What Recent Cyber Attacks Reveal About Readiness in 2025

Last updated on Oct 6, 2025

When we last wrote about the rising tide of cyberattacks hitting the retail sector, the headlines were already sobering: disruption at major brands, ransomware claims, and attackers showing a deep understanding of how to break into systems and exploit trust.

But that was just the beginning.

Since then, the threat landscape has widened. Retail, automotive, public sector, transport, and legal services have all been impacted in new and costly ways - exposing organizations not just to downtime and data loss, but to a more systemic risk: a lack of readiness. 

With production lines impacted and losses for victims reported to be in the tens of millions, this represents a resilience failure that will have far-reaching consequences.

This is not a blame game. If anything, these events show how complex, capable, and coordinated threat actors have become, and how easy it is to underestimate the business impact of even a single gap in policy, tooling, or planning. 

Quantifying the reputational impact

In recent months, the fallout from cyberattacks has extended far beyond IT teams - impacting profits, operations, and public trust.

In September, the Co-operative Group reported an £80 million profit hit following a “malicious cyberattack” that disrupted internal systems and slowed logistics, prompting scrutiny from customers and media alike.

Later in the month, Harrods confirmed a data breach affecting over 430,000 customers - caused not by an internal system failure, but by a third-party vendor compromise. The data exposed included names, contact details, and purchase histories, though no passwords or payment data were accessed. Harrods emphasized that its own infrastructure was not breached, but the reputational and operational consequences were still significant, especially as this marked its second reported cyber incident of the year.

These examples are part of a growing pattern, one where businesses, regardless of sector or cyber maturity, are being tested by attackers exploiting the weakest link in their environments, often through third-party access or social engineering.

These, of course, are just the tip of the iceberg. Significant attacks have also disrupted the automotive sector, with operations paused at one major manufacturer following a reported ransomware-related cyberattack. While full attribution has yet to be confirmed, initial reports suggest a group claiming to be affiliated with Scattered Spider took responsibility.

This same collective has been linked to attacks on the casino industry as well as several retail and insurance targets - frequently leveraging social engineering and identity compromise rather than what people may describe as ‘sophisticated’ zero-day or n-day exploits.

Importantly, the costs of these attacks are mounting. The automotive attack alone has resulted in support through a £1.5 billion loan guarantee to help stabilize the manufacturer’s supply chain and wider operations.

This isn’t a story of negligence. It’s a reminder that even businesses with modern infrastructure can be caught off guard when response planning, cyber insurance, and real-time detection aren’t treated as core priorities.

On attribution: what we know so far

While official attribution is still pending, a group claiming affiliation with Scattered Spider has publicly taken credit, posting alleged evidence on dark web channels and messaging platforms.

As we noted in our Scattered Spider threat profile, this group specializes in identity-based attacks and the use of trusted tools, bypassing traditional security controls without relying on zero-days. Their tactics mirror broader trends we’ve observed across sectors: reconnaissance, lateral movement, social engineering, and targeted extortion.

Whether or not this was Scattered Spider, the tactics and outcomes are consistent with the modern ransomware playbook.

Beyond retail: new sectors in the firing line

Recent weeks have shown just how widespread and unpredictable these attacks have become:

  • A coordinated cyberattack on airport systems caused delays at major airports across Europe, with one suspect already arrested

  • HMRC confirmed a breach involving taxpayer data, with the extent of access still under review

  • A UK law firm was fined £60,000 by the ICO for failing to prevent a cyber attack that exposed sensitive client data

These incidents cut across industries but share common failure points: unpatched systems, poor access control, insufficient monitoring, and slow detection of attacker movement inside trusted environments.

Raj Samani, Chief Scientist at Rapid7, had the following to say:

“One thing is clear. The role of actionable intelligence that is both timely and with high fidelity has never been more important. Waiting for IoCs simply does not work when credentials are stolen or bought, and the threat actor uses legitimate services to exfiltrate data.”

Resilience isn’t optional - it’s foundational

The lesson across recent attacks - from retail to automotive to public infrastructure - isn’t just that systems can fail. It’s that cyber resilience is too often treated as optional, until it’s too late. This isn’t a crisis of technology. It’s a crisis of readiness. In 2025, cybersecurity is no longer a “tech issue”; it’s a business risk, a supply chain risk, and a reputational risk.

To meet today’s threat landscape head-on, organizations need to invest in more than just tooling:

What every business needs now

  • Proactive exposure management
    Know what’s vulnerable and exploitable and prioritize the exposures attackers actually use

  • Clear incident response planning
    Define roles, escalation paths, and communications protocols before the breach happens

  • Identity-first security
    Detect credential abuse early, enforce least privilege, and prevent escalation through MFA and monitoring

  • Operationally relevant cyber insurance
    Ensure your policy covers real-world losses, not just forensics

  • Visibility across vendors and infrastructure
    Security partnerships should extend beyond internal systems to include third-party tools and suppliers

  • Security awareness and simulation
    Train employees to recognize and report impersonation, social engineering, and phishing attempts

  • Board-level visibility and buy-in
    Cybersecurity must be embedded in strategy, not just compliance

Even a brief breach without these controls can result in weeks of disruption, regulatory risk, and long-term financial damage.
