Menu
Browse

Cyber Incident Victim: Harrods

Date:

Jan 2025

Location:

United Kingdom

Summary

Harrods was among several major UK retailers targeted in a coordinated cyberattack by the Scattered Spider group, which employed DragonForce ransomware alongside sophisticated social engineering tactics and compromised third-party credentials to infiltrate networks. The attackers conducted prolonged reconnaissance before deploying ransomware, resulting in severe financial losses across the sector, with some retailers facing operational disruptions that required extensive system rebuilds while others mitigated impact through advanced cloud infrastructure. The incidents, characterized as deliberate targeting of the retail sector's vulnerabilities, prompted industry-wide enhancements in crisis communications, accelerated digital transformation, and investments in specialized security teams to bolster employee awareness and third-party risk management.

CIA Posture Motives Tactics, Techniques & Procedures
Available to members 1 motive 1 technique
Threat Actor Type Location
1 actor Available to members Available to members

Description

In 2025, a coordinated series of cyberattacks attributed to the Scattered Spider group targeted multiple major UK retailers, including Harrods, Marks & Spencer (M&S), and the Co-op. The attackers deployed DragonForce ransomware after infiltrating victim networks through sophisticated social engineering tactics and the compromise of third-party credentials. Following initial access, the threat actors conducted prolonged reconnaissance activities within the environments to map systems and identify critical assets before executing ransomware deployment. The attacks inflicted severe financial damage across the sector, with M&S reporting estimated losses of £300 million and the Co-op £206 million, though specific loss figures for Harrods were not disclosed in available reporting. The incidents prompted parliamentary hearings and industry summits to examine systemic vulnerabilities, particularly highlighting the retail sector's expansive attack surface and historically constrained IT budgets as contributing factors to the attacks' success.

Cyber Incident Image

The attacks revealed significant disparities in organizational resilience based on technological preparedness. The Co-op experienced comparatively limited operational disruption due to its advanced migration from legacy systems to cloud infrastructure prior to the incident, enabling faster recovery. In contrast, M&S faced months of system rebuilding efforts. Industry analysts, including River Island's CISO Sunil Patel, noted the attacks demonstrated deliberate targeting rather than opportunistic scanning, with threat actors exploiting known sector weaknesses. In the aftermath, unaffected retailers including Holland & Barrett and AllSaints accelerated crisis communication planning, prioritized digital transformation initiatives, and established specialized "people security" teams focused on enhancing employee cybersecurity awareness and third-party vendor risk management protocols. The collective financial impact across targeted retailers reached hundreds of millions of pounds, establishing the incident as one of the most costly cyber campaigns against UK retail infrastructure.

Sources
Sources available to members
1 source