Human Error at the Heart of Recent Ransomware Attacks on UK Retail Giants
Examining the mistakes behind the recent cyberattacks on UK retailers and their costly consequences
Several recent ransomware attacks on UK retailers demonstrate that human error is a primary factor in cybersecurity breaches. Recent incidents involving Marks & Spencer (M&S), Harrods, and Co-op highlight how human risk plays a critical role in enabling these attacks. While technical vulnerabilities contribute to the problem, the underlying factor often remains human behavior, whether through compromised credentials or exploited helpdesk protocols.
Marks & Spencer attack: Prolonged disruption and supplier fallout
British retail giant Marks & Spencer has been working this month to address fallout from a major ransomware attack. The incident is attributed to the threat actors known as Scattered Spider. The attack disrupted payment systems, halted online ordering, and forced hundreds of warehouse workers to stay home. At the time of writing, online orders remain paused, and the company has pulled job postings from its website and halted recruitment efforts. Some stores have faced food shortages as certain systems were taken offline to manage the attack. Suppliers, including Greencore and Nails Inc., told the BBC there have been disruptions, and some have resorted to manual processes to keep up with demand. While technical vulnerabilities played a role, the root cause traces back to human risk: specifically, the exploitation of employee credentials.
According to multiple reports, attackers breached the company’s systems by obtaining the NTDS.dit file from a Windows domain controller, containing hashed credentials. These credentials were likely acquired through social engineering tactics, such as phishing or multi-factor authentication (MFA) bombing, where users are overwhelmed with MFA requests until they inadvertently approve one.
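MFA bombing leaves a recognisable trace in authentication logs: a burst of push prompts to one user, mostly denied or expired, followed by an approval. The detector below is an added example written for this article, not Mimecast's code or any product's logic; the log format (ISO timestamp, user, event name, source IP), the event names and the sample lines are all constructed for illustration, and the threshold and window are assumptions a defender would tune to their own identity provider's data.

```python
"""Detect MFA push-fatigue (MFA bombing) patterns in authentication logs.

A user who receives many push prompts within a short window and then
approves one is the classic signature of a fatigue attack that succeeded.
Log format, event names and sample data are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

PROMPT_THRESHOLD = 5            # prompts within the window before an approval (assumed)
WINDOW = timedelta(minutes=10)  # look-back window before the approval (assumed)

# Constructed sample log: "<ISO timestamp> <user> <event> <source ip>".
# alice receives six prompts in three minutes and finally approves one;
# bob gets a single prompt and approves it, which is normal behaviour.
SAMPLE_LOG = """\
2025-05-01T08:00:05Z alice MFA_PUSH_SENT 203.0.113.10
2025-05-01T08:00:20Z alice MFA_PUSH_DENIED 203.0.113.10
2025-05-01T08:00:40Z alice MFA_PUSH_SENT 203.0.113.10
2025-05-01T08:00:55Z alice MFA_PUSH_DENIED 203.0.113.10
2025-05-01T08:01:10Z alice MFA_PUSH_SENT 203.0.113.10
2025-05-01T08:01:30Z alice MFA_PUSH_EXPIRED 203.0.113.10
2025-05-01T08:01:45Z alice MFA_PUSH_SENT 203.0.113.10
2025-05-01T08:02:00Z alice MFA_PUSH_DENIED 203.0.113.10
2025-05-01T08:02:20Z alice MFA_PUSH_SENT 203.0.113.10
2025-05-01T08:02:40Z alice MFA_PUSH_DENIED 203.0.113.10
2025-05-01T08:03:00Z alice MFA_PUSH_SENT 203.0.113.10
2025-05-01T08:03:12Z alice MFA_PUSH_APPROVED 203.0.113.10
2025-05-01T09:15:00Z bob MFA_PUSH_SENT 198.51.100.7
2025-05-01T09:15:08Z bob MFA_PUSH_APPROVED 198.51.100.7
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    event: str
    src_ip: str


def parse_log(text):
    """Parse the constructed four-field log format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, event, ip = line.split()
        events.append(AuthEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, ip))
    return events


def detect_push_fatigue(events, threshold=PROMPT_THRESHOLD, window=WINDOW):
    """Return one alert per approval that was preceded by >= threshold prompts in the window."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for i, e in enumerate(evs):
            if e.event != "MFA_PUSH_APPROVED":
                continue
            # Count prompts sent to this user shortly before the approval.
            recent = [p for p in evs[:i]
                      if p.event == "MFA_PUSH_SENT" and e.ts - p.ts <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "user": user,
                    "approved_at": e.ts.isoformat(),
                    "prompts_in_window": len(recent),
                    "source_ips": sorted({p.src_ip for p in recent}),
                })
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_push_fatigue(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The approval is only the final step; a defender would also want to alert on the prompt burst itself, before any approval, so the account can be locked and the user contacted while the attempt is still in progress. Number-matching or FIDO2 authenticators remove the "accidental approve" path that this detector is watching for.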
The financial toll of the M&S attack is significant. Disruptions to online ordering cost the company approximately £3.8 million per day, while the broader incident potentially wiped £500–700 million off its market value. The company’s share price was down over 14% in the days after the attack. The damage highlights how the intersection of human error and ransomware can lead to catastrophic business consequences.
Social engineering unlocks network access and data theft in Co-op incident
Co-op, another major UK retailer, also became a target this month. Cybercriminals exploited human vulnerabilities by directly targeting IT personnel. According to reports, attackers used social engineering techniques to convince IT workers to reset a legitimate employee's password, allowing unauthorized access to critical systems. Once inside, the attackers moved laterally through the network, gaining deeper access and potentially harvesting sensitive data, including parts of the membership database.
The attack's impact is severe in Scotland's islands, where Co-op is the primary grocery retailer. Many stores say they are dealing with shortages of fresh food items, including milk, fruit, and vegetables. Deliveries to stores across the UK were disrupted due to the attack's impact on Co-op's logistics systems.
To contain the threat, Co-op took proactive measures such as partially disabling internet access, requiring employees to keep their cameras on during meetings, and instructing staff to verify participants’ identities in calls. These actions reflect a layered approach to mitigate potential lateral movement once a breach occurs.
The National Cyber Security Centre (NCSC) has also issued guidance following the attacks, advising retailers to strengthen helpdesk password reset procedures to reduce the risk of similar breaches. This guidance comes as ransomware groups continue to evolve their tactics. According to the latest Coalition report, ransom demands decreased by 22% in 2024, averaging $1.1 million, with the latter half of the year seeing demands drop below $1 million for the first time in over two years. This decline is attributed to a shift in strategy, with attackers increasingly focusing on data theft rather than relying on encryption-based extortion, highlighting the need for robust data protection practices.
Retail under attack: Harrods also attacked by threat actors
Harrods, the iconic UK luxury department store, also recently confirmed it was targeted in a cyberattack. In response to unauthorized access attempts, Harrods proactively restricted internet access across its sites, including its Knightsbridge flagship and online platform, to safeguard its systems. While the company has not disclosed specific details about the breach, it did confirm that social engineering tactics were involved.
Human targets, human actors. Scattered Spider and DragonForce: A human-centric attack alliance
The threat actors behind the attacks are reported to be known as Scattered Spider and are linked to DragonForce, a ransomware group that operates as a Ransomware-as-a-Service (RaaS) provider. DragonForce claimed responsibility for the attacks on M&S, Co-op, and the attempted hack on Harrods. Security experts believe that while DragonForce offers the ransomware infrastructure, Scattered Spider is among the affiliates using it to conduct attacks. According to the US Cybersecurity and Infrastructure Security Agency (CISA), rather than relying on technical exploits, these groups manipulate employees through tactics such as MFA fatigue attacks, SIM swapping, impersonation of IT support staff, and phishing attacks. Their focus on exploiting human behavior rather than systems distinguishes them from more traditional ransomware groups. Many ransomware groups are increasingly shifting away from solely relying on malware, focusing instead on stealing sensitive data and credentials for extortion or sale on dark web forums. This evolution reflects a growing preference for less detectable and more versatile methods, though malware remains a tool for some.
Scattered Spider’s methods often involve creating attack waves targeting multiple organizations within the same industry. In fact, NCSC published a blog noting that the retail sector should be on guard against ransomware attacks and take steps to mitigate their potential.
The pattern of Scattered Spider aims to maximize disruption and public attention, leveraging human risk as the central point of compromise. Their collaboration with groups like DragonForce allows them to rapidly scale their efforts, combining aggressive phishing and credential theft with ransomware deployment. See examples of the techniques used to gain access from Mimecast’s threat intelligence team.
Recent research from Mimecast reveals that 95% of data breaches are caused by human error and that just 8% of employees account for 80% of security incidents. Organizations must prioritize identifying high-risk individuals and implementing targeted training to mitigate these vulnerabilities. Additionally, with over 90% of threats delivered via email, it’s critical to focus on blocking these entry points to prevent attackers from gaining access to credentials and moving laterally within systems. Security leaders can take these key actions to reduce vulnerabilities and strengthen defenses against ransomware attacks.
- Strengthen pre-delivery protections. Stop ransomware before it reaches users by implementing robust threat detection systems. Focus on filtering out phishing emails, malicious attachments, and fraudulent websites to minimize entry points for attackers. Ensuring email-based threats are blocked is a foundational step in preventing credential theft and lateral movement.
- Monitor and understand human risk. Utilize data and analytics to identify individuals within your organization who may be more vulnerable to cyber threats. Take proactive steps to address their risks through contextual awareness and tailored action plans.
- Equip and empower employees. Regularly provide targeted cybersecurity training and timely reminders to help employees recognize and respond to threats. Encourage behaviors like verifying password reset requests and flagging suspicious activity as part of daily habits.
- Apply adaptive security measures. Develop flexible security controls that adjust based on risk levels. This allows high-risk individuals or scenarios to receive additional protections without burdening overall operations.
- Prioritize post-breach detection. Ensure that suspicious internal activities are closely monitored. Detect and respond swiftly to unusual behavior, such as unauthorized data movement or harmful communications, to prevent further harm from compromised accounts.
- Ensure data resilience. Maintain secure, redundant backups of critical information and files. Design systems that allow for quick data restoration, preventing the need to pay ransoms and ensuring continuity in the face of attacks.
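The post-breach detection item above calls for spotting "unauthorized data movement" from a compromised account. Since these groups now favour data theft over encryption, a simple and robust way to do that is to keep a per-user baseline of daily egress volume and flag a day that departs sharply from it. The code below is an added example written for this article, not Mimecast's code or any product's logic; the record format (date, user, megabytes downloaded), the thresholds and the sample figures are constructed assumptions, and a real deployment would feed it from file-share, proxy or cloud-storage audit logs.

```python
"""Flag unusual per-user data movement against a robust daily baseline.

For each user, each day's egress volume is scored against the median and
median absolute deviation (MAD) of that user's preceding days. A day that is
both far above the baseline (high robust z-score) and above an absolute
floor is reported. Record format and sample data are constructed.
"""
import statistics
from collections import defaultdict

MIN_HISTORY_DAYS = 7    # days of history needed before a day is scored (assumed)
K_SIGMA = 6.0           # robust z-score threshold (assumed)
ABS_FLOOR_MB = 500.0    # ignore small spikes on very quiet baselines (assumed)

# Constructed sample: (date, user, megabytes downloaded from internal shares).
# carol has a normal fortnight and then pulls 2.4 GB in one day;
# dave has a flat baseline and a modest bump that should not alert.
SAMPLE_EGRESS = [
    ("2025-04-21", "carol", 52), ("2025-04-22", "carol", 61), ("2025-04-23", "carol", 48),
    ("2025-04-24", "carol", 70), ("2025-04-25", "carol", 55), ("2025-04-28", "carol", 66),
    ("2025-04-29", "carol", 58), ("2025-04-30", "carol", 63), ("2025-05-01", "carol", 49),
    ("2025-05-02", "carol", 57), ("2025-05-05", "carol", 2400),
    ("2025-04-21", "dave", 60), ("2025-04-22", "dave", 60), ("2025-04-23", "dave", 60),
    ("2025-04-24", "dave", 60), ("2025-04-25", "dave", 60), ("2025-04-28", "dave", 60),
    ("2025-04-29", "dave", 60), ("2025-04-30", "dave", 60), ("2025-05-01", "dave", 60),
    ("2025-05-02", "dave", 60), ("2025-05-05", "dave", 120),
]


def robust_zscore(value, history):
    """Robust z-score: (value - median) / (1.4826 * MAD), with a floor on sigma.

    The floor keeps a perfectly flat history (MAD == 0) from dividing by zero
    and from turning every tiny change into an alert.
    """
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    sigma = max(1.4826 * mad, 1.0)
    return (value - med) / sigma


def detect_egress_spikes(records, min_history=MIN_HISTORY_DAYS, k=K_SIGMA, floor_mb=ABS_FLOOR_MB):
    """Return one alert per (user, day) whose volume is anomalous against prior days."""
    per_user = defaultdict(list)
    for date, user, mb in sorted(records):   # ISO dates sort chronologically
        per_user[user].append((date, float(mb)))

    alerts = []
    for user, days in per_user.items():
        history = []
        for date, mb in days:
            flagged = False
            if len(history) >= min_history:
                z = robust_zscore(mb, history)
                if mb >= floor_mb and z > k:
                    flagged = True
                    alerts.append({
                        "user": user,
                        "date": date,
                        "mb": mb,
                        "baseline_median_mb": statistics.median(history),
                        "robust_z": round(z, 1),
                    })
            # Keep flagged days out of the baseline so one spike does not
            # raise the bar for detecting the next one.
            if not flagged:
                history.append(mb)
    return alerts


def run_sample():
    """Run the check over the constructed sample records."""
    return detect_egress_spikes(SAMPLE_EGRESS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Volume is only one signal; the same scoring pattern applies to counts of distinct files touched, first-time access to a share, or downloads outside the user's usual hours, and combining two or three such signals cuts false positives considerably. The absolute floor is what stops dave's doubling from 60 MB to 120 MB from paging anyone.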
Final thoughts: From risk to resilience
Ransomware is a persistent threat, and recent attacks highlight how human behavior often serves as a key vulnerability. Strengthening defenses requires a focus on preventative measures, equipping employees with the knowledge and tools to reduce error and closely monitoring for unusual activity. Mimecast enhances these efforts by blocking over 90% of email-based threats at their source, preventing attackers from gaining a foothold. By addressing human risk and adopting a comprehensive cybersecurity approach, organizations can significantly lower their chances of falling victim to future attacks.