When Britain's Biggest Retailers Get Absolutely Destroyed by a Phone Call
Right, let's talk about the most embarrassing cybersecurity disaster in British retail history. M&S, the company that's been clothing the nation for 140 years, just lost £300 million because some criminal rang their help desk and convinced a member of staff to reset a password. Co-op, the mutual that's supposed to look after its members, just exposed 20 million customer records using exactly the same pathetic attack.
Not sophisticated malware. Not nation-state hackers. Not zero-day exploits that would challenge GCHQ. A bloody phone call.
The Parliamentary Hearing That Exposed Everything
Yesterday's Business and Trade Sub-Committee hearing was like watching a slow-motion car crash in real time. M&S Chairman Archie Norman, sitting there in Westminster, had to explain to MPs how one of the most recognizable brands in Britain got absolutely destroyed by criminals who learned their trade watching YouTube tutorials.
Here's what Norman admitted under oath: "We didn't have any business continuity plan for this, we didn't have a cyber attack plan." Let that sink in for a moment. A £12 billion retailer with 33 million customers and they had no plan for cyber attacks in 2025.
This is like running a nuclear power plant without an evacuation plan and acting surprised when things go wrong.
The attack timeline reads like a textbook example of how not to do cybersecurity. DragonForce hackers had been inside M&S systems since February 2025, quietly stealing password databases and mapping out their network. On April 17, they made a phone call to the Tata Consultancy Services help desk, impersonated an M&S employee, answered some basic security questions (probably gleaned from LinkedIn and company websites), and got administrative passwords reset.
Within hours, they were encrypting virtual machines and bringing down the entire M&S online operation. 46 days of complete online sales shutdown. £3.8 million in daily losses. 200 warehouse workers sent home. Store shelves empty because inventory systems were down.
The Social Engineering That Shouldn't Work in 2025
Here's what makes this so infuriating: this attack succeeded because of failures that were entirely preventable using basic cybersecurity hygiene that's been standard practice for over a decade.
The attackers used "sophisticated impersonation" according to Norman, but let's be honest about what that means. They researched M&S employees on social media, gathered enough personal information to seem legitimate, then rang the help desk during busy periods when staff were pressured to solve problems quickly.
Scattered Spider, the English-speaking criminal group behind this attack, specializes in exactly this type of social engineering. They're not technical wizards. They're confidence tricksters with phones and patience. Graham Cluley noted that these are "a typical loose collective of hackers who quite often don't even know each other's real names."
The fact that this basic con job worked on organizations with multi-million-pound IT budgets should terrify every business owner in the UK.
Co-op: Because One Disaster Wasn't Enough
As if M&S wasn't embarrassing enough, Co-op managed to get hit by exactly the same tactics. Up to 20 million customer records potentially compromised because help desk staff fell for the same phone-based social engineering.
Rob Elsey, Co-op's Chief Digital Information Officer, told MPs that "the malicious activity occurred about an hour after they gained access." One hour. That's how long it took criminals to go from successful phone call to accessing sensitive customer data.
This isn't sophisticated cyber warfare. This is basic criminality exploiting fundamental security failures that have been well-documented for years.
The BBC had direct contact with DragonForce, who shared samples of Co-op customer records to prove their claims. Think about that for a moment: criminals were so confident in their success that they were giving media interviews while actively breaching one of Britain's largest mutual organizations.
The Help Desk Security Theatre
Let's examine the specific failures that enabled these attacks, because they're being repeated in businesses across the UK right now.
Identity Verification Bollocks: Both M&S and Co-op relied on security questions that could be answered using publicly available information. Employee names, departments, and basic personal details are trivial to obtain through LinkedIn research and social media stalking.
No Call-Back Verification: Proper help desk security requires calling back the requesting employee on registered company numbers to verify identity. This simple step would have prevented both attacks entirely.
Pressure to Solve Problems Quickly: Help desk staff are trained to be helpful and solve problems efficiently. Criminals exploit this by creating urgency and pressure, making staff more likely to bypass security procedures.
Lack of Escalation Procedures: Password resets for administrative accounts should require management approval and additional verification. Instead, front-line help desk staff had the authority to reset passwords that controlled critical business systems.
No Monitoring of Unusual Requests: Multiple password reset requests, especially for privileged accounts, should trigger automatic security alerts. Neither organization detected the pattern of suspicious requests that preceded the attacks.
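One way to implement the alerting the last point calls for, as an added example in Python (not code from the page, or from M&S, Co-op or TCS): it flags privileged-account resets closed without call-back verification and bursts of reset requests from one caller. The log format, the privileged-account name prefixes and the thresholds are assumptions, and the log lines are constructed.

```python
# Added help-desk reset monitor: the log format, account prefixes and
# thresholds are assumptions, and SAMPLE_LOG is constructed test data.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed help-desk ticket log: timestamp, caller id, target account, call-back flag
SAMPLE_LOG = """\
2025-04-17T09:02:00 caller-1 jsmith      callback=yes
2025-04-17T09:10:00 caller-2 svc_vmadmin callback=no
2025-04-17T09:14:00 caller-2 da-backup   callback=no
2025-04-17T09:21:00 caller-2 adm_storage callback=yes
2025-04-17T11:45:00 caller-3 apatel      callback=yes
"""
PRIVILEGED_PREFIXES = ("adm_", "da-", "svc_")  # assumed naming convention
BURST_THRESHOLD = 3                            # resets from one caller ...
BURST_WINDOW = timedelta(minutes=15)           # ... inside this window


def parse_log(text):
    """Turn each log line into (time, caller, account, callback_done), oldest first."""
    events = []
    for line in text.splitlines():
        ts, caller, account, cb = line.split()
        events.append((datetime.fromisoformat(ts), caller, account, cb == "callback=yes"))
    return sorted(events)


def is_privileged(account):
    return account.lower().startswith(PRIVILEGED_PREFIXES)


def detect(events):
    """Return (rule, detail) alerts for the SOC queue."""
    alerts, recent = [], defaultdict(list)
    for time, caller, account, callback_done in events:
        if is_privileged(account) and not callback_done:
            alerts.append(("PRIV_RESET_NO_CALLBACK", account))
        window = recent[caller]
        window.append(time)
        while time - window[0] > BURST_WINDOW:   # slide the window forward
            window.pop(0)
        if len(window) == BURST_THRESHOLD:       # fires once when the threshold is hit
            alerts.append(("RESET_BURST", caller))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"ALERT {rule}: {detail}")
```

On the sample log this raises two no-call-back alerts for privileged accounts and one burst alert for the caller who requested three resets in eleven minutes.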
The Tata Consultancy Services Failure
Here's where this gets even more infuriating. The social engineering attack succeeded through Tata Consultancy Services, the outsourced IT provider managing M&S help desk operations. So we're not just talking about M&S security failures, we're talking about vendor security failures that M&S apparently never audited or monitored.
Norman's testimony revealed that "a third-party" was involved, later identified as TCS. This means M&S outsourced critical security functions to a vendor without ensuring that vendor maintained the same security standards M&S claimed to follow internally.
This is vendor risk management failure on a scale that would be embarrassing for a startup, let alone a FTSE 250 company with decades of experience.
The Response That Revealed More Failures
Norman's description of the response is almost as damaging as the attack itself. He described the situation as "traumatic" with the cyber team getting "barely any sleep" and admitted that "everybody at M&S experienced it."
But here's the most telling admission: the attackers communicated primarily through the BBC rather than direct contact. Norman said it was "an unusual experience to be brushing your teeth in the morning when somebody comes onto the BBC with a communication from the people who are allegedly attacking your business."
This suggests M&S had no established communication channels for incident response, no crisis management procedures for cyber attacks, and no way to engage with attackers when necessary for recovery operations.
The company also made an "early decision that nobody at M&S would deal with the threat actors directly," delegating negotiations to professional security advisors. While this might sound like good policy, it also suggests they were completely unprepared for the reality of modern ransomware operations.
The Financial Carnage
Let's talk numbers, because that's what finally gets board-level attention.
M&S Losses:
- £300 million estimated operating profit impact for 2025/26
- £3.8 million daily losses during 46-day online suspension
- Over £1 billion drop in market value
- 33% of clothing and home business disrupted

Co-op Impact:
- Up to 20 million customer records potentially compromised
- Complete system rebuilds required
- Regulatory investigation costs
- Reputation damage that's impossible to quantify
These aren't just accounting entries. These are real business consequences that affect employees, customers, suppliers, and shareholders. The M&S online suspension lasted 46 days. Think about that: a major British retailer couldn't sell products online for almost seven weeks because criminals made some phone calls.
The Vendor Dependency Disaster
The attacks expose a critical vulnerability in modern business operations: catastrophic vendor dependency. M&S trusted TCS to provide secure help desk services without apparently auditing or monitoring those security procedures.
When your vendor's security failures can destroy your business, vendor management becomes existential risk management. Yet most UK businesses treat vendor relationships as procurement exercises focused on cost rather than security competence.
Norman told MPs that M&S is now "making sure learnings from security incidents are discussed and dispersed, particularly at boardroom level." But this suggests they weren't taking vendor cybersecurity seriously before losing £300 million to preventable attacks.
What This Means for Every UK Business
If M&S and Co-op, with all their resources and supposed expertise, can get destroyed by basic social engineering, what does that mean for your business?
The brutal reality is that most UK SMBs have even worse help desk security than the organizations that just lost hundreds of millions to phone-based attacks:
- Your help desk procedures are probably non-existent
- Your staff training on social engineering is minimal or absent
- Your vendor security auditing is likely limited to asking for certificates
- Your incident response plan fits on a Post-it note
The government's latest survey shows that only 48% of small businesses conduct cyber risk assessments, only 40% use two-factor authentication, and only 19% provide cybersecurity training to staff. These are exactly the vulnerabilities that enabled the M&S and Co-op attacks.
The Solutions Are Embarrassingly Simple
This is what makes these attacks so infuriating: they were entirely preventable using basic cybersecurity controls that cost less than a weekend in Brighton.
Proper Help Desk Security Procedures:
- Call-back verification using registered company numbers for all password resets
- Management approval required for administrative account changes
- Security questions based on information not available publicly
- Escalation procedures for unusual or urgent requests
- Regular training on social engineering tactics

Multi-Factor Authentication:
- Hardware security keys for all administrative accounts
- No exceptions for "urgent" access requests
- Regular MFA audits to ensure compliance
- Backup authentication methods that can't be bypassed

Vendor Security Management:
- Regular security audits of critical service providers
- Contractual cybersecurity requirements and liability clauses
- Monitoring of vendor security procedures and incident response
- Alternative suppliers to reduce single points of failure

Incident Response Planning:
- Documented procedures for cyber attack response
- Regular testing and training of incident response teams
- Established communication channels for crisis management
- Legal and technical resources identified in advance
Every single one of these controls would have prevented the M&S and Co-op attacks. The technology costs £20-50 per user and takes days to implement. The training costs nothing but time.
The Regulatory Response Coming Your Way
Norman's testimony included recommendations for mandatory reporting requirements. He told MPs: "We do think that mandatory reporting is a very interesting idea" and noted that "quite a large number of cyber attacks never get reported to the NCSC."
This means the government is likely to impose mandatory breach reporting for businesses above certain sizes. If you think compliance is expensive now, wait until you're required to report every security incident to regulators who can impose unlimited fines.
The ICO is already investigating both incidents, and the precedent of unlimited GDPR fines means the financial consequences could extend far beyond the immediate operational losses.
The Uncomfortable Truth About British Cybersecurity
The M&S and Co-op disasters reveal something deeply uncomfortable about the state of UK cybersecurity: we're not failing because the threats are too sophisticated. We're failing because we refuse to implement basic security hygiene that's been proven to work.
These attacks succeeded because of human failures, not technical ones. No zero-day exploits. No nation-state-level resources. Just criminals with phones and enough patience to research their targets.
DragonForce has become one of the most active ransomware operations precisely because their social engineering tactics work against organizations that think cybersecurity is about buying expensive tools rather than fixing fundamental process failures.
Why This Will Keep Happening
The economics of social engineering attacks are compelling for criminals. Why develop expensive zero-day exploits when you can achieve the same results with phone calls? Scattered Spider and similar groups are proving that human vulnerabilities are more profitable and easier to exploit than technical ones.
Until UK businesses acknowledge that cybersecurity is fundamentally about people and processes, not just technology, these attacks will continue destroying organizations that thought vendor certificates and compliance frameworks provided meaningful protection.
The criminals are laughing at us because we keep making the same mistakes, then acting shocked when basic attacks succeed.
The Bottom Line: Wake Up or Get Destroyed
Norman committed to sharing "war stories" with other company boards to improve sector-wide preparedness. But sharing stories isn't enough when the fundamental problems remain unaddressed.
The choice for UK businesses is stark: implement basic cybersecurity hygiene now, or become the next parliamentary hearing where executives explain how phone calls destroyed their operations.
M&S and Co-op won't be the last major organizations to get destroyed by social engineering. The techniques that worked against them work against every business that prioritizes cost reduction over security competence in their vendor relationships.
Your call. But don't say nobody warned you when the criminals come calling with your own help desk on the line, asking if you'd like to reset your password for "urgent business requirements."
| Source | Article |
|---|---|
| Parliamentary Hearing Transcript | Business and Trade Sub-Committee on Economic Security, July 8, 2025 |
| BBC News | M&S cyber attack: Retailer hit by ransomware group DragonForce |
| Financial Times | M&S estimates £300m hit from cyber attack by DragonForce |
| The Register | M&S and Co-op admit they fell for old-fashioned social engineering |
| Sky News | M&S insider describes 'pure chaos' following cyber attack |
| Computer Weekly | Chaos spreads at Co-op and M&S following DragonForce attacks |
| Reuters | M&S, Co-op cyberattackers duped IT help desks into resetting passwords |
| Bloomberg | M&S Shares Drop on £300 Million Cyber Attack Cost Estimate |
| CyberScoop | DragonForce ransomware group targets major UK retailers |
| Gov.UK | Cyber security breaches survey 2025 |