Why cyberattacks on UK supermarkets are likely to continue | #ransomware | #cybercrime


The wave of cyberattacks targeting British retailers is likely to continue, spelling more disrupted shopping for UK consumers, experts have warned.

Harrods was the third major retailer to be targeted following ransomware attacks on Marks & Spencer and the Co-Op, for which a hacking gang has claimed responsibility.

It is believed that in all three cases the attackers impersonated employees when contacting the retailers’ IT help desks in order to gain access to the network. In a ransomware attack, malicious software encrypts an organisation’s or user’s files and data, denying them access to their own systems until a ransom is paid.

Marks & Spencer was attacked first, on 21 April, leaving the retailer unable to accept contactless payments and forcing it to pause website orders, which have not yet resumed. The attack also disrupted M&S’s stock ordering systems, leading to empty shelves and the suspension of meal deal offers.

Then on 30 April, Co-op confirmed a cyberattack affecting its back-office services, and the company suspended VPN access for all staff. The attack delayed and disrupted deliveries, leading to product shortages.

Harrods announced on 1 May that it had contained an attempted cyberattack and had restricted internet access as a precaution.

The Metropolitan Police is investigating.

A notorious ransomware gang called Dragonforce is thought to be behind the attacks, explains Paul Bischoff, consumer privacy advocate at Comparitech, speaking to Yahoo News.

Dragonforce has claimed responsibility for all three attacks, although this has not yet been confirmed.

Technology specialist site BleepingComputer had previously said the attack on M&S was believed to have been conducted by a hacking collective known as Scattered Spider – deploying Dragonforce ransomware.

The National Cyber Security Centre (NCSC) has also suggested that tactics used by the Scattered Spider ransomware group were employed in the attacks.


“Dragonforce claimed responsibility for 30 confirmed ransomware attacks in total, six of which occurred in 2025,” Bischoff says. “That doesn’t include dozens more unconfirmed claims that DragonForce made, but were never acknowledged by the targeted organisations.

“Ransomware locks down computer systems, steals data, or both (DragonForce does both). Companies are forced to pay a ransom or else face extended downtime, data loss, and putting customers at increased risk of fraud.”

The first reason why attacks on retailers are likely to continue is because ransomware remains an effective way for cybercriminals to make money, according to Bischoff.

So far there is no suggestion that any UK retailers have paid the ransom, but many targeted organisations do. Research by security firm Proofpoint in 2024 found that 64% of British firms targeted by ransomware paid the ransom.

Separately, software giant Cisco’s annual Cybersecurity Readiness Index, released on Wednesday, found that only 4% of UK organisations achieved its “mature” level of readiness to withstand modern cyberattacks, although this was a slight increase from the 2% that achieved the status last year.

According to its study, 78% of UK organisations said they had faced an artificial intelligence-related security incident in the last year, but only 52% of those surveyed said they are confident their staff fully understand AI-related threats or grasp how the technology can be used to carry out attacks.

“This sort of thing is likely to happen more often,” says Bischoff. “Ransomware is a proven way for cybercriminals to make money, and until that’s no longer true, we’ll continue to see ransomware attacks.”

Secondly, according to Bischoff, it’s now becoming easier for criminals to launch such attacks, as they can simply pay ‘rent’ to other criminals to use malicious software and tactics. This means that relatively unskilled criminals can launch attacks.

“The rise of ‘ransomware-as-a-service’ businesses and AI make it easier for non-technical users to launch ransomware attacks and collect ransoms,” Bischoff says.

The NCSC has urged retailers to take preventative measures against future attacks, including reviewing how IT help desks verify users before resetting their passwords and enabling two-step verification for all users.

Bischoff says that with such attacks continuing, British retailers are likely to modify how they store, secure and access data. “That includes regular backups, training employees to spot phishing emails, and disaster recovery planning,” he says.

Cybersecurity expert Cody Barrow, chief executive of EclecticIQ, said the recent flurry of attacks showed cybercriminals are becoming bolder.

“It highlights an alarming trend: attackers are becoming increasingly opportunistic, exploiting weaknesses across complex, highly interconnected supply chains,” he said, warning that artificial intelligence was also making it easier for lower-skilled hackers to put together sophisticated attacks.

“What’s deeply concerning is generative AI is accelerating the threat landscape.

“Sophisticated phishing campaigns, deepfake social engineering, and adaptive malware are now within reach of even low-skilled attackers. This widespread access to advanced attack tools is driving up attack volume, speed, and complexity.”


