Data Breaches, Doubt and Disruption: Unpacking the Retail Cyber Attacks

By Kerryann White

You shop in your favourite stores. You swipe your card. You don’t overthink it. You trust. 

This simple reality was completely uprooted when a wave of cyber-attacks hit some of the UK’s major retailers within the last month. Grocery stores giant Marks & Spencer, Co-op, and Harrods all fell victim to the hackers, leaving them to suffer the consequences of one of the worst cyber invasions to date. Officials at the National Cyber Security Centre (NCSC) have described the retail attacks as a “wake-up call” for UK businesses. The incidents have had mass media coverage, each one anticipating the coming events of the investigation. The intriguing matter lies within the question: what does this truly mean for customers, the future of shopping, and the companies themselves?

Trust, Interrupted

For the millions of customers who enter their preferred stores almost every day, these attacks have shaken more than just systems – they’ve ruined the trust and confidence that was once undoubtedly placed within these retailers. At the Co-op, while no passwords or financial information were compromised, it has been confirmed that names, contact details, and dates of birth of loyalty members were stolen. Despite CEO Shirine Khoury-Haq expressing her deepest apologies, claiming “we are very sorry that this situation has arisen”, and M&S seeing no evidence of customer data being accessed, consumers are worried and anxious. 

Many remain unsure of whether or not these stores have the ability to keep their data safe, and some have been reassessing their loyalty to these franchises. In fact, research indicates that shoppers will not easily forgive this breach, and about 7 in 10 consumers say they would stop shopping with a brand completely following a cybersecurity incident. That isn’t just a dent in reputation, that’s a complete collapse of consumer faith.

The weary customers are continuing to put pressure on these businesses in their demand for transparency and reassurance amongst the chaos. Harrods told its clientele that they “need not do anything differently at this point” after its attack, with the aim to calm fears. Yet, this does little to offer comfort to those shaken up and consumer confidence remains at an all-time low. The real test of time will be whether shoppers will ever feel safe enough to share their personal details or shop online with these companies ever again. 

Error 404: Business Not Found

For the actual retailers themselves, the fallout has no doubt been swift and costly. M&S was forced to suspend all online clothing and home orders after encountering serious IT problems over Easter, popular services like contactless payments and click-and-collect were unobtainable, and they even saw temporary food shortages on their shelves. In a time when shoppers are usually hungry to splurge on new season outfits and picnic goods, the M&S share price tumbled roughly 9% (almost £700 million in value) in the days after the breach went public. 

Co-op shut down parts of its IT systems due to an intrusion, disrupting back-office functions and prompting a large-scale data breach response. Luckily, Harrods managed to prevent major disruption by limiting internet access during an attempted breach, protecting themselves from the loss experienced by M&S, but without coming out unscathed. 

All three retailers have been thrust into crisis mode, bringing in cyber security teams, issuing apologies, and CEOs working “day and night” to contain the damage. These companies must rebuild public trust and prove their ability to safeguard data in an age of tech-enabled consumer habits and increasingly sophisticated hacking systems.

What Now?

Unfortunately, these circumstances aren’t the usual failings that companies can just push under the rug and move on. Trade groups and officials have sounded alarms, warning that what happened to these three companies can happen to anyone and anywhere if companies do not prepare themselves. Britain’s Cabinet Office minister Pat McFadden convened emergency briefings with national security officials and has announced plans to tell all UK companies to make cyber security an “absolute priority” in light of recent incidents. He is also expected to propose a Cyber Security Bill aimed at strengthening the laws and support for cyber resilience. Such a high-level reaction certainly underscores that the attacks on retailers are being deemed as a part of a broader threat environment, and these won’t be the last of the attacks we see. What once might have been seen as rare or exceptional is now being widely recognised as an inevitable part of the future. 

Sources

James Davey and Sarah Young, “Britain’s M&S Enters Second Week of Sales Disruption After Cyberattack,” Reuters, May 2, 2025.

Sarah Butler, “Co-op Apologises After Hackers Extract ‘Significant’ Amount of Customer Data,” The Guardian, May 2, 2025.

Kristen Doerer, “Consumers Are Becoming Apathetic to Cyber Incidents, Research Finds,” Cybersecurity Dive, January 13, 2025.

Matt Burgess, Lily Hay Newman, and Dhruv Mehrotra, “Hacking Spree Hits UK Retail Giants,” WIRED, May 3, 2025, https://www.wired.com/story/hacking-spree-hits-uk-retail-giants/.

Reuters, “Britain to Warn Companies Cyber Security Must Be ‘Absolute Priority’,” Reuters, May 2, 2025,