printer friendly version

Retailers under cyberattack

Recent cyberattacks on major UK retailers like Marks & Spencer and the Co-op are not just headline-grabbing stories; they provide a cautionary tale of the evolving threat landscape facing modern retail globally. For African retailers accelerating digital transformation, these incidents serve as a crucial case study in what can go wrong when uptime, not just data, is under attack.

In April, two of Britain’s biggest retailers got hit by a massive cyberattack by the notorious Scattered Spider group, leading to substantial financial losses, operational disruptions and compromised customer data. M&S; suffered losses of £300 million (roughly R7,3 billion) due to the attack, with supply chains affected for weeks. On top of the direct losses, over £1 billion was stripped from the organisation's market value. Similarly, the Co-op experienced data breaches affecting customers’ personal information, while Harrods reported attempted cyberattacks, but managed to maintain online operations.

These attacks are not just about stolen data; they took whole systems offline. In retail, downtime is a critical threat; it affects sales, customer trust, and brand loyalty – instantly.

A new kind of threat actor

Unlike traditional ransomware gangs, Scattered Spider is decentralised, native English-speaking, and highly adaptive. Scattered Spider is not merely an opportunistic hacking group; it operates more like a well-funded, well-organised crime syndicate.

With some members as young as 19, they coordinate their activities on platforms like Discord and Telegram. They are agile, patient and disturbingly good at blending in. Added to this, they have great expertise in human psychology, as showcased during their attacks on Vegas casinos in 2023.

Their primary weapons are not just digital, they are human. They have mastered social engineering. They specialise in exploiting human trust. From vishing (voice phishing) to impersonating internal staff and triggering what is referred to as MFA fatigue, they are skilled manipulators who understand both systems and people.

MFA fatigue is one of the growing tactics they are known for, which involves triggering repeated multi-factor authentication (MFA) prompts, hoping the bombarded employees eventually click ‘approve’ to make the interruptions stop.

Another alleged tactic Scattered Spider used in its latest attacks involved calling IT helpdesks to reset credentials, gaining access to their target’s infrastructure and subsequently deploying a ransomware-as-a-service tool. The outcome? Encrypted systems, stalled operations, and a long road to recovery.

Anna-Collard.

Why Africa should be paying close attention

Retailers across Africa – particularly in South Africa, Nigeria, and Kenya – are digitally transforming at a rapid pace. Cloud-based POS systems, centralised inventory platforms, and data-driven loyalty programmes are now standard. These digital advancements also expand attack surfaces.

High employee turnover, remote workforces, and under-resourced helpdesks can compound exposure. While business English is common in South Africa, this linguistic advantage also makes local teams more susceptible to social engineering by fluent English-speaking attackers.

Our local executives are not naïve. Many are acutely aware of the risks. What is needed now is clarity on what really matters, and cutting through the noise.

Pepkor IT’s CISO, Duncan Rae, delivered an insightful talk at a security summit in May where he warned that cybersecurity teams are often overwhelmed, not just by threats, but by too many competing priorities. “Teams are bombarded with shiny, new tools and threat reports spreading fear, uncertainty, and doubt (FUD), which sometimes makes organisations lose sight of the basics”, he warned.

“These basics include managing human risk, addressing third-party exposure, and hardening vulnerabilities,” said Rae.

What needs to change?

Legacy systems, shadow IT, and poorly enforced policies create entry points. Attackers do not need to break in if they can just log in.

For African retail leaders, this is a call to fortify the human layer. Train your frontline teams, especially the helpdesk and customer support. Teach them to detect manipulation. Make secure behaviour the norm, not the exception.

Equally important is embedding cybersecurity into leadership conversations. Cybersecurity is not just an IT function. It is a board-level business risk. Executives must ask tough questions about readiness, incident response, and accountability.

From awareness to action

Too often, security training is treated as a box-ticking exercise; it requires a more thoughtful approach. Training must resonate, be contextual, culturally relevant, and delivered in local languages where appropriate.

Business leaders must ask themselves the following:

* Could an attacker trick your helpdesk into a password reset?

* Would your staff recognise a social engineering attempt?

* Do you test these scenarios regularly?

If the answer is ‘no’ to any of these, your organisation is vulnerable, but the good news is that change is possible – and fast – when you start investing in the human element. Cyber resilience is a collective responsibility, and in an interconnected world, learning from each other’s crises is one of the smartest defences we have.

Share this article:

Further reading: