How UK retailers got hacked, and the lasting consequences of data breaches.

A string of ransomware attacks recently hit some of the UK’s biggest retail brands, leaking millions of customer records.

What made these breaches possible wasn’t just technical gaps — it was people. Each breach exposed the same two weak points:

  • Employees who can be tricked into granting access
  • Passwords that are easy to steal or reset

We’re looking at what happened, what these weaknesses reveal and what your organisation can do now to avoid becoming the next target.

What to know about these ransomware attacks 

A group calling itself DragonForce has claimed responsibility for the rapid series of attacks, all done in a span of two weeks:

Marks & Spencer (M&S): The cybercriminal group targeted the high-street giant over the Easter weekend, disrupting contactless payments across its physical stores and forcing it to suspend online orders. 
 
How did they get in? They used social engineering. The attackers impersonated M&S employees and convinced the retailer’s help desk to reset the passwords linked to those employees, allowing them to breach internal systems.

Co-op: DragonForce also attacked Co-op’s back-office systems and call centres shortly after M&S. The supermarket chain, which has over 6 million members, clarified that only names and contact information were exposed, not passwords and financial details.

Still, this issue creates a risk of phishing attacks. There’s no sign that the stolen data has been used so far, but the scale and sensitivity of the information involved keep the threat active.

Harrods: The luxury London department store publicly confirmed an attempted attack on 1st May, making it the third high-profile UK retailer to be targeted.

Harrods responded by immediately restricting internet access across its sites. Both its website and stores continued operating normally and no data theft or ransom demand has been confirmed. The retailer has not publicly attributed the incident to DragonForce, but the timing and tactics point to a coordinated campaign.

Tighter checks and higher premiums

Following these incidents, the UK's National Cyber Security Centre called on businesses to tighten authentication processes, especially around password resets, and to guard against social engineering.

Insurers are also adjusting their risk models accordingly. Analysts now expect cyber insurance premiums for UK retailers to rise by as much as 10%.

Why these attacks might lead to more cyber attacks 

The recent breaches carry lasting consequences because the stolen data — names, addresses, phone numbers and in some cases payment details — create fresh opportunities for future intrusions.

How stolen data gets reused

Once hackers have personal data, they can use it to move laterally within a network to escalate their access privileges, manipulate other users and bypass systems that rely on identity verification. Common follow-on threats include:

  • Phishing and spear-phishing: Attackers create emails or messages that look legitimate to trick victims into sharing sensitive data or clicking links that install malware on their devices or networks.
  • Identity theft: With enough personal information, criminals can impersonate individuals to open new credit accounts and commit financial fraud under someone else’s name.
  • SIM-swap fraud: Bad actors can hijack a mobile number and port it to a new SIM to intercept one-time passwords or two-factor authentication codes, ultimately gaining direct access to the victim’s banking, email and other sensitive accounts. 
  • Credential stuffing: Fraudsters can also test hacked passwords across dozens of websites to see where else they work. This takes advantage of people’s tendency to reuse login details and passwords across multiple accounts. 
  • Coercive impersonation fraud: Fraudsters can retarget people whose data has been lost, often contacting them while pretending to be from their bank’s fraud department and convincing them that there is suspicious behaviour on their accounts. If they have already been victims of data loss, the fraudsters bank on them being more susceptible to believing that their data is being used by criminals. From there, the fraudsters can apply just enough pressure to lead them into making transfers to so-called safe accounts to protect their assets. This is commonly known as APP fraud.


The long tail of a breach

These attacks don’t end when the systems are cleaned up. In most cases, data breaches shake customer confidence and many don’t return. Research shows that up to 80% of consumers in developed countries stop doing business with a company if their personal information is compromised.


How can banks, retailers and others protect against cyber attacks?

To strengthen security, organisations need to address the vulnerabilities that allowed these lapses to happen in the first place: passwords and human error.

Replacing weak passwords with more robust alternatives

The problem with passwords and one-time passcodes (OTPs) is that they can be phished for, guessed, intercepted, or simply given away. Outdated password authentication methods also often fail to meet PSD2 and EMV® 3-D Secure requirements.

The scale of the ‘password problem’ cannot be overstated. According to Verizon’s 2024 Data Breach Investigations Report, 81% of hacking-related data breaches were caused by stolen or weak passwords, and more than 2.8 billion passwords, hashed or otherwise, were posted for sale (or free for the taking) in criminal forums.

JT’s Silent Authentication+ is a safer and faster alternative. Instead of asking users to type in credentials or enter OTPs, it uses a cryptographic key stored on the user’s SIM or eSIM to silently verify identity in the background. This removes friction and eliminates the user’s exposure to phishing.

  • It’s fast and seamless: Users are authenticated instantly with no codes or passwords required.
  • It’s secure by design: Authentication happens silently using a cryptographic key, so there’s nothing to steal through social engineering.
  • It fits your existing workflows: Use it for onboarding, logins, payments and real-time support without disrupting the user experience.

Silent Authentication+ strengthens trust while simplifying the user experience by eliminating the weakest points in the login process.

Reducing SIM takeovers with SIM Swap

With almost 3,000 recorded cases in 2024, SIM swap fraud has become one of the simplest and most effective ways fraudsters hijack digital identities. They steal mobile numbers and copy them to a new SIM to intercept calls and texts meant for the victim — including authentication codes. That access is often enough to take over bank accounts and high-value services.
 
JT offers a fully managed SIM Swap service that checks whether the SIM linked to a customer’s phone number has recently changed, which may signal that a fraudster has taken control of the number.

JT's SIM Swap service:

  • Compares the phone number (MSISDN) to the SIM’s unique ID (IMSI) using live data from mobile operators
  • Integrates via API into fraud prevention workflows, allowing your organisation to trigger additional checks or block high-risk activity in real time
  • Filters out benign activity to reduce false positives
  • Delivers telco-grade insights and audit-ready data to help you meet regulatory requirements

By providing timely network-level intelligence, JT’s SIM Swap solution can give banks, retailers and fintechs a clearer picture of risk before attackers strike.
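The check described in this section, a number's current SIM identity compared against the one seen at enrolment, can gate any action that trusts SMS or voice to that number. The sketch below is an added example, not JT's API or code: `SimStatus`, `assess` and the 72-hour window are assumptions, and the sample record is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy value, not taken from the article: how long after a SIM
# change the number is treated as high risk.
RECENT_CHANGE_WINDOW = timedelta(hours=72)


@dataclass(frozen=True)
class SimStatus:
    """Hypothetical result of an operator lookup for one phone number."""
    msisdn: str                          # phone number
    imsi: str                            # SIM identity currently bound to it
    last_sim_change: Optional[datetime]  # None when the operator has no data


def assess(enrolled_imsi: str, status: Optional[SimStatus],
           high_value: bool, now: datetime) -> str:
    """Decide whether SMS/voice to this number can be trusted right now.

    Returns "allow", "step_up" (require a non-SMS factor) or "block".
    """
    if status is None or status.last_sim_change is None:
        # Fail closed: no operator data means the number proves nothing.
        return "step_up"
    if status.imsi == enrolled_imsi:
        return "allow"  # same SIM the customer enrolled with
    recently_changed = now - status.last_sim_change <= RECENT_CHANGE_WINDOW
    if recently_changed:
        # New SIM within the window: the pattern a SIM-swap takeover produces.
        return "block" if high_value else "step_up"
    # Older change, e.g. a replaced handset: re-bind via a non-SMS factor
    # instead of silently trusting the new SIM.
    return "step_up"


if __name__ == "__main__":
    now = datetime(2025, 5, 10, 12, 0, tzinfo=timezone.utc)  # constructed
    swapped = SimStatus("+447700900123", "234150000000002",
                        now - timedelta(hours=3))
    print(assess("234150000000001", swapped, high_value=True, now=now))
```

Treating missing operator data as `step_up` rather than `allow` keeps a lookup outage from silently disabling the control.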

Stopping APP fraud with Scam Signal

Scammers don’t always need to break into systems. Often, they just need to trick the right person or intercept the right code. That’s exactly what happens in Authorised Push Payment (APP) fraud: criminals pose as a trusted business or government agency to cheat victims into sending money or sharing personal information. 

JT’s Scam Signal analyses mobile activity patterns to identify APP calls before payments are made, so you can take action.

Already used by some of the UK’s largest high street banks to protect over 14 million customers, it can reduce:

  • Scams in progress by 41%
  • Overall fraud by 44%
  • False positives by 55%

Now that mandatory reimbursement rules are in effect, payment service providers are expected to cover the cost of APP fraud. Scam Signal helps you stop scams to reduce your reimbursement exposure.

Learn more about JT's Mobile Intelligence fraud prevention solutions 

As scams become faster and harder to detect, organisations need ways to respond instantly, at the earliest sign of risk.

JT’s multi-layer Mobile Intelligence solutions help you do exactly that, using telecom data to strengthen authentication and stop fraud at the source.

Get in touch with our team to see exactly how we can support your fraud prevention strategy.

 

 
