British govt agents step in as Harrods becomes third mega retailer under cyberattack
- Reference: 1746181512
- News link: https://www.theregister.co.uk/2025/05/02/ncsc_steps_in_as_harrods/
It confirmed the incident in a statement, hinting that, like Co-op's case earlier in the week, the attack may not have been successful.
"We recently experienced attempts to gain unauthorised access to some of our systems," it told The Register.
"Our seasoned IT security team immediately took proactive steps to keep systems safe and as a result we have restricted internet access at our sites today.
"Currently all sites including our Knightsbridge store, H beauty stores, and airport stores remain open to welcome customers. Customers can also continue to shop via harrods.com.
"We are not asking our customers to do anything differently at this point and we will continue to provide updates as necessary."
Harrods opted not to answer The Register's questions about what exactly was meant by restricted internet access, if there are currently any product supply concerns for stores, or whether the incident involved ransomware.
None of the three UK retailers currently battling cybersecurity issues – M&S, Co-op, and now Harrods – have confirmed whether ransomware was involved, although the rumor mill is whirring with mutterings of [5]Scattered Spider's involvement.
Threat intel expert and current SANS instructor Will Thomas warned UK retailers on Thursday evening to take proactive measures to fortify their cyber defenses.
The UK is about to enter another long weekend, with a public holiday on Monday, so now would be the time.
Thomas [7]said via X: "There is an active cybercriminal (Scattered Spider-style) ransomware campaign targeting your sector."
It also seems as though the hit on Harrods was the final straw for the UK's National Cyber Security Centre (NCSC), whose CEO was moved to speak publicly on the spate of attacks.
Richard Horne, CEO at the GCHQ cybersec offshoot, confirmed the organization was assisting all three retailers on Thursday, and said the ongoing saga should serve as a wake-up call to all other organizations.
"The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers, and the public," he said.
"The NCSC continues to work closely with organisations that have reported incidents to us to fully understand the nature of these attacks and to provide expert advice to the wider sector based on the threat picture.
"These incidents should act as a wake-up call to all organisations. I urge leaders to follow the advice on the NCSC website to ensure they have appropriate measures in place to help prevent attacks and respond and recover effectively."
It's currently unknown if all three cyberattacks are linked in some way. No organization has officially attributed any of the attacks to specific groups or cybercriminals, and no one has claimed responsibility for them either.
Suggestions of Scattered Spider, a known affiliate of ransomware groups, being involved in the attack on M&S were commingled with rumors of [8]DragonForce ransomware being used.
In such cases, if negotiations were to stall for whatever reason, the [9]usual approach taken by ransomware crews would be to publicly disclose the incident to apply pressure to negotiations.
However, infosec watchers have kept a close eye on DragonForce's leak site, which has mysteriously been down for several days. No other names have thus far entered the mix.
M&S and Co-op latest
It was just under two weeks ago that the [10]issues at M&S started to take hold. Various aspects of the business were suspended, some of which have been reinstated while others remain at a halt.
Some shoppers reported stock issues at their local stores, with images of empty shelves flying around social media, although the retailer has not publicly acknowledged any stock issues.
Customer service reps are trickling information out in public responses, however. Click & Collect orders were the first to be made unavailable to customers, with online and app orders still up and running. Now, all online and in-store orders have been paused, according to an [11]update shared on Friday morning. Returning orders continues to be difficult for customers too.
Marks & Spencer CEO Stuart Machin offered his apologies to customers in a statement on Friday.
"We are really sorry that we've not been able to offer you the service you expect from M&S over the last week," he said.
"We are working day and night to manage the current cyber incident and get things back to normal for you as quickly as possible.
"Thank you from me and everyone at M&S for all the support you have shown us. We do not take it for granted, and we are incredibly grateful.
"Our teams are doing the very best they can, and are ready to welcome you into our stores – whether you are shopping for food or for fashion, home, and beauty this bank holiday weekend.
"Thank you for your support, and thank you for shopping with us. We will continue to keep you updated."
Like M&S, the Co-op was the second retailer to confirm an attempted cyberattack this week, although details of its situation are not as readily available.
The company has not updated any information in its official statement since the first one it released following the attack.
A spokesperson for the company said: "We have recently experienced attempts to gain unauthorized access to some of our systems.
"As a result, we have taken proactive steps to keep our systems safe, which has resulted in a small impact to some of our back office and call center services.
"All our stores (including quick commerce operations) and funeral homes are trading as usual.
"We are working hard to reduce any disruption to our services and would like to thank our colleagues, members, partners, and suppliers for their understanding during this period.
"We are not asking our members or customers to do anything differently at this point.
"We will continue to provide updates as necessary."
ITV News' business and economics editor Joel Hills shared what he said was an internal memo sent to staff by Rob Elsey, Co-op's chief digital information officer, which said the company VPN was taken down.
"We would ask for your patience as we take some additional pre-emptive actions on remote access to continue to keep our Co-op safe," [16]the memo said. "This means, if you work from home, you won't be able to access systems and apps that require you to sign in using a VPN, all other services will work as normal.
"Co-op locations will not be impacted by work on remote connections therefore if you are having issues accessing systems or need to access applications, please work from a Co-op location."
The memo also revealed that staff were asked not to record or transcribe [17]Teams calls, to ensure all attendees are expected and are on camera, and to avoid submitting sensitive information to any Teams chats. ®
[5] https://www.theregister.com/2025/04/08/scattered_spider_updates/
[7] https://x.com/BushidoToken/status/1917991625135145421
[8] https://www.theregister.com/2025/03/27/security_shop_pwns_ransomware_gang/
[9] https://www.theregister.com/2024/10/22/akira_encrypting_again/
[10] https://www.theregister.com/2025/04/25/ms_halts_online_orders/
[11] https://x.com/marksandspencer/status/1918224297237115152
[12] https://www.theregister.com/2025/04/25/ms_halts_online_orders/
[13] https://www.theregister.com/2025/04/24/marks_spencer_outage_ongoing/
[14] https://www.theregister.com/2025/03/27/ransomwared_nhs_software_supplier_nabs/
[15] https://www.theregister.com/2024/10/16/wales_bitcoin_landfill_lawsuit/
[16] https://x.com/ITVJoel/status/1917669565254738138/photo/1
[17] https://www.theregister.com/2024/04/02/milcrosoft_teams_license_changes_global/
Re: We can't continue to regard these simply as "IT Problems"
That's the problem: Management don't fund any preparatory/defensive work before any attack as they feel it's scare mongering by the techies so money down the drain. It's only once they've been hit does management really understand the consequences.
My place was hit a while ago and money was suddenly flowing on IT security initiatives,
There's an argument to be had that every organisation should endure at least one painful cyber incident.
Re: We can't continue to regard these simply as "IT Problems"
I totally agree, coming at it from the position of selling equipment that performs a critical function in national and international telecoms networks, we always provide options that include greater resilience and with enhanced monitoring and management to find issues early and fix them when they do. The network designers and engineers nearly always understand and will agree on a well engineered solution and when it comes to sign off by the accountants the question gets asked "what is the ROI?" (there isn't any), "this extra stuff is only costing more to run", etc. etc. and of course they are right, and of course we want to sell as much as we can, but the state things get pared down to because it's classed as an overhead to be reduced is frankly scary sometimes - the issue of what it will cost if there is a problem doesn't seem to feature.
Re: We can't continue to regard these simply as "IT Problems"
Only one quibble with your post: management NEVER learns nor suffers real consequences,
Re: We can't continue to regard these simply as "IT Problems"
> The failure of the electricity grids in Spain and Portugal has amply demonstrated our dependence on a whole variety of technologies and our lack of preparedness for their inevitable failures. Although failures are relatively rare, their effects can be very pervasive and prolonged.
Speaking of which: There was also a fire at one of the most critical 400kV substations which barely made the news a few days ago...
https://www.bbc.co.uk/news/articles/cx2wvz4pjryo
Fortunately it didn't cause a major outage, but this sort of thing is becoming startlingly common
I bet the spooks are, well, spooked.
Once is happenstance, twice is coincidence, three times is enemy action.
Fortnum & Mason
At least they are still OK.
Re: Fortnum & Mason
Thank goodness, my cat Tiddles III would be most displeased if her caviar didn't arrive on time.
Management don't care
However sysadmins, I'd just check your domain admin groups this afternoon. See if anything has popped up that shouldn't be there. 3 day weekends & a 4 day week where staff will be on holiday is the perfect time to be encrypting away.
Who knows what one of your Devops morons might have installed from a random github library
M&S Store shopping - no stock at the best of times
Not sure if any other UK reg commentators can say the same, but my local branch of M&S (Southport) have now stopped selling men's suits of any kind.
The assistants say "go to Liverpool, there's more range there". But there really isn't. I'm not some obscure size - just a regular 6 foot 4 bloke.
The only option to buy a simple black suit from M&S is online. Which I now can't
Re: M&S Store shopping - no stock at the best of times
The principle of having a range of stock in store seems to have been abandoned. I've had trouble for years buying items of clothing in specific sizes for elderly relatives. The message seems always be to go online. This presumably must generate a lot of unnecessary returns as a result of not being able to see or try garments in store. There seems to be space - there are even stores where the floor space has been actively reduced - but perhaps there is less wastage overall if the majority of stock is kept centrally.
Having done some work with a clothing retailer there is a genuine problem in matching the size variations in manufacturing orders to the eventual demand. In the old days, when most of the manufacturing was done in the UK, they could place an initial order and top it up depending on how the season went. Now, you're stuck with what came on the boat.
Re: M&S Store shopping - no stock at the best of times
Then stop buying suits from M&S.
Their quality has crashed over the last couple of decades anyway, the woolblend stuff they used to sell was of decent quality. There's no particular point in paying a premium price for some polyester blend made in China stuff that's so bad that you wouldn't buy it if you could feel it before handing the money over. It's not like they are particularly short on competition.
Re: M&S Store shopping - no stock at the best of times
I'd recommend John Lewis for a suit. I'm 6ft 3 and I find the clothes are better at JL than M&S anyway.
Also, as a tall bloke - do you too get fucked off that all the 33 long jeans are always at the bottom of the rack, while the 29" leg trousers are on the top rack?
Surely it should be the other way round!?
Re: M&S Store shopping - no stock at the best of times
Andy, try 2tall.com. At 6ft 4in you are a bit short (bet you've always wanted to hear that!) and follow the measuring guidelines precisely. Clothes fit nicely and returns are simple. Mail order as it should be.
I'm a happy customer, John (6ft 8in)
security , no it's in the way
been working in this area for years and for a number of online services. The last thing considered is security - the first thing is the api working - no - give it admin rights - it's working yes. right now we go live with it but I said it's not secure take away the privilege. Don't be stupid, it's working man, the last thing that will happen is we get attacked online, it's very rare. - agile for you
my previous company got hacked through a redis vulnerability and managed to startup bitcoin servers in EC2 and my current place got a ransomware attack.
When I started at my current workplace their opinion (even the CEO) said all their websites should be online, even though they had explicit customers for specific APIs, I said whitelist their IPs. The answer, "No, don't be silly that's too inflexible and restrictive"
I got asked to enable WAF rules, some of these rules broke the API but just needed exclusions, they said too complicated, leave some of the rules out.
Almost all of them do yearly pentests, these are total bollocks, they get given a fixed environment with little exposed and don't do internal pen testing, i.e. all the middleware services/load balancers on the internet which don't need to be and s3 buckets - this is usually number 1 of the list. What they should get is every endpoint exposed externally and tests these for all types of attacks. Also internally they should check security patches are either auto or manually patched regularly as they come out to be thorough but how to maintain this, dunno, some companies won't pay for full time security engineers when I guess they need to spend more money on functionality. It's a question of "what happens if we do get hacked"
I still remember my first job in a large investment bank in 1997, there was an audit by a large well known auditor and I was asked to install some sophos software on some Unix servers. When the audit finished, I was asked to remove the software.
Maybe the government should have legislation to any commercial businesses that online presence means security first and the privilege of least access to do what's required and regular patching, exposing only the required services and nothing else should be part of the mandate and they should get a third party to do end-to-end testing.
Re: security , no it's in the way
We've had problems with permissions in Microsoft world: We give accounts the correct limited permissions but when we log support calls saying it doesn't work MS just say "Oh just give the account Administrator rights: That'll fix it" and want to close the ticket.
"Harrods, a globally recognized purveyor of all things luxury,"
I'll bet it's more globally recognised for other things these days.
Did anyone see the story about Co-Op ?
*Now* they suddenly decide it's a good idea that all participants in a meeting* have their cameras on to prevent unauthorised access.
What fucking idiot signed off on a policy to the contrary.
*Meeting. Not a sermon or broadcast to the masses.
We can't continue to regard these simply as "IT Problems"
The failure of the electricity grids in Spain and Portugal has amply demonstrated our dependence on a whole variety of technologies and our lack of preparedness for their inevitable failures. Although failures are relatively rare, their effects can be very pervasive and prolonged.
Although there are technology weaknesses that need to be fixed, it seems like much more work needs to be done to ensure business processes can continue when things go wrong. That might come at some cost and inconvenience by deliberately introducing barriers between system components that have previously been integrated for operational efficiency to reduce contagion and offer more points of human intervention for remediation. However, considering the increasing number of incidents and the increasing dependence on a relatively small number of platforms, there's a growing risk of sudden economic damage equivalent to that of a major natural disaster.