Retail Under Siege: Understanding and Combating Modern Cyber Threats 

Introduction 

In the ever-evolving world of retail, cyber threats are no longer a distant concern; they’re a daily reality. Over the past year, around 612,000 UK businesses reported experiencing a cyber breach or attack. Phishing remains the most common and disruptive method, targeting 85% of those affected.

The retail sector, in particular, sits on a goldmine of customer data: credit card details, email addresses, and purchase histories, all of which are highly attractive to cybercriminals. With many retailers operating across multiple platforms, from online stores to third-party marketplaces, their digital attack surface is vast and often difficult to monitor in real time.

In this environment, even a single breach can trigger a domino effect: financial loss, operational downtime, and lasting reputational damage. While some attacks are successfully blocked, many go undetected, suggesting the true scale of the threat may be far greater than reported. 

As digital dependency grows, so does the urgency for proactive, intelligence-led cybersecurity.

Recent Retail Cyber Attacks: A Wake-Up Call 

In 2025, the UK retail sector was shaken by two major ransomware attacks targeting Marks & Spencer (M&S) and Co-op, both believed to have been conducted by the Scattered Spider threat actor using DragonForce ransomware. These incidents weren’t just another set of digital disruptions. They revealed the escalating boldness and reach of modern cybercrime.

The M&S breach reportedly originated through a third-party IT supplier, Tata Consultancy Services (TCS). Once inside, the attackers went beyond technical disruption, sending a direct ransom email to the M&S CEO, combining infiltration with psychological pressure. This shift from silent data theft to overt intimidation marks a new level of audacity in attacker behaviour. 

Soon after, Co-op was hit in a potentially connected attack, also believed to have been conducted by Scattered Spider using the DragonForce ransomware. Though the full impact wasn’t disclosed, the two incidents suggest a broader campaign aimed at compromising supply chains and vendor ecosystems.

These back-to-back breaches highlight a critical vulnerability in retail operations: interconnectedness. Retailers often rely on a wide network of external vendors, cloud platforms, and third-party tools, each one a potential entry point. When one link breaks, the fallout can be swift and widespread. 

For an industry already under pressure from tight margins and evolving consumer demands, these attacks serve as a stark reminder that cybersecurity is no longer optional; it’s foundational. It must be embedded across operations, partnerships, and leadership priorities.

Social Engineering on the Rise: Insights from CYJAX on the UNC6040 Campaign 

While ransomware groups like DragonForce dominate the headlines, other sophisticated actors are quietly exploiting human error over code. According to recent intelligence, the financially motivated threat group UNC6040 has been executing vishing campaigns against multinational organisations, including those in English-speaking markets. 

Instead of exploiting software vulnerabilities, UNC6040 relied entirely on social engineering, impersonating IT support over the phone to trick employees into granting access to services like Salesforce, Microsoft 365, and Okta. Once inside, the attackers deployed a modified version of Salesforce’s Data Loader tool to exfiltrate sensitive data. 

In many cases, the breach wasn’t followed by immediate extortion. Instead, attackers waited months before demanding ransom, sometimes passing access to other groups who sell the data on its behalf. Alongside this, the threat actor claimed affiliation with the infamous ShinyHunters group, which is believed to be an attempt to amplify the pressure.

The group also used Mullvad VPN IP addresses to mask its activity and targeted weaknesses in third-party app permissions, rather than infrastructure itself. These findings reinforce a crucial lesson: even well-secured systems can fall when users are misled.
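The pattern described above (a third-party app authorised by a misled user, then bulk extraction through that app from VPN addresses) can be hunted for in audit data. The sketch below is an added example, not CYJAX's code or part of the original article; the event schema, app IDs, thresholds and the VPN range (an RFC 5737 documentation block standing in for a real exit list) are all assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumptions, not from the article: schema, IDs and thresholds are hypothetical.
# Allowlist by app ID, since a modified tool can reuse a trusted display name.
APPROVED_APP_IDS = {"app-dataloader-official", "app-marketing-sync"}
# Placeholder for a commercial-VPN exit list (RFC 5737 documentation range).
VPN_EXIT_NETS = [ip_network("203.0.113.0/24")]
WINDOW = timedelta(hours=24)   # max gap between authorisation and export
BULK_ROWS = 10_000             # rows exported before an export counts as bulk

# Constructed sample events: (time, user, action, app_id, source_ip, rows)
EVENTS = [
    ("2025-06-02T09:14", "a.shah", "app_authorized", "app-dataloader-official", "198.51.100.7", 0),
    ("2025-06-02T09:40", "a.shah", "bulk_export", "app-dataloader-official", "198.51.100.7", 1200),
    ("2025-06-03T14:02", "j.cole", "app_authorized", "app-unknown-7f3a", "203.0.113.45", 0),
    ("2025-06-03T14:09", "j.cole", "bulk_export", "app-unknown-7f3a", "203.0.113.45", 250000),
    ("2025-06-04T11:30", "m.reid", "bulk_export", "app-marketing-sync", "198.51.100.9", 40000),
]

def from_vpn(ip):
    """True if the source address falls inside a listed VPN exit range."""
    return any(ip_address(ip) in net for net in VPN_EXIT_NETS)

def detect(events):
    """Alert when an unapproved app is authorised and then used for a bulk
    export by the same user within WINDOW."""
    pending = {}  # (user, app_id) -> time the unapproved app was authorised
    alerts = []
    for ts, user, action, app_id, ip, rows in sorted(events):
        t = datetime.fromisoformat(ts)
        if action == "app_authorized" and app_id not in APPROVED_APP_IDS:
            pending[(user, app_id)] = t
        elif action == "bulk_export" and rows >= BULK_ROWS:
            authorised = pending.get((user, app_id))
            if authorised and t - authorised <= WINDOW:
                gap = int((t - authorised).total_seconds() // 60)
                alerts.append({"user": user, "app_id": app_id, "rows": rows,
                               "minutes_after_auth": gap,
                               "vpn_source": from_vpn(ip)})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The VPN flag is recorded as context on the alert rather than used as a trigger, because legitimate staff also use VPNs while an unapproved app performing a bulk export is the stronger signal.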

Strengthen Your Defences: See CYJAX in Action 

As threat actors become more creative and targeted, the retail industry must shift from reactive defence to proactive threat anticipation. From phishing and ransomware to voice-based social engineering, attackers are adapting fast, and so must your security strategy. 

CYJAX provides real-time, intelligence-led solutions that help organisations detect, understand, and respond to evolving cyber threats before damage is done. Want to see how it works? 

Book a personalised CYJAX demo and explore how our threat intelligence platform can help protect your business, customers, and reputation. 
