Not much happens by chance in cybersecurity.
In most cases, when multiple companies in a similar sector or field are compromised, it is due to one of two things: the organised threat groups targeting them are specialists in going after one particular sector, or there is a common vulnerability in a system which the majority of businesses in that sector use.
Since April this year, the U.K. has been rocked by a flurry of supply chain-based cyber attacks in the retail sector, beginning with news from Marks & Spencer, which had to suspend all online activities, along with the attack on the Co-Op Group and the preventative steps it took, and the recent news that sporting brand Adidas and premium brand Harrods have dealt with impactful cyber incidents. What’s interesting is that the attack techniques speculated for all these attacks aren’t focused on a particular zero-day vulnerability, nor thought to be generative-AI led, as cyber hype cycles would have you believe. Rather, they’ve focused on human-led manipulation of the supply chain to gain initial access and, in the case of M&S and Co-Op, on attacking and controlling the mission-critical virtualised infrastructure environments within the organisations.
The attacks have been credited to a group called Scattered Spider, who are persistent, financially motivated threat actors spread across the U.K. as well as the U.S., and are known to participate in high-profile ransomware and extortion attacks. They are also credited with being behind the 2023 attacks on Caesars Entertainment and MGM Resorts, which caused major disruption. In the past, they have also been linked to attacks on a handful of SaaS providers and consumer brands, including retailers.
Their techniques involve successful employee phishing campaigns using domains that impersonate recognisable brands as a key part of their strategy for gaining initial access, leveraging gateways and third-party vendors that may have access to their actual target.
The final alarming piece of the puzzle is that, in the case of M&S, it’s believed they’re readying a claim against their cyber insurance coverage of up to £100m to cover business losses of roughly 30% (£300m), and a 16% hit in the share price equating to approximately £1.3 billion.
Not only will this claim be a significant test for the insurance industry, but the inevitable reaction to it will most likely be increased premiums for other organisations in the U.K., as well as a heightened focus on, and evidence of, implementing good cyber controls and frameworks and showing significant effort to reduce the organisation’s cyber risk.
This kind of supply chain attack is also how attackers obtained consumer data from Adidas, and it poses the question: should all retailers be worried that they are next?
The simple answer to that is ‘yes,’ but the threat isn’t just isolated to the retail sector. All businesses need to treat their cybersecurity as a direct, top-level risk at the organisational level.
“What we have seen over the past couple of weeks should serve as a wake-up call for businesses and organisations up and down the U.K. as if we needed one, that cybersecurity is not a luxury but an absolute necessity.” — Rt Hon Pat McFadden MP, Chancellor of the Duchy of Lancaster and Minister for Intergovernmental Relations
This quote is taken from the keynote speech of the National Cyber Security Centre’s CyberUK event held earlier in May 2025. Organisations of all sizes are in the crosshairs of cyber gangs looking to make money. And now is as good a time as ever for these organisations to learn from the public reports, review their security, and make sure they have effective plans in place should the worst happen.
But What Steps Can Businesses Take?
There are four key pillars for improved cybersecurity:
- Educate your people and build a positive culture of security across the business
- Detect and respond to threats quickly across the entire attack surface
- Proactively remediate vulnerabilities which are high risk to your organisation
- And have a comprehensive incident response (IR) plan that you regularly test with your business leaders
It’s a sad fact that cybersecurity incidents are a matter of when, not if. Arctic Wolf® Incident Response, which engages in over 1000 forensic attack investigations per year, reported in 2024 that, in 76% of intrusion cases, threat actors employed at least one of ten specific vulnerabilities, none of which were zero-days and seven of which were associated with remote access tools or other externally facing services.
In other words, the majority of successful intrusions were caused by known vulnerabilities that remained unpatched and accessible on the public internet. This data suggests that the security challenges organisations struggle with internally are solvable, if IT and security leaders take the necessary steps to ensure that they are regularly patching and reviewing the complexities and attack surfaces in their network. This kind of planning is essential to create a cyber resilient environment, but organisations must also have a strong IR plan in place in case they fail to patch a known vulnerability or are targeted by a zero-day.
Many organisations fail to regularly test their IR plan from preparation to post-incident review while conducting the proper exercises along the way. Just as an organisation’s business strategy and tech stack are constantly evolving, so should their IR plan, to ensure that all stakeholders know their role, that containment procedures are up to date and, most importantly, that the amount of downtime is mitigated.
How Arctic Wolf Can Help
That’s why Arctic Wolf’s new Incident360 Retainer is a valuable solution for organisations of all sizes looking to enhance their cyber resiliency. The Arctic Wolf Incident360 Retainer is the only retainer that includes full IR coverage for any incident type and provides customers with prioritised access to insurance-approved IR experts that will remove the threat actor’s access to the environment, determine the root cause and extent of the attack, and restore business systems and applications to normal.
The Incident360 Retainer also includes a full suite of readiness activities, including IR planning and a tabletop exercise, to prepare an organisation ahead of a cyber incident. This proactive planning helps organisations respond and emerge faster from incidents.
Traditional IR retainers force organisations to guess in advance how many service hours they’ll need to prepare for and recover from a cyber attack. This creates a risky trade off: either invest hours upfront in readiness and risk not having enough left when an attack hits or save hours for emergencies and delay critical preparation. The Arctic Wolf Incident360 Retainer eliminates the need to make that compromise.
Looking beyond IR capabilities – which really are the last line of defence – Arctic Wolf’s core focus is to deliver comprehensive security operations solutions for organisations of all sizes – from vulnerability management, employee security awareness and education, and 24×7 holistic managed detection and response to AI-powered endpoint security, all through our Aurora™ platform – meeting our customers where their cyber risk exists, for the outcomes and requirements they need to address most. But the way that organisations move the needle in addressing cyber risk is not through more technology alone – it’s through delivering continuous improvement and hardening of cyber controls, hygiene, and best practices across the organisation – which Arctic Wolf brings through the Security Journey. What’s more, our customers are supported by the cyber industry’s biggest Security Operations Warranty, which brings up to $3M (USD) of coverage for cyber incidents.
If these attacks on retailers are indeed ransomware attacks, as is being speculated, it can be an expensive problem – causing potentially millions of pounds in lost sales, plus impacting their reputation and stock price. But then there is also the cost of the ransom itself, and of course, getting the situation resolved and systems back up and running again.
Managing your risk and exposure to cyber threats is critical to your business, staff, shareholders, and of course, customers. You need to be confident that you can address cyber risk end-to-end through a single partner with the platform and security expertise to mitigate risks and strengthen your security posture over time. This preparation will pay off when dealing with the sorts of challenges these retailers are facing to keep their businesses online, and indeed, afloat.