Recruitment & Employment Confederation
Insight

Retail cyber storm: Practical cyber-security guidance after the M&S & Co-op breaches.

Advice for employers

Why do the M&S and Co-op cyber-security breaches matter to a recruitment business like yours, even if you don't sell socks or groceries? It is important to understand how and why these breaches happened, and what businesses can do to prevent and protect against breaches that could affect the livelihoods of many.


The background

Over the Easter weekend, Marks & Spencer's systems were disrupted, halting both in-store and online operations. Shortly after, the Co-op revealed a significant breach involving customer and employee data. Analysts at Deutsche Bank estimate M&S's direct profit loss at around £30 million, while the Co-op faces reputational damage and potential regulatory scrutiny.

Both incidents began with criminals impersonating staff to reset privileged passwords via the IT help desk, leading to ransomware attacks and data theft. The UK's National Cyber Security Centre (NCSC) has urged all organisations to review help desk processes and tighten identity checks.

If your business stores personal data on candidates, clients, or employees, this could happen to you. Email, help desk, collaboration tools, and HR databases could present vulnerabilities. Social-engineering phone calls are a cost-effective and often successful method for criminals.

What happened, and what you can do

| Phase | What happened | What you can do |
|---|---|---|
| Recon | Attackers gathered staff details from LinkedIn and breached inboxes. | Remember that public profiles and inbox rules can leak enough information to impersonate staff. Consider how you make your staff aware of these risks. |
| Initial access | Attackers called the IT help desk pretending to be locked-out employees, and convinced agents to reset multi-factor authentication (MFA) enrolment and passwords. | Verify identity (e.g. a callback on a known number). Document and drill the process. |
| Privilege escalation | Once inside, the attackers targeted admin dashboards to disable defences and deploy DragonForce ransomware (a Ransomware-as-a-Service (RaaS) affiliate programme that uses two versions of ransomware, which can be tailored to maximise impact). | Least-privilege access and admin session recording reduce the size and scope of the impact. |
| Impact | M&S suspended all online orders for more than 10 days; the Co-op admitted to customer data exposure and back-office outages. | Make sure you have a cyber-incident response plan. [1] Incident-response plans must include business continuity run books and communication templates. |


Five actions for your business to take sooner rather than later

1. Sort out your helpdesk reset process

What you can do:

  • Require a call-back to a pre-registered employee phone number for all password/MFA resets.
  • Introduce a short, shared secret or token in your business (recommended by NCSC for privileged users).
  • Script the questioning so helpdesk agents are consistent, even under pressure.
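The three controls above can be written down as a single decision the help-desk agent's script walks through. The following is an added example, not code from the REC article or the NCSC: a small Python policy check in which the callback number comes only from the HR directory (never from the caller), the shared secret is compared in constant time, and an MFA re-enrolment needs a second admin who is not the agent handling the call. The directory, the secrets and the function names are constructed for the example.

```python
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample HR directory. It is the only source of truth for callback
# numbers: a number the caller reads out over the phone is never dialled.
DIRECTORY = {
    "alice": {"phone": "+44 20 7946 0000", "privileged": True},
    "bob":   {"phone": "+44 20 7946 0001", "privileged": False},
}

# Constructed shared secrets for privileged users (in practice issued out of
# band and stored hashed, not kept in source).
SHARED_SECRETS = {"alice": "otter-velvet-42"}


@dataclass
class ResetRequest:
    username: str
    reset_type: str                          # "password" or "mfa"
    agent: str                               # help-desk agent handling the call
    callback_number_dialled: Optional[str]   # number the agent actually rang
    callback_answered: bool                  # did the employee pick up and confirm?
    caller_supplied_number: Optional[str] = None  # number the caller asked us to use
    secret_offered: Optional[str] = None
    approving_admin: Optional[str] = None    # second admin for MFA re-enrolment


def evaluate(req: ResetRequest) -> Tuple[bool, List[str]]:
    """Return (approved, reasons). Every failed control is listed, so the
    scripted call can ask for the missing step instead of improvising."""
    reasons: List[str] = []
    record = DIRECTORY.get(req.username)
    if record is None:
        return False, ["unknown user"]

    # Control 1: callback to the pre-registered number, never a caller-supplied one.
    if not req.callback_answered:
        reasons.append("callback not completed")
    elif req.callback_number_dialled != record["phone"]:
        why = "callback went to a number not on record"
        if req.callback_number_dialled == req.caller_supplied_number:
            why += " (the number the caller gave)"
        reasons.append(why)

    # Control 2: shared secret for privileged users, compared in constant time.
    if record["privileged"]:
        expected = SHARED_SECRETS.get(req.username, "")
        offered = req.secret_offered or ""
        if not expected or not hmac.compare_digest(offered.encode(), expected.encode()):
            reasons.append("shared secret missing or wrong")

    # Control 3 (action 2 on this page): MFA re-enrolment needs a second admin.
    if req.reset_type == "mfa" and (not req.approving_admin or req.approving_admin == req.agent):
        reasons.append("MFA re-enrolment needs approval by a second admin")

    return (not reasons), reasons


if __name__ == "__main__":
    # A caller asks the agent to ring a "new" mobile and offers a guessed secret.
    bad = ResetRequest("alice", "mfa", agent="desk-1",
                       callback_number_dialled="+44 7700 900123", callback_answered=True,
                       caller_supplied_number="+44 7700 900123", secret_offered="guess")
    print(evaluate(bad))
    good = ResetRequest("alice", "mfa", agent="desk-1",
                        callback_number_dialled="+44 20 7946 0000", callback_answered=True,
                        secret_offered="otter-velvet-42", approving_admin="desk-lead")
    print(evaluate(good))
```

The point of returning every failed reason rather than the first is that the agent can read them back from the script, which keeps the call consistent under pressure; the decision and its reasons should also be written to the ticket so the reset can be audited later.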


2. Mandate phishing-resistant Multi-Factor Authentication (MFA) everywhere in your business

What you can do:

  • Move from SMS or voice codes to app-based or FIDO2 hardware keys.
  • Enforce MFA re-registration approval by a second admin.


What is Multi-Factor Authentication (MFA)

Multifactor authentication (MFA) is a great way to confirm your identity by requiring at least two different forms of proof. This can include something like your password and additional methods such as a fingerprint or other biometric data. MFA adds extra layers of security that go beyond what a password alone can offer.

Two-factor authentication is the form of MFA that many people know of. This method asks for only two pieces of information, while some MFA systems might require three or more for added protection.

For example:

When logging into an email account that uses MFA, you might first enter your account password (the first factor) and then type in a one-time passcode that your email provider sends to your mobile phone via text (the second factor). If the account is particularly sensitive, you may also need a third form of verification, such as a hardware key.

You will be able to access the system only if all required factors are confirmed. If something doesn’t match, your login attempt will be unsuccessful. This way, your accounts stay secure and protected.

3. Harden privileged accounts

What you can do:

  • Separate admin identities from day-to-day user accounts.
  • Enforce just-in-time elevation with automatic expiry. Just-in-time (JIT) access provides users with the minimum level of access required to a system, only when they need it, and for a limited amount of time. By reducing how long users can reach sensitive applications or data, JIT access makes sure that permissions aren’t left open indefinitely.
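Both bullets can be enforced by a small grant store, shown here as an added example rather than code from the REC article or any particular identity product. Only dedicated admin identities can be elevated (day-to-day accounts never hold an admin role), nobody approves their own elevation, every grant has an expiry capped at a maximum, and a sweep removes expired grants and writes an audit line. Account names, roles and the class itself are constructed for the example.

```python
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Grant:
    account: str
    role: str
    approver: str
    granted_at: float
    expires_at: float


class JitElevation:
    """Time-boxed role grants for dedicated admin identities.

    Rules encoded: only accounts in `admin_accounts` can be elevated, the
    approver cannot be the requester, and every grant expires after at most
    `max_ttl` seconds whether or not anyone remembers to revoke it."""

    def __init__(self, admin_accounts: Set[str], max_ttl: int = 3600):
        self.admin_accounts = admin_accounts
        self.max_ttl = max_ttl
        self.grants: Dict[Tuple[str, str], Grant] = {}
        self.audit: List[str] = []   # trail of decisions, alongside session recording

    def elevate(self, account: str, role: str, approver: str, ttl: int,
                now: Optional[float] = None) -> Grant:
        now = time.time() if now is None else now
        if account not in self.admin_accounts:
            raise PermissionError(f"{account} is not a dedicated admin identity")
        if approver == account:
            raise PermissionError("self-approval is not allowed")
        ttl = min(ttl, self.max_ttl)          # nobody gets more than the cap
        grant = Grant(account, role, approver, now, now + ttl)
        self.grants[(account, role)] = grant
        self.audit.append(f"{now:.0f} ELEVATE {account} {role} by {approver} ttl={ttl}s")
        return grant

    def is_elevated(self, account: str, role: str, now: Optional[float] = None) -> bool:
        """The check every admin action should make before proceeding."""
        now = time.time() if now is None else now
        grant = self.grants.get((account, role))
        return grant is not None and now < grant.expires_at

    def sweep(self, now: Optional[float] = None) -> List[Grant]:
        """Drop expired grants; returns what was removed so it can be logged."""
        now = time.time() if now is None else now
        expired = [g for g in self.grants.values() if now >= g.expires_at]
        for g in expired:
            del self.grants[(g.account, g.role)]
            self.audit.append(f"{now:.0f} EXPIRE {g.account} {g.role}")
        return expired


if __name__ == "__main__":
    jit = JitElevation({"alice-adm"}, max_ttl=900)
    jit.elevate("alice-adm", "tenant-admin", approver="bob-adm", ttl=3600, now=1000)
    print(jit.is_elevated("alice-adm", "tenant-admin", now=1500))   # True
    print(jit.is_elevated("alice-adm", "tenant-admin", now=1900))   # False, expired
```

The `is_elevated` check is the part that matters operationally: an attacker who reaches an admin dashboard with a stolen account finds no standing rights there, and any elevation they could obtain is logged, approved by someone else, and gone within the hour.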

4. Test your backups — offline!

What you can do:

  • Verify you can restore your data within your Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets.
  • Ensure that backups are stored and secured such that they cannot be altered.
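A restore drill is only meaningful if it measures something. The following is an added example (not code from the REC article): a Python script that backs up a constructed sample data set into a tar archive, restores it into a scratch directory while timing the restore, and scores the result against an RTO, an RPO (age of the newest backup) and a per-file SHA-256 comparison. All paths, file names and targets are constructed for the example.

```python
import hashlib
import os
import tarfile
import tempfile
import time
from typing import Dict


def sha256_tree(root: str) -> Dict[str, str]:
    """Map of relative path -> SHA-256 for every file under root."""
    hashes: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                hashes[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return hashes


def make_backup(source_dir: str, archive_path: str) -> Dict[str, str]:
    """Write a tar.gz of source_dir and return the hashes a restore must reproduce."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")
    return sha256_tree(source_dir)


def restore_drill(archive_path: str, expected: Dict[str, str],
                  rto_seconds: float, rpo_seconds: float) -> Dict[str, object]:
    """Restore into a scratch directory and score it against RTO, RPO and integrity."""
    backup_age = time.time() - os.path.getmtime(archive_path)   # RPO: age of newest backup
    dest = tempfile.mkdtemp(prefix="restore-")
    start = time.perf_counter()
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(dest, filter="data")   # reject entries that escape dest
        except TypeError:                          # Python without the filter argument
            tar.extractall(dest)
    restore_seconds = time.perf_counter() - start
    restored = sha256_tree(dest)
    return {
        "restore_seconds": restore_seconds,
        "rto_ok": restore_seconds <= rto_seconds,
        "backup_age_seconds": backup_age,
        "rpo_ok": backup_age <= rpo_seconds,
        "integrity_ok": restored == expected,
        "missing_or_changed": sorted(p for p in expected if restored.get(p) != expected[p]),
    }


def demo() -> Dict[str, object]:
    """Constructed data set: two small files standing in for an HR/candidate store."""
    src = tempfile.mkdtemp(prefix="live-")
    os.makedirs(os.path.join(src, "notes"))
    os.makedirs(os.path.join(src, "db"))
    with open(os.path.join(src, "notes", "policy.txt"), "w") as fh:
        fh.write("help-desk reset: callback to number on record\n")
    with open(os.path.join(src, "db", "candidates.csv"), "w") as fh:
        fh.write("id,name\n1,Sample Candidate\n")
    archive = os.path.join(tempfile.mkdtemp(prefix="vault-"), "backup.tar.gz")
    expected = make_backup(src, archive)
    result = restore_drill(archive, expected, rto_seconds=60, rpo_seconds=3600)
    result.update({"archive": archive, "expected": expected})
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run the drill against a copy of the backup that lives offline or on immutable storage, not the live file share: a restore that only works from a location the attacker could also reach (or encrypt) proves nothing about recovery from ransomware. Immutability itself is a property of the storage (object lock, WORM media, an offline copy), which this script cannot verify; it verifies that what you restore is byte-for-byte what you backed up, inside the time you promised.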

5. Run a tabletop exercise focused on social engineering

What you can do:

  • Use the NCSC’s free “Exercise in a Box” scenarios to rehearse an attack, starting with a help-desk compromise.
  • Ensure the comms, legal, and executive teams are involved with any and all of these exercises.


Key takeaways

The M&S and Co-op breaches were not caused by highly sophisticated, unknown vulnerabilities. Instead, they highlight how attackers often exploit everyday operational gaps.

The strongest defence against such threats is a well-supported workforce — one that is empowered with effective training, robust verification processes, phishing-resistant MFA, and clear, regularly rehearsed incident response plans. With these measures in place, organisations can build resilience and significantly reduce the likelihood of successful attacks.

Resilience checklist

Understand how you can protect your business in the medium term from potential breaches