Harrods, a globally recognized purveyor of all things luxury, is the third major UK retailer to confirm an attempted cyberattack on its systems in under two weeks.
It confirmed the incident in a statement, hinting that, like Co-op’s case earlier in the week, the attack may not have been successful.
“We recently experienced attempts to gain unauthorised access to some of our systems,” it told The Register.
“Our seasoned IT security team immediately took proactive steps to keep systems safe and as a result we have restricted internet access at our sites today.
“Currently all sites including our Knightsbridge store, H beauty stores, and airport stores remain open to welcome customers. Customers can also continue to shop via harrods.com.
“We are not asking our customers to do anything differently at this point and we will continue to provide updates as necessary.”
Harrods opted not to answer The Register’s questions about what exactly was meant by restricted internet access, if there are currently any product supply concerns for stores, or whether the incident involved ransomware.
None of the three UK retailers currently battling cybersecurity issues – M&S, Co-op, and now Harrods – have confirmed whether ransomware was involved, although the rumor mill is whirring with mutterings of Scattered Spider’s involvement.
Threat intel expert and current SANS instructor Will Thomas warned UK retailers on Thursday evening to take proactive measures to fortify their cyber defenses.
The UK is about to enter another long weekend, with a public holiday on Monday, so now would be the time.
Thomas said via X: “There is an active cybercriminal (Scattered Spider-style) ransomware campaign targeting your sector.”
It also seems as though the hit on Harrods was the final straw for the UK’s National Cyber Security Centre (NCSC), whose CEO was moved to speak publicly on the spate of attacks.
Richard Horne, CEO at the GCHQ cybersec offshoot, confirmed the organization was assisting all three retailers on Thursday, and said the ongoing saga should serve as a wake-up call to all other organizations.
“The disruption caused by the recent incidents impacting the retail sector are naturally a cause for concern to those businesses affected, their customers, and the public,” he said.
“The NCSC continues to work closely with organisations that have reported incidents to us to fully understand the nature of these attacks and to provide expert advice to the wider sector based on the threat picture.
“These incidents should act as a wake-up call to all organisations. I urge leaders to follow the advice on the NCSC website to ensure they have appropriate measures in place to help prevent attacks and respond and recover effectively.”
It’s currently unknown if all three cyberattacks are linked in some way. No organization has officially attributed any of the attacks to specific groups or cybercriminals, and no one has claimed responsibility for them either.
Suggestions of Scattered Spider, a known affiliate of ransomware groups, being involved in the attack on M&S were commingled with rumors of DragonForce ransomware being used.
In such cases, if negotiations were to stall for whatever reason, the usual approach taken by ransomware crews would be to publicly disclose the incident to apply pressure to negotiations.
However, infosec watchers have kept a close eye on DragonForce’s leak site, which has mysteriously been down for several days. No other names have thus far entered the mix.
M&S and Co-op latest
It was just under two weeks ago that the issues at M&S started to take hold. Various aspects of the business were suspended, some of which have been reinstated while others remain at a halt.
Some shoppers reported stock issues at their local stores, with images of empty shelves flying around social media, although the retailer has not publicly acknowledged any stock issues.
Customer service reps are trickling information out in public responses, however. Click & Collect orders were the first to be made unavailable to customers, with online and app orders still up and running. Now, all online and in-store orders have been paused, according to an update shared on Friday morning. Returning orders continues to be difficult for customers too.
Marks & Spencer CEO Stuart Machin offered his apologies to customers in a statement on Friday.
“We are really sorry that we’ve not been able to offer you the service you expect from M&S over the last week,” he said.
“We are working day and night to manage the current cyber incident and get things back to normal for you as quickly as possible.
“Thank you from me and everyone at M&S for all the support you have shown us. We do not take it for granted, and we are incredibly grateful.
“Our teams are doing the very best they can, and are ready to welcome you into our stores – whether you are shopping for food or for fashion, home, and beauty this bank holiday weekend.
“Thank you for your support, and thank you for shopping with us. We will continue to keep you updated.”
Like M&S, the Co-op was the second retailer to confirm an attempted cyberattack this week, although details of its situation are not as readily available.
The company has not updated any information in its official statement since the first one it released following the attack.
A spokesperson for the company said: “We have recently experienced attempts to gain unauthorized access to some of our systems.
“As a result, we have taken proactive steps to keep our systems safe, which has resulted in a small impact to some of our back office and call center services.
“All our stores (including quick commerce operations) and funeral homes are trading as usual.
“We are working hard to reduce any disruption to our services and would like to thank our colleagues, members, partners, and suppliers for their understanding during this period.
“We are not asking our members or customers to do anything differently at this point.
“We will continue to provide updates as necessary.”
ITV News’ business and economics editor Joel Hills shared what he said was an internal memo sent to staff by Rob Elsey, Co-op’s chief digital information officer, which said the company VPN was taken down.
“We would ask for your patience as we take some additional pre-emptive actions on remote access to continue to keep our Co-op safe,” the memo said. “This means, if you work from home, you won’t be able to access systems and apps that require you to sign in using a VPN, all other services will work as normal.
“Co-op locations will not be impacted by work on remote connections therefore if you are having issues accessing systems or need to access applications, please work from a Co-op location.”
The memo also revealed that staff were asked not to record or transcribe Teams calls, to ensure all attendees are expected and are on camera, and to avoid submitting sensitive information to any Teams chats.