In the last week of April 2025, three of the United Kingdom's most recognisable retailers — Marks & Spencer, the Co-operative Group, and Harrods — disclosed cybersecurity incidents in rapid succession. The UK National Cyber Security Centre and the Cyber Monitoring Centre subsequently characterised the M&S and Co-op intrusions as a single combined cyber event, attributing them to operators using DragonForce ransomware-as-a-service tooling with tradecraft consistent with the Scattered Spider cluster. The Co-op confirmed by May 2 that significant member and employee data had been exfiltrated, that ransomware deployment had been prevented but data theft had not, and that core trading systems remained degraded for weeks. The Cyber Monitoring Centre estimated the combined financial impact of the M&S and Co-op events at between £270 million and £440 million. The case is a textbook example of helpdesk-as-attack-surface, and a wake-up call for any retailer that has outsourced IT support.
Who is DragonForce and how did they get in?
DragonForce is a ransomware-as-a-service brand that emerged from the leaked LockBit Black builder in mid-2023, rebranded and operated by a UK- and Malaysia-linked group. The affiliates seen in the spring 2025 UK retail campaign overlap heavily with the Scattered Spider cluster — UNC3944, Octo Tempest, Star Fraud — known for native-English-speaker social-engineering tradecraft against helpdesks. In the Co-op and M&S intrusions, public attribution centres on calls to the outsourced IT support desk operated for both retailers by Tata Consultancy Services, in which attackers impersonated employees, requested password resets and MFA re-enrolments, and pivoted into corporate identity systems. M&S CEO Stuart Machin confirmed in a parliamentary appearance in July 2025 that the company's IT helpdesk supplier was the initial-access path; Co-op has not formally named its outsourced provider, but the playbook matched.
What did the attackers actually access?
Co-op's CEO Shirine Khoury-Haq confirmed that personal data of "all 6.5 million members" was accessed, including names, contact details, and dates of birth, though Co-op stated that financial data and passwords were not affected. M&S confirmed exfiltration of customer contact data, order histories, and partial card data, while Harrods escalated more quickly to network isolation and reported a more limited blast radius. For Co-op specifically, the operational impact was particularly disruptive: warehouse and logistics systems went offline, leading to empty shelves at hundreds of stores and significant cash-flow stress for the cooperative's funeral and insurance lines of business that share infrastructure with the food estate.
How long were they inside?
Public timelines indicate initial helpdesk-call activity at Co-op began in late April 2025, with the company detecting unauthorised access and proactively shutting down VPN access on April 30. M&S detected its own intrusion on April 22; Harrods publicly disclosed on May 1. The window from first social-engineering call to network shutdown across the cluster appears to have been days, not weeks — Scattered Spider tradecraft historically targets rapid privilege escalation followed by either data extortion or ransomware within the first 72 hours. Recovery has taken far longer. M&S warned investors in late April that the incident would shave roughly £300 million from annual profit and that disruption would extend into June and July 2025.
What did existing controls miss?
Three failures define this campaign, and they have been visible since the 2023 MGM Resorts and Caesars incidents. First, the helpdesk identity-proofing process at the outsourced provider relied on knowledge-based authentication — questions an attacker can answer from LinkedIn and breach-corpus material — rather than verified callback or video identity checks. Second, the helpdesk had authority to reset MFA factors without human-in-the-loop manager approval, so a single call became a single MFA re-enrolment, and that re-enrolment became a privileged session. Third, lateral movement from a single user account into the OT-adjacent warehouse-management estate was unrestricted by tier-zero segmentation. M&S, Co-op, and Harrods each maintained large outsourced Tata operations; none of them, on public record, had layered helpdesk identity proofing.
```yaml
# Helpdesk MFA-reset hardening baseline
helpdesk_identity_proofing:
  password_reset:
    requires_verified_callback: true
    minimum_proof_factors: 2
    forbid_kba_only: true
  mfa_factor_reset:
    requires_manager_approval: true
    requires_live_video_check: true
    cooldown_hours_after_password_reset: 24
  privileged_user_resets:
    requires_in_person_or_notary: true
audit:
  record_call_audio: true
  record_screen_capture: true
  retention_days: 365
alerts:
  new_mfa_factor_within_7d_of_password_reset: high
  helpdesk_reset_outside_business_hours: high
  bulk_reset_pattern_same_agent: high
```
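The baseline above is only useful if something enforces it at the moment an agent tries to act. The following is an added example, not code from the original article or from any vendor named on this page: a small policy gate that evaluates a helpdesk reset request against the `helpdesk_identity_proofing` rules and returns every rule the request fails. The `ResetRequest` fields, the proof-factor names (`kba`, `callback`, `video`) and the approval flags are assumptions made for this illustration.

```python
"""Policy gate for helpdesk-initiated credential changes (added example).

Evaluates a reset request against the hardening baseline above. The request
fields, the proof-factor names ("kba", "callback", "video") and the approval
flags are assumptions for this illustration, not any product's API.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple

# The helpdesk_identity_proofing tree from the YAML baseline, transcribed as a dict
BASELINE = {
    "password_reset": {
        "requires_verified_callback": True,
        "minimum_proof_factors": 2,
        "forbid_kba_only": True,
    },
    "mfa_factor_reset": {
        "requires_manager_approval": True,
        "requires_live_video_check": True,
        "cooldown_hours_after_password_reset": 24,
    },
    "privileged_user_resets": {"requires_in_person_or_notary": True},
}


def hours_ago(hours: float, now: Optional[datetime] = None) -> datetime:
    """Helper for building timestamps relative to 'now' (UTC)."""
    return (now or datetime.now(timezone.utc)) - timedelta(hours=hours)


@dataclass
class ResetRequest:
    user: str
    action: str                      # "password_reset" or "mfa_factor_reset"
    privileged: bool                 # tier-zero / admin account?
    proofs: Set[str]                 # identity proofs the agent actually obtained
    manager_approved: bool = False
    in_person_verified: bool = False
    last_password_reset: Optional[datetime] = None
    now: datetime = field(default_factory=lambda: datetime.now(timezone.utc))


def evaluate(req: ResetRequest, baseline: dict = BASELINE) -> Tuple[bool, List[str]]:
    """Return (allowed, unmet_rules). The request is allowed only when no rule is unmet."""
    unmet: List[str] = []
    if req.privileged and baseline["privileged_user_resets"]["requires_in_person_or_notary"] \
            and not req.in_person_verified:
        unmet.append("privileged account: in-person or notary verification required")
    if req.action == "password_reset":
        rule = baseline["password_reset"]
        if rule["requires_verified_callback"] and "callback" not in req.proofs:
            unmet.append("verified callback to the HR number on file is missing")
        if rule["forbid_kba_only"] and req.proofs == {"kba"}:
            unmet.append("knowledge-based answers alone are not acceptable proof")
        if len(req.proofs) < rule["minimum_proof_factors"]:
            unmet.append(f"{len(req.proofs)} proof factor(s) presented, "
                         f"{rule['minimum_proof_factors']} required")
    elif req.action == "mfa_factor_reset":
        rule = baseline["mfa_factor_reset"]
        if rule["requires_manager_approval"] and not req.manager_approved:
            unmet.append("manager approval is missing")
        if rule["requires_live_video_check"] and "video" not in req.proofs:
            unmet.append("live video identity check is missing")
        cooldown = timedelta(hours=rule["cooldown_hours_after_password_reset"])
        if req.last_password_reset is not None and req.now - req.last_password_reset < cooldown:
            unmet.append(f"MFA re-enrolment inside the {rule['cooldown_hours_after_password_reset']}h "
                         "cooldown after a password reset")
    else:
        unmet.append(f"unknown action {req.action!r}")
    return (not unmet, unmet)


if __name__ == "__main__":
    # A caller who can only answer KBA questions asks for a password reset, then
    # an MFA re-enrolment two hours later: both requests are refused, with reasons.
    for req in (
        ResetRequest("j.smith", "password_reset", False, {"kba"}),
        ResetRequest("j.smith", "mfa_factor_reset", False, {"kba"}, last_password_reset=hours_ago(2)),
    ):
        allowed, why = evaluate(req)
        print(req.action, "ALLOWED" if allowed else "DENIED", why)
```

The gate deliberately returns all unmet rules rather than stopping at the first one, so the audit record (the `audit` section of the baseline) captures how far short of the policy a given call fell; a request that fails three proofing rules at once is itself a signal worth routing to the SOC.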
What should retail defenders do now?
Six steps. First, rebuild the helpdesk identity-proofing flow. Require verified callback to a number on file in HR, manager approval for any MFA factor change, and a 24-hour cooldown between password reset and MFA re-enrolment. Phishing-resistant FIDO2 factors must replace SMS and authenticator-app OTP for any privileged role. Second, exercise a Scattered Spider tabletop quarterly with the outsourced helpdesk in the room, scoring response on time-to-callback-verification and time-to-account-disable. Third, segment OT-adjacent retail systems — warehouse management, electronic shelf labels, POS gateways — onto separate identity tiers so that a corporate user compromise does not collapse the supply chain. Fourth, integrate identity-provider telemetry into the SOC at high fidelity: failed authentication patterns, new device enrolments, and impossible-travel events should be alerted on within seconds, not minutes. Fifth, push contractual liability and breach-notification clauses into IT-outsourcing agreements that match the regulatory posture of the principal — UK GDPR, NIS2 if applicable, FCA notification thresholds for the financial-services subsidiaries that hide inside retail conglomerates. Sixth, share TTPs and IOCs across the British Retail Consortium and the UK retail ISAC the moment your SOC catches a Scattered Spider-pattern call.
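Step four above (identity telemetry in the SOC) and the three `alerts` entries in the baseline describe the same thing from two sides. The block below is an added example, not code from the original article or from any named vendor: it implements those three alert rules as a single pass over helpdesk audit events. The log-line format, the sample lines (constructed for this example, not real data from any retailer), the 08:00-17:59 UTC Monday-to-Friday business window and the bulk threshold of three distinct users per agent per hour are all assumptions.

```python
"""Detection rules over helpdesk audit events (added example).

Implements the three alerts named in the hardening baseline as one pass over
log lines. The log format, the business-hours window and the bulk threshold
are assumptions for this illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, Iterable, List, Tuple

# Constructed sample audit lines (not real data). 2025-04-28 is a Monday.
SAMPLE_LOG = """\
2025-04-28T10:05:00Z agent=hd-017 user=a.patel action=password_reset
2025-04-28T21:40:00Z agent=hd-042 user=j.smith action=password_reset
2025-04-28T22:10:00Z agent=hd-042 user=j.smith action=mfa_factor_reset factor=authenticator_app
2025-04-29T09:00:00Z agent=hd-042 user=b.jones action=password_reset
2025-04-29T09:20:00Z agent=hd-042 user=c.lee action=password_reset
2025-04-29T09:45:00Z agent=hd-042 user=d.khan action=password_reset
2025-05-06T11:00:00Z agent=hd-017 user=a.patel action=mfa_factor_reset factor=fido2
"""

RESET_ACTIONS = {"password_reset", "mfa_factor_reset"}
BUSINESS_HOURS = range(8, 18)          # assumption: 08:00-17:59 UTC, Monday-Friday
Alert = Tuple[str, str, str, str, datetime]   # (rule, severity, user, agent, timestamp)


def parse_line(line: str) -> dict:
    """Parse '<ISO-8601 UTC> key=value ...' into a dict with a tz-aware 'ts'."""
    ts_text, _, rest = line.partition(" ")
    event = dict(kv.split("=", 1) for kv in rest.split())
    event["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def detect(lines: Iterable[str], bulk_threshold: int = 3,
           bulk_window: timedelta = timedelta(hours=1)) -> List[Alert]:
    """Run the three baseline alert rules over audit lines, in timestamp order."""
    alerts: List[Alert] = []
    last_pw_reset: Dict[str, datetime] = {}                          # user -> last password reset
    per_agent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)  # agent -> recent resets
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    for ev in events:
        ts, user, agent, action = ev["ts"], ev["user"], ev["agent"], ev["action"]
        if action not in RESET_ACTIONS:
            continue
        # Rule: helpdesk_reset_outside_business_hours
        if ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5:
            alerts.append(("helpdesk_reset_outside_business_hours", "high", user, agent, ts))
        # Rule: new_mfa_factor_within_7d_of_password_reset
        if action == "password_reset":
            last_pw_reset[user] = ts
        elif action == "mfa_factor_reset":
            prev = last_pw_reset.get(user)
            if prev is not None and ts - prev <= timedelta(days=7):
                alerts.append(("new_mfa_factor_within_7d_of_password_reset", "high", user, agent, ts))
        # Rule: bulk_reset_pattern_same_agent (fires on each reset once the window holds
        # >= bulk_threshold distinct users)
        window = per_agent[agent]
        window.append((ts, user))
        while window and ts - window[0][0] > bulk_window:
            window.popleft()
        if len({u for _, u in window}) >= bulk_threshold:
            alerts.append(("bulk_reset_pattern_same_agent", "high", user, agent, ts))
    return alerts


def summarise(alerts: List[Alert]) -> Dict[str, int]:
    """Count alerts per rule name."""
    counts: Dict[str, int] = defaultdict(int)
    for rule, *_ in alerts:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for rule, sev, user, agent, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} [{sev}] {rule}: user={user} agent={agent}")
    print(summarise(detect(SAMPLE_LOG.splitlines())))
```

On the constructed sample the pass raises four alerts: two out-of-hours resets for `j.smith`, one MFA re-enrolment 30 minutes after that user's password reset, and one bulk pattern when agent `hd-042` resets three different users inside an hour; the `a.patel` re-enrolment eight days after the password reset correctly stays silent. Correlating the first two rules on the same user within the same hour is the Scattered Spider shape the text describes, and is what should page the on-call rather than land in a daily report.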
What regulatory and law-enforcement follow-on has the campaign produced?
By July 10, 2025 the UK National Crime Agency announced the arrest of four individuals, aged 17 to 20 and located in the UK and Latvia, in connection with the M&S, Co-op, and Harrods intrusions. The arrests reinforced the now-public pattern of UK-and-US-based teenage operators executing high-impact intrusions for financial gain, the same pattern documented in MGM Resorts 2023 and the AT&T Snowflake events. The UK Information Commissioner's Office opened formal investigations into both M&S and Co-op under UK GDPR, with potential monetary penalties scaling against the magnitude of personal data exfiltrated. Parliament called the M&S CEO to testify in July 2025; Stuart Machin confirmed the helpdesk-supplier initial-access vector and committed to public reporting on remediation actions. The Financial Conduct Authority asked Co-op for separate evidence on the impact to its funeral-care and insurance subsidiaries given the cross-business infrastructure overlap. Cyber-insurance pricing for UK retail rose sharply in the second half of 2025 with several insurers reportedly carving out helpdesk-vendor breach coverage entirely. The combined regulatory, criminal, and commercial pressure now provides the strongest enforcement signal yet that helpdesk identity-proofing must be rebuilt across the sector.
How Safeguard Helps
Safeguard inventories every IT-outsourcing and helpdesk vendor that handles identity workflows for your environment, and continuously scores them against the CISA Secure by Design pledge, ISO 27001 controls A.5.20 to A.5.23 supplier management, and your contractual breach-notification SLA. Griffin AI reachability analysis surfaces which helpdesk-operated identity flows can reach tier-zero systems such as warehouse management, POS gateways, and OT segments, and flags re-enrolment patterns that do not match the helpdesk's stated controls. TPRM workflows require helpdesk vendors to attest to FIDO2 enforcement, manager-approval workflows, and verified-callback procedures, and continuously check whether attestations match the live configuration. Policy gates block new outsourcing integrations that fall below the baseline, and ingest Scattered Spider and DragonForce IOCs across the retail sector so that one socially engineered call at any peer retailer raises the alarm across your environment.