
April 2025 – Marks & Spencer, Co-op & Harrods: When High‑Street Trust Cracked
In the lead-up to Easter 2025, some of the UK’s best‑known retailers suffered coordinated digital assaults. Marks & Spencer’s online services failed: no contactless payments, no click‑and‑collect, and a website that went dark for nearly seven weeks. Co‑op, hit just days later, temporarily shut down parts of its IT systems to contain the intrusion. Harrods also restricted internet access at its flagship store as part of damage control.
The National Crime Agency (NCA) later charged four suspects (two 19‑year‑olds, a 17‑year‑old and a 20‑year‑old woman) with offences under the Computer Misuse Act, organised crime involvement, and blackmail. Investigators believe the group known as Scattered Spider or DragonForce orchestrated the attacks using highly targeted social engineering, including help‑desk impersonation and SIM‑swapping to reset credentials and gain access.
M&S alone is estimated to have lost around £300 million in operating profit, and its market value dropped by over £1 billion by mid-May. Co‑op later confirmed that the personal data of roughly 6.5 million members (names, addresses and contact details) had been stolen. Thankfully, no password or payment data was compromised.
These incidents left crucial lessons: strong multi‑factor authentication, stricter access for third-party providers, staff training on phishing threats, and more robust identity governance.

June–July 2025 – Knights of Old (KNP Logistics): One Password That Ended a Legacy
Just months later, another cyberattack struck, but this time the victim was a private transport firm, not a retailer. Knights of Old, part of Northamptonshire-based KNP Logistics, had roots going back 158 years and over 700 jobs, but none of it mattered once a single employee password was guessed by attackers from the Akira ransomware gang.
What followed was catastrophic: internal systems were encrypted, backups destroyed, and a ransom demand of up to £5 million was issued. Despite holding cyber insurance and adhering to baseline controls, KNP found recovery impossible: operations collapsed, and the company ceased to exist.
The key failures were clear: poor password hygiene, lack of multi-factor authentication, inconsistent backup validation, and underestimating insurance limitations. This incident made it painfully obvious that digital dependency demands proactive security, not just compliance.
Why These Stories Matter to You
These aren’t tech‑only tales. They are warnings across industries:
- Even household-name brands can be immobilised overnight by social engineering.
- Legacy businesses with low digital maturity are surprisingly vulnerable.
- Cyber insurance isn’t a safety net unless controls are strong and tested.
- Third-party access and internal help‑desk procedures can be high‑risk vectors.

What Organizations Should Learn
- Strengthen Identity & Access Controls: require MFA everywhere, especially for privileged and vendor access; harden help‑desk protocols so that no password reset happens without verification.
- Run Phishing & Social Engineering Drills: simulate realistic executive impersonation and telephone phishing scenarios; educate staff to verify unusual access requests.
- Test and Safeguard Backups: ensure backups are isolated, immutable, and recoverable; practise restoration regularly under pressure.
- Review Cyber Insurance Terms: confirm ransomware and data recovery costs are covered realistically; match coverage limits to business exposure.
- Vet Third-Party Partners: conduct security assessments and enforce vendor security standards; plan for rapid containment and escalation if a partner is breached.
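As an added illustration of the help‑desk and identity-control points above (example code written for this page, not from the article or from any organisation named in it), the Python below models a reset-verification gate that refuses the caller-ID-only and recently-changed-number cases behind help‑desk impersonation and SIM‑swapping, and then checks constructed help‑desk audit lines for resets that skipped those checks; the log format, field names and the 7-day window are assumptions.

```python
"""Help-desk credential-reset gate: added illustration, not taken from the article.
Caller ID alone is never trusted, a recently changed number is treated as a possible
SIM swap, and privileged/vendor accounts need a second approver. Log format, field
names and the 7-day window are assumptions made for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

SIM_SWAP_WINDOW = timedelta(days=7)  # distrust numbers changed more recently than this

@dataclass
class ResetRequest:
    account: str
    privileged: bool                      # admin, service or third-party vendor account
    caller_phone: str                     # number the caller is calling from
    phone_on_record: str                  # number held by HR / the identity provider
    phone_changed_at: Optional[datetime]  # when the number on record last changed
    verified_by: Set[str] = field(default_factory=set)  # e.g. {"callback", "manager"}

def evaluate_reset(req: ResetRequest, now: datetime) -> Tuple[bool, str]:
    """Return (approved, reason); deny unless every required check passes."""
    if req.caller_phone != req.phone_on_record:  # caller ID can be spoofed
        return False, "caller number does not match number on record"
    if req.phone_changed_at and now - req.phone_changed_at < SIM_SWAP_WINDOW:
        return False, "number on record changed within SIM-swap window"
    if "callback" not in req.verified_by:  # desk must initiate an out-of-band call-back
        return False, "no call-back to the number on record"
    if req.privileged and "manager" not in req.verified_by:
        return False, "privileged reset lacks manager approval"
    return True, "verified"

# Constructed help-desk audit lines (sample data, not from any real incident).
AUDIT_LOG = """\
2025-04-17T09:12:03Z reset account=j.smith privileged=no checks=callback
2025-04-17T09:40:51Z reset account=svc-vendor-pos privileged=yes checks=callerid
2025-04-17T10:02:19Z reset account=it-admin privileged=yes checks=callback,manager
2025-04-17T10:15:44Z reset account=a.jones privileged=no checks=
"""

def flag_unverified_resets(log: str) -> List[str]:
    """Return accounts whose reset was completed without the required checks."""
    flagged = []
    for line in log.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split()[2:])
        checks = {c for c in fields.get("checks", "").split(",") if c}
        privileged = fields.get("privileged") == "yes"
        if "callback" not in checks or (privileged and "manager" not in checks):
            flagged.append(fields["account"])
    return flagged
```

Running `flag_unverified_resets(AUDIT_LOG)` on the sample lines flags the vendor account reset done on caller ID alone and the reset with no checks recorded, which are exactly the tickets a reviewer would pull after an incident like the ones above.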