Enhancing the Retail Sector’s Resilience

November 26, 2025

Paying the Price: Enhancing the Retail Sector’s Resilience to Scattered Spider and Cl0p

This is the second in our Retail Resilience series. Check out the first article, Cyber Risk in UK Retail: A Golden Quarter Under Threat.

Threat actors have retail firmly in their sights. High profile breaches across giants, from Cartier, Co-op and Adidas to Marks & Spencer, underscore just how much is at stake. With sprawling customer data, complex supply chains and relentless digital transformation, the sector is a prime target for sophisticated threat groups. Kroll's Threat Intelligence Team strongly indicates that Scattered Spider and Cl0p pose a high risk to the retail sector. This article outlines the challenges they present, then sets out the steps retailers should take to ensure their resilience amid a turbulent threat landscape.

Retailers at Risk

The retail industry has long been a prime target for cyber criminals, and the threat is only growing more serious. Why? Retailers process huge volumes of sensitive financial data—making them especially attractive to attackers looking for a direct payoff. Major breaches aren’t new: in 2007, TJX lost 45 million credit card numbers, and in 2013, Target exposed information tied to 40 million cards and 70 million customers.

Recent incidents show just how high the stakes have become. In September 2025, Jaguar Land Rover paused production for nearly six weeks after a ransomware attack, causing a 17% drop in retail sales and a 24% dip in wholesale volumes. Earlier this year, Harrods disclosed that unauthorized access through a supplier exposed records for more than 430,000 customers, while UK grocer Co-op lost £206 million in revenue and £80 million in profits after a breach impacting 6.5 million customer records. Marks & Spencer, meanwhile, suffered a multiweek ecommerce shutdown, reportedly losing £15 million each week.

Many of these attacks—three in the last year alone—have been linked to the same cybercriminal group, Scattered Spider. For retailers, the message is clear: sophisticated, financially-motivated attacks are hitting harder and more frequently, paralyzing supply chains and directly impacting the bottom line.

[Infographic: Enhancing the Retail Sector’s Resilience to Scattered Spider and Cl0p. Sources: BBC, Bleeping Computer, Bloomberg, Reuters]

Going Shopping: Why Threat Actors Love Retail

Retailers sit at the intersection of valuable data, complex logistics and rapid change—making them a favorite target for cybercriminals.

  • Rich in Customer Data
    Retail organizations collect and process vast amounts of sensitive data—payment card details, addresses and more. Threat actors know they only need to find one weak link, whether it’s a payment processor, e-commerce platform or logistics partner.
  • Complex, Multilayered Supply Chains
    Retail success depends on intricate, multilayered supply chains, each introducing new risks. Disruptions from geopolitics, shifting regulations and climate events add to the challenge. As software supply chains grow, 72% of organizations now cite them as their biggest blind spot, especially as code from outside vendors increases the attack surface.
  • Legacy Technology, Unpatched Systems
    Retailers depend on a patchwork of digital platforms—point-of-sale technology, inventory management, mobile apps—to stay agile. But outdated software and delayed security updates create gaps that sophisticated ransomware groups can exploit. Rapid adoption of trends like generative AI without adequate safeguards only raises the stakes.
  • Cybersecurity Training Gaps
    Many retail companies still underinvest in cybersecurity training, even as high employee turnover and credential mismanagement multiply risks. Every employee and system can become an entry point for attack if best practices aren’t understood and enforced, and the fast turnover of retail staff compounds the problem through poorly managed credentials, insider threats and a lack of awareness of security fundamentals.
  • The Risk of Seasonal Spikes
    High-traffic events like Black Friday and the holiday season don’t just draw in customers—they also attract threat actors looking to capitalize on publicity and the flood of new data. These peak periods can leave retailers especially exposed.

The bottom line: Digital transformation has made retail faster and smarter, but also riskier. Staying ahead requires ongoing vigilance, investment and culture change—starting at the top.

Familiar Adversaries Go on a Shopping Spree

Already two of the most recognized names in the threat landscape, Scattered Spider and Cl0p continue to evolve, making them a significant threat to retail businesses.

Scattered Spider: Efficient and Organized

Scattered Spider, which works with the DragonForce ransomware cartel, is known for its speed and proficiency. Now a major international cybercrime group, Scattered Spider first emerged around 2021 and began targeting major companies. CISA describes the group as using “multiple social engineering techniques—including push bombing—and subscriber identity module (SIM) swap attacks, to obtain credentials, install remote access tools, and/or bypass multifactor authentication (MFA).”

After targeting insurance companies in 2023, the group was disrupted by U.S. law enforcement. Now, it is back in action, thought to be behind cyberattacks on U.S. insurers and retailers in Europe, primarily the UK. In April and May 2025, well-established UK retailers, such as Harrods, Marks & Spencer and Co-op, fell victim to attacks by Scattered Spider, with the latter two companies experiencing significant operational disruption. While there was a spate of incidents in the second quarter of 2025, Kroll’s Threat Intelligence Team has indicated that Scattered Spider is likely setting out again to take aim at retailers, particularly in light of Black Friday and the holiday season.

Approach

Analysis indicates that Scattered Spider’s previous attacks on retail used phishing for initial access, off-the-shelf tools for lateral movement and ransomware-as-a-service to encrypt and exfiltrate sensitive data. It has also been suggested that a key tactic used to target retail was exploiting service desk employees through highly sophisticated social engineering, with one attack reportedly involving duping an IT help desk into resetting credentials and so enabling unauthorized access to internal systems.

Cl0p: Notorious and Versatile

Cl0p, a prolific and versatile ransomware operation, is run by an organized cybercrime group known as TA505 and focuses on self-hosted file transfer solutions and the extortion of sensitive data. CISA describes Cl0p as “a ransomware variant associated with the FIN11 threat actor group and the double extortion tactic.” Observed since February 2019, the group has targeted a wide range of sectors and has extorted over $500 million in ransom payments. While Cl0p is known for targeting the financial, healthcare, manufacturing and media industries, it is now thought to be increasing its focus on the retail sector. This is evidenced by the group’s behavior in the first quarter of 2025, when it was responsible for 46% of all retail companies appearing on data leak sites. Attacks included those on the American warehouse supermarket chain Sam’s Club and the luxury retailer Saks Fifth Avenue.

Approach

Cl0p has evolved since it first emerged but now tends to focus on zero-day attacks, developing and deploying exploits against previously unknown vulnerabilities, such as MOVEit. Research has also identified that Cl0p operators are combining their scattergun approach to compromising targets with a more strategic stance.

The ransomware typically spreads via malicious email attachments, websites and links. Rather than relying on file encryption alone to demand a ransom, Cl0p combines data theft with a quadruple extortion model in which victims who refuse to pay risk having their stolen data leaked on a Tor-hosted data leak site known as ‘CL0P^_-LEAKS’.

Blocking the Threat Actors: Key Recommendations 

By taking key steps now, alongside the support of a trusted security partner, businesses can better defend themselves against the potential disruption and damage of an attack. 

  • Empower Teams
    Retailers must act fast to evaluate their help desk policies and educate their workforce, training employees to identify and report the latest social engineering tactics.
  • Strengthen Detection Capability at Pace
    Invest in modern threat intelligence and indicators of compromise (IOCs) to spot emerging attacks and rapidly contain threat activity. Conduct regular red team exercises and threat emulation assessments based on current adversary tactics to identify and address gaps, and monitor known IOCs.
  • Prioritize Fundamental Security Controls
    Retail companies must ensure their security fundamentals are in place: review identity and access management policies and controls, enforce least-privilege principles, and equip all endpoints with endpoint detection and response and next-generation antivirus solutions to detect and stop suspicious activity early. Controls must be redesigned to address an expanding attack surface, and detection capabilities should be strengthened and integrated with up-to-date threat intelligence and emulation exercises. Endpoint protection must be robust and cloud services secured in line with best practices. Retail companies should also consider FIDO2 authentication for sensitive roles.
  • Be Ready to Respond
    Establish one or more incident response retainers and touch base with your vendors regularly. Test incident response plans regularly through exercises, ideally modeled on a business-aligned ransom and extortion event such as the real-world attacks by Scattered Spider and Cl0p, to identify and address gaps.
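The help desk reset tactic described in the Scattered Spider approach above is something the detection recommendations can be made concrete for. The following is an added example, not Kroll's tooling or code from this article: it scans constructed audit events for a help-desk password reset followed by a new MFA device on the same account within a short window, rating resets on assumed sensitive accounts as high severity. The log format, the `helpdesk.` actor prefix, the 30-minute window and the sensitive account list are all assumptions.

```python
"""Detect help-desk credential resets followed by MFA re-enrolment.
Added example; log format, actor naming and thresholds are assumptions."""
from datetime import datetime, timedelta

# Constructed sample audit events: "<timestamp> <actor> <action> <target>"
SAMPLE_LOG = """\
2025-11-21T09:02:10Z helpdesk.jsmith password_reset finance.admin
2025-11-21T09:14:55Z finance.admin mfa_device_added finance.admin
2025-11-21T10:30:00Z helpdesk.jsmith password_reset store042.till
2025-11-21T15:45:00Z store042.till mfa_device_added store042.till
2025-11-21T11:00:00Z self.service password_reset marketing.user
"""

SENSITIVE_ACCOUNTS = {"finance.admin"}  # assumed list of privileged accounts
WINDOW = timedelta(minutes=30)          # assumed correlation window


def parse(log: str):
    """Parse one event per line into (timestamp, actor, action, target), sorted by time."""
    events = []
    for line in log.strip().splitlines():
        ts, actor, action, target = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), actor, action, target))
    return sorted(events)


def find_suspicious_resets(log: str):
    """Return (account, severity) for each help-desk password reset that is
    followed by a new MFA device on the same account within WINDOW."""
    events = parse(log)
    findings = []
    for ts, actor, action, target in events:
        # Only resets performed by help-desk staff, not self-service resets
        if action != "password_reset" or not actor.startswith("helpdesk."):
            continue
        for ts2, _, action2, target2 in events:
            if target2 == target and action2 == "mfa_device_added" and ts < ts2 <= ts + WINDOW:
                severity = "high" if target in SENSITIVE_ACCOUNTS else "medium"
                findings.append((target, severity))
                break
    return findings


if __name__ == "__main__":
    for account, severity in find_suspicious_resets(SAMPLE_LOG):
        print(f"{severity}: help-desk reset then MFA enrolment on {account}")
```

In the sample, only finance.admin is flagged: the store till reset has its MFA enrolment hours later, and the marketing reset was self-service.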

Safeguarding Retail: How Kroll Can Help

At Kroll, we are proud to have earned a reputation as a trusted security partner for leading retailers. We help clients in that space to strengthen their detection capabilities and prepare for emerging threats, supporting both large-scale transformation and tactical, targeted capability uplifts to help mitigate cyber threats.

Kroll Cyber Risk experts respond to over 3,000 security events every year. We manage incidents of all types, complexity and severity for organizations across diverse industries. You can count on Kroll’s unique frontline experience not only in a crisis, but also for proactive planning and mitigation strategies. We are among the top service providers preferred by major cyber insurance companies and offer client-friendly incident response retainers for peace of mind.

Designed to help you uncover hidden weaknesses before attackers exploit them, our assessment services include help desk social engineering testing, policy and playbook reviews, and security operations assessments focused on logging, detection engineering, response playbooks and the prioritization of exposures and risks. Our services for retail companies also include cloud security assessments and identity security assessments covering SSO, MFA and Active Directory hardening. We test capabilities through our elite offensive security experts, mimicking targeted threat actors through red team exercises and breach and attack simulation platforms, and we configure endpoint security products in line with vendor recommendations.

Our experts can boost your company’s readiness through tabletop exercises aligned to your business model and crisis management workflows, modeled after modern attack scenarios. This is supported by tailored employee education and training to prevent your own team from becoming a security risk. Enhance your preparedness even further with threat intelligence briefings tailored to the retail sector.

Kroll’s Enterprise Risk Retainer helps organizations stay ahead of emerging risks with proactive risk management, financial predictability and expert-led incident response services. By combining pre-negotiated incident response SLAs with service credits applied to a wider variety of enterprise risk services when needed, businesses can mitigate risks effectively while maintaining operational resilience.

In the event of a security incident, we bring decades of experience of helping clients notify their customers affected by breaches of all sizes—from a small number of individuals to complex situations involving millions of data subjects across multiple jurisdictions, time zones and languages. Our expertise also includes sensitive data discovery analytics in the event of data theft to support victim and regulator notification.
