurity was Implement multi-layered defenses: MFA, adaptive behavioral WAFs, network segmentation, and enhanced monitoring., Invest in employee training programs that address emerging threats (e.g., deepfakes, social engineering)., Enhance third-party risk management (given impersonation via contractor)., Implement multi-layered backup strategies to avoid single points of failure., customers advised to reset passwords, Leverage data analytics to predict and mitigate stock availability risks., Conduct thorough post-incident root cause analyses to harden systems and share lessons industry-wide., Invest in detection systems for faster response (e.g., Co-op's hours-long detection)., Multi-Factor Authentication (MFA) hardening recommended, Monitor financial activity and update passwords (for consumers)., Monitor dark web and underground forums for signs of compromised vendor credentials or targeted attacks., Replace end-of-life operating systems (e.g., Windows 7) with supported, patched versions., Develop a communication strategy that prioritizes openness and honesty within 48 hours of an incident., Deploy endpoint protection and detection tools (e.g., EDR)., Conduct regular simulations of cyber incidents to test response plans and recovery timelines., Adopt zero-trust principles for vendor access, minimizing standing privileges and enforcing least-privilege access., NCSC guidance for mitigating future ransomware attacks, Elevate cybersecurity to a board-level imperative with designated expertise (e.g., Virtual CISO)., Conduct regular vulnerability assessments for interconnected building systems., Conduct user awareness training to prevent initial access exploits., Develop incident response plans tailored to operational technology disruptions., Educate consumers on recognizing fake e-commerce sites and phishing scams (e.g., typosquatting, fake trust badges)., Implement zero-trust architecture for third-party access., Double-check resilience during peak sales periods (e.g., Black Friday, Christmas)., Develop playbooks for ransomware attacks, including offline payment contingencies., Implement network segmentation and Zero Trust principles to limit breach impact., Evaluate offline/air-gapped backup solutions (e.g., data diodes) for critical data, weighing costs against risk reduction., Develop segregated backup systems for critical processes (Co-op's 'break glass' approach)., NCSC urges organizations to implement preventive measures and robust incident response/recovery plans, Retailers urged to enhance cybersecurity (NCSC advisory), Enhance monitoring of building management systems, CCTV, and IoT devices., Regularly test backup integrity and recovery procedures to ensure effectiveness against ransomware., Train staff to recognize phishing and social engineering attacks., Review outsourcing contracts to include cybersecurity SLAs, liability clauses, and breach response obligations., Mandate reporting of major cyber-attacks to NCSC (per Archie Norman)., Evaluate cyber insurance coverage (Co-op chose detection over insurance; M&S relying on >£100m claim)., Greater transparency and cyberattack reporting, Adopt a visibility-first security posture with centralized log management and SIEM capabilities., Automate vulnerability scanning and prioritize patching based on risk/exploitability., Outsource cybersecurity to leverage external expertise, especially for SMEs lacking in-house capabilities., Invest in advanced security measures such as XDR platforms, multi-factor authentication (MFA), and vulnerability scanning., Implement multi-factor authentication (MFA) for administrative access., Implement multi-layered cybersecurity defenses, including real-time threat detection., Accelerate digital transformation to improve operational agility., Prioritize detection/response for high-impact threats (ransomware, phishing, misconfigurations)., Develop and rehearse incident response plans with clear communication protocols., Develop a crisis communication plan to retain customer trust during disruptions., View cybersecurity as a revenue driver, not just a cost center, to gain competitive advantage and customer trust., Enhance employee training on physical security (e.g., unguarded network sockets)., Defend against affiliate-based attacks by tracking emerging ransomware strains., Establish incident response retainers for immediate access to expert assistance during breaches., Raise awareness among facilities managers about cyber risks in digital environments., Implement stricter authentication for third-party vendor access (e.g., MFA, behavioral biometrics)., Assume breaches will occur and prepare for rapid response and recovery., Invest in regular, scenario-based security training for employees to reduce human error., Organisations must protect their virtualised assets through strong identity verification, VMware hardening, backup integrity, and continuous monitoring., Maintain separate third-party backups of cloud data to ensure rapid recovery of critical applications., Implement robust backup practices to mitigate encryption impacts., vigilance against phishing/social engineering attacks, Shift from reactive to proactive cybersecurity strategies to mitigate financial and operational risks., Deploy next-generation endpoint protection, Conduct regular red-team exercises simulating supply-chain and RaaS attacks., Enhance training for help-desk staff to detect and resist social engineering attacks (e.g., impersonation, phishing)., Integrate vendor risk management into enterprise cybersecurity frameworks, treating critical suppliers as extensions of internal systems., Assess physical security measures for offline storage to mitigate theft risks., Consider distributing encrypted backup units across secure locations to reduce risk concentration., Ensure transparent, timely communication with stakeholders, regulators, and customers during breaches., Prioritize cyber insurance to comply with upcoming regulations (e.g., Cyber Security and Resilience Bill 2025) and reduce premiums through risk mitigation., Audit and segment IoT/building management systems from critical networks., Consumers advised to monitor bank activity and update passwords, Verify delivery notifications directly with carriers to avoid falling for fake tracking messages., Develop and test incident response plans with tabletop exercises and immutable backups., Enforce least-privilege access, MFA, and continuous monitoring for identity and access controls., Strengthen partnerships (e.g., Ocado) to diversify revenue streams., Implement multi-factor authentication, Conduct regular audits of vendor cybersecurity practices, especially for help-desk and privileged access roles., Apply consistent patching and endpoint protection., Conduct regular stress tests for e-commerce and supply chain systems., Educate stakeholders on the financial and operational benefits of early cybersecurity investment., Treat cybersecurity as a board-level priority tied to business continuity, not just an IT issue., Monitor API traffic and application behavior in real time for early threat detection., Restrict lateral movement via network segmentation., Develop incident response playbooks specifically for third-party breaches, including clear communication protocols., Adopt continuous assurance to monitor defense posture and prevent vulnerabilities., Implement network segmentation for OT and IT systems in smart buildings., Retailers using SAP systems advised to review security postures, Implement training and attack simulation training to help employees recognize and respond to cyber threats appropriately., Monitor for unusual access to shared resources (e.g. and SMB)..

Most Recent Source: The most recent source of information about an incident are ESET (Jake Moore, Global Cybersecurity Advisor), Royal Institution of Chartered Surveyors (RICS), Thomas Richards, Infrastructure Security Practice Director at Black Duck, Reuters, The Guardian (Secureworks interview), Media reports on M&S cyberattack and TCS contract termination, BleepingComputer or similar cybersecurity news outlet (implied), Marks & Spencer, Darktrace (Nathaniel Jones, VP of Security & AI Strategy), Semperis Report on Ransomware Timing, Sky News, U.K. National Cyber Security Centre (NCSC) Statement, The Guardian, Al Jazeera, BleepingComputer, Cohesity Survey, Ex-NSA Cyber Chief - Cody Barrow, TCS public statements on the incident, Reuters / Media Reports on UK Retail Cyberattacks, UK National Cyber Security Centre (NCSC), Action Fraud Data (£11.8m Fraud Loss), SonicWall (Spencer Starkey, Executive VP of EMEA), M&S Public Disclosure, Statements from M&S CEO Stuart Machin to UK Parliament, Marks & Spencer (M&S) Statement to London Stock Exchange, Huntsman Security Analysis (ICO Data Q3 2024–Q2 2025), Dynatrace & FreedomPay Report, Adidas Data Breach Notice (May 2024), UK NCSC (Festive Fraud Trends), NCC Group (Matt Hull, Head of Threat Intelligence), Marks and Spencer Public Statement, TechRadar Pro, ReliaQuest (Scattered Lapsus$ Hunters Telegram Post), National Cyber Security Centre (NCSC) - Dr. Richard Horne, BlackFog Report, UK Parliament Business and Trade Subcommittee on Economic Security, Arms and Export Controls, TechRadar Pro - Expert Insights, Marks and Spencer Trading Update (CEO Stuart Machin), UK Parliament hearing on July 8, Marks & Spencer Half-Year Results H1 2025, Google’s Threat Intelligence Group (GTIG), Security Journal UK (October 2025 Edition), Harrods Statement (1 May 2024), Acronis Threat Research Unit (TRU), CloudSEK (Fake E-commerce Sites Analysis), Duke’s CFO Global Business Outlook, Blocksandfiles (interview with Matt Peterman and Nino Eškić) and Royal Institution of Chartered Surveyors (Rics) Report.

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://www.ncsc.gov.uk, https://www.techradar.com, https://www.theguardian.com/business/2024/may/02/harrods-hit-by-cyber-attack-days-after-marks-spencer-and-co-op, https://www.theguardian.com/business/2024/jun/10/uk-businesses-cyber-attack-risk-smart-buildings-rics, https://www.theguardian.com/technology/2024/may/XX/rics-cyber-attacks-smart-buildings, https://www.theguardian.com/business/2024/jun/11/marks-spencer-cyber-attack-online-store-archie-norman, https://www.securityjournaluk.com, https://www.techradar.com/pro .

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing.

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was NCSC is providing advice to the retail sector and wider economy, Businesses urged to adopt proactive cybersecurity measures to mitigate risks from evolving threats (AI, nation-states, CaaS)., NCSC urged retailers to tighten cybersecurity; no specific advisories from M&S/Harrods, NCSC warns retailers to bolster defenses; no specific stakeholder advisories detailed, Rics urges businesses to address digital risks in building operations to avoid 'sleepwalking' into attacks., Security teams urged to be 'ultra vigilant.', NCSC warns attacks should serve as a 'wake-up call' for all organizations., Experts recommend presuming targeting is inevitable and preparing accordingly., Market updates (M&S £300m loss), Advice to businesses: prepare to operate on pen-and-paper (M&S) or segregated backup systems (Co-op)., M&S updates to investors and MPs, TCS communications to clients and media, CEO-led digital communications (Marks and Spencer), Regulatory reporting (emphasized as best practice), Investors notified via half-year results, Likely internal briefings on recovery strategies, Retailers urged to verify resilience; consumers warned about fraud risks., customer notifications, FAQ page for affected customers, investors: Notified via London Stock Exchange filing (profit impact disclosure), .

Most Recent Customer Advisory: The most recent customer advisory issued were an Reset passwords, Customers advised to reset passwords on next login; no further action required, Customers advised to monitor communications from affected retailers for potential data breach notifications or protective measures., M&S warned of service disruptions; Harrods assured normal operations, Harrods: no action required per statement; M&S/Co-op: no public customer advisories, Marks & Spencer likely issued advisories during the 7-week website outage (details unspecified)., Update passwords and monitor financial activity for signs of fraud.Watch for scams exploiting recent breaches., Apologies and service updates (H&M, M&S, Co-op)Data breach notifications (Adidas, Co-op), Public statements confirming operational status (Co-op)No specific advisories mentioned (M&S), M&S notifications about service disruptionsApologies for order delays and stock shortages, Transparency about breach impact and remediation steps (Marks and Spencer), Indirect (via marketing campaigns and product promotions), NCSC and experts advise verifying delivery messages and avoiding suspicious e-commerce sites., password reset promptswarnings about phishing/social engineering risksguidance on online safety, data_compromise_warning: Issued (potential risk acknowledged) and .

Most Recent Entry Point: The most recent entry point used by an initial access broker were an Phone-based social engineering, Help desk, Compromised credentials from TCS, Third-party supplier, TCS help-desk staff credentials (impersonation/social engineering) and Social Engineering.

Most Recent Reconnaissance Period: The most recent reconnaissance period for an incident was Days to weeks (undetected dwell time).

Most Significant Root Cause: The most significant root cause identified in post-incident analysis was Social EngineeringPassword Reset Mechanism, Compromised credentials and lack of system segmentation, Employee impersonation and unauthorized system access, Weak identity verification procedures in IT help desks, Underinvestment in proactive cybersecurity measuresOver-reliance on in-house teams without external expertiseFailure to adapt to evolving threats (AI, CaaS, nation-state actors)Lack of comprehensive cyber insurance and resilience planning, Phishing vulnerabilitiesMFA fatigue exploitsLack of segmentation (warehouse/retail systems impacted), Use of outdated, unsupported software (e.g., Windows 7) in building systems.Inadequate security for operational technology (OT) and IoT devices.Lack of preparedness for cyber-physical attacks on smart infrastructure.Underestimation of risks associated with interconnected building technologies., Potential exploitation of human vulnerabilities (e.g., social engineering).Lack of robust endpoint protection or detection tools in some cases.High-value target sector (retail) with critical operational dependencies., Third-party vendor vulnerabilities (Adidas)Insecure IoT/building systems (theoretical for Co-op/H&M)RaaS proliferation (DragonForce for M&S)Lack of payment system redundancy (H&M, M&S), Social engineering (MFA bombing, SIM swapping, phishing), Lack of isolated/offline backups allowing ransomware to encrypt critical files.Potential exploitation of network-connected backup vulnerabilities (historical context)., Sophisticated impersonation and third-party compromiseDetermined threat actor exploiting complex organizational structurePotential delays in detection (attack began 17 April, detected 19 April), Lack of centralized visibility into digital environments (logs, telemetry, user activity).Weak identity/access controls (stolen credentials, unmonitored endpoints).Siloed logging and delayed threat detection.Insufficient network segmentation enabling lateral movement.Unpatched vulnerabilities and poor API security.Inadequate security culture/training (phishing, social engineering risks)., Over-reliance on third-party vendor (TCS) for critical help-desk access without sufficient safeguards.Lack of robust authentication (e.g., MFA) for vendor logins, enabling credential theft via impersonation.Inadequate segmentation between M&S systems and TCS help-desk access, allowing lateral movement.Social engineering vulnerabilities in help-desk processes (e.g., scripted password resets).Complex outsourcing ecosystem with elevated third-party access, increasing attack surface., Human Error (e.g., falling for deepfake/phishing)Inadequate TrainingLack of Proactive Threat Detection, Exploitation of Conti’s leaked source code for new ransomware development.Leveraging affiliate networks to scale attacks (e.g., Devman, Scattered Spider).Use of SMB for lateral movement and network-wide encryption.Cartel-like coordination to dominate the ransomware ecosystem., Inadequate cybersecurity measures to prevent disruption during peak periods.Vulnerabilities in supply chain and stock management systems.Lack of redundancy in transactional website infrastructure., Opportunistic exploitation of vulnerabilities (misconfigurations, brute force).Distraction during peak sales periods diverting attention from cybersecurity.Lack of continuous monitoring leading to undetected drift in defenses..

Most Significant Corrective Action: The most significant corrective action taken based on post-incident analysis was Accelerated cybersecurity investmentDeployed next-generation endpoint protection and multi-factor authentication across cloud and on-premises infrastructure, Rebuilding systems and improving segmentation, Improve employee training and foster a culture of transparent communication, Increase cybersecurity budgets (77% of UK businesses planning to do so).Implement XDR, MFA, and vulnerability scanning to reduce insurance premiums.Adopt outsourced cybersecurity solutions for specialized expertise.Comply with upcoming regulations (e.g., Cyber Security and Resilience Bill 2025).Position cybersecurity as a strategic revenue driver, not just a protective measure., Mandate regular audits of OT/IT systems in commercial buildings.Invest in modernizing legacy systems in smart buildings.Integrate cybersecurity into facilities management training.Collaborate with cybersecurity firms to assess building-specific risks., Enhance endpoint protection and detection capabilities.Implement MFA and staff training programs.Develop and test incident response plans regularly.Segment networks to limit lateral movement by attackers., Vendor security audits (Adidas)IT system segmentation (Co-op, Harrods)Offline payment fallback (H&M, M&S), Ongoing system rebuildCollaboration with law enforcement (FBI, NCA, Met Police)Review of third-party access controlsPotential advocacy for mandatory attack reporting (NCSC), Deploy unified log management and real-time threat detection platforms.Enforce Zero Trust architecture with strict access controls and MFA.Segment networks to limit breach impact and lateral movement.Enhance API/application monitoring for behavioral anomalies.Automate vulnerability scanning and prioritize high-risk patching.Integrate security awareness into organizational culture via regular training.Test incident response plans with simulations and ensure immutable backups.Improve post-incident communication transparency to retain customer trust., Termination of TCS help-desk contract (though M&S claims unrelated to breach).Likely review of all third-party access controls and authentication mechanisms.Potential adoption of zero-trust architecture for vendor access.Enhanced monitoring of help-desk activities for anomalous behavior.Reevaluation of outsourcing strategies to balance cost savings with cyber risk., Enhanced employee training on emerging threats.Implementation of third-party backup solutions.Board-level cybersecurity accountability.Adoption of early detection technologies., £100m+ investment in cybersecurity and technology upgrades.Supply chain modernization program.Store updates to improve operational resilience.Enhanced marketing to rebuild customer base., Implement continuous assurance frameworks.Enhance monitoring during holidays/weekends (high-risk periods for ransomware).Strengthen consumer education on fraud prevention., planned: ['Infrastructure upgrades', 'Network connectivity improvements', 'Supply chain system enhancements'], .