M&S, Co-op, and Harrods suffered cyber attacks in the spring of 2025. As for the Co-operative Group, it recently estimated an ‘impact to profitability’ of £107m. The Co-op said that restricting its systems to contain the threat had an estimated £285m direct impact on revenue.
Niall McConachie, regional director (UK and Ireland) at Yubico, says: “As we reflect on the cyber incidents that impacted the retail sector over the last year, the main take-away is that threat actors are constantly innovating with their tactics. We can no longer rely on the old advice of simply asking employees to create more complex passwords or using basic two-step verification. Scammers are now incredibly adept at bypassing these legacy defences, including the use of artificial intelligence (AI)-powered phishing to create increasingly sophisticated social engineering attacks. The focus shouldn’t just be about asking staff to be more vigilant; it’s about the industry adopting strong and capable infrastructure to stop these attacks at the source.
“The good news is that stepping up security doesn’t have to mean adding friction to the employee journey. By moving away from shared secrets and implementing phishing-resistant MFA, such as physical passkeys, retailers can eliminate the vulnerabilities of easily intercepted or forgotten credentials. Passkeys offer a seamless, passwordless login experience by replacing all the cumbersome, insecure login solutions with a simple-to-use cryptographic ‘key’ and verification method requiring the physical touch of the key – ensuring the person who’s supposed to gain access does. By combining hardware-backed protection with modern, phishing-resistant security, retailers can safeguard data and, most importantly, preserve customer trust.”
And Dave Spence, Cybersecurity Leader at DXC Technology UKI, said: “A cyber attack on the scale of the recent M&S incident could happen again today. One year on, it remains a stark reminder that the threat has not diminished. Large-scale, business-disrupting attacks remain entirely viable, particularly where attackers exploit identities, people or trusted third parties to bypass traditional defences.
Photo by Mark Rowe: Scotmid Coop, Burghead, north east Scotland.




