A recap on what’s happened so far
First it was Marks & Spencer, then Co-op and then Harrods that felt the brunt of cyber attacks during April and May 2025, attributed to a group calling itself DragonForce. The attacks are understood to be ransomware attempts, with M&S looking to be the most affected, at least in the short term.
Little has been disclosed publicly so far, and reporting has focussed on the obvious impact on retail operations, including online shopping and card payments in stores.
The M&S share price has dropped significantly, reportedly wiping around £500m from the company’s market value, and it has been suggested that the incident is costing them in the region of £40m a week in lost sales.
It’s hard to imagine the level of stress that must be felt within these companies, especially by the technical teams trying their best to protect their networks and recover services, and we hope it’s resolved soon.
But could more have been done prior to this?
How prepared were the retailers for this kind of attack?
We don’t have any firsthand knowledge of the companies involved, other than their obvious size and reputation. Based on this alone, it is inconceivable that any of them lacks a cybersecurity team focussed on protecting the data they hold and process.
However, one clue to readiness is whether they hold any certifications to recognised cybersecurity standards. In the UK there are two obvious ones to consider: Cyber Essentials and ISO 27001.
Cyber Essentials
This is a UK Government-backed scheme that has been running since 2014, and there are over thirty thousand organisations certified to the basic version, which requires controls to be in place in the following five areas:
Firewalls
Secure configuration
User access control
Malware protection
Security update management
See our earlier blog for more details on these controls.
The idea of this standard is to address the five areas of weakness which, according to the NCSC, account for over 80% of common cyber attacks, so it’s a great starting point on an organisation’s journey to reduce risk.
Unfortunately, a search of the IASME certificate register suggests that none of the retailers involved are currently certified to the NCSC’s Cyber Essentials scheme at either level (Cyber Essentials or Cyber Essentials Plus). Of course, this doesn’t necessarily mean that they don’t have these controls in place: certificates are only valid for twelve months and must be renewed, and an organisation can choose not to appear in the public register. Even so, the absence of a visible certification does make you question the degree of board-level commitment to cybersecurity and the retailers’ willingness to prove publicly to their customers that they take the issue seriously.
The ISO27001 standard
The big brother of Cyber Essentials is the international standard for information security, cybersecurity and privacy protection, ISO/IEC 27001:2022 (just ISO27001 to its friends).
This is a well-established, globally recognised standard which requires a certified organisation to put in place an information security management system, or ISMS. The ISMS involves assessing risk on a regular basis and selecting controls, from a reference set of ninety-three in Annex A of the standard (or from elsewhere, where the risk assessment justifies it), to proactively reduce risk levels over time. Certification is granted by an independent, accredited certification body and is maintained through regular surveillance audits.
See our earlier blog for more details on the ISO27001 standard.
Becoming certified to the ISO 27001 standard shows that an organisation manages information security systematically and has that management system independently audited on an ongoing basis. It doesn’t guarantee that the kind of attacks we’ve seen recently won’t happen, but it does demonstrate publicly that resources have been allocated to try to prevent them and to recover from them when they do.
A visit to the M&S website makes no reference to certification to the ISO 27001 standard, so if they do hold a certificate they are keeping it very quiet.
Similarly, the Harrods website makes little reference to information security, stating only that they use “appropriate security measures” to protect data.
The Co-op website also gives no space to cybersecurity beyond a current message from their CEO that points to their privacy policy, and that policy in turn makes no mention of how they protect customer data.
What does this mean for the customers of these retailers?
All three of these retailers are well-known and respected organisations that provide quality goods and services to loyal customers in the UK. They collect, hold and process a vast amount of personal data from these customers every day and have both a legal and a moral responsibility to protect that data appropriately.
In the current circumstances it would be reasonable for their customers to be just a little disappointed that none of them appears to hold the certifications that would show publicly that they are taking those obligations seriously.
We wish all three retailers well in recovering from these devastating attacks, and we’ll be happy to help if they decide to work towards the certifications that will reassure their customers in the future.