M&S, Co-op cyberattackers duped IT help desk

Two of Britain’s most well-known retailers, Marks & Spencer and Co-op Group, have fallen victim to cyberattacks that began with a surprisingly simple tactic: hackers impersonating employees while contacting the companies’ IT help desks. According to a report from technology news site BleepingComputer, the attackers were able to convince support staff to reset passwords for employee accounts, providing them with direct access to internal networks.
A Classic Exploit in a Modern Threat Landscape
This incident highlights a long-standing weak spot in corporate cybersecurity — human error in frontline support services. The National Cyber Security Centre (NCSC) of the UK has since urged businesses of all sizes to reassess their help desk protocols to defend against similar breaches.
“Criminal activity online — including, but not limited to, ransomware and data extortion — is rampant. Attacks like this are becoming more and more common. And all organisations, of all sizes, need to be prepared,” said Jonathon Ellison, National Resilience Director, and Ollie Whitehouse, CTO at NCSC, in a joint blog post.
Financial and Operational Fallout
The impact on Marks & Spencer has been immediate and significant. Since disclosing the cyber incident on April 22, the retailer’s share price has dropped 12%, including a 4% fall on Tuesday alone. On April 25, M&S was forced to suspend clothing and home orders via its website and mobile app, with no clear timeline for when online services will resume. Some food product availability has also been disrupted.
Deutsche Bank analysts estimate the financial hit at around £30 million ($40 million) to date, with an ongoing weekly impact of approximately £15 million as operations remain hampered. While cyber insurance is expected to cover much of the initial £30 million loss, insurers typically offer coverage for a limited period.
Beyond direct revenue losses, the company faces additional expenses from external cybersecurity consultants, IT remediation, and efforts to strengthen digital infrastructure for future resilience.
A Growing Threat from Organized Cybercrime Groups
Complicating matters, a hacking group calling itself DragonForce claimed responsibility for the attack on M&S, as well as breaches at Co-op and London luxury retailer Harrods. The group alleged it had stolen sensitive employee data and potentially personal information from up to 20 million Co-op customers.
BleepingComputer reported, citing multiple sources, that the attack on M&S was believed to be carried out by a hacking collective known as Scattered Spider, using DragonForce ransomware. However, the NCSC has not confirmed a direct link between the incidents.
Ciaran Martin, the former CEO of the NCSC, told Reuters that the extended disruption at M&S is unsurprising given the scope of the attack and the complexities of rebuilding compromised systems.
Industry Insight: Help Desks as a Prime Attack Vector
This incident underscores a critical — and often overlooked — vulnerability in corporate IT infrastructure: the help desk. Social engineering attacks, in which attackers manipulate people rather than exploit technical flaws, remain one of the most effective ways to breach otherwise well-secured networks.
The UK’s NCSC and cybersecurity experts globally are now advising organizations to require multi-factor authentication before a password reset is granted, to adopt stricter identity-verification protocols for help desk requests, and to provide ongoing staff training to counter these social engineering tactics.
Notably, Scattered Spider — reportedly behind this attack — has been linked to previous high-profile breaches, including incidents at MGM Resorts and Caesars Entertainment in 2023, where similar tactics were used to infiltrate corporate networks via help desks.
As this type of attack grows more frequent and sophisticated, businesses are being forced to reckon with the reality that their greatest vulnerability might not be their firewalls or encryption — but the people behind the screens.