UK department store Harrods suffered a cyber attack in the recent past, joining a series of UK retailers experiencing data breaches.

In a series of cyber-attacks that have shaken the retail sector, three major British companies – Marks & Spencer (M&S), Co-op, and luxury retailer Harrods – have been targeted by the hacking group known as Scattered Spider.

The attacks, which have been linked to the deployment of the DragonForce encryptor, began with M&S's public disclosure on April 22. Since then, M&S's Chief Executive Stuart Machin has confirmed that they are continuing to tackle the incident and working around the clock to restore normal operations.

Jake Moore, Global Cybersecurity Advisor at ESET, notes that similar companies in the same sector often become secondary targets after a large cyber-attack. This could suggest that Scattered Spider, having successfully infiltrated M&S's systems, expanded its reach to other retailers.

The M&S incident has affected click and collect services, online orders, and their job searching site, which was offline at the time of writing. Luxury retailer Harrods confirmed a cyber incident on May 1, leading to some systems being taken offline. Co-op also confirmed on May 1 that it had to shut down part of its IT systems due to unauthorized attempts to gain access. At the time of the article, Harrods' stores and website remain open to customers.

Toby Lewis, Head of Threat Analysis at Darktrace, suggests two possible scenarios connecting the incidents: a breached common supplier or technology, or security teams re-examining logs due to the M&S incident. Silent Push's analysis noted that the tactics, techniques, and procedures (TTPs) of Scattered Spider have continued to evolve in the last year with at least four phishing kits updated in 2024. The latest phishing kit, the fifth, was observed in 2025 and has additional content changes and was hosted on Cloudflare.

None of the affected retailers have instructed customers to take any action at this time. The National Cybersecurity Center (NCSC) CEO Richard Horne issued a statement offering support and advice to businesses affected by the incidents. The NCSC is working closely with organizations that have reported incidents to them to understand the nature of these attacks and provide expert advice to the wider sector.

It is worth noting that the DragonForce tool used by Scattered Spider can be purchased on the dark web in the Ransomware-as-a-Service (RaaS) ecosystem. Scattered Spider is also tracked under the monikers UNC3944, Scatter Swine, Octo Tempest, and Muddled Libra.

Scattered Spider was behind the MGM International and Caesars Entertainment ransomware attacks in 2023. The group has also been known to target brands including Luis Vuitton, Nike, and Vodafone in 2025.

As the situation continues to unfold, it is crucial for businesses to remain vigilant and proactive in their cybersecurity measures. Regular updates and patches to systems, as well as thorough investigations of any unusual activity, can help prevent such attacks in the future.

UK department store Harrods suffered a cyber attack in the recent past, joining a series of UK retailers experiencing data breaches.