Opinion

Exploring the source of major retail cyber attacks

By
Michael Downs

UK retail brands have been under a cyber siege in 2025.

Late April and early May saw Marks & Spencer, the Co-Operative Group and Harrods all hit by attacks that crippled various business functions, from ecommerce platforms to payment processing.

Each of these attacks was well documented in the media, and for good reason. The financial and societal impacts of attacks on retailers are monumental.

M&S perhaps stands as the most glaring example. Not only were shoppers left unable to buy online from the company for months, but the firm itself stated that the hack cost it more than £300 million in lost sales.

For threat actors, the primary motivating factor is typically financial gain: the greater the damage that they can inflict on a company, the more likely they are to be able to extort money from it. From deploying ransomware and stealing payment data to acquiring and threatening to leak personally identifiable information (PII), there are several routes through which they can apply pressure to targets to benefit financially.

What makes retailers particularly appealing targets for cybercriminals is their inherent vulnerabilities. These are companies that often have a series of third-party dependencies, legacy systems, and work in fast-paced operating environments – factors that can result in security issues or oversights that provide threat actors with a range of potential entry points.

Owing to this combination, it is perhaps little surprise that the retail sector has become one of the hardest hit sectors in relation to cybercrime, now among the top three according to Allianz’s analysis of large cyber claims over the past five years. And increasingly, we’re seeing several retailers falling victim to the same attack patterns.

The MFA bombing uptick in retail

In the recent M&S and Jaguar Land Rover cyber attacks, both companies were exploited through Multi-Factor Authentication (MFA) bombing, a technique proliferated by the infamous Scattered Spider hacker collective.

In MFA bombing, threat actors attempt to bypass security controls that would normally stop them by manipulating the human in the loop, rather than defeating the technology itself. The MFA system is working as intended; the weak point becomes the person being pressured. Threat actors aim to exploit human psychology, for example, by taking advantage of feelings of stress, confusion and urgency. MFA remains a strong layer of security, but users need to stay alert to unusual authentication requests, as this could be part of a social engineering attack.

After acquiring login credentials through phishing or dark-web purchases, hackers use automated technologies to barrage individuals with MFA prompts. Given that retailers are companies that have large numbers of staff, suppliers and IT systems, it makes sense that threat actors would use this approach. Constantly flooding employees with notifications can lead to MFA fatigue, leaving them frustrated and, in turn, more likely to accidentally approve a fraudulent request. In some cases, hackers may also call or message individuals pretending to be IT support to pressure them into approving a login.

For this technique to work, all they need is one prompt out of hundreds to be approved. With a single click, the door to customer data, payment details and critical operational systems is flung wide open. And, as we’ve seen from this year’s attacks against UK retailers, the consequences can be catastrophic. A single successful breach can lead to ransomware demands, online disruption, lost sales, damaged reputation and regulatory fines.
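The pattern described above, a burst of rejected or ignored prompts that ends in a single approval, is something a security team can look for in authentication logs. The sketch below is an added example, not part of the original article; the event format, the 10-minute window and the threshold of five prompts are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed: rejected/ignored prompts that count as a flood

# Constructed sample events (time, user, result); not taken from any real log.
SAMPLE_EVENTS = (
    [(f"2025-05-01T02:1{m}:00", "alice", "denied") for m in range(6)]
    + [("2025-05-01T02:15:30", "alice", "approved")]   # gives in after six prompts
    + [("2025-05-01T09:00:00", "bob", "approved")]     # ordinary login
    + [(f"2025-05-01T14:0{m}:00", "carol", "timeout") for m in range(5)]  # flood, never approved
    + [("2025-05-01T16:00:00", "dave", "denied"),
       ("2025-05-01T16:00:20", "dave", "approved")]    # one mistap, then a normal login
)

def detect_push_floods(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: alert} for users whose prompt history looks like MFA bombing."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((datetime.fromisoformat(ts), result))

    alerts = {}
    for user, items in by_user.items():
        items.sort()
        start = 0
        for end, (ts, result) in enumerate(items):
            # Slide the window so it only covers prompts within `window` of this one.
            while ts - items[start][0] > window:
                start += 1
            # Prompts the user rejected or ignored earlier in the window.
            rejected = sum(1 for _, r in items[start:end] if r != "approved")
            if result == "approved" and rejected >= threshold:
                # The dangerous case: an approval that follows a flood.
                alerts[user] = "critical: approval after prompt flood"
            elif result != "approved" and rejected + 1 >= threshold:
                # Flood under way; do not downgrade an existing critical alert.
                alerts.setdefault(user, "high: prompt flood in progress")
    return alerts

if __name__ == "__main__":
    for user, alert in detect_push_floods(SAMPLE_EVENTS).items():
        print(user, "->", alert)
```

A "critical" result is the case to act on first, for example by revoking the session that the approval created and contacting the user.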

The 2025 UK Cyber Security Breaches Survey found that businesses are lagging on multi-factor authentication. Only 40% of businesses have rolled out two-factor authentication (2FA), for example. This is a gap that must be bridged.

Multi-layered protection for multi-factor authentication

In response, several national cybersecurity bodies, including CISA, released a joint advisory, outlining key actions for organisations to take in mitigating the threat from Scattered Spider.

Fully protecting an organisation from MFA bombing requires a combination of efforts, many of which align with general good cybersecurity practices, such as regularly updating passwords. Since MFA bombing requires your credentials first, strong passwords are a critical first line of defence.

Educating and training users to recognise suspicious MFA activity is also vital. Every employee needs to be aware of the risks associated with approving suspicious login requests – if you receive an unexpected prompt, deny it and report it to your IT department immediately.

Adaptive MFA systems should also be considered. These take an advanced approach to MFA, using context-based access controls to analyse additional factors about a login attempt. This can include the location of login attempts; the device, operating system and browser used; and the user’s typical behaviour, for example, the time the user usually takes to authenticate. By combining multiple factors, adaptive MFA can make smarter authentication decisions, flagging suspicious logins while enabling low-risk ones to proceed without additional verification.

Adopt phishing-resistant MFA

Each of these efforts can help to reduce risks. However, firms can go even further, adopting phishing-resistant MFA that uses cryptography to stop attackers from stealing or intercepting your login credentials, even if they trick you into entering them on a fake website.

Authentication methods such as FIDO2 security or biometrics make MFA bombing even more difficult to execute. One effective example is origin binding, where credentials are bound to the specific website domain (e.g., yourbank.com). If you are tricked into trying to log in on a fake phishing site (e.g., your-bank.com), the cryptographic check will fail automatically, and the credentials cannot be used.
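To make origin binding concrete, the sketch below shows the origin and relying-party checks a website performs on a WebAuthn (FIDO2) login response before it verifies the signature. It is an added example, not part of the original article: `build_assertion` is a constructed stand-in for the browser and authenticator, the challenge value is made up, and the signature verification step is omitted.

```python
import hashlib
import hmac
import json
import struct

RP_ID = "yourbank.com"                    # domain from the article's example
EXPECTED_ORIGIN = "https://yourbank.com"  # assumed HTTPS origin of the real site

def build_assertion(origin, rp_id, challenge):
    """Constructed stand-in for the data a browser and authenticator return."""
    # The browser, not the page, records the origin the user is actually on.
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    # authenticatorData: SHA-256(rpId) | flags (0x05 = user present + verified) | counter
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x05]) + struct.pack(">I", 1)
    return client_data, auth_data

def check_assertion(client_data_json, auth_data, expected_challenge):
    """Server-side binding checks; the signature check would follow on success."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return "reject: wrong type"
    if client_data.get("challenge") != expected_challenge:
        return "reject: challenge mismatch"
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return "reject: origin mismatch"
    expected_hash = hashlib.sha256(RP_ID.encode()).digest()
    if not hmac.compare_digest(auth_data[:32], expected_hash):
        return "reject: rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "reject: user not present"
    return "ok: proceed to signature verification"

if __name__ == "__main__":
    challenge = "c2FtcGxlLWNoYWxsZW5nZQ"  # constructed sample value
    real = build_assertion("https://yourbank.com", "yourbank.com", challenge)
    fake = build_assertion("https://your-bank.com", "your-bank.com", challenge)
    print(check_assertion(*real, challenge))
    print(check_assertion(*fake, challenge))
```

Because the origin and the RP ID hash are both covered by the authenticator's signature, a response produced on the lookalike domain cannot be edited to pass these checks without invalidating that signature.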

For retailers, going the extra mile has never been more important. From M&S to Jaguar Land Rover, some of the UK’s biggest companies have fallen victim to this form of attack. By implementing the right controls, MFA can become a strategic enabler, protecting users, protecting critical systems, safeguarding customer data, reinforcing brand trust and supporting shareholder value.

It is a fast, cost-effective, and simple-to-use business-critical shield, and retailers that treat it as such will be better prepared to navigate today’s evolving cyber threat landscape.

December 10, 2025