Scattered Spider Returns: A Renewed Threat to Retail Cybersecurity
As of May 2025, the cyber threat landscape has shifted away from the UK, with the focus moving to US companies following a period of heightened activity in March and April.
One of the key drivers of that disruption was Scattered Spider, a loosely affiliated group of cyber criminals primarily targeting organisations in the UK and the United States. In the UK, the retail sector has been significantly impacted, with Marks & Spencer (M&S) being the first to have its breach made public. This incident resulted in the theft of customer data, including names, dates of birth, postal addresses, mobile numbers, and email addresses. According to Bleeping Computer, the attackers may have accessed the company’s systems using login credentials belonging to two employees of a third-party contractor. M&S has estimated a £300 million loss in profits as a result of the breach, with ongoing operational disruption expected to continue into July.
Around the same time, the Co-op was also reported to have suffered a cyber attack attributed to the same group, with a separate incident at Harrods also flagged as potentially linked. From the outset, details have been limited. However, where possible, the National Cyber Security Centre (NCSC) and other agencies worked to share key tactics to raise awareness and help prevent further attacks. As time passed, concerns grew about what might come next, although Scattered Spider apparently began focusing on targets in the United States.
As reported this week by the BBC, The North Face and Cartier confirmed they were victims of cyber attacks believed to be linked to the same threat actors. These developments suggest a strategic expansion of the group’s operations and reinforce the need for vigilance across sectors and borders. At present, full details and timelines of these attacks are still emerging. However, the consequences are already clear: loss of customer trust, significant financial impact, and long-term reputational damage.
Proactive measures are essential across all sectors to strengthen defences in light of these incidents. Here are key takeaways:
Enable Multi-Factor Authentication (MFA)
MFA remains one of the most effective defences against unauthorised access. All user accounts, especially those with elevated privileges or third-party access, should be protected by MFA to reduce the risk of credential compromise.
Have a Cyber Incident Response Plan
Every organisation should have a documented Cyber Incident Response Plan that outlines roles, responsibilities, and escalation procedures. A clear plan ensures that technical and non-technical staff members know how to respond swiftly and minimise damage during a breach.
Exercise your Response Plan
Having a plan is only part of it. Regularly test your incident response process through simulations and tabletop exercises. This ensures your team can act decisively under pressure and reveals any gaps before a real incident occurs.
Conclusion
The recent wave of attacks attributed to Scattered Spider highlights a broader trend: threat actors are becoming more sophisticated, more persistent, and more opportunistic. The retail sector, due to its reliance on third parties and its rich data sets, is a natural target, but we must all learn quickly and take meaningful steps as a result of these very public and painful attacks. Whether based in the UK or elsewhere, organisations must move to enhance their cyber resilience, preparing thoroughly and making risk-based investments in defences to recover from these inevitable incidents.