UK retailers are facing a rising tide of cyberattacks, with M&S, Co-op, and Harrods the latest targets — and now, experts are warning that small shops and businesses are also at risk.
The attacks have disrupted operations, exposed customer data, and prompted emergency changes to internal systems. But while these are larger brands, SMEs should pay attention.
Cyberattacks have serious implications for all sectors and sizes. That includes retail and hospitality, where digital payments and online services are becoming increasingly central to day-to-day operations.
M&S, Co-op, and Harrods cyber attacks, explained
Cybercrime has struck three of the UK’s most recognisable retailers in recent weeks. M&S, Co-op, and Harrods have all fallen victim to cyber attacks that disrupted operations and rattled consumer trust.
The trouble began on April 21, when M&S customers reported issues using contactless payments and Click-and-Collect services. CEO Stuart Machin later confirmed the company was responding to a cyber incident, prompting “temporary changes” to operations.
By April 25, online orders were suspended, job listings were removed, and stores were reporting stock shortages. Not surprisingly, the retailer’s share price also took a big hit.
Just over a week later, the Co-op reported a similar breach. The fallout has been severe, with many stores experiencing empty shelves. In response, staff have been told to leave cameras on during virtual meetings and keep sensitive conversations out of Teams chats.
Then, on May 2, Harrods confirmed it had also been targeted by a cyber attack. The department store called in cybersecurity specialists, and fortunately, managed to mitigate a serious disruption.
What’s behind the attacks?
A ransomware group called DragonForce has since claimed responsibility for all three incidents. One cyber expert has said it could take three years for the trio of affected retailers to recover. But before then, DragonForce has warned that more attacks are on the way.
Andrew Northage, regulatory and compliance partner at Walker Morris, told the Retail Gazette that cyber threats are constantly evolving. “If you think you can stand still and be cyber-protected, that would be a big mistake to make”, he said.
That warning is particularly relevant for SMEs, who often lack dedicated IT teams, internal expertise, or contingency plans for cyber attacks. And with hackers becoming more sophisticated, being unprepared could lead to serious business disruption.
According to the government’s Cyber Security Breaches Survey 2025, one in five firms experienced at least one cyber attack in the past year. While larger organisations remain the main targets, 25% of small businesses also reported dealing with cybersecurity threats.
On a more positive note, the overall rate of attacks has dropped slightly, from 22% in 2024 to 20% in 2025, possibly due to increased awareness and better preventative measures.
What can SMEs learn from the attacks?
While the recent cyber attacks hit high-profile names, like M&S, Co-op, and Harrods, small businesses are just as vulnerable. And, alarmingly, smaller firms often lack the financial buffers and in-house tech support that help large companies bounce back.
The consequences of an attack can be immediate and devastating to smaller businesses. For example, imagine a local cafe losing access to its point-of-sale (POS) system during a busy weekend service. Orders can’t be processed, card payments fail, and a day’s earnings are lost, potentially putting cash flow under pressure for weeks.
For online stores, a breach could mean leaked customer data and suspended orders. This could lead to refund requests, negative reviews, and a hit to reputation. To avoid this, SMEs should start by reviewing the cybersecurity of their core systems, particularly POS setups.
Many cloud-based systems now come with built-in features like encrypted transactions, tokenisation, and real-time fraud alerts. Providers such as Square, Zettle by PayPal, and Clover offer added layers of protection and frequent updates to boost cybersecurity.
Basic cyber hygiene also remains one of the best lines of defence against cyber attacks. Here are some immediate steps you can take to protect your business against online threats:
- Set up two-factor authentication (2FA) across your devices and accounts
- Regularly train your staff on phishing scams and how to spot suspicious activity
- Ensure frequent backups of your customer and business data
- Make sure your software and systems (including card readers) are regularly updated
Don’t follow big brands into complacency
It’s easy to assume small businesses aren’t at risk of cybercrime. But as recent events show, even large companies can be caught off guard. If they can fall victim, so can you.
Not to mention, the cost of complacency is much higher for SMEs. Without an internal cybersecurity team or recovery plan, a single online breach can halt operations, drain your finances, or permanently damage customer trust.
The key takeaway here is that cyber resilience isn’t about scale, it’s about readiness. With suitable systems in place and a proactive approach, small businesses can fend off threats just as well as bigger names. A clear plan, up-to-date tech, and thorough training can make the difference between a temporary blip and a full-blown crisis.