
A Series of Cyberattacks Hits the UK Retail Industry: How Could They Have Been Prevented?

In early 2025, a series of cyberattacks targeted the UK retail industry. Major retailers such as Marks & Spencer (M&S), Co-op, and Harrods—companies trusted far beyond their roles as retail brands—were among the victims. The impact of the breaches highlighted serious gaps in external asset visibility.

In this post, we review the security breaches experienced by these companies and assess how an Attack Surface Management (ASM) solution might have allowed for early detection and mitigation of internet-exposed assets. Based on the real interface of Criminal IP ASM, we demonstrate how each function could have contributed to preventing the attacks.

Retail Industry Under Attack: Why It’s a High-Value Target for Hackers

The retail industry is structurally vulnerable to cyber threats. Data such as customer names, payment details, and purchase records are highly valuable to hackers. Moreover, numerous interfaces—including store POS, logistics systems, mobile applications, and admin portals—are internet-facing, resulting in a broad attack surface. In addition, the multi-tiered supply chain and system integration with third-party vendors often create blind spots in security—vulnerabilities that attackers actively exploit.

Threat Overview: Cyber Attacks on Three Major Retailers

Major British retail industries targeted by series of hacking attacks

1. Marks & Spencer (M&S)

  • Incident Date: April 22, 2025
  • Impact: Customer data breach, nationwide payment system disruptions, temporary suspension of Click & Collect service.
  • Notable Detail: The hacker directly targeted the CEO, demanding a ransom.
  • Official Statement: “No payment information was compromised; however, customer data was breached” (as reported by WSJ)

2. Co-op

  • Attack Group: DragonForce
  • Impact: Database containing customer names, emails, and other personal details was stolen.
  • Official Statement:  “No financial data was leaked, but some member information was compromised.”

3. Harrods

  • Attack Period: Concurrent with the other two incidents; suspected to be part of one organized campaign.
  • Common Factor: All three incidents point to initial access through exposed external assets.

Detection of Exposed Assets Using Criminal IP ASM

Criminal IP ASM automatically collects IT assets such as exposed organization IPs, domains, certificates, and ports, and detects risks in real time. The detected risks can be easily monitored through dashboards and reports, allowing for responses based on threat prioritization (High/Medium/Low).

Criminal IP ASM enables the systematic management of externally exposed assets through seven key features, allowing for the early detection of cyber threats and a proactive response.
Each feature follows a workflow of Detection → Classification → Tracking → Alerting → Response, and is designed to ensure effective security operations in complex, multi-system environments such as the retail industry.

The following section outlines the role of each feature and how retail companies like M&S, Co-op, and Harrods could have mitigated threats using them.

1. Dashboard – A Clear Overview of All Assets and Risks

Criminal IP ASM dashboard showing risks categorized by three-level response priority

The dashboard visualizes key data such as overall asset status, detected risks, geographic distribution, and service-related information across the organization.
This enables quick identification of high-risk areas or countries and helps users intuitively understand the scale and nature of the threats.

→ Global retail companies with stores in multiple countries, such as M&S, could have quickly identified region-specific risks through their dashboards and developed a global response strategy.

2. IP Assets – IP Inventory Detectable Externally

View of newly detected IP assets in Criminal IP ASM over the last 14 days

The IP Assets (Application) menu displays a list of the organization’s externally detectable IP addresses, along with information on open ports, active applications, and associated Autonomous System (AS) details.
It also automatically highlights newly discovered IP assets within a recent period, enabling early detection and swift response to newly exposed infrastructure.

→ An exposed external IP, such as Co-op’s unmanaged test server, would likely have been detected and mitigated early through the IP Assets menu.

3. Domain/Certificates – Comprehensive Monitoring of Domains and Certificates

Easily identify and control subdomains with Criminal IP ASM

This menu enables organizations to monitor domain and subdomain status, SSL certificate validity and expiration, encryption standards, and more from a single view.
Since expired certificates and neglected subdomains are frequently targeted by attackers, centralized visibility is a key component of a proactive security strategy.

For example, if a test page were exposed under *[.]marksandspencer[.]com, it could be identified and addressed through this menu.

4. Risks – Prioritizing Automatically Detected Threats

Criminal IP ASM to monitor automatically detected Risks

The Risk menu categorizes vulnerabilities, outdated software, and open ports automatically detected by ASM into risk levels (High/Medium/Low).
Security teams can prioritize and address the most urgent issues first and allocate internal resources more effectively.

For example, an RDP server with port 3389 open and an outdated Apache (2.4.6) instance are both classified as ‘High’ risk.
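To make the classification in sections 3 and 4 concrete, the following is an added example (not Criminal IP's code or rules): a small policy-based rater that takes an inventory of externally visible services and assigns each finding a High/Medium/Low level. The inventory, the management-port list, the minimum-version baseline, the 30-day certificate warning window and the assessment time are all constructed for this example; a real ASM product derives its levels from vulnerability data, not from a hand-written table like this one.

```python
import re
from datetime import datetime, timedelta, timezone

# Hypothetical policy baseline (an assumption for this example, not the
# vendor's ruleset): remote-management ports that should not face the
# internet, and the lowest version of each product the organization accepts.
MANAGEMENT_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 445: "smb",
                    1433: "mssql", 3306: "mysql", 3389: "rdp", 5900: "vnc"}
MIN_VERSIONS = {"Apache httpd": "2.4.50", "nginx": "1.20.0"}
CERT_WARNING_DAYS = 30
SEVERITY = {"High": 0, "Medium": 1, "Low": 2}

# Constructed assessment time and inventory; hosts, addresses (documentation
# range) and banners are made up and do not describe any real organization.
NOW = datetime(2025, 5, 1, tzinfo=timezone.utc)
ASSETS = [
    {"host": "shop.example-retail.test", "ip": "198.51.100.10", "port": 443,
     "service": "https", "product": "nginx", "version": "1.24.0",
     "cert_not_after": "2026-03-01T00:00:00Z", "tls_min": "TLSv1.2"},
    {"host": "legacy.example-retail.test", "ip": "198.51.100.23", "port": 3389,
     "service": "rdp", "product": None, "version": None,
     "cert_not_after": None, "tls_min": None},
    {"host": "test.example-retail.test", "ip": "198.51.100.42", "port": 80,
     "service": "http", "product": "Apache httpd", "version": "2.4.6",
     "cert_not_after": None, "tls_min": None},
    {"host": "old-cdn.example-retail.test", "ip": "198.51.100.57", "port": 443,
     "service": "https", "product": "nginx", "version": "1.18.0",
     "cert_not_after": "2025-01-15T00:00:00Z", "tls_min": "TLSv1.0"},
]


def version_tuple(version):
    """'2.4.6' -> (2, 4, 6) so that versions compare numerically, not as text."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def assess(asset, now):
    """Return a list of (level, reason) findings for one exposed service."""
    findings = []
    port = asset["port"]
    if port in MANAGEMENT_PORTS:
        findings.append(("High", f"{MANAGEMENT_PORTS[port]} ({port}/tcp) exposed to the internet"))
    product, version = asset.get("product"), asset.get("version")
    if product in MIN_VERSIONS and version:
        if version_tuple(version) < version_tuple(MIN_VERSIONS[product]):
            findings.append(("High", f"outdated {product} {version} (baseline {MIN_VERSIONS[product]})"))
    not_after = asset.get("cert_not_after")
    if not_after:
        expiry = datetime.fromisoformat(not_after.replace("Z", "+00:00"))
        if expiry <= now:
            findings.append(("High", f"certificate expired on {expiry.date()}"))
        elif expiry - now <= timedelta(days=CERT_WARNING_DAYS):
            findings.append(("Medium", f"certificate expires on {expiry.date()}"))
    if asset.get("tls_min") in ("SSLv3", "TLSv1.0", "TLSv1.1"):
        findings.append(("Medium", f"legacy protocol {asset['tls_min']} accepted"))
    if asset["service"] == "http":
        findings.append(("Low", "cleartext HTTP service"))
    if not findings:
        findings.append(("Low", "no policy violation detected"))
    return findings


def prioritize(assets, now):
    """Flatten every finding into rows ordered High -> Medium -> Low."""
    rows = [(level, a["host"], a["ip"], a["port"], reason)
            for a in assets for level, reason in assess(a, now)]
    return sorted(rows, key=lambda r: (SEVERITY[r[0]], r[1], r[3]))


def highest_level(assets, now):
    """Map host -> its worst level, the figure a dashboard summary would show."""
    worst = {}
    for level, host, *_ in prioritize(assets, now):
        worst.setdefault(host, level)  # rows arrive worst-first
    return worst


if __name__ == "__main__":
    for level, host, ip, port, reason in prioritize(ASSETS, NOW):
        print(f"[{level:6}] {host} {ip}:{port} - {reason}")
```

Run as a script, the rater prints the RDP exposure and the outdated Apache first, matching the ordering the Risk menu is described as giving; the design point is that the level is attached to the reason, so an analyst can dispute a single rule without re-scoring the whole inventory.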

5. Tracking Log – Tracking Risk Change History

Criminal IP ASM for tracking risk change history

The Tracking Log menu shows risk occurrences and resolutions for each asset in a chronological log. This helps security teams review the effectiveness of security measures or analyze attack patterns over time to determine the optimal response timing.

As seen in the Co-op case, when attackers perform a pre-scan before launching an attack, changes in risk status are logged in this menu, enabling forensic analysis and tracking of response actions.

6. OSINT – Detecting Information Exposed on Google Search

Criminal IP ASM to detect information exposed on Google Search

The OSINT menu detects in real-time whether an organization’s assets or sensitive directories (e.g., admin, backup) are exposed on search engines, based on publicly available Google Index data. Exposed information creates a direct access risk, making early prevention crucial.

If sensitive directories like ‘admin’ or ‘backup’ were exposed on external search engines, they could have been quickly detected and blocked.

7. Dark Web – Detect Exposed Asset Information on the Dark Web

Criminal IP ASM to detect exposed asset information on the dark web

The Dark Web menu allows you to verify whether the organization’s email addresses, domains, accounts, and other information are being traded on the dark web. It also provides detailed context such as the leak time and site names. This helps prevent secondary damage and facilitates proactive external messaging.

If M&S customer data had been shared on the dark web after the attack, this menu would have allowed real-time monitoring of its distribution and enabled the early release of a response message.

FAQ

Q. Why is the retail industry vulnerable to cyberattacks, and why are existing security solutions not enough?

The retail industry handles high-value assets such as customer information and payment data, while operating various online touchpoints like physical stores, websites, and mobile apps—resulting in a broad attack surface. Exposed ports, test systems, and unused subdomains often serve as easy entry points for attackers, and complex supply chains or outsourced systems can create security blind spots. However, traditional solutions such as firewalls, antivirus software, and EDR primarily focus on protecting internal systems and fail to detect internet-exposed assets or Shadow IT. In the M&S and Co-op cases, externally exposed assets were used as entry points in actual attacks. Preventing this requires the implementation of an external Attack Surface Management (ASM) solution like Criminal IP ASM.

Conclusion

The recent series of cyberattacks targeting three major UK retailers is not just a case of internal system flaws—it illustrates how externally exposed assets can escalate into organization-wide breaches. Attackers are constantly scanning for unnoticed vulnerabilities, and without proactive detection, there’s no real chance to defend.

Criminal IP ASM automatically identifies the attack surface and provides response guidance based on risk prioritization. It’s a critical tool that shifts the focus from post-incident response to pre-incident prevention.

For a related case, see Exposed Admin Panel of a National Information Society Agency: an ASM Perspective.


This report is based on data from the cyber threat intelligence search engine Criminal IP and the intelligence-driven attack surface management solution Criminal IP ASM. You can explore the full capabilities of Criminal IP ASM and monitor your own attack surface through a free demo.

Sources: Criminal IP (https://www.criminalip.io/), News1 (https://www.news1.kr/world/europe/5772650), WSJ (https://www.wsj.com/tech/cybersecurity/marks-and-spencer-group-says-hackers-stole-customers-personal-data-fbc2cb73), BBC (https://www.bbc.com/news/articles/cr58pqjlnjlo, https://www.bbc.com/news/articles/crkx3vy54nzo)
