Cyber attacks ‘tipping point’ warning issued after Harrods and M&S targeted

Cyber attacks surged into prominence in 2025, inflicting significant financial damage on major British businesses and exposing widespread vulnerabilities across the economy.

High-profile targets included automotive giant Jaguar Land Rover, retail stalwart Marks & Spencer, and luxury department store Harrods, underscoring how firms of all sizes are susceptible to sophisticated digital threats.

Andrew Bailey, Governor of the Bank of England, articulated his belief that cyber attacks represent one of the most substantial threats to UK financial stability, stressing the "critically important" need for collaborative defence.

Mike Maddison, chief executive of cyber security firm NCC Group, described 2025 as a "tipping point."

He stated: "Cyber attacks are far from new, but 2025 has shown just how deeply cyber risk is intertwined with economic stability and business continuity."

Data from NCC Group revealed a record-breaking surge in global ransomware attacks, with 590 incidents recorded in January and 886 in February.

open image in gallery

Ransomware, a malicious software, allows cyber criminals to encrypt computer systems or steal data, holding it hostage until a payment is made.

A survey by insurer Hiscox earlier this year indicated that 59 per cent of small to medium-sized businesses had experienced a cyber attack in the preceding 12 months, with 27 per cent facing a ransomware demand.

Of those who paid, 60 per cent recovered some or all data, though 31 per cent reported attackers demanding further payments, according to the survey of 5,750 global respondents.

The UK’s National Cyber Security Centre (NCSC) reported handling 204 "nationally significant" cyber attacks in the year to September, a sharp increase from 89 the previous year.

Mr Maddison noted: "Compared to previous years, these attacks have been more far-reaching and costly, reaffirming that cyber security is no longer just an IT concern."

He added: "CEOs and government leaders should now be acutely aware that cyber resilience is fundamental to the UK’s long-term growth and resilience."

The most significant and costly cyber attack in the UK this year was arguably on Jaguar Land Rover (JLR).

open image in gallery

The carmaker halted production across its UK factories for five weeks from September 1, following a hack the day prior.

This disruption led to a revenue plunge of over £1 billion for the quarter to September and a substantial loss for the company.

Crucially, the shutdown was also cited as a key factor in the UK economy contracting in September and October due to slowing car production.

Experts from the non-profit Cyber Monitoring Centre estimated the incident cost the country around £1.9 billion, labelling it the "most financially damaging cyber event ever to hit the UK."

Food, fashion, and homeware retailer Marks & Spencer also suffered a major hack, which had extensive ramifications and highlighted the risk of customer data theft from prominent household brands.

The retailer was forced to suspend all online orders for approximately six weeks and faced empty shelves due to disruptions to its logistics systems after being targeted around the Easter weekend.

M&S reported a £324 million loss in sales, though it managed to recover £100 million through an insurance payout.

Customer personal data, potentially including names, email addresses, postal addresses, and dates of birth, was also compromised.

M&S was not alone; luxury department store Harrods and supermarket group Co-op were among other retailers hit by damaging cyber attacks in 2025.

The Co-op’s chief confirmed that data belonging to all 6.5 million of its members had been stolen.

Mr Maddison warned that 2025 "should be seen as a clear warning, not a one-off peak," anticipating cyber criminals will increasingly leverage artificial intelligence for phishing attempts and to identify system vulnerabilities.

He predicted: "Supply chains will remain prime targets, as their complexity means disruption can spread quickly across sectors, intensifying the pressure to pay ransoms."

However, he also observed: "At the same time, cyber maturity is improving," noting that "Boards increasingly recognise that true cyber resilience goes beyond prevention and detection."

In response, the Government is developing a Cyber Security and Resilience Bill, which aims to empower regulators to fine companies failing to comply with cyber security regulations.

New proposals from the Home Office will mandate businesses to notify the Government if they intend to pay a ransom to cyber criminals, while also prohibiting public sector bodies and operators of critical national infrastructure from making such payments.